The ATT&CK Rainbow of Tactics

Olaf Hartong
Mar 31 · 3 min read
Image for post
Image for post

I’ve been a huge fan of MITREs ATT&CK framework ever since its release. It has been of enormous value to the whole InfoSec community and it will hopefully continue to remain so for a long long time.

We’re on the verge of one of the biggest overhauls since its release, the introduction of sub-techniques, or when you read this they might be out already. I personally believe this is a great step forward. This introduction will cause everyone to do a big overhaul of their detection tagging and improvement of their ruleset.

On the positive side it will also bring a lot more clarity and granularity and it will bring more insight to a lot of people of possible attack techniques they weren’t aware of before.

As some of you know I’m quite a visual person and one of my projects is a Splunk application for ThreatHunting which is heavily ATT&CK focussed.

I’ve been building some new dashboard visualisations like the screenshot below. Soon I realised there was a lack of a proper color scheme that would assist in quickly understanding impact and importance. One way of doing this is would be by tactic.

Image for post
Image for post
Example dashboard panel of an attack timeline

After trying out several colour schemes I ended up with a rainbow scheme like below. Introducing, the rainbow of Tactics ;)

Image for post
Image for post
ATT&CK rainbow of Tactics

Most people will not know the ATT&CK matrix by heart, and this will certainly be the case in the near future with the introduction of the sub-techniques. Having a color tag will help them attribute it to a tactic and thereby providing some additional context.

By adding a color to the tagged events most graphs will become more readable and at the same time show a bit more priority in the investigation of events.

In the timeline below color tagging has been applied. By doing this it immediately adds an additional layer of information and will help focus investigations.

Image for post
Image for post
Example dashboard panel of an attack timeline, with tactic color attribution

What you can quickly spot here is that attacks are not sequential, nor is there a normal flow from left to right across the matrix. Anyone who ever worked with the Lockheed Martin Cyber Kill Chain knows this as well. However it is interesting to track these patterns in order to be able to defend better and partially be able to predict these patterns.

Apart from dashboards, this concept can also be applied to reports, mindmaps, detection content, graphs and so on.

An overview of all colours used can be found below:

Image for post
Image for post

Initial Access: #d8031a

Execution: #ff2e45

Persistence: #ff4785

Privilege Escalation: #ff8041

Defense Evasion: #ffaf00

Credential Access:#ffd300

Discovery: #abc530

Lateral Movement: #01c26d

Collection: #007b84

Command and Control: #075190

Exfiltration: #86308c

Impact: #482569


A team of highly specialized security professionals

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch

Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore

Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store