Visualizing ATT&CK

One of my biggest takeaways from ATT&CKcon last year was that a lot of people really like ATT&CK. And I don’t just mean as a useful knowledge base of adversary tactics and techniques that can be widely used across different security functions to better align operations towards adversary behaviors: people really liked the giant cloth ATT&CK matrix handed out in the swag bag! We saw people taking to Twitter immediately to post about their ATT&CK flags, and others posting later how they put it up in their SOC, at home, or used it as a blanket for their dog. Probably my favorite, though, was the one that was signed by ATT&CK’s co-creator Blake Strom himself.

After receiving such great feedback on the ATT&CK flag handout, we thought it would be great if we could keep handing out large versions of the matrix for people to use at home.

The ATT&CK Roadmap

To coincide with RSA this year, we’re releasing a new, limited edition printout we’re calling the ATT&CK Roadmap. The roadmap is a small pamphlet folded in a way that’s reminiscent of “road maps” commonly used for road trips before the advent of GPS. When unfolded, the ATT&CK roadmap shows a high-quality rendition of the ATT&CK matrix, printed at 24” by 36”. Oh, and for anyone else who’s also road tripped to Disney World: don’t worry, these are much more user friendly than the old maps we used to use!

The roadmap when folded (left) shown with the unfolded full matrix (right).

What about the other side?

With the matrix itself on one side of the roadmap, we were left with an interesting question: what should we put on the back? We could of course leave it blank, but that would feel incomplete — in the past, when we’ve printed out the ATT&CK placemat, we’ve put the matrix on one side and use cases and other information on the back. We could follow the same model for the roadmap, but given all of the real estate we had — 6 square feet! — there might be a better thing to put there. After some back and forth, we ultimately settled on creating a new visualization that mapped out a set of data sources to the techniques those data sources could be used to detect, which even left us room to put in information about use cases.

The new visualization we created for the roadmap (left), and the final product (right). For a high quality version of the roadmap itself, click here, or for a high quality version of just the visualization, click here.

In the process of creating this new visualization, we went through a lot of different iterations, and we realized that some of the resources and visualizations we developed might be useful for the community. Below we’ll discuss a little bit about the process we used to make the visualizations, as well as cover a few of our “runner-ups” that didn’t quite make the grade. We’re also releasing the code we used to make these visualizations on our public GitHub page, which you can download and modify to create your own.

Creating the Visualization

It’s pretty easy to create visualizations from ATT&CK data — since ATT&CK is already represented in STIX2, we can just write Python scripts to extract the relationships we care about (whichever they are), and then port them over to a graph-drawing library to render the data. The hard part here was to properly visualize the data; I tried first to work with some Python libraries but couldn’t get quite the kind of visualization I was looking for. Talking with the team, Katie recommended we check out RAWGraphs, which turned out to work very smoothly.

After experimenting some, we ended up having the following process:

1. Ingest ATT&CK in STIX2 format from the MITRE TAXII2 server.

2. Parse out the relevant data that we want to visualize.

3. Output a CSV file containing the appropriate relationships.

4. Load (copy/paste) the data into RAWGraphs.

5. Choose the right visualization, including specific parameters.

The Simple Case: Tactics and Techniques

To keep things simple, we did a visualization that just showed the tactics linking out to the techniques in the tactic. This one visualized neatly using the Circular Dendrogram option:

Tactics linked to techniques. For a high quality version, click here.

While this looks nice, it didn’t add much content-wise; it was just another way to visualize the same information already displayed in the ATT&CK matrix.

Techniques, Groups, and Software

To try to make things more interesting, we thought it would be cool to have a visualization that brought in the top-level ATT&CK objects — techniques, groups, and software. To test this, we wrote a quick script that output techniques connected to the software that can execute those techniques, to the groups that use that software:

There’s potential here, but clearly there was too much to represent. To try to make it more legible, we scoped it to only include collection techniques:

All collection techniques linked to the software implementing those techniques, and the groups using that software. For a high quality version, click here.

Much better! This restricted version looks interesting, is legible, and hits on most of the important ATT&CK data pieces. Still, while this is nice, it didn’t have that wow! factor that we were looking for; we wanted something that people could look at that was not just appealing but could maybe even help them.

Beyond the Dendrogram: Using Permissions

Going over the ATT&CK data model, I looked for a few things that might be a little more off-the-beaten path when it comes to visualization, and I saw the required permissions field of the technique object. This field holds what permissions an adversary must have if they want to execute the specific technique, leading to a fun question — how do required permissions stack up across different tactics? To try to approach this, I wrote a script to count the number of techniques that needed a minimum permission level within each tactic, putting the output into a Sunburst chart on RAWGraphs:

Minimum permissions as they relate to tactics. For a high quality version, click here.

This one was my favorite so far — it pictorially represented how the techniques within each tactic had varying levels of required permissions. Looking at the chart, we can see that persistence techniques are pretty split between requiring administrator, SYSTEM, or user privileges, whereas discovery techniques typically only needed user permissions to run. As an added bonus, using the Sunburst chart type gave us some variety, and some interesting color schemes. This chart definitely met the interesting qualification we were looking for, but it still didn’t feel like something that would provide something actionable.
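The five-step process above (ingest the STIX2 bundle, parse out the relationships, write a CSV for RAWGraphs) and the per-tactic permission count described in this section can both be driven from the same small parser. The following is an added example, not MITRE's released script: the bundle is constructed by hand to stand in for what the TAXII2 server returns, technique IDs T9001 to T9006 are placeholders rather than real ATT&CK IDs, and the least-to-most-privileged ordering used to pick a technique's "minimum" permission is an assumption, since ATT&CK stores the list unordered. It also skips revoked and deprecated objects, which the live bundle contains and which would otherwise inflate every count.

```python
"""ATT&CK STIX 2 -> RAWGraphs CSV, as an added example (not MITRE's released script).

The bundle below is constructed to stand in for what the MITRE TAXII2 server
returns; technique IDs T9001..T9006 are placeholders, not real ATT&CK IDs.
"""
import csv
import io
import json
from collections import Counter, defaultdict


def _technique(num, name, tactics, perms, revoked=False):
    """Build one constructed attack-pattern object in ATT&CK's STIX 2 layout."""
    return {
        "type": "attack-pattern",
        "id": f"attack-pattern--00000000-0000-4000-8000-{num:012d}",
        "name": name,
        "revoked": revoked,
        "external_references": [{"source_name": "mitre-attack", "external_id": f"T{num}"}],
        "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": t} for t in tactics],
        "x_mitre_permissions_required": perms,
    }


# Constructed stand-in for the TAXII2 response: swap in the real bundle JSON here.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000000",
    "spec_version": "2.0",
    "objects": [
        _technique(9001, "Registry Run Keys / Startup Folder", ["persistence"], ["User", "Administrator"]),
        _technique(9002, "Scheduled Task", ["execution", "persistence", "privilege-escalation"],
                   ["Administrator", "SYSTEM"]),
        _technique(9003, "System Information Discovery", ["discovery"], ["User"]),
        _technique(9004, "Account Discovery", ["discovery"], ["User"]),
        _technique(9005, "Bootkit", ["persistence"], ["Administrator", "SYSTEM"]),
        _technique(9006, "Old Technique", ["persistence"], ["User"], revoked=True),
        {"type": "intrusion-set", "id": "intrusion-set--00000000-0000-4000-8000-000000000099",
         "name": "Example Group"},
    ],
})

# Assumed ordering from least to most privileged; ATT&CK lists permissions unordered.
PERMISSION_RANK = {"User": 0, "Remote Desktop Users": 1, "Administrator": 2, "root": 2, "SYSTEM": 3}


def load_techniques(bundle_json):
    """Steps 1-2: parse the bundle, keep live (non-revoked, non-deprecated) techniques."""
    objs = json.loads(bundle_json)["objects"]
    return [o for o in objs
            if o.get("type") == "attack-pattern"
            and not o.get("revoked") and not o.get("x_mitre_deprecated")]


def tactics_of(tech):
    """Tactic short names come from the mitre-attack kill-chain phases."""
    return [p["phase_name"] for p in tech.get("kill_chain_phases", [])
            if p.get("kill_chain_name") == "mitre-attack"]


def tactic_technique_rows(techs):
    """Rows for the Circular Dendrogram: one (tactic, technique) edge per phase."""
    return sorted((t, tech["name"]) for tech in techs for t in tactics_of(tech))


def minimum_permission(tech):
    """Lowest-ranked permission a technique lists, per PERMISSION_RANK."""
    perms = tech.get("x_mitre_permissions_required") or ["Unspecified"]
    return min(perms, key=lambda p: PERMISSION_RANK.get(p, 99))


def permission_counts(techs):
    """Rows for the Sunburst: (tactic, minimum permission, number of techniques)."""
    counts = defaultdict(Counter)
    for tech in techs:
        for t in tactics_of(tech):
            counts[t][minimum_permission(tech)] += 1
    return sorted((t, p, n) for t, c in counts.items() for p, n in c.items())


def to_csv(header, rows):
    """Step 3: serialize rows as CSV text to paste into RAWGraphs (steps 4-5)."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(header)
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    techs = load_techniques(SAMPLE_BUNDLE)
    print(to_csv(["tactic", "technique"], tactic_technique_rows(techs)))
    print(to_csv(["tactic", "permission", "techniques"], permission_counts(techs)))
```

The first CSV feeds the Circular Dendrogram (source column, target column); the second carries the three levels the Sunburst needs. Because a technique that sits in several tactics gets one row per tactic, the Sunburst counts it once under each, which matches how the matrix itself repeats such techniques across columns.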

Permissions for Defense Evasion

When looking at the technique data model, I noticed another interesting field: defenses evaded. This field — when applicable — links each technique to the specific defense that technique could evade. What if we used this in conjunction with permission information?

Permissions mapped to defenses and techniques that can evade those defenses with the specified permission. For a high quality version, click here.

This concept visualized great with the Circular Dendrogram option. Plus, it was immediately useful: people could look at it and say “what permissions do I have?,” go one-hop out and ask “what defense do I want to evade?” and then choose a technique to evade that specific defense that only needed the permissions they already had. This met most of our criteria, but we still felt like it really wasn’t the right one.

What We Went With: Data Sources and Techniques

Using data sources in some way was our first choice from the beginning, but we weren’t sure of the right way to visualize them: initially we wanted to include all of the data sources, but no matter how we sliced it, the resulting graph was always just too busy. Eventually we settled on finding a set that seemed both appealing and useful, and were pleased with the results:

The final visualization, linking a set of data sources to the techniques that they can be used to detect. For a high quality version, click here.

This one came out well both visually and from a utility perspective: each of the data sources mapped to similar numbers of techniques so that none seem over-represented, many different techniques are represented, and the chart also conveys data that could be useful to defenders. Plus, we also thought this visualization could inspire others to make their own charts of their favorite data sources.

(For anyone interested in how we got to these 12 data sources for inclusion: I ended up writing a script that, given a total number of data sources to include, would find the set of data sources with minimal technique-coverage variance, but that also linked out to at least 100 different techniques. The code we’re releasing has this set hard-coded in, but I’d love to see others find ways to computationally determine the best sets to visualize!)
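Since the released code hard-codes its set, here is one way to do the search the paragraph describes: among all k-subsets of data sources whose combined technique coverage reaches a threshold, pick the one whose per-source technique counts have the smallest variance. This is an added example and not MITRE's script; the coverage map is constructed, its technique labels are placeholders rather than real ATT&CK IDs, and the data source names are only used as dictionary keys. It goes a step beyond the text by adding a sorted-window heuristic for when the exhaustive search is too large (roughly 60 sources choose 12 is far beyond what `itertools.combinations` can enumerate): an unconstrained minimum-variance k-subset of numbers is always a contiguous window of the sorted values, so only n-k+1 windows need scoring, at the cost that the coverage constraint can push the true optimum off a window.

```python
"""Selecting data sources to visualize, as an added example (not MITRE's script).

Goal from the blog: the k data sources with minimal technique-coverage variance
whose union still reaches at least min_union distinct techniques.
SAMPLE_COVERAGE is constructed; its technique labels are placeholders.
"""
from itertools import combinations
from math import comb
from statistics import pvariance


def _techs(lo, hi):
    """Placeholder technique labels T00lo..T00hi (not real ATT&CK IDs)."""
    return {f"T{n:04d}" for n in range(lo, hi + 1)}


# Constructed: data source -> set of technique labels it can help detect.
SAMPLE_COVERAGE = {
    "Process monitoring": _techs(1, 12),
    "Process command-line parameters": _techs(1, 10),   # overlaps heavily with above
    "File monitoring": _techs(5, 15),
    "Windows Registry": _techs(20, 25),
    "Netflow/Enclave netflow": _techs(30, 36),
    "Authentication logs": _techs(40, 48),
    "DLL monitoring": _techs(50, 52),
}


def _score(coverage, subset):
    """(population variance of per-source counts, size of the union of techniques)."""
    counts = [len(coverage[s]) for s in subset]
    union = set().union(*(coverage[s] for s in subset))
    return pvariance(counts), len(union)


def select_exhaustive(coverage, k, min_union):
    """Exact: score every k-subset, keep the lowest variance that meets min_union."""
    best = None
    for subset in combinations(sorted(coverage), k):
        var, union = _score(coverage, subset)
        if union < min_union:
            continue  # balanced but too little total coverage
        if best is None or var < best[0]:
            best = (var, subset)
    return None if best is None else best[1]


def select_windowed(coverage, k, min_union):
    """Heuristic: only contiguous windows of the count-sorted sources are scored."""
    ordered = sorted(coverage, key=lambda s: len(coverage[s]))
    best = None
    for i in range(len(ordered) - k + 1):
        subset = tuple(ordered[i:i + k])
        var, union = _score(coverage, subset)
        if union >= min_union and (best is None or var < best[0]):
            best = (var, subset)
    return None if best is None else best[1]


def select_data_sources(coverage, k, min_union, max_exhaustive=200_000):
    """Use the exact search while the number of k-subsets stays enumerable."""
    if comb(len(coverage), k) <= max_exhaustive:
        return select_exhaustive(coverage, k, min_union)
    return select_windowed(coverage, k, min_union)


if __name__ == "__main__":
    # With k=3 the three largest sources are the most balanced, but they overlap
    # so much that their union misses the threshold; the search moves on.
    print(select_data_sources(SAMPLE_COVERAGE, 3, 20))
```

The threshold matters as much as the variance: in the constructed data the three process- and file-centric sources have nearly identical counts but cover the same techniques, so the union check discards them and the search lands on a set that is both balanced and broad. Running this against the real bundle only requires replacing `SAMPLE_COVERAGE` with a map built from each technique's `x_mitre_data_sources` list.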

Interested in Making Your Own Visualizations?

To accompany this blog post and the roadmap itself, we’re releasing the source code used to generate the CSV files used with RAWGraphs to create the figures in this post. The script provides lots of examples, and should be helpful to anyone who wants to make their own chart.

Have a favorite?

Let us know! Tweet us at @MITREattack or send us an email at attack@mitre.org.

©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 18–3288–7.