MITRE ATT&CK Mapping and Visualization
The MITRE ATT&CK framework represents adversary tactics that are used in a security attack. It documents common tactics, techniques, and procedures that can be used in advanced persistent threats against enterprise networks.
The following phases of an attack are represented in the MITRE ATT&CK framework:
MITRE ATT&CK Tactic |
Description |
|---|---|
Initial Access |
Gain entry to your environment. |
Execution |
Run malicious code. |
Persistence |
Maintain foothold. |
Privilege Escalation |
Gain higher-level permissions. |
Defense Evasion |
Avoid detection. |
Credential Access |
Steal login and password information. |
Discovery |
Figure out your environment. |
Lateral Movement |
Move through your environment. |
Collection |
Gather data. |
Exfiltration |
Steal data. |
Command and Control |
Contact controlled systems. |
Workflow for MITRE ATT&CK mapping and visualization
Create your own rule and building block mappings in QRadar Use Case Manager, or modify QRadar default mappings to map your custom rules and building blocks to specific tactics and techniques.
Save time and effort by editing multiple rules or building blocks at the same time, and by sharing rule-mapping files between QRadar instances. Export your MITRE mappings (custom and IBM default) as a backup of custom MITRE mappings in case you uninstall the app and then decide later to reinstall it. For more information, see Uninstalling QRadar Use Case Manager.
After you finish mapping your rules and building blocks, organize the rule report and then visualize the data through diagrams and heat maps. Current and potential MITRE coverage data is available in the following reports: Detected in timeframe report, Coverage map and report, and Coverage summary and trend.
Editing MITRE Mappings in a Rule or Building Block
Create your own rule and building block mappings or modify QRadar default mappings to map your custom rules and building blocks to specific tactics and techniques.
Editing MITRE Mappings in Multiple Rules or Building Blocks
Save time and effort by editing multiple rules or building blocks at the same time.
-
Save time and effort when mapping rules and building blocks to tactics and techniques by sharing rule-mapping files between QRadar instances.
Visualizing MITRE Tactic and Technique Coverage in Your Environment
Visualize the coverage of MITRE ATT&CK tactics and techniques that the rules provide in QRadar. After you organize the rule report, you can visualize the data through diagrams and heat maps and export the data to share with others.
Visualizing MITRE Tactics and Techniques that are Detected in a Specific Timeframe
Tune your rules by the MITRE ATT&CK tactics and techniques that are detected in your environment within a specific timeframe. QRadar Use Case Manager displays a list of the offenses and their related rules that were found within that timeframe.
-
The colors in the MITRE heat maps are calculated based on the number of rule mappings to a tactic or technique plus the level of mapping confidence (low, medium, or high).