MITRE ATT&CK mapping and visualization
The MITRE ATT&CK framework represents adversary tactics that are used in a security attack. It documents common tactics, techniques, and procedures that can be used in advanced persistent threats against enterprise networks.
The following phases of an attack are represented in the MITRE ATT&CK framework:
| MITRE ATT&CK Tactic | Description |
|---|---|
| Collection | Gather data. |
| Command and Control | Contact controlled systems. |
| Credential Access | Steal login and password information. |
| Defense Evasion | Avoid detection. |
| Discovery | Figure out your environment. |
| Execution | Run malicious code. |
| Exfiltration | Steal data. |
| Impact | Tries to manipulate, interrupt, or destroy systems and data. |
| Initial Access | Gain entry to your environment. |
| Lateral Movement | Move through your environment. |
| Persistence | Maintain foothold. |
| Privilege Escalation | Gain higher-level permissions. |
| Reconnaissance | Gather information to use in future malicious operations. This tactic displays in the MITRE reports only when the PRE platform is selected in your user preferences. |
| Resource Development | Establish resources to support malicious operations. This tactic displays in the MITRE reports only when the PRE platform is selected in your user preferences. |
Tactics, techniques, and sub-techniques
Tactics represent the goal of an ATT&CK technique or sub-technique. For example, an adversary might want to get credential access to your network.
Techniques represent how an adversary achieves their goal. For example, an adversary might dump credentials to get credential access to your network.
Sub-techniques provide a more specific description of the behavior an adversary uses to achieve their goal. For example, an adversary might dump credentials by accessing the Local Security Authority (LSA) Secrets.
Workflow for MITRE ATT&CK mapping and visualization
Create your own rule and building block mappings in IBM® QRadar® Use Case Manager, or modify IBM QRadar default mappings to map your custom rules and building blocks to specific tactics and techniques.
Save time and effort by editing multiple rules or building blocks at the same time, and by sharing rule-mapping files between QRadar instances. Export your MITRE mappings (custom and IBM default) as a backup of custom MITRE mappings in case you uninstall the app and then decide later to reinstall it. For more information, see Uninstalling QRadar Use Case Manager.
After you finish mapping your rules and building blocks, organize the rule report and then visualize the data through diagrams and heat maps. Current® and potential MITRE coverage data is available in the following reports: Detected in timeframe report, Coverage map and report, and Coverage summary and trend.