
MITRE ATT&CK Navigator: Use Cases, Layers, and How to Get Started
What Is MITRE ATT&CK Navigator?
MITRE ATT&CK Navigator is a tool designed to assist cybersecurity professionals in visualizing and understanding the comprehensive database of cyber adversary behavior known as the MITRE ATT&CK framework. It helps users to explore various attack tactics, techniques, and procedures (TTPs), facilitating a more organized approach to cybersecurity defense and analysis.
The tool is primarily web-based, available free to any user, and it serves as a platform for creating customizable visual representations of the ATT&CK data models. These visualizations assist in planning and orchestration of security strategies, red team operations, and expanding awareness regarding potential adversarial methods.
You can access the online MITRE ATT&CK Navigator here.
This content is part of a series about MITRE ATT&CK.

MITRE ATT&CK Navigator Use Cases
Identifying Priority Threats and TTPs
The MITRE ATT&CK Navigator enhances threat awareness by enabling security teams to prioritize threats and understand attack vectors that are most relevant to their organization. By visualizing different attack tactics and techniques, teams can effectively identify which areas of their system are most vulnerable to specific TTPs.
This prioritization helps teams focus their resources efficiently, ensuring that the most critical aspects of their defense posture are fortified first. The navigator aids in strategic planning by integrating real-world data about threat actor behaviors and prevalent security challenges faced by similar organizations.
Assessing Detection Capabilities
MITRE ATT&CK Navigator can help assess an organization’s current detection capabilities against various TTPs outlined in the ATT&CK framework. Security teams can map their existing security controls against known attack techniques to identify detection gaps or weaknesses in their defensive measures.
By systematically testing each technique to see if it can be detected and at which stage of the attack it is noticed, organizations can incrementally improve their defensive mechanisms. This iterative approach ensures continual enhancement of detection capabilities, adapting to evolving threat landscapes.
Evaluating Cloud-Native Security Against Specific Threat Actors
Organizations employing cloud-native architectures can utilize MITRE ATT&CK Navigator to identify which specific threat actors could target their cloud environments. This helps identify weak spots in cloud security that may be exploited by attackers and enforce necessary defenses.
Furthermore, the tool allows teams to adjust their security strategies based on detailed analysis of adversary tactics and techniques that are commonly used against cloud infrastructures. Teams can adapt preventive measures, ensuring robust security for cloud-native applications and services.
Tips from the expert

Steve Moore is Vice President and Chief Security Strategist at Exabeam, helping drive solutions for threat detection and advising customers on security programs and breach response. He is the host of “The New CISO Podcast,” a Forbes Tech Council member, and Co-founder of TEN18 at Exabeam.
In my experience, here are tips that can help you better leverage MITRE ATT&CK Navigator for enhanced cybersecurity strategies:
Incorporate threat intelligence into custom layers
Import threat intelligence feeds or recent threat actor activity into Navigator’s layers. This ensures your team stays current with emerging threats and aligns your defenses with the latest adversarial tactics.
Use layers to track and compare threat actors
Create separate layers in the Navigator for each threat actor your organization faces. Overlay these layers to identify common tactics and techniques used across adversaries. This helps prioritize defenses against the most frequently used attack methods.
Visualize gaps in detection capabilities
Map your existing security controls against ATT&CK techniques in Navigator. By highlighting areas where you lack coverage, you can quickly identify detection gaps and take steps to strengthen defenses where you’re most vulnerable.
Customize layers to focus on specific attack scenarios
Use custom layers to model specific attack scenarios relevant to your industry or organization. For example, if you face frequent ransomware threats, focus on techniques related to persistence, lateral movement, and data exfiltration to better defend against such attacks.
Track detection and response maturity with Navigator
Continuously update your Navigator layers to reflect your SOC’s detection capabilities. Over time, you can use the tool to track how your detection and response maturity has improved by comparing old and new layers.
What Are ATT&CK Navigator Layers?
Layers are a core part of the ATT&CK Navigator user interface.
Tactic and Techniques Layers
Within the MITRE ATT&CK Navigator, tactics and techniques layers provide a visual layout where each column represents a tactic, and the cells under each column depict techniques linked with that tactic. This hierarchical structure allows users to swiftly inspect and manage information pertaining to multiple attack scenarios systematically.
By employing tactics and techniques layers, teams can trace the lineage and relationship between tactics and subsequent techniques attackers might use.
Threat Actor Layers
Threat actor layers within the MITRE ATT&CK Navigator offer insights into specific adversary groups and their commonly utilized techniques and tools. Each layer dedicates focus to a particular threat actor, illustrating their modus operandi in a structured, easily understandable format.
This feature is particularly useful for organizations looking to tailor their defense mechanisms against particular types of attackers. By understanding the behaviors and techniques of these actors, defensive strategies can be more effectively aligned with actual threat patterns.
Importing Layers
Importing layers into the MITRE ATT&CK Navigator allows users to integrate customized data or third-party information into their existing navigational framework. This capability enables inclusion of emerging threat information and community-shared insights, enhancing the overall analytical capacity of security operations.
Users can import layers in JSON format, which aligns with the structured approach of the ATT&CK framework, ensuring that data integration is both seamless and coherent. This flexibility in data integration makes Navigator a versatile tool in dynamic threat environments.
Custom Layers
Custom layers in MITRE ATT&CK Navigator empower users to personalize the tool according to specific organization needs or unique security scenarios. Teams can build these layers from scratch, incorporating only relevant tactics and techniques pertinent to their operational context.
These customizations ensure that the Navigator serves not just as a general visualization tool, but as a tailored analytical aid that reflects the unique aspects of an organization’s security posture. Custom layers provide a focused approach to scenario-specific threat modeling and strategic planning.
Getting Started with the MITRE ATT&CK Navigator
Accessing MITRE ATT&CK Navigator
To access the MITRE ATT&CK Navigator, download the tool from the official GitHub repository, or use the hosted version of the tool.
Searching for Specific Elements
When searching for specific threats or techniques within the MITRE ATT&CK Navigator, you can use the magnifying glass icon located on the toolbar. This lets you search for specific elements within the MITRE ATT&CK framework.
Using the Layers
Layers in the MITRE ATT&CK Navigator function similarly to layers in graphics editing software. They allow you to overlay different sets of data for comparative and analytical purposes without altering underlying information.
For example, if you are tracking multiple Advanced Persistent Threat (APT) groups, you can create separate layers for each group’s techniques and then overlay these to identify common vulnerabilities and prioritize security measures accordingly.
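The overlay described above, combined with the detection-coverage mapping from "Assessing Detection Capabilities" and the JSON import from "Importing Layers", as an added example that is not code from the original article, MITRE, or Exabeam. It merges per-actor layers into one importable layer whose score is the number of actors using each technique, and colours techniques with no mapped detection. Assumptions: the actor and coverage layers are constructed samples, the helper names are hypothetical, and the values under `versions` must be matched to your Navigator instance.

```python
import json
from collections import Counter

# Constructed sample layers: hypothetical actors, real ATT&CK technique IDs.
def _layer(name, scores):
    return {"name": name, "domain": "enterprise-attack",
            "techniques": [{"techniqueID": t, "score": s} for t, s in scores.items()]}

ACTOR_A = _layer("Actor A", {"T1566": 1, "T1059": 1, "T1078": 1})
ACTOR_B = _layer("Actor B", {"T1566": 1, "T1078": 1, "T1486": 1})
# Constructed coverage layer: score > 0 means at least one detection is mapped.
COVERAGE = _layer("SOC detections", {"T1566": 1, "T1059": 1, "T1486": 0})

def used_ids(layer):
    """Technique IDs a layer marks as present (enabled, score above zero)."""
    return {t["techniqueID"] for t in layer.get("techniques", [])
            if t.get("enabled", True) and (t.get("score") or 0) > 0}

def build_overlay(actor_layers, coverage_layer, name="Actor overlap vs. coverage"):
    """Score = number of actors using a technique; colour techniques with no detection."""
    domains = {l.get("domain") for l in [*actor_layers, coverage_layer]}
    if len(domains) != 1:  # e.g. enterprise-attack mixed with mobile-attack
        raise ValueError(f"layers mix ATT&CK domains: {sorted(map(str, domains))}")
    counts = Counter()
    for layer in actor_layers:
        counts.update(used_ids(layer))  # a set, so each actor counts once per technique
    covered = used_ids(coverage_layer)
    techniques = []
    for tid, n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])):
        gap = tid not in covered
        techniques.append({"techniqueID": tid, "score": n, "enabled": True,
                           "color": "#ff6666" if gap else "",
                           "comment": "no detection mapped" if gap else "detection mapped"})
    return {"name": name, "domain": domains.pop(),
            # Version values are assumptions; match them to your Navigator instance.
            "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
            "description": "Generated overlay (added example)",
            "gradient": {"colors": ["#ffffff", "#6666ff"], "minValue": 0,
                         "maxValue": len(actor_layers)},
            "techniques": techniques}

def detection_gaps(overlay):
    """Uncovered techniques, most widely used first (overlay order is preserved)."""
    return [t["techniqueID"] for t in overlay["techniques"] if t["color"]]

if __name__ == "__main__":
    overlay = build_overlay([ACTOR_A, ACTOR_B], COVERAGE)
    print("gaps:", detection_gaps(overlay))
    print(json.dumps(overlay, indent=2))  # save as .json and import into Navigator
```

With the constructed inputs, T1078 is used by both actors and has no detection mapped, so it sorts first among the gaps.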
Downloading Data
The Navigator provides options for downloading data in several formats including JSON, SVG, and Excel. You can export data directly from the Navigator’s interface to share threat information with colleagues.
Exabeam Embraces MITRE Frameworks
The Exabeam family of products — Exabeam Fusion, Exabeam Security Investigation, Exabeam Security Analytics, Exabeam SIEM, and Exabeam Security Log Management — map attacks, alerts, and core use cases against the MITRE ATT&CK framework. Additionally, customers can write their own Correlation Rules to compare incoming log events.
Organizations can write, test, publish, and monitor their custom Correlation Rules to focus on the most critical business entities and assets, including defining higher criticality or specific inclusion of Threat Intelligence Service-sourced conditions, and assign specific MITRE ATT&CK® TTPs.