This article discusses how to use the MITRE ATT&CK® Dashboard to get an overview of the threat tactics and techniques in your network.
The MITRE ATT&CK® Dashboard maps the threats identified by the Cato IPS service to tactics and techniques that are presented in the MITRE ATT&CK® Matrix. This provides a powerful framework for analyzing threats and identifying the various phases of attacks. MITRE ATT&CK® tactics are the high-level goals in an attack vector, while techniques are specific methods used to accomplish these goals.
The dashboard contains a number of widgets that provide visibility and analytics, including:
- Summary of tactics identified in your network, with the number of events for each tactic
- Breakdown of techniques for each tactic
- Most common techniques identified in your network
- Device distribution for each technique
- Time distribution of identified tactics
- Sources in your network that generated the most security events
The MITRE ATT&CK® Dashboard widgets present a summary of the attack tactics and techniques identified in your network. You can also drill-down to see granular details and analysis for each technique, or view the Events screen pre-filtered for a tactic or technique.
By default, the dashboard shows data for IPS Monitor events (including Suspicious Activity events) and Block events. For a more focused analysis, you can filter the dashboard to show only Monitor events or only Block events.
Use the time range filter to determine the time window for the data and analytics in the dashboard. For more about the time range filter, see Setting the Time Range Filter.
This section explains the widgets that are available in the MITRE ATT&CK® Dashboard. The data shown in the dashboard is based on the configured time range.
These are the widgets:
- Tactics summary - The top row of the dashboard shows the tactics identified in your network, with the number of events generated for each tactic. Tactics are shown according to phases in the attack lifecycle, following the left-to-right arrangement in the MITRE ATT&CK® Matrix.
- Technique breakdown - The left-hand pane shows the techniques used for each tactic, with the number of events for each technique. Click the row of a technique to open the Details panel containing the following information and widgets:
  - Basic description of the tactic and technique according to the MITRE ATT&CK® definitions
  - Attacks Over Time - Time distribution of attacks using this technique. Click and drag to zoom in on:
    - Time of events
    - Number of events
  - Top Sources - Shows a list of the top sources for the technique, with the number of MITRE ATT&CK® events for each source. Click the source row to open the Events screen pre-filtered for the technique and source.
  - Device distribution - The bottom row shows OS icons with the number of events generated for the technique on each OS.
- Top Techniques - Shows a list of the top MITRE ATT&CK® techniques with the number of events for each one. Click a technique name to open the Events screen pre-filtered for that technique.
- Tactics Distribution Over Time - Graphs the events for each tactic on a timeline.
  - Hover the mouse over the graph to show a summary of events for a point on the timeline.
  - Click the toggle button of a tactic to turn its graph on or off.
  - Click a tactic name to open the Events screen pre-filtered for the tactic.
  - Click and drag to zoom in on:
    - Time of events
    - Number of events
- Top Security Events - Sources that generated the most overall security events, including MITRE ATT&CK® and other event types. The MITRE Techniques column shows the top technique identified for a source.
  - Hover the mouse over a number in the MITRE Techniques column to show additional techniques for the source.
  - Click in the row of a source to open the Events screen pre-filtered for the source.
After the IPS service blocks an attack, you can analyze it with the MITRE ATT&CK® Dashboard and take actions to stop similar future attacks at an earlier stage. This is an example of a threat analysis and possible actions:
- The left-hand pane shows 80 Phishing events under the Initial Access tactic.
- In the Details panel for the Phishing technique, the Top Hosts widget shows that one user generated 25 of the events, and a second user generated 20.
- The bottom row of the Details panel shows that 60 of the events were generated by Windows devices, and 20 by Android devices.
- Investigate the two problematic users to find out why they are vulnerable to these attacks.
- Educate and train the users to avoid phishing attacks in the future.
- Verify that all Windows and Android devices on your network have the required security updates.
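As an added illustration (not part of the Cato documentation or product), the following Python reproduces the dashboard's aggregation steps offline over a constructed set of IPS events that matches the scenario above: tactic counts in matrix order, the technique breakdown for a tactic, and the top-sources and device-distribution views for a technique. The event fields, the Monitor/Block filter and the tactic order list are assumptions made for the example.

```python
from collections import Counter
from dataclasses import dataclass

# Tactic columns in the order the ATT&CK Enterprise matrix shows them (left to right);
# only the leading columns are listed, which is enough for the constructed sample.
TACTIC_ORDER = ["Initial Access", "Execution", "Persistence", "Privilege Escalation",
                "Defense Evasion", "Credential Access", "Discovery", "Lateral Movement"]

@dataclass(frozen=True)
class IpsEvent:
    action: str      # "Block" or "Monitor" (the dashboard shows both by default)
    tactic: str
    technique: str
    source: str      # host or user that generated the event
    os: str          # OS of the device, as in the device-distribution row

def constructed_events():
    """Constructed sample matching the article's scenario: 80 Phishing events,
    25 from user-a and 20 from user-b, 60 on Windows devices and 20 on Android."""
    sources = ["user-a"] * 25 + ["user-b"] * 20 + [f"host-{i:02d}" for i in range(35)]
    events = [IpsEvent("Block", "Initial Access", "Phishing", src,
                       "Windows" if i < 60 else "Android")
              for i, src in enumerate(sources)]
    # A few Monitor events under a later tactic, to show the tactic ordering.
    events += [IpsEvent("Monitor", "Execution", "Command and Scripting Interpreter",
                        "host-00", "Windows")] * 3
    return events

def filter_actions(events, actions=("Monitor", "Block")):
    """Default view is Monitor + Block; pass ("Block",) for a focused analysis."""
    return [e for e in events if e.action in actions]

def tactics_summary(events):
    """Top row of the dashboard: (tactic, event count) in matrix order."""
    counts = Counter(e.tactic for e in events)
    return [(t, counts[t]) for t in TACTIC_ORDER if counts[t]]

def technique_breakdown(events, tactic):
    """Left-hand pane: techniques under one tactic, most frequent first."""
    return Counter(e.technique for e in events if e.tactic == tactic).most_common()

def technique_details(events, technique):
    """Details panel: top sources and per-OS device distribution for a technique."""
    hits = [e for e in events if e.technique == technique]
    return {"total": len(hits),
            "top_sources": Counter(e.source for e in hits).most_common(),
            "os_distribution": dict(Counter(e.os for e in hits))}

if __name__ == "__main__":
    ev = filter_actions(constructed_events())
    print(tactics_summary(ev))
    print(technique_breakdown(ev, "Initial Access"))
    print(technique_details(ev, "Phishing"))
```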
The MITRE Corporation (MITRE) hereby grants you a non-exclusive, royalty-free license to use ATT&CK® for research, development, and commercial purposes. Any copy you make for such purposes is authorized provided that you reproduce MITRE’s copyright designation and this license in any such copy.
© 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
The information on this application is for general informational purposes only. Your use of the application is solely at your own risk. This application may contain links to third party content, which we do not warrant, endorse, or assume liability for. Cato Networks make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the application or the information, services, or related graphics contained on the application for any purpose. Any reliance you place on such information is therefore strictly at your own risk.
In no event will Cato Networks be liable for any loss or damage including without limitation, indirect or consequential loss or damage, or any loss or damage whatsoever arising from loss of data or profits arising out of, or in connection with, the use of this application.
2 comments
Is there a way to mark events as false positives? Example: a script running every night is generating events categorized as suspicious traffic, but we know it to be legitimate.
Hi James,
Thanks for the question and sorry for the delay. To stop logging events for specific Suspicious Activity traffic, you can create an allowlist rule in the IPS page under the Allow List tab. Please see here for more information.
Regards,
Jon