Incident Details - ATT&CK Matrix

To effectively contain and eradicate a cybersecurity incident, responders must move beyond simply knowing what happened and understand how and why it happened. This is where the MITRE ATT&CK framework becomes an invaluable asset for forensic analysis.

By mapping an incident to specific Tactics, Techniques, and Procedures (TTPs), forensic analysts can decode the adversary's playbook. Understanding the exact techniques used in an attack provides critical strategic value: it allows your team to anticipate the attacker's next move, uncover hidden persistence mechanisms, identify structural gaps in your current defenses, and ensure that containment strategies address the root cause of the breach rather than just its symptoms.

Within the Lumu Portal, this intelligence is presented in a dedicated panel that dynamically adapts its layout to best fit the nature of the detection. Depending on the incident type, you will see one of two distinct views. 

The ATT&CK Matrix View

This view provides a grid-based visualization of the incident, mapping the detected activities across the entire MITRE ATT&CK lifecycle.


The matrix provides the following information:
  • Highlighted TTPs vs. All: By default, the matrix shows only the Highlighted TTPs directly associated with the incident, filtering out the noise. Analysts can toggle to All to view the complete matrix for broader context.

  • Attack Lifecycle Mapping: The matrix is organized by columns representing the attacker's overarching goals or Tactics (e.g., Initial Access, Credential Access, Lateral Movement).

  • Techniques and Sub-techniques: Beneath each Tactic, the specific Techniques (e.g., External Remote Services T1133) and Sub-techniques (e.g., Password Spraying T1110.003) utilized by the adversary are clearly flagged, giving analysts an immediate visual understanding of the attack's progression.

The ATT&CK Context View

This view provides a detailed breakdown of the specific behaviors detected, serving as an actionable guide for incident responders.


This view provides the following information:
  • Technique Deep Dive: It lists the precise overarching techniques observed during the incident (e.g., Acquire Infrastructure T1583, Protocol Tunneling T1572). Each technique includes a Learn more link that directs analysts to the official MITRE documentation for deeper research.

  • Detected Sub-Techniques: Expandable rows reveal the granular sub-techniques employed (e.g., DNS T1071.004, Exfiltration Over Unencrypted Non-C2 Protocol T1048.003), pinpointing exactly how the attacker manipulated your systems or network protocols.

  • Recommended Mitigations: This is the most actionable area of the panel. It provides explicit, step-by-step containment and remediation strategies directly tied to the detected techniques. For example, it may recommend deploying RPZ Domain Blocks, isolating affected endpoints, or blocking specific outbound authority IPs. This bridges the gap between threat analysis and active incident response.
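The two views above are, underneath, two projections of the same data: a list of technique IDs observed in the incident. The following script is an added example (not Lumu Portal code) that builds both projections from such a list: the matrix view grouped by tactic column with the Highlighted-vs-All toggle, and the context view with sub-techniques, a link to the official MITRE page and per-technique mitigation hints. It uses the technique IDs this article cites as sample data. The tactic table is a hand-entered subset of the public ATT&CK Enterprise matrix (assumed correct; a real tool would load the ATT&CK STIX data instead), and the mitigation strings are constructed for illustration, not Lumu's actual recommendations.

```python
"""Build a minimal ATT&CK matrix view and context view from the technique IDs
observed in an incident.  Added example, not Lumu Portal code.  TECHNIQUES and
SUB_TECHNIQUES are a hand-entered subset of ATT&CK Enterprise (assumption);
MITIGATIONS is constructed for illustration only."""
import re
from collections import OrderedDict

# ATT&CK Enterprise tactics in lifecycle (column) order.
TACTIC_ORDER = [
    "Reconnaissance", "Resource Development", "Initial Access", "Execution",
    "Persistence", "Privilege Escalation", "Defense Evasion", "Credential Access",
    "Discovery", "Lateral Movement", "Collection", "Command and Control",
    "Exfiltration", "Impact",
]

# Parent technique ID -> (name, tactics it belongs to).  Hand-entered subset.
TECHNIQUES = {
    "T1133": ("External Remote Services", ["Initial Access", "Persistence"]),
    "T1110": ("Brute Force", ["Credential Access"]),
    "T1583": ("Acquire Infrastructure", ["Resource Development"]),
    "T1572": ("Protocol Tunneling", ["Command and Control"]),
    "T1071": ("Application Layer Protocol", ["Command and Control"]),
    "T1048": ("Exfiltration Over Alternative Protocol", ["Exfiltration"]),
}
SUB_TECHNIQUES = {
    "T1110.003": "Password Spraying",
    "T1071.004": "DNS",
    "T1048.003": "Exfiltration Over Unencrypted Non-C2 Protocol",
}
# Constructed mitigation hints keyed by (sub-)technique; illustrative only.
MITIGATIONS = {
    "T1071.004": "Deploy RPZ domain blocks for the resolved C2 domains",
    "T1048.003": "Block outbound traffic to the exfiltration IPs at the egress firewall",
    "T1110.003": "Enforce lockout and MFA on the targeted authentication service",
}

ID_RE = re.compile(r"^T(\d{4})(?:\.(\d{3}))?$")


def parse_id(tid):
    """Return (parent_id, sub_id_or_None); raise ValueError on malformed IDs."""
    m = ID_RE.match(tid)
    if not m:
        raise ValueError(f"not an ATT&CK technique ID: {tid!r}")
    parent = f"T{m.group(1)}"
    return parent, (tid if m.group(2) else None)


def learn_more_url(tid):
    """Official MITRE page for a technique (T1110) or sub-technique (T1110.003)."""
    parent, sub = parse_id(tid)
    path = parent + (f"/{sub.split('.')[1]}" if sub else "")
    return f"https://attack.mitre.org/techniques/{path}/"


def build_matrix(observed, highlighted_only=True):
    """Matrix view: tactic column -> [(parent_technique, observed?)].
    highlighted_only=True mimics the 'Highlighted TTPs' default; False is the
    'All' toggle: every known technique, with the observed ones flagged."""
    cells = OrderedDict((t, []) for t in TACTIC_ORDER)
    observed_parents = {parse_id(t)[0] for t in observed}
    for parent, (_name, tactics) in TECHNIQUES.items():
        hit = parent in observed_parents
        if highlighted_only and not hit:
            continue
        for tactic in tactics:          # a technique may span several columns
            cells[tactic].append((parent, hit))
    return OrderedDict((t, c) for t, c in cells.items() if c)


def build_context(observed):
    """Context view: one row per parent technique with its detected
    sub-techniques, learn-more link and mitigation hints."""
    rows = OrderedDict()
    for tid in observed:
        parent, sub = parse_id(tid)
        if parent not in TECHNIQUES:
            raise KeyError(f"unknown technique {parent}")
        row = rows.setdefault(parent, {"name": TECHNIQUES[parent][0],
                                       "learn_more": learn_more_url(parent),
                                       "sub_techniques": [], "mitigations": []})
        if sub:
            row["sub_techniques"].append((sub, SUB_TECHNIQUES.get(sub, "?")))
        for key in (sub, parent):       # sub-technique hints first, then parent
            if key in MITIGATIONS and MITIGATIONS[key] not in row["mitigations"]:
                row["mitigations"].append(MITIGATIONS[key])
    return rows


# Constructed incident: the technique IDs this article cites as examples.
INCIDENT_TTPS = ["T1583", "T1133", "T1110.003", "T1572", "T1071.004", "T1048.003"]

if __name__ == "__main__":
    for tactic, techs in build_matrix(INCIDENT_TTPS).items():
        print(f"{tactic:22s} {', '.join(t for t, _ in techs)}")
    for parent, row in build_context(INCIDENT_TTPS).items():
        print(parent, row["name"], row["learn_more"])
        for sub, name in row["sub_techniques"]:
            print("   ", sub, name)
        for hint in row["mitigations"]:
            print("    mitigation:", hint)
```

Two details worth noting: a technique such as T1133 legitimately appears in more than one column (Initial Access and Persistence), which is why the matrix cells are lists rather than a one-to-one map; and sub-technique IDs are always resolved to their parent before placement, since the tactic lives on the parent technique.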

Check out the following articles to fully understand the incident details provided in the Lumu Portal.
  1. Incident Details - Detections
  2. Incident Details - Highlights
  3. Incident Details - Threat Intel
