MITRE ATT&CK® Global Matrix

MITRE ATT&CK® Global Matrix

The MITRE ATT&CK Framework is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations which provides invaluable insight into incidents and attacks affecting organizations. With that in mind, the Lumu Portal allows visibility into the MITRE ATT&CK Matrix for specific incidents; however, we also understand that this tool may seem intimidating, and proper focus and guidance are necessary to make the most of this powerful resource. It's for that reason that Lumu has now added to its repertoire the MITRE ATT&CK® Global Matrix

The MITRE ATT&CK® Global Matrix analyzes and displays in an easy and understandable way all the detected incidents in your network in a time frame of your choosing. It builds a table showing you how these incidents are distributed by incidence, and a heatmap that provides this information in a clear and visual manner, and most importantly, will lead you directly to the entries for each of these attacks an techniques on the MITRE ATT&CK® Framework so you can learn about effective methods to deal with each. This visualization is built based on your organization's compromise situation and will provide you with valuable insight about your unique threat landscape. 

This custom-made matrix will allow you to understand the specific circumstances of your network. You’ll learn about the most common and effective strategies to address and mitigate the attacks you're receiving, and incorporate critical intelligence into your defense strategy during different stages and procedures. 
Now, let's take a look at some of the key benefits of this feature. 

Key Benefits

  1. Tailored to the circumstances of your company: The MITRE ATT&CK® Global Matrix uses data from your company's incidents in a specified timeframe to build a matrix that reflects the unique reality of your organization. You will be able to see the types of incidents that affect your organization curated in a single view and displayed by distribution and relevance. This way, you will be able to gather intelligence and consult the most relevant and valuable resources and strategies for your network's circumstances.
  2. Focus your team's efforts efficiently: This curated view will allow you to focus your organization's efforts, knowledge, and resources in the most effective and efficient fashion. The MITRE ATT&CK® Global Matrix provides the most approximate overview of the current reality of your network's cybersecurity state with quick access to the largest knowledge base of adversary tactics and techniques, with proven strategies on how to handle and mitigate them.
  3. Critical threat intelligence at a glance: This visualization puts vital intelligence on your network's circumstances at your disposal with a few clicks. You can also reduce the scope of the matrix by time, if you're interested in learning about the confirmed incidents and attacks in a specific timeframe, be it a week, a month or a year. You can generate the Global Matrix that you need based on the demands of the situation you are facing. 

Use Cases

The MITRE ATT&CK® Global Matrix can be very useful in a variety of situations; however, we are going to focus on three common use cases where an organization can obtain the most value out of this feature. 

Budgeting and Priorities

Long gone are the days where cybersecurity priorities and budgets are defined by the latest trendy acronym or the noise of the market. Having a source of intelligence tailored around your organization's particular circumstances can be really useful when allocating resources and professionals to your defense and mitigation strategies. The information displayed by the matrix, along with the references and strategies that can be accessed through it, can provide you with a degree of certainty of the incidents that represent the most risk to your network, and the detection and mitigation procedures that have been successful in similar situations. You can use this information to assign the appropriate amount of resources to the right procedures and create an efficient and organized strategy suited to the reality of your company. 

Let's assume we have generated a MITRE ATT&CK® Global Matrix for a given company. Based on the information in our matrix, we can tell for a fact that adversaries targeting the company are primarily focusing on specific tactics, techniques, and procedures (TTPs), let's call them x, y and z. With that in mind, these would be the questions we should ask ourselves and the playbook we should follow.  
  1. Does my cybersecurity stack have a technology that covers TTPs x, y, and z? 
  2. Is there an ongoing project in my organization's cybersecurity team to cover TTPs x, y, and z?
  3. Is there a point in place in my organization's cybersecurity roadmap to cover TTPs x, y, and z?
  4. Do I need any new technologies to cover TTPs x, y, and z?
Budgeting and priorities playbookBudgeting and priorities playbook

After following this playbook and answering these questions, you'll be in an informed position to capture the required budget, and adjust the priorities of your organization's projects.  

Adapt Defense to the Threat Landscape

The intel provided by the MITRE ATT&CK® Global Matrix can be used not only to improve the efficiency of your defense strategy, but its effectiveness as well. This visualization allows you to obtain a detailed view of the incident types your organization faces in specific timeframes, which means that you can do a conscientious analysis of the adjustments and improvements your defense strategy requires. By accessing the resources and strategies found in the MITRE ATT&CK framework, you will be able to pinpoint weaknesses and improvement opportunities, as well as appropriate alternatives to make said improvements based on factual data.

Let's do the same exercise as in the first use case and assume we have generated a MITRE ATT&CK® Global Matrix for our company. Based on the information in our matrix, we can tell for a fact that adversaries targeting the company are primarily focusing on some specific TTPs; however, one stands out among them based on relevance and distribution, let's call it TTP x. With that in mind, these would be the questions we should ask ourselves and the playbook we should follow.
  1. Does my stack have technologies capable of effective detection and mitigation procedures according to the MITRE ATT&CK Framework, and if I do, have I configured them effectively? 
  2. Have I implemented any available Lumu Out-of-the-box integrations to optimize my automated data collection, sec-ops, and response processes against TTP x?
  3. Was TTP x on my organization's radar before seeing it in the MITRE ATT&CK® Global Matrix? 
  4. If it was, is my team working on any projects to address TTP x? 
  5. Do I need to include any new technologies in my cybersecurity stack to mitigate the impact of TTP x or is it a matter of properly configuring my current stack?
Adapt defense to the threat landscape playbookAdapt defense to the threat landscape playbook

After following this playbook and answering these questions, you'll be able to make informed decisions to improve your organization's cyber-defense capabilities.  

Prioritize Cybersecurity Testing

The MITRE ATT&CK® Global Matrix provides you with factual data of your network's cybersecurity status, which you in turn can use to create testing procedures. Knowing which attacks and techniques are most effective against your defense strategy will help with setting up fact-based testing scenarios, as well as Red Team vs Blue Team dynamics to assess the effectiveness of your cybersecurity scheme continually. You can also make use of the resources and techniques found in the MITRE ATT&CK framework in these procedures since they are based on real-life scenarios to create robust testing environments and processes. 
Once again, let's assume we have generated a MITRE ATT&CK® Global Matrix for our company. Based on the information in our matrix, we can tell for a fact that adversaries targeting the company are primarily focusing on specific TTPs, let's call them x, y, and z. With that in mind, these would be the questions we should ask ourselves and the playbook we should follow.
  1. Do my testing procedures include scenarios that cover the use of TTPs x, y, and z? 
  2. Are there any plans in my testing roadmap to cover TTPs x, y, and z?
  3. If there are, should I alter my roadmap's priorities based on the relevance of TTPs x, y, and z according to the MITRE ATT&CK® Global Matrix?
  4. Based on the MITRE ATT&CK Framework, Am I using TTPs x, y, and z as effectively as possible in my Red vs Blue team scenarios’ factual data ?
  5. Do I have access to the most effective technologies for detection and mitigation of TTPs x, y, and z for my organization's testing scenarios?
 
Prioritize cybersecurity testing playbookPrioritize cybersecurity testing playbook

After following this playbook and answering these questions, you'll be able to make informed decisions to improve your organization's cybersecurity testing scenarios.

MITRE ATT&CK® Global Matrix Filters

Filtering the data shown in the MITRE ATT&CK® Global Matrix is simple and straightforward. 
1. Simply, go to the MITRE ATT&CK® Global Matrix section on the Lumu Portal by heading to the Intelligence dropdown on the side panel, then, click on the corresponding option. 


2. Now, look for the filters in the upper left portion of the MITRE ATT&CK® Global Matrix section and select the preferred time frame and labels for the query you wish to make. 


These are some of the available filters:
  1. Time frame: Here, you will find different periods of time that you can use to filter the data shown on the matrix. You will find filters along the lines of This week, This month, This year, etc. and Last week, Last Month, Last Year, etc. The filters that go by the first convention, start on the first day of the mentioned period, for instance, This Week, starts on Monday and ends until the day the query is done. The filters that go by the second convention, start on the first day of the mentioned period until the last, for example, Last Year would go from January 1st of last year until the end of December 31st, not the day the query is made. 
  2. Label: Using this filter, you can include in your query all incidents tagged under the selected labels. If you haven't done so, we reiterate the importance of using labels to classify your traffic efficiently and effectively.
  3. Business Relevance: This filter can be found under labels. It will include in the query all incidents under the selected business relevance label. Remember a label's business relevance is selected during the creation of the label. It can correspond to High, Medium, or Low. 
3. Once selected, the incident distribution below will be updated and will display the corresponding data and links to the MITRE ATT&CK Framework for each of these tactics and techniques. 


The heatmap will also be updated with the selected data and display the queried incidents as shown below:


4. By clicking on any of the presented TTPs, you'll be able to access a description of the incident as well as a link to the corresponding entry on the MITRE ATT&CK Framework for further reference:



        • Related Articles

        • MITRE ATT&CK Matrix

          The MITRE Corporation is a nonprofit organization founded in 1958 that supports various U.S. government agencies at the highest levels. MITRE ATT&CK®, which stands for Adversarial Tactics, Techniques, and Common Knowledge, is a comprehensive matrix ...
        • Incidents

          Effective incident analysis is at the core of proficient cybersecurity operation, for that reason, the Lumu Portal offers a centralized and intuitive way to manage your incidents, track their statuses, and review which incidents have been solved—for ...
        • Compromise Overview

          Lumu simplifies Continuous Compromise Assessment by consolidating its management, reporting, and related contextual intelligence within a single portal. Security teams no longer need to chase down data from multiple network monitoring tools. In this ...
        • Lumu Playback

          The cybersecurity industry has developed numerous methods to defend against zero-day threats and emerging attacks. However, many attacks still slip through undetected due to the increasingly sophisticated evasion tactics employed by cybercriminals. A ...
        • Analytics View

          Lumu’s Illumination Process is the core of Continuous Compromise Assessment ® by Harnessing the power of AI for threat hunting without the time and resource-intensive training that traditional methods require. In this process, network metadata is fed ...