What is ATT&CK Navigator?

Learn about the MITRE ATT&CK Navigator visualization tool for exploring, analyzing, and communicating adversary tactics and techniques.

By Inventive HQ Team

Understanding the ATT&CK Navigator

The MITRE ATT&CK Navigator is a free, browser-based visualization tool that transforms the abstract complexity of MITRE ATT&CK into intuitive, color-coded matrices. Rather than reading through hundreds of techniques in tables, the Navigator displays techniques visually, enabling rapid comprehension of vast amounts of information.

The Navigator wasn't created by MITRE initially but rather by a team of security researchers who recognized that ATT&CK's power was underutilized because it was difficult to visualize. MITRE recognized the value and now maintains it as the official ATT&CK visualization platform.

The tool operates as a web application at navigator.mitre.org. No installation required—simply visit the website to start creating visualizations.

The Navigator's power lies in its flexibility. You can color techniques to represent different aspects: which techniques you can detect, which you're vulnerable to, which a specific threat group uses, etc. This flexibility enables diverse use cases.

Accessing and Using the Navigator

Navigate to navigator.mitre.org in your browser. The interface displays the current ATT&CK matrix by default, showing all tactics as columns and techniques as cells within each tactic.

The interface defaults to the enterprise matrix but supports:

  • Enterprise: Windows, macOS, Linux
  • Mobile: iOS and Android
  • Cloud: Cloud-specific techniques
  • ICS: Industrial control systems

Select the appropriate matrix for your analysis.

Color-Coding Techniques

The Navigator's core feature is color-coding. Click any technique cell to change its color. Color codes help categorize techniques by various attributes.

Common color schemes:

  • Detection capability: Red for techniques you can't detect, yellow for partial detection, green for full detection
  • Threat group activity: Color each technique used by a specific threat group, showing their overall capability
  • Vulnerability status: Red for techniques you're vulnerable to, green for mitigated
  • Priority: Green for low priority, yellow for medium, red for high priority

You're not limited to predefined color schemes. Develop custom schemes matching your needs.

Creating Custom Layers

Layers are saved visualizations you can create and share. Create a new layer to save your color-coded techniques.

To create a layer:

  1. Click the "Create New" tab
  2. Name your layer
  3. Color techniques as desired
  4. Click save
  5. Download as JSON for sharing or storage

Layers capture your analytical work for future reference and team sharing.

Pre-Built Layers

The Navigator includes many pre-built layers created by security researchers and organizations:

Threat group layers: Pre-colored with techniques used by specific threat groups (APT1, FIN7, etc.)

Industry layers: Techniques commonly used against specific industries

Detection layers: Techniques supported by specific detection tools

Campaign layers: Techniques used in specific cyber campaigns

Access these pre-built layers to get started immediately without creating from scratch.

Layer Collaboration

Layers can be shared with your team by exporting them as JSON files. Team members can import these layers into their own Navigator instances.

Create a shared repository of layers for your organization:

  • Detection coverage layers
  • Threat group technique mappings
  • Priority technique layers
  • Vulnerability assessments

This shared repository becomes institutional knowledge about your threat landscape.

Matrix Views

The Navigator supports multiple ways of viewing ATT&CK matrices:

Heatmap view: Techniques are colored continuously from cool (low impact) to hot (high impact). This helps visualize which techniques are critical.

Gradient view: Similar to heatmap but with more granular color transitions.

Tactic view: Focuses on tactics rather than individual techniques, providing high-level overview.

Search view: Enables searching for specific techniques, groups, or tools.

Group Tracking

The Navigator includes profiles of known threat groups with their documented techniques pre-colored. Select a threat group to visualize their known technique usage.

This is invaluable for:

  • Threat intelligence analysis: Understanding a specific group's capabilities
  • Defensive prioritization: Focusing on techniques used by groups targeting your industry
  • Incident attribution: Comparing observed activity to group profiles

Detecting Technique Coverage

Use the Navigator to visualize your detection coverage:

  1. Create a new layer called "Detection Coverage"
  2. Color techniques you can detect green
  3. Color techniques you cannot detect red
  4. Save the layer
  5. Review the visualization to identify gaps

The visual representation makes coverage gaps obvious. If an entire tactic is red, that's a major gap.

Comparing Multiple Layers

The Navigator enables overlaying multiple layers for comparison:

  1. Create or load multiple layers
  2. Adjust the opacity of layers to see through them
  3. Identify techniques covered by multiple layers
  4. Find coverage differences between layers

This comparison helps identify:

  • Redundant coverage (same technique detected by multiple tools)
  • Coverage gaps (technique covered by no tools)
  • Tool-specific coverage (which tools detect what)
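
The same comparison can be computed offline from exported layer files. The Python below is an added example, not part of the Navigator or the original article. It assumes detection layers follow the green/red scheme from "Detecting Technique Coverage"; the tool names, the group layer and the red hex value are constructed.

```python
import json

DETECTED = "#2d8a5a"   # green used in the article's sample layer
MISSED = "#d62728"     # red chosen for this example (assumption)

def covered_ids(layer, detected=DETECTED):
    """IDs a layer marks as detected; red or uncolored cells do not count."""
    return {t["techniqueID"] for t in layer.get("techniques", [])
            if (t.get("color") or "").lower() == detected}

def overlay(tool_layers, reference):
    """Score each technique in `reference` by how many tool layers detect it."""
    by_tool = {l["name"]: covered_ids(l) for l in tool_layers}
    cells, gaps, redundant = [], [], []
    for tid in sorted({t["techniqueID"] for t in reference["techniques"]}):
        tools = sorted(n for n, ids in by_tool.items() if tid in ids)
        if not tools:
            gaps.append(tid)          # covered by no tool
        elif len(tools) > 1:
            redundant.append(tid)     # covered by several tools
        cells.append({"techniqueID": tid, "score": len(tools),
                      "color": DETECTED if tools else MISSED,
                      "comment": "detected by: " + (", ".join(tools) or "nothing")})
    # Carry the domain/version fields over from the reference layer unchanged.
    meta = {k: reference[k] for k in ("domain", "versions", "version") if k in reference}
    layer = {"name": "Gaps vs " + reference["name"], **meta, "techniques": cells}
    return layer, gaps, redundant

# Constructed sample input: two tool layers and one threat-group layer.
EDR = {"name": "EDR", "techniques": [
    {"techniqueID": "T1059", "color": DETECTED},
    {"techniqueID": "T1083", "color": DETECTED},
    {"techniqueID": "T1055", "color": MISSED}]}   # present in the layer, but red
SIEM = {"name": "SIEM", "techniques": [
    {"techniqueID": "T1059", "color": DETECTED},
    {"techniqueID": "T1078", "color": DETECTED}]}
GROUP = {"name": "Example group", "domain": "enterprise-attack", "techniques": [
    {"techniqueID": t} for t in ("T1059", "T1078", "T1083", "T1055", "T1566")]}

if __name__ == "__main__":
    layer, gaps, redundant = overlay([EDR, SIEM], GROUP)
    print("gaps:", gaps, "redundant:", redundant)
    print(json.dumps(layer, indent=2))   # save this output and import it as a layer
```

A technique that appears in a tool layer colored red counts as a gap here, which a check based only on presence in the layer would miss.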

Navigator Customization

Create custom Navigator instances for different contexts:

Executive reporting: Create layers showing high-level threat landscape relevant to leadership. Use terminology and visualizations they understand.

Team training: Create layers for training new team members. Color code based on complexity or importance.

Incident response: Create layers showing what techniques the suspected threat group uses. This guides investigation focus.

Defensive planning: Create layers showing vulnerabilities and detection gaps. Use this for budget requests and planning.

Exporting and Sharing

Export layers as JSON for storage or sharing:

{
  "name": "Our Detection Coverage",
  "description": "Techniques we can currently detect",
  "versions": {
    "layer": "4.0"
  },
  "domain": "enterprise-attack",
  "techniques": [
    {
      "techniqueID": "T1083",
      "color": "#2d8a5a",
      "comment": "File and Directory Discovery - detected by endpoint monitoring"
    }
  ]
}

Share these JSON files with team members who can import them into their Navigator instances.
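
Before a shared or community layer goes into a team repository, its JSON can be checked for the fields shown above. This linter is an added example, not part of the Navigator or the original article; the rules it enforces (a description, #rrggbb colors, a comment on every colored cell, no repeated cells) are this example's own conventions, and the sample layer is constructed.

```python
import json
import re

TECHNIQUE_ID = re.compile(r"T\d{4}(\.\d{3})?")   # T1083 or T1059.001
HEX_COLOR = re.compile(r"#[0-9a-fA-F]{6}")

def lint_layer(text):
    """Return a list of problems found in a layer file's JSON text."""
    try:
        layer = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(layer, dict):
        return ["top level must be a JSON object"]
    problems = []
    for field in ("name", "domain"):
        if not isinstance(layer.get(field), str) or not layer[field].strip():
            problems.append(f"missing or empty '{field}'")
    if not layer.get("description"):
        problems.append("no description of the color scheme")
    cells = layer.get("techniques")
    if not isinstance(cells, list):
        return problems + ["'techniques' must be a list"]
    seen = set()
    for i, cell in enumerate(cells):
        tid = cell.get("techniqueID") if isinstance(cell, dict) else None
        if not isinstance(tid, str) or not TECHNIQUE_ID.fullmatch(tid):
            problems.append(f"techniques[{i}]: bad techniqueID {tid!r}")
            continue
        key = (tid, str(cell.get("tactic")))   # same ID may repeat per tactic
        if key in seen:
            problems.append(f"{tid}: listed more than once")
        seen.add(key)
        color = cell.get("color") or ""
        if color and not (isinstance(color, str) and HEX_COLOR.fullmatch(color)):
            problems.append(f"{tid}: color {color!r} is not #rrggbb")
        if color and not cell.get("comment"):
            problems.append(f"{tid}: colored without a comment")
    return problems

# Constructed sample: four cells, each breaking one rule the linter checks.
BAD = json.dumps({"name": "Shared layer", "domain": "enterprise-attack", "techniques": [
    {"techniqueID": "1083", "color": "#2d8a5a", "comment": "endpoint monitoring"},
    {"techniqueID": "T1059.001", "color": "green", "comment": "script block logging"},
    {"techniqueID": "T1078", "color": "#ff0000"},
    {"techniqueID": "T1078", "color": ""}]})

if __name__ == "__main__":
    for problem in lint_layer(BAD):
        print(problem)
```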

Navigator Mobile Experience

The Navigator works on mobile devices but is optimized for desktop. The large matrix is difficult to navigate on small screens.

Consider creating summary documents with key techniques highlighted for mobile sharing.

Limitations and Considerations

The Navigator is primarily a visualization tool, not an analysis engine. It doesn't automatically identify which techniques you're vulnerable to—you must manually assess and color.

The Navigator doesn't track changes over time. Create dated versions of layers to track evolution of your coverage or threat landscape.

Pre-built threat group layers are only as current as their sources. Threat groups evolve, gaining new techniques and discarding old ones. Keep group layers updated.

Using Navigator in Threat Intelligence

Security analysts use the Navigator for threat intelligence analysis:

  1. Import a threat group's known techniques
  2. Identify gaps in your defenses against that group
  3. Prioritize defensive improvements
  4. Create incident response playbooks for likely techniques

This structured analysis is more effective than unstructured threat research.

Navigator in Incident Response

During incident response, use the Navigator to:

  1. Document observed techniques in the current incident
  2. Compare observed techniques to threat group profiles
  3. Predict likely next steps based on threat group patterns
  4. Identify which defenses failed and should be improved

This structured response prevents important analysis from being overlooked.

Advanced Features

The Navigator supports several advanced features:

Lookup feature: Search for specific techniques and groups to quickly find relevant information.

Create custom layers offline: Export to JSON, edit in your text editor, import back.

Tactic filtering: Focus on specific tactics rather than the entire matrix.

Multi-select: Select multiple techniques at once to color them together.

Integration with Other Tools

Some SIEM platforms and endpoint detection platforms integrate with the Navigator, enabling:

  • Automatic coloring of techniques based on detected activity
  • Syncing of detection rules to technique mappings
  • Real-time coverage visualization

Check your tool's documentation for Navigator integration.

Community Contributions

The security community contributes layers to public repositories. Browse community-created layers for inspiration or ready-made visualizations for your context.

Best Practices

Start with pre-built threat group layers. Rather than coloring from scratch, import layers for relevant threat groups.

Create multiple layers for different purposes rather than one massive layer. A detection layer, a threat layer, a priority layer, and a vulnerability layer are easier to manage separately.

Update your layers regularly. As your detection capabilities improve or threats evolve, update your layers to reflect reality.

Share your layers with colleagues and the broader security community. Contributing to the community improves everyone's defenses.

Document your layers thoroughly. Include comments explaining your color scheme and methodology.

Conclusion

The MITRE ATT&CK Navigator transforms abstract technique lists into visual representations you can analyze and communicate. Color-code techniques to represent detection coverage, threat group capabilities, or vulnerabilities. Create, share, and collaborate on layers that document your threat landscape. Use pre-built layers for quick insights, then customize for your specific needs. The Navigator is essential for any organization serious about understanding its threat environment and defending systematically against the techniques adversaries actually use.
