MITRE ATT&CK Navigator

Tactics are adversary objectives (why), techniques are methods (how). 14 tactics: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact. Each tactic has multiple techniques. Example: Persistence (tactic) → Create Account (technique) → Domain Account (sub-technique). Use tactics for strategic planning, techniques for detection rules, sub-techniques for specific indicators.

ATT&CK-based hunting workflow: 1) Select threat actor/campaign (APT29, Ryuk ransomware). 2) Review associated techniques from ATT&CK. 3) Develop hypotheses (if technique used, what logs/artifacts?). 4) Create detection queries (SIEM, EDR). 5) Hunt across environment. 6) Document findings. 7) Update detections. Example: T1003 OS Credential Dumping → search for LSASS access, registry hives, suspicious PowerShell. Map detections to techniques for coverage visibility.

ATT&CK Navigator is web-based tool for visualizing ATT&CK coverage. Features: color-code techniques (detected, not detected), layer overlays (compare defenses), export matrices, annotate techniques. Use cases: gap analysis (what techniques not detected?), tool evaluation (which techniques does EDR detect?), threat modeling (which APT techniques apply?), detection prioritization. JSON export for sharing. Version: supports all ATT&CK matrices (Enterprise, Mobile, ICS). Official tool from MITRE.

Detection mapping identifies which techniques your controls detect. Process: 1) Inventory security tools (EDR, SIEM, IDS, AV). 2) Review detection rules/signatures. 3) Map each detection to ATT&CK technique. 4) Score confidence (high/medium/low detection). 5) Visualize in Navigator (color-code). 6) Identify gaps. 7) Prioritize new detections. Example: Sysmon Event 10 (process access) → maps to T1003.001 (LSASS Memory). Frameworks: Detection as Code (Sigma), ATT&CK Navigator layers.

Sub-techniques are specific implementations of broader techniques. Added in 2020 to increase granularity. Example: T1003 OS Credential Dumping has sub-techniques: T1003.001 LSASS Memory, T1003.002 Security Account Manager, T1003.003 NTDS, etc. Helps: precise detection engineering, reduce false positives, better threat reporting. Format: T####.### (technique.sub-technique). Not all techniques have sub-techniques. Use for: detailed mapping, specific IOC creation, incident attribution.

Red team ATT&CK integration: 1) Select target techniques based on scenario (APT emulation, ransomware). 2) Plan attack chain (Initial Access → Persistence → Lateral Movement → Impact). 3) Use ATT&CK for tool selection (which tools implement technique?). 4) Document techniques used during engagement. 5) Map results to ATT&CK for report (show gaps). 6) Test blue team detections per technique. Tools: Atomic Red Team (automated tests), Caldera (C2), Red Canary Atomic tests.

Data sources identify logs/telemetry needed to detect techniques. Examples: Process Monitoring (Sysmon, EDR), Network Traffic (NetFlow, PCAP), Windows Event Logs (Security, System), File Monitoring (FIM), Cloud Audit Logs (CloudTrail, Azure Monitor). Each technique lists required data sources. Use for: logging strategy, tool requirements, detection feasibility. ATT&CK v10+ includes data components (specific log events). Example: T1003 needs Process Access (Sysmon Event 10), Windows Event 4656.