Using the ATT&CK Matrix in real-time to understand threats and attacks

The MITRE ATT&CK Framework is widely recognized as instrumental in providing a common language and framework for describing attack techniques and effectively sharing information across organizations. However, we’re just starting to see the potential benefits this matrix can provide when integrated directly into security tools.

Uptycs recently announced a major release of its product that functionally and visually aligns detection results with the MITRE ATT&CK Matrix. They claim to have mapped more than 500 detection events to ATT&CK tactics and techniques, allowing them to visualize related detection signals on the matrix. While this humble rubric is little more than rows and columns, useful data can be gleaned from a quick glance.

Screenshot of Uptycs user interface

The matrix is organized in columns. As we follow these columns, left to right, we step through the natural stages of an attack, generally in the order they would appear on a timeline as the attack progressed. The matrix begins with reconnaissance. It then works through initial access techniques, which, if successful lead to persistence, exploration and lateral movement. Eventually, the matrix reaches the attacker’s endgame, which could be a ransom note, data exfiltration or simple destruction.

At a glance, the analyst can see the general stage of the attack as well as the quantity of the different attack techniques involved. This visual information is useful, as it can speed up understanding in a way that simple, text-based information can’t achieve. The power of this visualization is that it can reduce the amount of time necessary to make decisions leading to the containment and eradication of the attack. In addition, the accompanying process graph makes it possible to more quickly understand and analyze malware behavior.

We’ve come a long way from what once passed for cybersecurity visualizations. Walk into the average SOC and you might see Wargames-inspired global maps showing attack traffic in real-time. Not terribly useful for the analyst, but looked great for visitors on a tour of the SOC. Fast forward only five years and data scientists have become an integral part of most product teams, leading to more effective use of dashboards, charts, and visualizations.

MITRE ATT&CK is an excellent example of how the industry has matured into pragmatic techniques and tactics driven threat detection.

MITRE Attack Matrix for Enterprise screenshot

How far we’ve come in such a short time! To learn more about Uptycs and how they can provide your organization with improved security visibility for your endpoints, visit securityweekly.com/uptycs.