MITRE ATT&CK | Analysis | About#

You can analyse MITRE ATT&CK with heat maps. A heat map shows a heat level for each MITRE ATT&CK classification (tactic, technique or sub-technique), i.e. the number of times that classification is assigned to the entities included in the heat map. Heat levels are expressed through colour: the more often a classification is assigned to entities in the heat map, the deeper its colour.

Each heat map is organized according to one of the three ATT&CK matrices that MITRE maintains for different industry contexts.

Permissions#

  • To be able to create & customize heat maps, your user must have a role with the modify attack permission.

  • To view heat maps, the read attack permission suffices.

Note that heat maps only reflect associations with entities that your user is allowed to see.

Working with heat maps#

ATT&CK Matrices#

MITRE maintains matrices that group and order the ATT&CK TTPs for different industry contexts, and heat maps follow the same layout. EclecticIQ Intelligence Center supports the following matrices:

  • Enterprise: this matrix caters to intelligence classification in corporate and governmental organizations.

  • ICS (Industrial Control Systems): this matrix caters to intelligence classification in production and manufacturing organizations.

  • Mobile: this matrix caters to intelligence classification in the context of utilizing or compromising cellular network access and personal devices. It covers both Android and iOS.

Heat levels#

Classifications (tactics, techniques and sub-techniques assigned to entities) are given a heat level based on the number of entities they are assigned to. Heat levels can be calculated in one of three ways:

  • Non-aggregated

  • Aggregated

  • Aggregated (including classifications with no heat level)
    This is the default scoring method.

In the MITRE ATT&CK Analysis view, you can switch between scoring methods.

Non-aggregated#

A classification’s non-aggregated heat level equals the number of entities it is assigned to.

Aggregated#

Aggregation applies only to techniques and tactics that aren’t assigned to any entities themselves (i.e. their own non-aggregated heat level is 0). Techniques and tactics with a non-zero heat level of their own keep it.

A technique’s aggregated heat level is equal to the average of the heat levels of its sub-techniques.

A tactic’s aggregated heat level is equal to the average of the aggregated heat levels of its techniques.

Sub-techniques have no aggregated heat level.

Because aggregated heat levels are averages, the sum of the heat levels of all classifications that belong to a tactic or technique is divided by a count of those classifications. With this method, only classifications with a non-zero heat level are counted in the divisor.

Aggregated heat level example

  • A technique isn’t assigned to any entities.

  • It has six sub-techniques.

  • One of the sub-techniques is assigned to six entities.

  • Two of the sub-techniques are assigned to three entities each.

  • Three of the sub-techniques are not assigned to any entities.

In this case, the summed heat level equals 6 + 3 + 3 + 0 + 0 + 0 = 12. Three sub-techniques have a non-zero heat level, so the aggregated heat level of the technique equals 12 / 3 = 4.

Aggregated (including classifications with no heat level)#

When aggregating while including classifications with no heat level, classifications that aren’t assigned to any entities are still counted in the divisor of the average calculation.

Aggregated scoring example (including classifications with no heat level)

  • A technique isn’t assigned to any entities.

  • It has six sub-techniques.

  • One of the sub-techniques is assigned to six entities.

  • Two of the sub-techniques are assigned to three entities each.

  • Three of the sub-techniques are not assigned to any entities.

The summed heat level again equals 6 + 3 + 3 + 0 + 0 + 0 = 12. Three sub-techniques have a non-zero heat level and three have no heat level. Because classifications with no heat level are counted in the divisor, the aggregated heat level equals 12 / 6 = 2.
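The three scoring methods above, as an added worked example in Python. This is not EclecticIQ Intelligence Center code; the tactic/technique hierarchy, the ATT&CK-style IDs and the entity counts are constructed so that the technique T1001 reproduces the two examples above (12 / 3 = 4 and 12 / 6 = 2), and a tactic-level aggregation is carried through as well, which the text describes but does not work through.

```python
"""Worked example of the three heat-level scoring methods.
Added illustration, not EclecticIQ Intelligence Center code; the hierarchy,
IDs and entity counts below are constructed for the example."""

from typing import Sequence

NON_AGGREGATED = "non-aggregated"
AGGREGATED = "aggregated"
AGGREGATED_WITH_ZERO = "aggregated-including-zero"  # the product's default

# Constructed hierarchy: tactic -> technique -> sub-techniques. The IDs are
# ATT&CK-style but do not map to real ATT&CK objects.
TACTICS: dict[str, dict[str, list[str]]] = {
    "TA0001": {
        "T1001": [f"T1001.00{i}" for i in range(1, 7)],  # six sub-techniques
        "T1002": ["T1002.001", "T1002.002"],
        "T1003": [],                                      # no sub-techniques
    },
}

# Constructed non-aggregated heat levels: number of entities each
# classification is assigned to. Absent IDs are assigned to no entities.
ENTITY_COUNTS: dict[str, int] = {
    "T1001.001": 6,
    "T1001.002": 3,
    "T1001.003": 3,   # T1001.004 .. T1001.006 are unassigned
    "T1002": 5,       # assigned directly, so it keeps its own level
    "T1002.001": 1,
}


def _average(levels: Sequence[float], include_zero: bool) -> float:
    """Average of child levels. Zero-scoring children are either counted in
    the divisor (include_zero=True) or dropped from it (include_zero=False)."""
    members = list(levels) if include_zero else [lv for lv in levels if lv > 0]
    return sum(members) / len(members) if members else 0.0


def technique_level(tid: str, subs: Sequence[str], mode: str,
                    counts=ENTITY_COUNTS) -> float:
    """Heat level of one technique under the given scoring method."""
    own = float(counts.get(tid, 0))
    # Aggregation only kicks in for techniques with no assignments of their own.
    if mode == NON_AGGREGATED or own > 0 or not subs:
        return own
    return _average([counts.get(s, 0) for s in subs], mode == AGGREGATED_WITH_ZERO)


def tactic_level(tac: str, mode: str, tree=TACTICS, counts=ENTITY_COUNTS) -> float:
    """Heat level of one tactic: the average of its techniques' aggregated levels."""
    own = float(counts.get(tac, 0))
    if mode == NON_AGGREGATED or own > 0:
        return own
    levels = [technique_level(t, subs, mode, counts) for t, subs in tree[tac].items()]
    return _average(levels, mode == AGGREGATED_WITH_ZERO)


def heat_map(mode: str = AGGREGATED_WITH_ZERO, tree=TACTICS,
             counts=ENTITY_COUNTS) -> dict[str, float]:
    """Heat level for every tactic, technique and sub-technique in `tree`."""
    out: dict[str, float] = {}
    for tac, techs in tree.items():
        out[tac] = tactic_level(tac, mode, tree, counts)
        for tid, subs in techs.items():
            out[tid] = technique_level(tid, subs, mode, counts)
            for sid in subs:
                out[sid] = float(counts.get(sid, 0))  # sub-techniques are never aggregated
    return out


if __name__ == "__main__":
    for mode in (NON_AGGREGATED, AGGREGATED, AGGREGATED_WITH_ZERO):
        levels = heat_map(mode)
        print(f"{mode:28s} TA0001={levels['TA0001']:.2f} "
              f"T1001={levels['T1001']:.2f} T1003={levels['T1003']:.2f}")
```

Running the script prints T1001 as 0 (non-aggregated), 4 (aggregated) and 2 (aggregated including zero-scoring classifications). The unassigned technique T1003 shows the same effect one level up: under the default method it is counted in the tactic's divisor, so TA0001 averages 2, 5 and 0 to 7/3, while the plain aggregated method drops it and averages 4 and 5 to 4.5.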