Heatmap Analysis | About#

Intelligence Center supports multiple threat and adversary frameworks that codify tactics, techniques, and procedures (TTPs) used by malicious actors. These frameworks provide structured knowledge bases based on real-world observations to help you understand and analyze threats to your organization.

Supported Frameworks#

Intelligence Center currently supports:

Classifications

You can learn more about classifications.

Framework classifications can be analyzed with heatmaps. Heatmaps are visual representations that show classification heat levels—the frequency with which each classification is assigned to entities in the heatmap. Heat levels are expressed through color, meaning the more often a classification is assigned to entities in the heatmap, the deeper its color.

Available Matrices#

Heatmaps are organized according to matrices developed for each framework. Different matrices may be available depending on the framework and its industry or domain focus.

MITRE ATT&CK Matrices#

MITRE has created matrices that include and order the ATT&CK TTPs for different industry contexts, and heatmaps follow those layouts. EclecticIQ Intelligence Center supports the following matrices:

  • Enterprise: This matrix caters to intelligence classification in corporate and governmental organizations.

  • ICS (Industrial Control Systems): This matrix caters to intelligence classification in production and manufacturing organizations.

  • Mobile: This matrix caters to intelligence classification in the context of utilizing or compromising cellular network access and personal devices. It covers both Android and iOS.

DISARM Matrix#

DISARM Red provides a matrix focused on disinformation and influence operations.

Permissions#

  • To be able to create & customize heatmaps, your user must have a role with the modify attack permission.

  • To view heatmaps, the read attack permission suffices.

Note that the heatmaps will only display associations with entities that your user is allowed to see.

Working with heatmaps#

Export heatmaps

You can export a heatmap by opening it and selecting More options (the icon of three dots arranged vertically), hovering over Export, and then selecting the format you’d like to export in. Available formats are:

  • JSON

  • CSV

  • PNG

Only classifications that are assigned at least once are included in the export.

Heat levels#

Classifications (TTP assignments to entities) are assigned a heat level based on the number of entities they are assigned to. Heat levels can be calculated in one of three ways:

  • Non-aggregated

  • Aggregated

  • Aggregated (including zero-scoring classifications)
    This is the default scoring method.

In the Heatmap Analysis view, you can switch scoring methods.

Non-aggregated#

A classification’s non-aggregated heat level equals the number of entities it is assigned to.

Aggregated#

Aggregated heat level applies only to techniques and tactics that aren’t directly assigned to any entities (i.e. their own heat level is 0).

A technique’s aggregated heat level is equal to the average of the heat levels of its sub-techniques.

A tactic’s aggregated heat level is equal to the average of the aggregated heat levels of its techniques.

Sub-techniques have no aggregated heat level.

Because aggregated heat levels rely on averages, the calculation divides the sum of heat levels of all child classifications by the number of child classifications with a non-zero heat level.

Aggregated heat level example

Consider a technique that isn’t directly assigned to any entities but has six sub-techniques:

  • One sub-technique is assigned to 6 entities

  • Two sub-techniques are assigned to 3 entities each

  • Three sub-techniques are not assigned to any entities

In this case, the sum heat level equals 6 + 3 + 3 + 0 + 0 + 0 = 12

There are three sub-techniques with non-zero heat levels, meaning the aggregated heat level of the parent technique equals 12 / 3 = 4.

Aggregated (including classifications with no heat level)#

When aggregating while including classifications with no heat level, classifications that aren’t assigned to entities are still included in the count for the division in the average calculation.

Aggregated scoring example (including classifications with no heat level)

Using the same scenario as above:

  • A technique isn’t assigned to any entities

  • It has six sub-techniques

  • One sub-technique is assigned to 6 entities

  • Two sub-techniques are assigned to 3 entities each

  • Three sub-techniques are not assigned to any entities

The sum of the sub-technique heat levels equals 6 + 3 + 3 + 0 + 0 + 0 = 12

There are six sub-techniques total (three with heat levels and three with no heat levels). When counting classifications with no heat level, the aggregated heat level equals 12 / 6 = 2.
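The three scoring methods above, implemented over a small classification tree as an added example (this is not EclecticIQ code, and the node and entity ids are constructed). It reproduces both worked examples (12 / 3 = 4 and 12 / 6 = 2) and, going one level further than the text, rolls a zero-scoring technique's average up into its tactic; it also handles the edge case of a node with no scorable children. The assumption that a child contributes its own level under the same method is labelled in the code.

```python
"""Heat-level scoring for a classification tree (tactic > technique >
sub-technique), following the three methods described on this page."""
from dataclasses import dataclass, field


@dataclass
class Node:
    """One classification: a tactic, technique or sub-technique."""
    kind: str                                     # "tactic" | "technique" | "sub-technique"
    entities: set = field(default_factory=set)    # ids of entities it is assigned to
    children: list = field(default_factory=list)  # techniques or sub-techniques


def heat(node, method="aggregated_with_zero"):
    """Return the heat level of `node` under one of the three methods.

    non_aggregated        -> number of directly assigned entities
    aggregated            -> if 0 directly, sum of children / children with heat > 0
    aggregated_with_zero  -> if 0 directly, sum of children / number of children
    Assumption (not stated on the page): a child's contribution is its own
    level under the same method, so a zero-scoring technique passes its
    sub-technique average up to its tactic. Sub-techniques have no children,
    so they always score their own entity count.
    """
    own = len(node.entities)
    if method == "non_aggregated" or own > 0 or not node.children:
        return own
    child_levels = [heat(c, method) for c in node.children]
    if method == "aggregated":
        divisor = sum(1 for lvl in child_levels if lvl > 0)
    else:
        divisor = len(child_levels)
    return sum(child_levels) / divisor if divisor else 0  # nothing to average -> 0


def example_technique():
    """The six-sub-technique scenario from the text (constructed entity ids)."""
    subs = [
        Node("sub-technique", {"e1", "e2", "e3", "e4", "e5", "e6"}),  # 6 entities
        Node("sub-technique", {"e7", "e8", "e9"}),                    # 3 entities
        Node("sub-technique", {"e10", "e11", "e12"}),                 # 3 entities
        Node("sub-technique"), Node("sub-technique"), Node("sub-technique"),
    ]
    return Node("technique", children=subs)


def example_tactic():
    """A tactic with the technique above, one directly assigned technique, and one empty one."""
    direct = Node("technique", {"e13", "e14"})
    return Node("tactic", children=[example_technique(), direct, Node("technique")])


if __name__ == "__main__":
    for m in ("non_aggregated", "aggregated", "aggregated_with_zero"):
        print(m, heat(example_technique(), m), heat(example_tactic(), m))
```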