Just Released! Version 2 of the ATT&CK™ Navigator

May 21, 2018
Cyber Threat Intelligence: Post by Richard Struse

Back in March I wrote about our initial release of the ATT&CK Navigator – an open-source tool designed to help users explore and use the ATT&CK knowledge base. Work has continued on the Navigator and we’re happy to announce the release of Version 2! Thank you to everyone who submitted issues and provided feedback.

In this post I’m just going to focus on the major new features we added – if you want the complete list of everything we added (or changed) there is a summary at the end of this blog post. For complete details consult the release notes. The major enhancements in Version 2 of the Navigator are:

  • Layer export to SVG
  • Enhanced ability to select and operate on multi-tactic techniques
  • Support for getting ATT&CK content from a TAXII™ 2 server
  • Ability to customize the Navigator UI via URL parameters

Export to SVG

One of the most frequent requests we’ve received is for the ability to export an image of a layer from the Navigator. Most people want to include layer images in slide decks or reports, but at least some said that they wanted to be able to print out huge versions of the matrix and hang them on the walls of their SOC (that sounds cool ☺). Exporting is simple – once you have a layer you want to export, just click the Camera icon and a new tab will open up in the Navigator where you can customize the exported image, including the dimensions, font sizes, header info and legend placement. Here’s an example of the April 2018 ATT&CK release content exported as an SVG:

Click to enlarge

Operating on Multi-tactic Techniques

Some of the techniques within ATT&CK appear under multiple tactic categories – we call these "multi-tactic techniques". A couple of examples of multi-tactic techniques are “Bypass User Account Control” (T1088) and "AppInit DLLs" (T1103). Version 1 of the Navigator treated these techniques as a monolith – if you color-coded "AppInit DLLs" red for example, that color was applied to all instances of the technique. In version 2 you now have a choice as the Navigator supports the ability to toggle between two modes for multi-tactic techniques. In one mode, the Navigator continues to operate as it did in Version 1 – if you select and operate on a multi-tactic technique, your operations apply to all instances of that technique in the matrix. In the other mode, each technique is treated as an independent entity, meaning that you can color-code, score or comment on each instance of the technique separately. Look for the Lock icon in the tool bar.

Navigator Now Supports TAXII 2

This month we announced that the ATT&CK knowledge base is now accessible via the TAXII 2 protocol. Version 2 of the Navigator now supports retrieving the STIX 2 ATT&CK content from a TAXII 2 server. By default, the Navigator is configured to connect to MITRE’s TAXII server but you can change the configuration to retrieve the ATT&CK content from whatever TAXII 2 server you specify. This makes it easier for organizations to deploy local instances of the ATT&CK knowledge base and Navigator.

Navigator URL Customization

In Version 2 you can use parameters passed in via the URL to customize many aspects of the Navigator appearance and controls in addition to specifying the URL of a layer to open. This makes it easy to pass around links to layers (such as this one) that when clicked will launch the Navigator and automatically open that layer. Note that in addition to automatically opening the layer we recently published visualizing the changes in our last content update, we’ve also customized the Navigator UI, removing most of the controls. This is useful when you want to embed layers in other web pages, for example.  The full list of Navigator URL parameters can be found here under "features".

Other Additions and Changes

  • Updated layer file format to support new features
  • Ability to set tactic row background color
  • “Super-mini” view mode (techniques rendered as small squares)
  • Ability to define a color legend
  • Ability to clear all annotations (color, score, comments) on selected techniques
  • Ability to add custom menu entries to the right-click menu for techniques

Summary

These are just some of the many improvements we’ve made to the Navigator. I encourage you to give it a try and let us know what you think. To report bugs or if you want to suggest new features, use the GitHub issue tracker. And of course, we encourage you to make your own additions and improvements to the Navigator and then send us a pull request so we can share those with the entire community.

If you have any questions or comments about the Navigator or what we're doing in cyber threat intelligence overall, please feel free to please send us an e-mail or message on Twitter.

Happy Navigating!

Learn More from our Cyber Bloggers!

Enjoy hearing about the latest cyber trends and strategies? MITRE's Cyber Connections & Directions collection keeps you up to date on big-picture trends and strategies. We invite you to sort by topic or view the entire collection.