The ATT&CK™ Navigator: A New Open Source Project

March 5, 2018
Cyber Threat Intelligence: Post by Richard Struse

As my colleague John Wunder described recently, MITRE is making a series of investments in the ATT&CK framework. We're working to make the content in ATT&CK easier to discover and use, and one of the ways we're doing that is with a new open source web application we call the ATT&CK™ Navigator.

The ATT&CK Navigator provides basic navigation and annotation of the ATT&CK for Enterprise, ATT&CK for Mobile, and the PRE-ATT&CK™ matrices, something that people are already doing today in tools like Excel. We've designed it to be simple and generic. You can use the Navigator to visualize your defensive coverage, your red/blue team planning, the frequency of detected techniques, or anything else you want to do. The Navigator doesn't care—it just allows you to manipulate the cells in the matrix (by color coding, adding a comment, assigning a numerical value, etc.).

The principal feature of the Navigator is the ability for users to define layers—custom views of an ATT&CK matrix—for example, showing just the techniques for a particular platform, highlighting techniques a specific adversary has been known to use, creating heat maps for heavily used techniques, or visualizing defensive coverage. Layers can be created interactively within the Navigator or generated programmatically and then visualized via the Navigator. For people interested in the latter, we've included some sample code that generates Navigator layer files from a variety of data sources.
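As an illustration of generating a layer programmatically, the sketch below turns a list of detections into a heat-map layer file. It is an added example, not the sample code shipped with the Navigator. The detection records are constructed, and the JSON key names and the `enterprise-attack` domain value are assumptions taken from the Navigator layer file format, which this post does not describe, so check them against the Navigator version you run.

```python
import json
from collections import Counter

# Constructed sample input: (detection rule name, ATT&CK technique ID) pairs,
# as might be exported from a SIEM. Not real data.
SAMPLE_DETECTIONS = [
    ("ps_encoded_command", "T1059"),
    ("ps_download_cradle", "T1059"),
    ("new_run_key", "T1547"),
    ("lsass_handle_open", "T1003"),
    ("ps_amsi_bypass", "T1059"),
    ("procdump_lsass", "T1003"),
]

def build_layer(detections, name, domain="enterprise-attack"):
    """Return a layer dict scoring each technique by how many detections hit it.

    Key names (techniqueID, score, comment, gradient) are assumed from the
    Navigator layer file format; verify against the Navigator version in use.
    """
    counts = Counter(tid for _, tid in detections)
    rules = {}
    for rule, tid in detections:
        rules.setdefault(tid, []).append(rule)
    techniques = [
        {
            "techniqueID": tid,
            "score": n,
            "comment": "rules: " + ", ".join(sorted(rules[tid])),
        }
        for tid, n in sorted(counts.items())
    ]
    return {
        "name": name,
        "domain": domain,
        "description": "Detection frequency per technique (constructed sample)",
        "techniques": techniques,
        # Heat-map colouring: white at the minimum score, red at the maximum.
        "gradient": {
            "colors": ["#ffffff", "#ff6666"],
            "minValue": 0,
            "maxValue": max(counts.values(), default=1),
        },
    }

if __name__ == "__main__":
    with open("layer.json", "w", encoding="utf-8") as fh:
        json.dump(build_layer(SAMPLE_DETECTIONS, "Detection heat map"), fh, indent=2)
```

Running the script writes `layer.json`, which can then be opened in the Navigator as an existing layer.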

The source code for the ATT&CK™ Navigator can be found here. Use the GitHub issue tracker to let us know of any bugs or other issues you encounter. And we encourage pull requests if you've extended the Navigator in some cool way and want to share it back to the larger community. We've released the Navigator under a commercial-friendly license—Apache2—and we hope that you'll find the tool useful.

To make it even easier to get started, we have a hosted instance of the Navigator code that you can try out. Point your browser here for Enterprise and here for Mobile (PRE-ATT&CK content is automatically included in both). The Navigator runs completely in the browser, so there is nothing to install or configure. While we intend to keep the Navigator simple and focused on helping people make use of the knowledge in ATT&CK, in the coming months we'll be adding a few new features and enhancements. Feel free to suggest new features, or better yet, implement them yourself and send us a pull request.

If you have any questions or comments about the Navigator or what we're doing in cyber threat intelligence overall, please feel free to send us an e-mail or message on Twitter.