MITRE ATT&CK is free, continuously updated, and extremely useful for testing your organisation's security posture against real-world threat actor tactics, techniques and procedures (TTP). 

But there's a catch. How do you map threat actor TTPs from your environment onto the database in ATT&CK?

Most organisations don't. In one survey, 84% of respondents said they do not have a thorough mapping to ATT&CK within their organisations. 

If this describes you or your organisation, read on. 

This short guide shows you the MITRE ATT&CK mapping tools you can use to do faster, more accurate ATT&CK mapping. 

How to Do MITRE ATT&CK Mapping 

As of the publication of this blog, MITRE ATT&CK details 14 tactics, 196 techniques, 411 sub-techniques, 138 groups, 22 campaigns, and 740 pieces of software. MITRE also keeps updating the framework, i.e., an April 2023 update resulted in over 100 changes. 

To keep up, you need to have an evolving understanding of the data you have and the ATT&CK framework itself. 

Per CISA's excellent guide to MITRE ATT&CK mapping to Cyber Threat Intelligence (CTI) reports, mapping to ATT&CK starts with looking for unusual or suspicious behaviour in your data. Then, you need to research this behaviour using online sources such as vendor reports (like this one) to see if it matches any known adversary behaviours. 

After you've done your research, try to match the behaviours you observe to tactics (find the "why”) and techniques (the "how") listed in the ATT&CK framework. Ideally, you should also be able to identify sub-techniques, but this requires a high level of content.

A best practice is to do ATT&CK mapping as a team and peer review your findings. 

You can also map raw data to ATT&CK using a similar process but with logs, malware signatures, and network activity instead. 

However, while you can theoretically map to ATT&CK using the MITRE ATT&CK framework and CTI, in order to visualise, communicate and act on the results of your ATT&CK mapping, you need an ATT&CK mapping tool.

MITRE ATT&CK Mapping Tools 

These three ATT&CK mapping tools give you a decision tree for figuring out what behaviour maps to which TTPs. They also provide a way to show others what your ATT&CK coverage looks like.

TRAM (Threat Report ATT&CK Mapper)

TRAM is an open-source tool that uses AI to reduce the time it takes to identify adversary TTPs in cyber threat intelligence reports. It uses Large Language Models (LLMs) to read reports and suggest how they could map onto MITRE ATT&CK. 

TRAM uses a similar technology to CHAT GPT to read and annotate CTIs and match their text to MITRE ATT&CK. However, as of the publication of this blog, TRAM only predicts 50 of the over 600 ATT&CK (sub-) techniques.

Use TRAM for rapid MITRE ATT&CK mapping.  

Decider

Developed by the US Central Intelligence Security Agency (CISA), Decider guides you through a series of questions to help you figure out what tactics, techniques, or sub-techniques are present in your environment. 

Decider is a web application that you can also host internally for customised use and is compatible with Enterprise ATT&CK versions 11.0 and 12.0.

Use Decider for comprehensive MITRE mapping and as a companion to CISA's Mapping guide. 

MITRE ATT&CK Navigator

MITRE ATT&CK Navigator is not a decision-making tool in the same sense as TRAM or Decider but a visualisation tool. 

Acting as an interactive version of the MITRE ATT&CK framework that you can download, colour in, comment and share as an SVG or image, it helps you see how different types of attacks relate to each other and your data.

MITRE ATT&CK Navigator is useful for quickly identifying security gaps, planning defences, and sharing insights into coverage gaps (especially with non-technical decision-makers).

Use Navigator to communicate your mapping findings.

SenseOn Automatically Maps to Mitre ATT&CK

According to CISA's MITRE ATT&CK mapping best practices guide: 

"Without adequate contextual technical details to sufficiently describe and add insight into an adversary's behaviour, there is little value to ATT&CK mapping.”

Essentially, CISA is saying there is no point in trying to map your environment to MITRE ATT&CK without context.

By bringing data from endpoints, networks and users into a single universal data type, SenseOn not only delivers this context but also automatically maps what's happening in your environment to ATT&CK in the cases (alerts) it surfaces to analysts. 

With SenseOn, an analyst can click through different attack stages, automatically mapping events onto ATT&CK techniques and tactics with a link back to the MITRE ATT&CK site to learn more about the behaviour being observed and the next steps they should take. 

Contact us today to learn more about how SenseOn helps with ATT&CK mapping.