Understand threat coverage with the MITRE ATT&CK matrix

This document describes how to use the MITRE ATT&CK matrix dashboard in Google Security Operations. The matrix helps you understand your organization's security posture against the MITRE ATT&CK framework. It also helps you find gaps in your threat coverage and prioritize your security tasks.

Understand tactics and techniques

In the MITRE ATT&CK framework, tactics and techniques are two fundamental concepts used to categorize adversary behavior.

  • Tactic: High-level goal that an attacker is trying to achieve. For example, common tactics include Initial Access (getting into the network), Persistence (staying in the network), and Exfiltration (stealing data).

  • Technique: The specific method used to achieve a tactic. For example, an attacker might use the Phishing technique to achieve the Initial Access tactic. Each tactic has several techniques that an adversary could use.

The following tactics are displayed in the MITRE ATT&CK matrix:

MITRE ATT&CK tactic    Description
---------------------  ----------------------------------------------------------
Collection             Gather data.
Command and control    Contact controlled systems.
Credential access      Steal login and password information.
Defense evasion        Avoid detection.
Discovery              Figure out your environment.
Execution              Run malicious code.
Exfiltration           Steal data.
Impact                 Manipulate, interrupt, or destroy systems and data.
Initial access         Gain entry to your environment.
Lateral movement       Move through your environment.
Persistence            Maintain foothold.
Privilege escalation   Gain higher-level permissions.
Reconnaissance         Gather information to use in future malicious operations.
                       This tactic displays in the matrix only when the PRE
                       platform is selected in your user preferences.
Resource development   Establish resources to support malicious operations.
                       This tactic displays in the matrix only when the PRE
                       platform is selected in your user preferences.

Common use cases

This section lists some common use cases for using the MITRE ATT&CK matrix.

Respond to a new threat advisory

  • Scenario: the Cybersecurity and Infrastructure Security Agency (CISA) issues an alert about a new ransomware family targeting your industry.

  • User goal: a detection engineer needs to know if their current security rules can detect the specific tactics, techniques, and procedures (TTPs) used by this new threat.

  • Steps:

    1. The engineer opens the MITRE ATT&CK matrix.

    2. They filter the matrix to highlight the techniques mentioned in the CISA alert (for example, T1486: Data Encrypted for Impact, T1059.001: PowerShell).

    3. They notice that the matrix shows that PowerShell is well-covered, but Data Encrypted for Impact is a critical gap with "No Coverage".

  • Outcome: the engineer finds a high-priority gap in their defenses. They can now create a new detection rule to cover the ransomware behavior.

Tune and improve existing detections

  • Scenario: after a recent security incident, a security engineer needs to improve the quality of the detections that were triggered.

  • User goal: the engineer wants to see all data points for a specific technique. This helps them decide if their existing rules are using the best data sources and logic.

  • Steps:

    1. The engineer opens the matrix and clicks the technique T1003: OS Credential Dumping.

    2. The Details view shows the two rules for this technique.

    3. They notice both rules use older command-line logs. However, the data source widget shows that their new EDR tool provides higher-fidelity data for this technique.

  • Outcome: the engineer finds a clear way to improve detection quality. They can now create a new, more robust rule using the EDR data. This leads to fewer false positives and a better chance of catching complex credential dumping attacks.

Before you begin

For your custom rules to appear in the matrix and count toward threat coverage, you must map them to one or more MITRE ATT&CK techniques.

To do this, add a technique key to the rule's metadata section. The value must be a valid MITRE ATT&CK technique ID or multiple IDs as a comma-separated string.

Example: metadata: technique="T1548,T1134.001"

New rules appear in the matrix within a few minutes.

Access the MITRE ATT&CK matrix

To access the MITRE ATT&CK matrix, do the following:

  1. Log in to Google SecOps.

  2. From the navigation menu, click Detection > Rules & Detections.

  3. Navigate to the MITRE ATT&CK Matrix tab.

The MITRE ATT&CK matrix appears.

Use the MITRE ATT&CK matrix

The matrix displays MITRE ATT&CK tactics as columns and techniques as cards within those columns. Each technique card is color-coded to indicate the current status and depth of your detection coverage for that technique.

Refine the coverage calculation

Use the Rule type, Live status, and Alerting status lists to refine the coverage calculation, for example to count only live rules or only rules that generate alerts.

Search for techniques

Use the search bar to find a specific technique by name (for example, Windows Command Shell), by ID (for example, T1059.003), by log type, or by MITRE data source.

View technique details and log sources

Click any technique card to open the technique details side panel. This panel provides information about the technique and your organization's ability to detect it.

The panel contains the following information:

MITRE description: the official description of the technique from the MITRE ATT&CK framework.

Associated rules: a list of all the associated rules for that technique.

Log sources: the log sources that correspond to the technique's MITRE data sources and that have actively sent data in the past 30 days.

Export data

Click Export to download the current matrix view as a JSON file. This file is compatible with the official MITRE ATT&CK navigator tool for further analysis.
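The following added example (not part of this page or of Google SecOps) ties together the rule mapping described under "Before you begin" and the exported matrix view: it reads the comma-separated technique IDs from constructed YARA-L meta sections, rejects malformed IDs so a typo cannot count as coverage, and emits a minimal ATT&CK Navigator layer that flags advisory techniques with no rule as "No Coverage". The rule texts, rule names, colours, and the assumption that the mapping line is `technique = "..."` are constructed for illustration.

```python
import json
import re

# Constructed YARA-L meta sections (illustration only, not real SecOps rules).
# Assumption: the mapping key is `technique` with comma-separated ATT&CK IDs.
RULES = {
    "suspicious_powershell": 'meta:\n  author = "soc"\n  technique = "T1059.001"\n',
    "token_manipulation": 'meta:\n  technique = "T1548,T1134.001"\n',
    "unmapped_rule": 'meta:\n  author = "soc"\n',
}

# Valid technique IDs look like T1548 or sub-techniques like T1134.001.
TECHNIQUE_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")
TECHNIQUE_LINE = re.compile(r'^\s*technique\s*=\s*"([^"]*)"', re.MULTILINE)


def techniques_for_rule(rule_text):
    """Return the well-formed technique IDs declared in a rule's meta section."""
    m = TECHNIQUE_LINE.search(rule_text)
    if not m:
        return []
    ids = [t.strip() for t in m.group(1).split(",") if t.strip()]
    # Drop malformed IDs so a typo does not silently show up as coverage.
    return [t for t in ids if TECHNIQUE_ID.match(t)]


def coverage(rules):
    """Map each technique ID to the names of the rules that reference it."""
    result = {}
    for name, text in rules.items():
        for tid in techniques_for_rule(text):
            result.setdefault(tid, []).append(name)
    return result


def navigator_layer(cov, watchlist, name="constructed coverage layer"):
    """Build a minimal Navigator layer; watchlist techniques with no rule are flagged."""
    techniques = []
    for tid in sorted(set(cov) | set(watchlist)):
        rules = cov.get(tid, [])
        techniques.append({
            "techniqueID": tid,
            "score": len(rules),  # number of mapped rules
            "color": "#8ec07c" if rules else "#fb4934",  # constructed colours
            "comment": ", ".join(rules) if rules else "No Coverage",
        })
    return {"name": name, "domain": "enterprise-attack", "techniques": techniques}


if __name__ == "__main__":
    # Watchlist mirrors the advisory use case above: T1486 has no rule here.
    print(json.dumps(navigator_layer(coverage(RULES), ["T1486", "T1059.001"]), indent=2))
```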
