About the MITRE Dashboard
The MITRE ATT&CK framework is a globally accessible knowledge base and comprehensive matrix of adversarial Tactics and Techniques based on real-world observations. The MITRE Dashboard provides a holistic view of the different types of cloud activity that may be compromised across cloud services such as AWS, Salesforce, Box, Office 365, and more.
The ATT&CK framework helps the Security Operations Center (SOC) analyst investigate and visualize the threat progression, or "Kill-Chain", for executed and potential threats, and helps stop a cloud data breach from progressing. The security response team can then identify and remediate cloud data breaches in the organization.
Skyhigh CASB maps Threats, Anomalies, and Incidents with the MITRE ATT&CK framework and displays them in the Dashboard to provide an investigation tool for SOC analysts.
To access it, go to Dashboards > MITRE Dashboard.
All supported Services are consolidated on this page, or you can choose to view the Threats, Anomalies, and Incidents occurring in just one Service. You can view the Tactics and Techniques in the Matrix view, or use Insights and Filters to find the information you need.
The MITRE ATT&CK Matrix: Cloud page provides the following information:
- Search. Use the Omnibar to search for values and options.
- Insights. Displays the available Threat Types with the Executed and Potential Threat counts.
- Filters. Select options on the Filters tab to scope down your search. The following options are available:
- Service Name. The name of the cloud service.
- Threat Type. The name of the threat type.
- Status. The available MITRE Threat statuses are:
- Executed Threat. Threats that caused risk to your cloud service security.
- Potential Threat. Threats that have the potential to cause risk to your cloud service security. Review Potential Threats to reduce the impending risk.
- Top 20 Users. Top 20 users who are impacted by the attacks.
- Date Picker. Use the Date Picker to specify a date range to display data.
- Executive Summary. The Executive Summary displays an at-a-glance view of the current count of Threats, Anomalies, Incidents, types of incidents, and Detected Techniques with severity.
- Under Incidents, click More to expand and view more incident types. These are the incident types supported in MITRE:
- Config Audit
- File Integrity Incident
- Cloud Access Policy
- Connected Apps
- DLP
- Image Hardening
- Malware Policy Violation
- Shadow/Web DLP
- Vulnerability
- Detected Techniques. If any incident is detected for a technique in Skyhigh CASB, a severity is computed for that technique. The detected techniques are categorized by the severity of their associated incidents:
- Maroon. High severity.
- Red. Medium severity.
- Orange. Low severity.
- Yellow. Warning.
- Blue. Info severity.
ATT&CK Matrix
The ATT&CK Matrix represents the relationship between attacker Tactics and Techniques:
- Tactics. A tactic describes the objective, or why the adversaries are performing the attack. In the ATT&CK Matrix, the table header represents tactics.
- Technique. A technique describes how adversaries achieve their tactical objective, that is, the technical means attackers use to reach the goal. In the ATT&CK Matrix, each table cell represents a technique.
Tactics
Multiple techniques can be used to achieve one tactical objective. The ATT&CK Matrix defines the following tactics used in a cyberattack:
Tactics | Description |
---|---|
Initial Access | The adversary is trying to get into your network. |
Execution | The adversary is trying to run malicious code. |
Persistence | The adversary is trying to maintain its foothold. |
Privilege Escalation | The adversary is trying to gain higher-level permissions. |
Defense Evasion | The adversary is trying to avoid being detected. |
Credential Access | The adversary is trying to steal account names and passwords. |
Discovery | The adversary is trying to figure out your environment. |
Lateral Movement | The adversary is trying to move through your environment. |
Collection | The adversary is trying to gather data of interest to their goal. |
Command and Control | The adversary is trying to communicate with compromised systems to control them. |
Exfiltration | The adversary is trying to steal data. |
Impact | The adversary is trying to manipulate, interrupt, or destroy your systems and data. |
Techniques
The techniques describe how an adversary performs an action to achieve a tactical objective. The ATT&CK Matrix has multiple techniques in each tactic category, and these techniques support the following use cases for achieving a secure outcome:
- Detect the exact adversarial behavior.
- Propose mitigation measures that harden your cloud security and reduce the risk of the attack.
- Investigate and apply remediation actions for the detected incident that is causing risk.
Detected Techniques
When an incident is detected for a technique in Skyhigh CASB, a severity is computed for that technique. The detected techniques are categorized by the severity of their incidents. Each detected technique is interactive and leads to more detailed explanations.
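The roll-up described above (incidents mapped to techniques, a severity per technique, tactic columns in the matrix, the per-type counts shown on a technique's Mini Cards, and the Top 20 Users list) as an added worked example in Python. This is not Skyhigh CASB code: the incident records, the mapping of incident types to ATT&CK techniques, the ordering of the severity bands, and the "highest incident severity wins" rule are all constructed assumptions, since the page only states that a severity is computed from the associated incidents.

```python
from collections import Counter
from dataclasses import dataclass

# Severity bands as listed on the dashboard, ordered from least to most severe.
# The ordering itself is an assumption: the page only lists the colours and labels.
SEVERITY_ORDER = ["Info", "Warning", "Low", "Medium", "High"]
SEVERITY_COLOR = {
    "High": "Maroon", "Medium": "Red", "Low": "Orange", "Warning": "Yellow", "Info": "Blue",
}

# The eleven incident types that appear as Mini Cards on a Technique Cloud Card.
MINI_CARD_TYPES = [
    "DLP", "Config Audit", "Vulnerability", "Connected Apps", "Anomaly", "Threat",
    "File Integrity Incident", "Malware Policy Violation", "Cloud Access Policy",
    "Shadow/Web DLP", "Image Hardening",
]


@dataclass(frozen=True)
class Incident:
    incident_type: str  # one of MINI_CARD_TYPES
    technique: str      # ATT&CK technique the incident was mapped to
    tactic: str         # ATT&CK tactic that technique belongs to
    severity: str       # one of SEVERITY_ORDER
    user: str           # impacted user
    service: str        # cloud service (AWS, Box, ...)


# Constructed sample data; the technique mappings are hypothetical, not CASB output.
SAMPLE_INCIDENTS = [
    Incident("Connected Apps", "Trusted Relationship", "Initial Access", "High", "alice@example.com", "Office 365"),
    Incident("Connected Apps", "Trusted Relationship", "Initial Access", "Low", "bob@example.com", "Salesforce"),
    Incident("DLP", "Trusted Relationship", "Initial Access", "Medium", "alice@example.com", "Box"),
    Incident("Config Audit", "Valid Accounts", "Initial Access", "Warning", "carol@example.com", "AWS"),
    Incident("Vulnerability", "Exploit Public-Facing Application", "Initial Access", "Info", "dave@example.com", "AWS"),
]


def severity_rank(severity: str) -> int:
    """Position of a label in SEVERITY_ORDER; unknown labels are rejected, not silently ranked lowest."""
    if severity not in SEVERITY_ORDER:
        raise ValueError(f"unknown severity label: {severity!r}")
    return SEVERITY_ORDER.index(severity)


def technique_severity(incidents, service=None):
    """Roll incidents up per technique. Assumed rule: a technique takes the highest
    severity among its associated incidents. The optional service filter mirrors
    the Service Name filter on the dashboard."""
    worst = {}
    for inc in incidents:
        if service is not None and inc.service != service:
            continue
        if inc.technique not in worst or severity_rank(inc.severity) > severity_rank(worst[inc.technique]):
            worst[inc.technique] = inc.severity
    return {t: (s, SEVERITY_COLOR[s]) for t, s in worst.items()}


def matrix_cells(incidents, service=None):
    """Tactic -> list of (technique, severity) for the matrix view, most severe first."""
    tactic_of = {inc.technique: inc.tactic for inc in incidents}
    cells = {}
    for technique, (sev, _colour) in technique_severity(incidents, service).items():
        cells.setdefault(tactic_of[technique], []).append((technique, sev))
    for techs in cells.values():
        techs.sort(key=lambda pair: severity_rank(pair[1]), reverse=True)
    return cells


def mini_card_counts(incidents, technique):
    """Per-type counts for one technique's Cloud Card; a type with no incidents shows 'None'."""
    counts = Counter(inc.incident_type for inc in incidents if inc.technique == technique)
    return {t: counts.get(t, "None") for t in MINI_CARD_TYPES}


def top_users(incidents, n=20):
    """Users impacted by the most incidents, as on the Top 20 Users filter."""
    return [user for user, _count in Counter(inc.user for inc in incidents).most_common(n)]


if __name__ == "__main__":
    for tactic, techs in matrix_cells(SAMPLE_INCIDENTS).items():
        print(tactic, techs)
    print(mini_card_counts(SAMPLE_INCIDENTS, "Trusted Relationship"))
    print(top_users(SAMPLE_INCIDENTS, 3))
```

With the constructed data, Trusted Relationship rolls up to High (Maroon) because one of its Connected Apps incidents is High, even though the matching Salesforce-only view would show it as Low; the Threat and Anomaly Mini Cards for that technique render as None because no incident of those types is attached to it.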
To view the details of the detected techniques:
- Click any technique on the ATT&CK Matrix table to view the Technique Cloud Card. For example, click one of the techniques under the Initial Access category, such as Trusted Relationship, to learn how an attacker gained access through an organization's third-party partner account; the card shows the details of the compromised Connected Apps.
- Next, click the Connected Apps Mini Card to view an extended cloud card that displays the details of the restricted Connected Apps.
- Then click the link to the specific restricted Connected App to see an extended view of the compromised Connected Apps incident.
- The Info severity details allow you to investigate and apply a remediation action. As a remediation action, select and assign the Owner and Status from the menu.
NOTES:
- As a remediation action for the Incident Types, Threats, and Anomalies, assign Owner and Status from the menu.
- For Incident Types, you can apply a remediation action on the MITRE Dashboard > associated incident's Extended Cloud Card, or on the Policy Incidents page. For details, see Policy Incidents Cloud Card.
- For Threats, you can apply a remediation action on the MITRE Dashboard > Extended Cloud Card, or on the Threat page. For details, see Threat Cloud Card.
- For Anomalies, you can apply a remediation action on the MITRE Dashboard > Extended Cloud Card, or on the Anomaly page. For details, see Anomaly Cloud Card.
The Technique Cloud Card provides the following information:
- Technique Name. The specific name of the technique.
- Severity. The techniques are classified by the severity level (High/Medium/Low/Warning/Info) of their incidents.
- Description. A paragraph that describes how adversaries gain access to the network and the possible ways the technique can be used to breach your data. Use this information to better understand what the attack represents and why it may indicate a risk to your data security.
NOTE: Mini Cards represent the security status of the incident types, threats, and anomalies. If your incident types, threats, and anomalies are secured, the text appears as None with a green checkmark. If your incidents are at risk, then a horizontal bar is displayed with the incidents count. The color of the horizontal bar signifies the severity levels of the incidents.
- Mini Cards. Eleven Mini Cards appear on the first Cloud Card. Click a Mini Card to view detailed information about incidents that are causing a risk to your cloud services. The following are the categories of Mini Cards:
- DLP. The count shows the number of DLP incidents that are compromised.
- Config Audit. The count shows the number of IaaS configuration audit incidents that are compromised.
- Vulnerability. The count shows the number of container vulnerability incidents.
- Connected Apps. The count shows the number of compromised third-party applications connected to your services.
- Anomaly. The count shows the number of anomalies reported against the cloud services.
- Threat. The count shows the number of threats reported against the cloud services.
- File Integrity Incident. The count shows the number of compromised operating system or application software files.
- Malware Policy Violation. The count shows the number of compromised incidents that violated the Malware Policy.
- Cloud Access Policy. The count shows the number of compromised incidents that violated the Cloud Access Policy.
- Shadow/Web DLP. The count shows the number of compromised incidents that violated the Shadow/Web DLP policy.
- Image Hardening. The count shows the number of vulnerable incidents compromised during Image Hardening.
- What you can do. The primary steps are provided to reduce the risk of the attack. These mitigation steps are based on the selected technique and the steps may vary for different techniques.
- Sub-techniques. More specific descriptions of the adversary actions that fall under the technique.
- Users. The users who are impacted by the attacks. To view the list of users, click Users.
- Resources. You can view the non-compliant Resource ID. To view the Resource IDs, click Resources.