In the process of creating this new visualization, we went through a lot of different iterations, and we realized that some of the resources and visualizations we developed might be useful for the community. Below we’ll discuss a little bit about the process we used to make the visualizations, as well as cover a few of our “runner-ups” that didn’t quite make the grade. We’re also releasing the code we used to make these visualizations on our public GitHub page, which you can download and modify to create your own.

Creating the Visualization

It’s pretty easy to create visualizations from ATT&CK data — since ATT&CK is already represented in STIX2, we can just write Python scripts to extract the relationships we care about (whichever they are), and then port them over to a graph-drawing library to render the data. The hard part here was to properly visualize the data; I tried first to work with some Python libraries but couldn’t get quite the kind of visualization I was looking for. Talking with the team, Katie recommended we check out RAWGraphs, which turned out to work very smoothly.

After some experimenting, we settled on the following process:

1. Ingest ATT&CK in STIX2 format from the MITRE TAXII2 server.

2. Parse out the relevant data that we want to visualize.

3. Output a CSV file containing the appropriate relationships.

4. Load (copy/paste) the data into RAWGraphs.

5. Choose the right visualization, including specific parameters.

The Simple Case: Tactics and Techniques

To keep things simple, we started with a visualization that just showed each tactic linking out to the techniques within it. This one visualized neatly using the Circular Dendrogram option:

Tactics linked to techniques.

While this looks nice, it didn’t add much content-wise; it was just another way to visualize the same information already displayed in the ATT&CK matrix.

Techniques, Groups, and Software

To try to make things more interesting, we thought it would be cool to have a visualization that brought in the top-level ATT&CK objects — techniques, groups, and software. To test this, we wrote a quick script that output each technique connected to the software that can execute it, and that software connected to the groups that use it:

There’s potential here, but clearly there was too much to represent. To try to make it more legible, we scoped it to only include collection techniques:

All collection techniques linked to the software implementing those techniques, and the groups using that software.

Much better! This restricted version looks interesting, is legible, and hits on most of the important ATT&CK data pieces. Still, while this is nice, it didn’t have that wow! factor that we were looking for; we wanted something that people could look at that was not just appealing but could maybe even help them.

Beyond the Dendrogram: Using Permissions

Going over the ATT&CK data model, I looked for a few things that might be a little more off the beaten path when it comes to visualization, and I saw the required permissions field of the technique object. This field holds what permissions an adversary must have if they want to execute the specific technique, leading to a fun question — how do required permissions stack up across different tactics? To try to approach this, I wrote a script to count the number of techniques that needed a given minimum permission level within each tactic, putting the output into a Sunburst chart on RAWGraphs:

Minimum permissions as they relate to tactics.

This one was my favorite so far — it pictorially represented how the techniques within each tactic had varying levels of required permissions. Looking at the chart, we can see that persistence techniques are pretty evenly split between requiring administrator, SYSTEM, or user privileges, whereas discovery techniques typically only needed user permissions to run. As an added bonus, using the Sunburst chart type gave us some variety, and some interesting color schemes. This chart definitely met the "interesting" qualification we were looking for, but it still didn't feel like something that would provide anything actionable.
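To show steps 2 and 3 of the process above (parse the STIX2 bundle, emit CSV for RAWGraphs) for both the tactic/technique dendrogram and the permissions sunburst, here is an added example that is not the code the post releases. It assumes a constructed miniature bundle in the shape of ATT&CK's STIX2 objects (the field names `kill_chain_phases`, `x_mitre_permissions_required`, `revoked` and `x_mitre_deprecated` are the real ones), and an assumed `PERMISSION_RANK` ordering for picking the "minimum" level when a technique lists several.

```python
import csv
import io
import json

def _tech(name, tactics, perms=None, **extra):  # constructed STIX2-shaped objects, not real ATT&CK data
    return {"type": "attack-pattern", "id": "attack-pattern--" + name.lower(), "name": name,
            "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": t} for t in tactics],
            "x_mitre_permissions_required": perms or [], **extra}

SAMPLE_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--sample", "objects": [
    _tech("TechA", ["persistence"], ["Administrator", "SYSTEM"]),
    _tech("TechB", ["persistence", "discovery"], ["User"]),
    _tech("TechC", ["discovery"], ["User", "Administrator"]),
    _tech("TechD", ["discovery"]),                              # no permissions data populated
    _tech("OldTech", ["discovery"], ["User"], revoked=True),    # revoked: must be skipped
    {"type": "intrusion-set", "id": "intrusion-set--g", "name": "Group G"},  # not a technique
]})

# Assumed ordering used to pick the minimum permission level a technique needs.
PERMISSION_RANK = {"User": 0, "Administrator": 1, "root": 1, "SYSTEM": 2}

def techniques(bundle_json):
    """Live ATT&CK techniques (STIX attack-pattern objects); revoked/deprecated ones are dropped."""
    return [o for o in json.loads(bundle_json)["objects"]
            if o["type"] == "attack-pattern" and not (o.get("revoked") or o.get("x_mitre_deprecated"))]

def tactics_of(technique):  # a technique's tactics are the phase names on its mitre-attack kill chain
    return [p["phase_name"] for p in technique.get("kill_chain_phases", []) if p["kill_chain_name"] == "mitre-attack"]

def tactic_technique_rows(bundle_json):  # (tactic, technique) rows for the circular dendrogram
    return sorted((tac, t["name"]) for t in techniques(bundle_json) for tac in tactics_of(t))

def tactic_permission_counts(bundle_json):
    """Rows for the permissions sunburst: techniques per tactic, grouped by minimum permission level."""
    counts = {}
    for t in techniques(bundle_json):
        perms = t.get("x_mitre_permissions_required")
        if not perms:
            continue  # techniques with no permissions data are left out of the sunburst
        lowest = min(perms, key=lambda p: PERMISSION_RANK.get(p, 0))
        for tactic in tactics_of(t):
            counts[(tactic, lowest)] = counts.get((tactic, lowest), 0) + 1
    return sorted((tactic, level, n) for (tactic, level), n in counts.items())

def to_csv(header, rows):
    """CSV text that can be pasted straight into RAWGraphs."""
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerows([header, *rows])
    return buf.getvalue()
```

Against the real server output you would replace `SAMPLE_BUNDLE` with the bundle fetched from the TAXII2 collection and paste the CSV into RAWGraphs as in steps 4 and 5.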

Permissions for Defense Evasion

When looking at the technique data model, I noticed another interesting field: defenses evaded. This field — when applicable — links each technique to the specific defense that technique can evade. What if we used this in conjunction with the permission information?

Permissions mapped to defenses and techniques that can evade those defenses with the specified permission.

This concept visualized great with the Circular Dendrogram option. Plus, it was immediately useful: people could look at it and say “what permissions do I have?”, go one hop out and ask “what defense do I want to evade?”, and then choose a technique to evade that specific defense that only needed the permissions they already had. This met most of our criteria, but we still felt like it really wasn’t the right one.

What We Went With: Data Sources and Techniques

Using data sources in some way was our first choice from the beginning, but we weren’t sure of the right way to visualize them: initially we wanted to include all of the data sources, but no matter how we sliced it, the resulting graph was always just too busy. Eventually we settled on finding a subset that seemed both appealing and useful, and were pleased with the results:

The final visualization, linking a set of data sources to the techniques that they can be used to detect.

This one came out well both visually and from a utility perspective: each of the data sources maps to a similar number of techniques so that none seems over-represented, many different techniques are represented, and the chart conveys data that could be useful to defenders. Plus, we thought this visualization could inspire others to make their own charts of their favorite data sources.

(For anyone interested in how we arrived at these 12 data sources: I ended up writing a script that, given a total number of data sources to include, would find the set of data sources with minimal technique-coverage variance that also linked out to at least 100 different techniques. The code we’re releasing has this set hard-coded in, but I’d love to see others find ways to computationally determine the best sets to visualize!)
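One way to implement the selection described in the parenthetical above, as an added example rather than the script the post releases: it assumes a constructed technique-to-data-source mapping (in ATT&CK's STIX2 each technique carries this as its `x_mitre_data_sources` list; the `T01`..`T08` ids are placeholders), searches subsets of a given size exhaustively, and ranks the feasible ones by population variance of their per-source technique counts. `coverage_by_source` and `best_source_set` are names chosen here.

```python
from itertools import combinations
from statistics import pvariance

# Constructed technique -> data source mapping (in ATT&CK's STIX2 this is each technique's
# x_mitre_data_sources list); the technique ids are placeholders, not real ATT&CK data.
TECHNIQUE_DATA_SOURCES = {
    "T01": ["Process monitoring", "Windows Registry"],
    "T02": ["Process monitoring", "File monitoring"],
    "T03": ["Process monitoring", "Authentication logs", "PowerShell logs"],
    "T04": ["Process monitoring", "PowerShell logs"],
    "T05": ["File monitoring", "Authentication logs"],
    "T06": ["File monitoring", "Network traffic"],
    "T07": ["Windows Registry", "API monitoring"],
    "T08": ["Windows Registry", "Authentication logs", "API monitoring"],
}

def coverage_by_source(technique_sources):
    """Invert technique -> sources into source -> set of techniques it can help detect."""
    coverage = {}
    for technique, sources in technique_sources.items():
        for source in sources:
            coverage.setdefault(source, set()).add(technique)
    return coverage

def best_source_set(technique_sources, size, min_techniques):
    """Pick `size` data sources whose per-source technique counts have the lowest variance
    (so none looks over-represented) while together reaching at least `min_techniques`
    distinct techniques. Exhaustive search: fine for a small candidate list, but the full
    ATT&CK data source list would need pruning or a heuristic before this is practical."""
    coverage = coverage_by_source(technique_sources)
    best, best_var = None, None
    for subset in combinations(sorted(coverage), size):
        covered = set().union(*(coverage[s] for s in subset))
        if len(covered) < min_techniques:
            continue  # too few techniques reachable from these sources: not useful enough
        var = float(pvariance([len(coverage[s]) for s in subset]))
        if best_var is None or var < best_var:
            best, best_var = subset, var
    return best, best_var
```

With the constructed data, asking for 3 sources that reach at least 7 techniques returns the three sources that each cover exactly 3 techniques (variance 0), while demanding 9 techniques is infeasible and returns `(None, None)`.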

Interested in Making Your Own Visualizations?

To accompany this blog post and the roadmap itself, we’re releasing the source code used to generate the CSV files used with RAWGraphs to create the figures in this post. The script provides lots of examples, and should be helpful to anyone who wants to make their own chart.

Have a favorite?

Let us know! Tweet us at @MITREattack or send us an email at attack@mitre.org.