New Features

MITRE ATT&CK matrices for Enterprise and ICS 7.4.1

Note

This information is also available in the FortiAnalyzer 7.4 Administration Guide.

The MITRE ATT&CK® and MITRE ATT&CK® ICS panes have been added in FortiAnalyzer 7.4.1.

MITRE (MIT Research Establishment) ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a matrix that helps identify the objectives of cyber attacks and the techniques attackers may use to achieve them. The matrix uses tactics as column headers, with several techniques listed under each tactic. The Enterprise matrix consists of 16 tactics, and the ICS matrix consists of 12 tactics.

In FortiAnalyzer, the MITRE ATT&CK matrices provide information related to the attacks identified by the associated events and incidents. These panes also provide the coverage information of event handlers defined to identify the attacks.

The OT Security Service is required for FortiAnalyzer to use all functionality in the MITRE ATT&CK® ICS pane. For more information about this service, see the FortiAnalyzer Datasheet.

This topic includes the following information:

To configure MITRE ATT&CK information in event handlers:
  1. When creating a basic or correlation event handler, select the MITRE Domain:

    • N/A (default)

    • Enterprise

    • ICS

  2. If Enterprise or ICS is selected for the MITRE Domain, you can then select the MITRE Tech ID(s) from the dropdown.

    This dropdown is an organized list of all the tactics and techniques in the matrix. You can select any number of techniques or sub-techniques based on the rules that will be defined for the event handler.

The MITRE Domain and MITRE Tech ID columns have been added to the table views in Incidents & Events > Handlers > Basic Handlers and Incidents & Events > Handlers > Correlation Handlers. Existing default event handlers have also been updated with a MITRE Domain and MITRE Tech ID where appropriate.

To include MITRE ATT&CK information in an incident:
  1. When creating an incident, select the MITRE Domain:

    • N/A (default)

    • Enterprise

    • ICS

  2. If Enterprise or ICS is selected for the MITRE Domain, you can then select the MITRE Tech ID(s) from the dropdown.

    This dropdown is an organized list of all the tactics and techniques in the matrix. You can select any number of techniques or sub-techniques based on the incident details.

The MITRE Domain and MITRE Tech ID can also be included for incidents via the Create Incident and Update Incident playbook task actions. In the example below, the MITRE Domain can be selected when Action = Create Incident.

The MITRE Domain and MITRE Tech ID columns have been added to the table view in Incidents & Events > Incidents.

To use the MITRE Domain or MITRE Tech ID as part of a playbook trigger:

When configuring an INCIDENT_TRIGGER for a playbook, you can select MITRE Domain or MITRE Tech ID as a filter condition.

Similarly, when configuring an EVENT_TRIGGER for a playbook, you can select MITRE Domain or MITRE Tech ID as a filter condition.

To use the Attack tab for a MITRE ATT&CK matrix in FortiAnalyzer:

Note

Incidents & Events > MITRE ATT&CK® > Attack is used for the examples below, but the same information applies for Incidents & Events > MITRE ATT&CK® ICS > Attack when you have an OT Security Service license in FortiAnalyzer.

The Attack tab provides incident and event information associated with each technique in the matrix.

If there are events associated with the technique, an icon and count are displayed on the tile. A separate icon and count are displayed for the associated incidents as well.

You can refresh the matrix or view the attacks within a specific time range by using the time filter in the toolbar. In the example below, there are 182 events and 107 incidents associated with the Compromise Infrastructure technique in the last 10 weeks.

Mouse over a tile to display a tooltip with the number of events and/or incidents under each sub-technique. In the example below, the Botnet sub-technique has 182 events and 1 incident, while the Serverless sub-technique has 106 incidents.

Click a tile with associated events or incidents to open a pane for that technique. In this pane, you can toggle between table views for associated Events and Incidents.

The table view for Events associated with the technique includes the following columns:

Column: Description
Event Handler: The event handler that generated the event(s).
Severity: The severity of the event(s).
Technique: The technique or sub-technique related to the event(s).
Affected Endpoints: The number of affected devices. Click the count for affected endpoints to open another pane with the list of endpoints found in the events.
Event Count: The event count related to that event handler and technique or sub-technique. Click the event count to open Incidents & Events > Event Monitor in a new tab. The Event Monitor is filtered by the selected handler and time range from the matrix. Note that the Event Monitor now includes columns for the MITRE Domain and MITRE Tech ID.

The table view for Incidents associated with the technique includes the following columns:

Column: Description
Severity: The severity of the incident(s).
Description: The description of the incident.
Technique: The technique or sub-technique related to the incident(s).
Affected Endpoints: The number of affected endpoints. Click the count for affected endpoints to open another pane with the list of endpoints found in the incidents.
Incidents: The incident count related to that technique or sub-technique. Click the incident count to open the Incidents pane in a new tab. It is filtered by incidents of the selected technique.

To use the Coverage tab for a MITRE ATT&CK matrix in FortiAnalyzer:

Note

Incidents & Events > MITRE ATT&CK® > Coverage is used for the examples below, but the same information applies for Incidents & Events > MITRE ATT&CK® ICS > Coverage when you have an OT Security Service license in FortiAnalyzer.

The Coverage tab displays the number of event handlers associated with each technique in the matrix. This helps you to determine gaps in coverage where more event handlers could be configured to identify related attacks. The top of the pane displays the overall coverage. In the example below, the coverage is 121 Event Handlers - 42% Coverage.

When a basic or correlation event handler is associated with a technique, it is included in the coverage for that technique. The tile displays an icon and count for the associated event handlers. Mouse over the tile to display the information in a tooltip, which includes the total event handler count and, where sub-techniques exist, a breakdown of the count for each sub-technique.

In the example below, the tooltip displays three event handlers associated with the Scanning IP Blocks sub-technique and one associated with the Wordlist Scanning sub-technique.

Click a tile with coverage to open a table view of event handlers for that technique. The table includes the following columns:

Column: Description
State: The state of the event handler: Enabled or Disabled.
Event Handlers: The name of the event handler.
Description: The description of the event handler.
Technique: The technique or sub-technique(s) associated with the event handler. If there are multiple sub-techniques associated with the event handler, the count is provided in this column. Click the count to display which sub-techniques are associated with the event handler.

Click an event handler name in the table to view the event handler configuration. You can edit the Status, MITRE Domain, and MITRE Tech ID from this pane, if needed. After updating the coverage for an event handler, refresh the MITRE ATT&CK® matrix to display the changes.
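The tile counts shown on the Attack and Coverage tabs above are both roll-ups of MITRE Tech IDs onto their parent technique. The following added example (not FortiAnalyzer code) models that roll-up over constructed handler and event records: sub-technique IDs map to the technique tile, a handler listing several sub-techniques of one technique is counted once on that tile, the tooltip breakdown is kept per sub-technique, and the header percentage is the share of techniques with at least one handler. The technique IDs are the standard ATT&CK identifiers for the techniques named on this page; the handler names, event records and the matrix size of 14 techniques are assumptions.

```python
from collections import Counter, defaultdict
# Constructed sample records (not FortiAnalyzer output); "domain"/"tech_ids" mirror
# the MITRE Domain and MITRE Tech ID settings. IDs are the standard ATT&CK ones for
# the techniques the page names: T1584 Compromise Infrastructure (.005 Botnet,
# .007 Serverless) and T1595 Active Scanning (.001 Scanning IP Blocks, .003 Wordlist Scanning).
HANDLERS = [
    {"name": "Botnet C2 Beacon", "domain": "Enterprise", "tech_ids": ["T1584.005"]},
    {"name": "Serverless Relay", "domain": "Enterprise", "tech_ids": ["T1584.007"]},
    {"name": "Mass Port Scan", "domain": "Enterprise", "tech_ids": ["T1595.001"]},
    {"name": "Subnet Sweep", "domain": "Enterprise", "tech_ids": ["T1595.001", "T1595.003"]},
    {"name": "ICMP Sweep", "domain": "Enterprise", "tech_ids": ["T1595.001"]},
    {"name": "Legacy Rule", "domain": "N/A", "tech_ids": []},  # N/A domain: never on a tile
]
EVENTS = [  # events carry the MITRE fields of the handler that generated them
    {"handler": "Botnet C2 Beacon", "domain": "Enterprise", "tech_ids": ["T1584.005"]},
    {"handler": "Botnet C2 Beacon", "domain": "Enterprise", "tech_ids": ["T1584.005"]},
    {"handler": "Mass Port Scan", "domain": "Enterprise", "tech_ids": ["T1595.001"]},
    {"handler": "Subnet Sweep", "domain": "Enterprise", "tech_ids": ["T1595.001", "T1595.003"]},
]

def parent(tech_id):
    """Sub-technique T1595.001 rolls up to tile T1595; a technique is its own tile."""
    return tech_id.split(".", 1)[0]

def tile_counts(records, domain):
    """Aggregate handlers, events or incidents onto one domain's tiles: "total" is the
    tile badge (one count per record per technique), "by_sub" the tooltip breakdown."""
    tiles = defaultdict(lambda: {"total": 0, "by_sub": Counter()})
    for rec in records:
        if rec["domain"] != domain:
            continue
        ids = set(rec["tech_ids"])
        for tid in ids:
            tiles[parent(tid)]["by_sub"][tid] += 1
        for tech in {parent(tid) for tid in ids}:
            tiles[tech]["total"] += 1
    return {t: {"total": v["total"], "by_sub": dict(v["by_sub"])} for t, v in tiles.items()}

def coverage_pct(handler_tiles, techniques_in_matrix):
    """Header figure: share of the matrix's techniques that have at least one handler."""
    return round(100 * len(handler_tiles) / techniques_in_matrix)

def events_table(events, technique):
    """Rows of a tile's Events pane: (handler, tech_id) -> event count."""
    rows = Counter()
    for ev in events:
        for tid in ev["tech_ids"]:
            if parent(tid) == technique:
                rows[(ev["handler"], tid)] += 1
    return dict(rows)
```

With these records the T1595 coverage tile shows 3 handlers with a tooltip of 3 for Scanning IP Blocks and 1 for Wordlist Scanning, matching the breakdown described above, while the Legacy Rule handler with domain N/A contributes to no tile.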

MITRE ATT&CK® ICS without an OT Security Service license:

If you do not have an OT Security Service license for FortiAnalyzer, the MITRE ATT&CK® ICS pane will display a notification that the license is missing.

The Attack tab will not display any event or incident counts for the techniques in the matrix.

The Coverage tab will display the event handler counts for the techniques, but you will not be able to click the tiles to view their information or perform any actions.