MITRE ATT&CK® Coverage Map

The MITRE ATT&CK® Coverage Map page provides a comprehensive visualization of how the Cisco Breach Protection Suite protects your organization against the tactics and techniques represented by the MITRE ATT&CK® Matrix for Enterprise. The product coverage mapping data is provided by Cisco Talos and it is associated with the detection content for the following Cisco products that are included in the Cisco Breach Protection Suite:

  • XDR Native (Network, Cloud, Identity, and Endpoint)

  • Secure Email Threat Defense

  • Secure Endpoint

  • Secure Malware Analytics

  • Secure Network Analytics

Note: Having visibility into a technique does not ensure detection or protection against all occurrences of the technique and the coverages shown in the map does not reflect your specific product configurations or settings.

Choose Control CenterMITRE Coverage Map in the left navigation menu to open the MITRE ATT&CK® Coverage Map page and view the tactics and techniques that are covered by the Cisco Breach Protection Suite products. By default, the coverage map displays the tactics and techniques for the Cisco products that are integrated with Cisco XDR in your organization. You can filter the coverage map to display products that are not integrated for a comprehensive view of the coverage your organization would have if you integrate more Cisco products.

The tactics are listed in the top row and all the associated technique cards are listed alphabetically under each tactic. For more information on tactics and techniques, see MITRE ATT&CK Matrix for Enterprise. The number of techniques covered by the selected products are indicated under the tactic and each technique card underneath displays the total number of supported products selected for the technique, the number of incidents that are impacted by the technique, and the color-coded risk score for the technique. Hover over the product badge to display a detailed list of selected products covered by the technique and you can hover over the risk score to display the severity of the risk. For more information on the risk scores, see Color and Icon Key. Click a tactic or technique card to open the tactic or technique drawer for a high-level summary of the tactic or technique in one place, including a list of products covered and a list of XDR Native sources that provide coverage for the tactic or technique, if applicable.

The status of the integration is displayed below each product check box (Integrated or Not Integrated). If a product is not integrated in Cisco XDR, you can configure the integration on the Integrations page. For more information on adding an integration, see Integrations.

XDR Native represents the Cisco XDR native telemetry that is sent from the following sources: Network, Cloud, Identity, and Endpoint. You can integrate network, cloud, and identity sources in Cisco Secure Cloud Analytics. For more information, see Cisco Secure Cloud Analytics. The Network Visibility Module data is sent to Cisco XDR from the Endpoint source if you install the default deployment on your endpoints. For more information on installing the default deployment and viewing endpoints data, see Default Deployments.

Note: The coverages that are indicated on the coverage map do not reflect the Secure Cloud Analytics and Network Visibility Module configurations in your environment. Ensure that you verify your configurations in Secure Cloud Analytics and Client Management.

When you click a tactic, the tactic drawer opens where you can quickly view more information on the selected tactic, including product coverages and a list of incidents that are impacted by the selected tactic.

The tactic drawer displays the following information about the tactic:

Tactic name and ID

The MITRE ATT&CK® tactic ID is displayed below the tactic name. For details on the tactic IDs, see Enterprise Tactics.

Risk Score

The risk score for the tactic indicates the probability of financial impact if the MITRE ATT&CK pattern is not mitigated--the higher the score, the higher the probability of impact. The risk score is the detection risk used to calculate the priority score for incidents and it is an internal calculation by Cisco's data science team based on the analysis of over 100,000 incidents costing customers upwards of 1 billion dollars.

The risk score is color-coded based on the score and you can hover over the risk score to view the severity of the risk. For more information, see Color and Icon Key.

Product Coverage

The products that are checked in the coverage map and covered by the current tactic are listed in the Selected coverage area. The Additional Cisco coverage area displays products that are unchecked in the coverage map but they are covered by the current tactic.

All the products in the Product coverage area are listed with the status of the integration in Cisco XDR and product links to learn more about the products. The sources listed next to XDR Native indicate the Cisco XDR sources that are covered by the current tactic.

Description

Expand the panel to view the description of the tactic. The description is provided by MITRE ATT&CK®. For a list of all the tactic descriptions, see Enterprise Tactics.

Incidents

Expand the panel to view the five most recent incidents that are impacted by the current tactic, with the creation date and the status of the incident listed for each incident. The total number of incidents for the tactic is also displayed. Click the incident link to open the incident detail in a new tab or click View all to open the Incidents page with a filtered list of incidents that are impacted by the current tactic in a new tab.

View on the MITRE ATT&CK® website

Click the link to open the MITRE ATT&CK® website in a new tab for more information on the current tactic.

To close the drawer, click the (Close) icon in the upper right corner.

When you click a technique card, the technique drawer opens where you can quickly view more information on the selected technique, including product coverages and a list of incidents that are impacted by the selected technique.

The technique drawer displays the following information about the technique:

Technique name, ID, and tactics

The MITRE ATT&CK® technique ID and related tactics are displayed below the technique name. For details on the technique codes, see Enterprise Techniques.

Risk Score

The risk score for the technique indicates the probability of financial impact if the MITRE ATT&CK pattern is not mitigated--the higher the score, the higher the probability of impact. The risk score is the detection risk used to calculate the priority score for incidents and it is an internal calculation by Cisco's data science team based on the analysis of over 100,000 incidents costing customers upwards of 1 billion dollars.

The risk score is color-coded based on the score and you can hover over the risk score to view the severity of the risk. For more information, see Color and Icon Key.

Product Coverage

The products that are checked in the coverage map and covered by the current technique are listed in the Selected coverage area. The Additional Cisco coverage area displays products that are unchecked in the coverage map but they are covered by the current technique.

All the products in the Product Coverage area are listed with the status of the integration in Cisco XDR and product links to learn more about the products. The sources listed next to XDR Native indicate the Cisco XDR sources that are covered by the current technique.

Adversaries

Expand the panel to view a list of adversaries that use the current technique. The adversaries that are checked in the Adversary Filters drawer and use the current technique are listed in the Filtered Adversaries area. The Additional Adversaries area displays adversaries that are unchecked in the Adversary Filters drawer but they use the current technique.

The number of selected adversaries for the current technique out of the total number of filtered adversaries is displayed next to Filtered Adversaries. The total number of additional adversaries that are not selected is displayed next to Additional Adversaries.

Description

Expand the panel to view the description of the technique. The description is provided by MITRE ATT&CK®. For a list of all the technique descriptions, see Enterprise Techniques.

Sub-techniques

Expand the panel to view a list of the sub-technique IDs and names for the current technique. The total number of sub-techniques supported by the technique is displayed next to the title.

Incidents

Expand the panel to view the five most recent incidents that are impacted by the current technique, with the creation date and the status of the incident listed for each incident. The total number of incidents for the technique is also displayed. Click the incident link to open the incident detail in a new tab or click View all to open the Incidents page with a filtered list of incidents that are impacted by the current technique in a new tab.

View on the MITRE ATT&CK® website

Click the link to open the MITRE ATT&CK® website in a new tab for more information on the current technique.

To close the drawer, click the (Close) icon in the upper right corner.

You can filter the MITRE ATT&CK coverage map by product, risk score, and incident creation date, and adversaries to narrow the techniques displayed on the coverage map.

In the Product Coverages area, check the check boxes next to the integrations to filter the tactics and techniques covered by the selected integrations that are displayed on the page.

By default, the check boxes for the integrated products and all the XDR Native sources are checked. Check the check boxes next to the products that are not integrated to view the possible tactics and techniques that can be covered if you integrate more Cisco products. For more information on integrating products, see Integrations.

All the sources under the XDR Native check box are automatically checked by default, displaying the coverage information for all the sources that send telemetry data to Cisco XDR. To filter the sources, click the Select sources drop-down list and check or uncheck the check boxes next to the sources you want to include or exclude on the page.

The risk scores, including the color-coded severity of the risk scores, are displayed on the technique cards in the coverage map. You can filter the techniques based on the severity level of the risk score displayed on the technique cards (Critical, High, Medium, Low, Unknown, or All risk scores). For details on the severity, see Color and Icon Key.

Click the Minimum risk score drop-down list and choose the minimum severity of the risk score you want displayed in the coverage map. Only techniques with a risk score greater or equal to the selected severity will be shown. All risk scores is selected by default.

The number of incidents promoted and impacted by the tactics and techniques during the specified date range are displayed on the technique cards. By default, the number of incidents promoted and impacted within the last year is displayed. You can narrow the number of incidents based on the specific time frame using the incident created date drop-down list in the upper right corner of the Product Coverages area.

Click the Incident created date drop-down list and choose the date range for the number of incidents you want displayed on the technique cards and the list of incidents displayed in the tactic or technique drawer. For example, choose Last 30 days if you want to display the number of incidents that were promoted and impacted by the tactics and techniques in the last 30 days.

To display a detailed list of incidents for a specific tactic or technique, click the tactic or technique card and the incidents are listed in the technique drawer.

The Adversary Filters area allows you to filter the techniques in the coverage map by the MITRE ATT&CK adversaries and threat groups. Adversaries are known threat actors that are tracked by MITRE ATT&CK. For more information, see MITRE ATT&CK Groups. Filtering by adversaries allows you to view the techniques used by the adversary groups and whether the selected products protect you against the techniques used by the adversary groups.

Click Select adversaries to open the Adversary Filters drawer for a list of the adversary names, IDs, associated groups, industries targeted by the adversary, and countries targeted by the adversary. Check the check boxes next to the adversaries to filter the coverage map to display the techniques that are used by the selected adversary groups. The total number of adversaries available and the number of adversaries selected are displayed next to the Country drop-down list.

Search Adversaries

Use the Search text box in the upper portion of the drawer to narrow the display of adversaries. Enter the search criteria in the Search text box to search for adversaries by name, threat group ID, or associated groups. The adversaries that match your search criteria are displayed in the list below.

Filter Adversaries by Industry

You can filter the list of adversaries by industries that are targeted by the adversary groups. The industry data is extracted from the description of the adversary from MITRE ATT&CK.

In the Adversary Filters drawer, click the Industry drop-down list and check the check boxes next to the industry to filter the adversaries that are displayed in the drawer. The number of techniques that target the industry is listed next to each industry. Check the Unknown check box if you want to filter the list of adversaries by industries that have not been identified.

Filter Adversaries by Country

You can filter the list of adversaries by countries that are targeted by the adversary groups. The country data is extracted from the description of the adversary from MITRE ATT&CK.

In the Adversary Filters drawer, click the Country drop-down list and check the check boxes next to the country to filter the adversaries that are displayed in the drawer. The country code and the number of techniques that target the country is listed next each country. Check the Unknown check box if you want to filter the list of adversaries by countries that have not been identified.

Adversary Heatmap

After you select the adversaries, the Adversary heatmap radio button is selected by default and the color of the technique cards in the coverage map is updated to red, indicating the number of adversaries that uses each technique. For more information on the different shades of red, click the (Information) icon next to the Adversary Heatmap radio button to display a legend.

Click the Product coverage radio button to apply a purple color to the technique cards, indicating that the products selected in the Product Coverages area protect you against the techniques used by the selected adversaries.

The Techniques Covered chart displays the percentage of techniques covered by the products checked in the Product Coverages area. Hover over the percentage to display the number of techniques covered out of the total number of techniques available. The number of techniques do not include duplicate techniques displayed under the row of tactics in the coverage map.

The chart is updated as you check and uncheck the product check boxes in the Product Coverages area.