
Identify overlapping TTPs when multiple groups are selected (intersection weight)

Open davecan opened this issue 4 years ago • 1 comment

When selecting multiple threat groups from the multi-select dropdown it would be helpful if the TTP cell selected showed how many threat groups from the selection use that particular TTP.

For example, if a user selects 5 threat groups and a particular TTP is used by 3 of those it would be helpful to identify for that TTP that 3 groups use this. Essentially identifying the intersection weight of a TTP across threat groups.

This helps prioritize defenses since we can identify a set of threat groups we want to focus our defenses against and the tool will show us which TTPs are more commonly used by that set of groups.

davecan avatar Apr 19 '20 14:04 davecan

Hi @davecan,

While this is certainly a neat idea, I don't think the implementation of this feature is feasible in the ATT&CK Navigator due to how the multi-select interface works. Selections in the Navigator are not distinguished in where they originate from — a selection ultimately from multi-select is exactly the same as a selection by clicking a cell in the matrix. Therefore tracking which multi-selections have been used previously to display usage in the UI isn't really possible without a major redesign and re-implementation of the selection portion of the Navigator.


However, I do think that your use case could be easily accomplished by a layer file where the "score" is the number of using groups and the comment is the names of the using groups. It would be reasonably easy to write a script which parses the STIX data on our MITRE/CTI repo to generate a layer file showing usage by your specific groups. We have several example layer-generation scripts in the works on our attack-scripts repo which demonstrate how one might generate a layer from the STIX data. Several of these example scripts are already very close to what you'd need:

  1. bear_APT.py creates a layer showing which techniques are used by groups with the word "bear" in the aliases. The output layer has the using groups as a comment on each technique. You could pretty easily replace the "bear" filter with a filter that selects the groups you're concerned with.
  2. software_execution.py creates a layer showing techniques used by software. Its output layer includes scores representing the number of software using the given technique, as well as the software names in the comment. This could easily be adapted alongside the bear_APT script to show groups with comments and scores showing usage.

Please note that the above layer scripts are built to use data from the sub-techniques beta. They can easily be adapted to use the non-beta data by changing the URL from which the STIX is pulled from https://raw.githubusercontent.com/mitre/cti/subtechniques/enterprise-attack/enterprise-attack.json to https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json.


Another option would be to download usage layers for individual groups from the ATT&CK Website. These layers have a score of 1 for used techniques, so you could easily sum those scores using the "create layers from other layers" interface to get a "total usage" score. Unfortunately there's no easy way to determine which groups are involved if you just have the count in a score, but it's better than nothing.


Please let me know if you have any questions.

isaisabel avatar Apr 20 '20 14:04 isaisabel
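The layer-generation approach described in the reply above (score = number of selected groups using a technique, comment = their names), as an added example that is not part of the thread or of the attack-scripts repo. It parses the STIX object types found in enterprise-attack.json (intrusion-set, attack-pattern, and "uses" relationships); the bundle below is a constructed miniature stand-in, and in practice you would load the real JSON from the URL given in the reply. Groups are matched by their STIX `name`, so to match aliases you would extend the lookup.

```python
import json
from collections import defaultdict

def _uses(src, dst):  # builds a STIX "uses" relationship for the sample bundle
    return {"type": "relationship", "relationship_type": "uses",
            "source_ref": src, "target_ref": dst}

def _pattern(sid, tid):  # builds a sample attack-pattern carrying its ATT&CK ID
    return {"type": "attack-pattern", "id": sid,
            "external_references": [{"source_name": "mitre-attack", "external_id": tid}]}

# Constructed miniature bundle standing in for enterprise-attack.json (not real data).
SAMPLE_BUNDLE = {"type": "bundle", "objects": [
    {"type": "intrusion-set", "id": "intrusion-set--g1", "name": "Group One"},
    {"type": "intrusion-set", "id": "intrusion-set--g2", "name": "Group Two"},
    {"type": "intrusion-set", "id": "intrusion-set--g3", "name": "Group Three"},
    _pattern("attack-pattern--a1", "T1059"), _pattern("attack-pattern--a2", "T1566"),
    _uses("intrusion-set--g1", "attack-pattern--a1"),
    _uses("intrusion-set--g2", "attack-pattern--a1"),
    _uses("intrusion-set--g3", "attack-pattern--a1"),
    _uses("intrusion-set--g2", "attack-pattern--a2"),
    _uses("intrusion-set--g3", "attack-pattern--a2"),
]}

def technique_id(obj):
    """Return the ATT&CK ID (e.g. T1059) of an attack-pattern object, or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None

def intersection_layer(bundle, selected_groups, layer_name="Group intersection"):
    """Navigator layer: score = how many selected groups use the technique,
    comment = the names of those groups. Revoked/deprecated objects are skipped."""
    live = [o for o in bundle["objects"]
            if not o.get("revoked") and not o.get("x_mitre_deprecated")]
    groups = {o["id"]: o["name"] for o in live
              if o["type"] == "intrusion-set" and o["name"] in selected_groups}
    techniques = {o["id"]: technique_id(o) for o in live if o["type"] == "attack-pattern"}
    users = defaultdict(set)  # technique ID -> set of selected group names using it
    for o in live:
        if (o["type"] == "relationship" and o["relationship_type"] == "uses"
                and o["source_ref"] in groups and o["target_ref"] in techniques):
            users[techniques[o["target_ref"]]].add(groups[o["source_ref"]])
    return {"name": layer_name, "domain": "enterprise-attack",
            "description": "score = number of selected groups using the technique",
            "techniques": [{"techniqueID": tid, "score": len(names),
                            "comment": ", ".join(sorted(names))}
                           for tid, names in sorted(users.items())]}
```

Write `json.dumps(intersection_layer(SAMPLE_BUNDLE, ["Group One", "Group Two"]))` to a file and open it with the Navigator's layer upload; a technique used by all selected groups gets the highest score.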