diff --git a/Calculator.md b/Calculator.md deleted file mode 100644 index 4cd0130..0000000 --- a/Calculator.md +++ /dev/null @@ -1,29 +0,0 @@ -

Understanding the Spreadsheet

- -The [Top ATT&CK Techniques backend spreadsheet](https://github.com/center-for-threat-informed-defense/top-attack-techniques/releases/tag/v1.0.0) is the backend for the Top ATT&CK Techniques calculator. This README will explain how can you modify this spreadsheet to have the Top 10 Calculator completely customized to your needs. You should only change cells that are highlighted in yellow. Other changes could break the functionality, so do so at your own risk. - -

TOP 10 TECHNIQUES

-B15:19 = You can change your monitoring coverage, which will update the Top Technique score and the Ransomware Top Technique score. The options are None, Low, Medium, High. - -

Methodology

-F:G = These columns are to adjust the Choke Point score for each technique. Column F is how many techniques happen immediately before that row's technique and column G is how many techniques happen immediately after that row's technique. -M:M = This is our Sightings data and is hardcoded. YOU WON'T BE ABLE TO CHANGE THESE VALUES YET. -N:Q, S, U = These columns are to adjust the Actionability score. Each column represents the number of analytics or controls for each technique. -AN = These columns allow you to update the Ransomware Top Technique score. AN is to mark how many ransomware groups have been seen using that row's technique. - -

Coverage Definitions

-This sheet describes our definitions for the different levels of network, process, file, hardware, and cloud coverage. This was borrowed from Cyb3rWard0g's work on "How Hot is your Hunt Team" - -

Techniques

-This sheet is from the ATT&CK page and includes all relavent data for each technique - -

Parameters

-This sheet has values that feed our components in the Methodology sheet. - -D2:D5 = changes the upper and lower bounds for Actionability. D6 changes the weighted ratio of detections to mitigations. 1 Mitigations = 2 Detections - -D8:D11 = changes the upper and lower bounds for Choke Point. D12 changes the weighted ratio of before to after techniques. 1 before = 1 after - -D14 = sets the date for which the prevalence methodology should use as ""today's date."" This should reflect the latest date that you have data for prevalence. - -D21:22 = sets the upper and lower bounds for the ransomware list. The upper bound is how many different groups are in the ransomware data set diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..70c5d59 --- /dev/null +++ b/Makefile @@ -0,0 +1,20 @@ +# +# See `make help` for a list of all available commands. +# + +.DEFAULT_GOAL := help +ROOTDIR := $(dir $(abspath $(lastword $(MAKEFILE_LIST)))) + +.PHONY: help +help: ## Show Makefile help + @grep -hE '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | \ + awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}' | \ + sort + +.PHONY: build +build: ## Build the application + npm run build + +.PHONY: serve +serve: ## Run the dev server + npm run dev diff --git a/Methodology.md b/Methodology.md deleted file mode 100644 index 5e18008..0000000 --- a/Methodology.md +++ /dev/null 
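Review bot: deleting Calculator.md removes the only in-repo guidance on how the Excel calculator may be edited safely ("You should only change cells that are highlighted in yellow. Other changes could break the functionality"), the Parameters cell map (D2:D5, D6, D8:D11, D12, D14, D21:22) and the note that the Sightings column M:M is hardcoded. The replacement README table later in this patch links only website pages, so either confirm that this spreadsheet guidance now lives on the website and say so in the commit, or keep a short Calculator.md beside Calculator.xlsx so anyone opening the spreadsheet still knows which cells are parameters.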
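Review bot: in the new Makefile, `ROOTDIR := $(dir $(abspath $(lastword $(MAKEFILE_LIST))))` is defined but no target uses it; either drop it or use it (for example `cd $(ROOTDIR) && npm run build`) so `make -f .../Makefile build` works from another directory. Neither `build` nor `serve` declares a dependency on `npm install`, so a fresh checkout fails at `npm run build`; an `install` target (or a `node_modules` prerequisite) would make the documented `make help` entries self-sufficient. Minor: the `help` grep pattern `'^[a-zA-Z_-]+:.*?## .*$$'` relies on `.*?`, which is not a non-greedy quantifier in POSIX ERE; since `## ` is a literal, `.*## ` is equivalent and portable.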
@@ -1,270 +0,0 @@ -# Top Attack Technique Methodology - -A top technique list should be actionable and driven by threat intelligence. Which drove the direction of our prioritized list and methodology to consist of algorithms, math, and analysis on the backend. The Centerโ€™s methodology is composed of three different components - **actionability**, **choke point**, and **prevalence**. Algorithms for each component were created to determine a techniqueโ€™s weight within a specific component, and then each component weight is combined to give an overall confidence score. - -![Screen Shot 2022-05-03 at 12 45 21 PM](https://user-images.githubusercontent.com/86126040/166500489-9a55d85a-f836-4279-aec6-bd93d8e96b8e.png) - -
- -## Table of Contents - - - [Prevalence](#prevalence) - - [Why do we want to include Prevalence](#why-do-we-want-to-include-prevalence) - - [Framing the Analysis](#framing-the-analysis) -- [Top Attack Technique Methodology](#top-attack-technique-methodology) - - [Table of Contents](#table-of-contents) - - [Prevalence](#prevalence) - - [Why do we want to include Prevalence](#why-do-we-want-to-include-prevalence) - - [Framing the Analysis](#framing-the-analysis) -- [Choke Point](#choke-point) - - [Why do we want to include Chokepoints](#why-do-we-want-to-include-chokepoints) - - [Executive Summary](#executive-summary) - - [Framing the Analysis](#framing-the-analysis-1) - - [Proposal for the choke point metric:](#proposal-for-the-choke-point-metric) - - [Utility functions](#utility-functions) - - [Attribute weighting](#attribute-weighting) - - [Plotting Chokepoint](#plotting-chokepoint) -- [Actionability](#actionability) - - [Why do we want to include Actionability](#why-do-we-want-to-include-actionability) - - [Finding Actionability:](#finding-actionability) - - [Framing the Analysis](#framing-the-analysis-2) - - [Defining Attribute Weighting](#defining-attribute-weighting) - - [How to Get Weights from Weighting Ratios (Optional Reading)](#how-to-get-weights-from-weighting-ratios-optional-reading) - - [What if we have more than two attributes? (Optional Reading)](#what-if-we-have-more-than-two-attributes-optional-reading) - -
- -## Prevalence - -Prevalence: the frequency of which an attacker uses a specific MITRE ATT&CK technique over a period of time. - -### Why do we want to include Prevalence - -This methodology allows us to see which techniques are actually being observed during cyber intrusions. With this knowledge, defenders can tailor their detection tools to look for those techniques that have the highest frequency and are the most current. - -The prevalence methodology is populated with data from the Sightings Ecosystem. Each Sighting represents one or more ATT&CK techniques used by an adversary on (or to target) victim infrastructure. For more information on Sightings, click here. - -There are a few limitations with our data that are important to understand. First, our data is limited to the data that was shared with us by our contributors. This data is not all-inclusive and is not representative of all attacks around the world. Second, our data is scoped from 1 April, 2019 to 31 July, 2021. Finally, our data is limited to how our contributors map data to ATT&CK. It is unclear if an increase in a certain technique means that it occurred more often or if it was detections simply improved. - -When looking at our data, it is important to remember that defending against our most observed techniques will not protect you from all adversary activity. It will only protect you from the adversary activity most observed by Sightings contributors. Despite these barriers, the Sightings data has given great insights into techniques that are frequently used by adversaries and its inclusion in our Top ATT&CK Techniques methodologies is helps insert real-world data into our analysis. 
- -## Framing the Analysis - -**Proposal for the prevalence metric:** - -For a technique that has attack times {t0, t1, โ€ฆ , tn}, we calculate the techniqueโ€™s un-normalized prevalence score as: ![Prev1](https://user-images.githubusercontent.com/86126040/166496655-165e31c0-2831-41d1-babb-6349935a6ffb.png) Where ๐‘ค is the time weighting function which assigns a weight (between zero and one) to an attack based on its proximity to the present time (๐‘ก๐‘›๐‘œ๐‘ค). It is defined by - -![Prev2](https://user-images.githubusercontent.com/86126040/166496797-6db935f9-f33a-40a2-bc14-c8606389dd56.png) -Here, ฮ”๐‘ก is the time between the attack and the present time. We have three parameters in the weighting function that can be adjusted: - -- ๐‘“๐‘ข๐‘™๐‘™ is the number of days into the past (relative to the present) for which we want attacks to be given full weighting. The weighting of attacks will start to decline if they occur more than ๐‘“๐‘ข๐‘™๐‘™ days into the past -- ๐‘‘๐‘’๐‘๐‘™๐‘–๐‘›๐‘’ is the number of days after ๐‘“๐‘ข๐‘™๐‘™ has been reached over which the weighting decreases to its minimum value. This controls the "steepness" of the falloff -- ๐‘ค๐‘š๐‘–๐‘› is the minimum weight an attack can have. Attacks that occurred more than ๐‘“๐‘ข๐‘™๐‘™+๐‘‘๐‘’๐‘™๐‘๐‘–๐‘›๐‘’ days into the past will have a weighting of ๐‘ค๐‘š๐‘–๐‘›. This controls the "strength" of the weighting -The combination of these three parameters control the strength and rate of weighting. For example, if we want weighting to gradually decrease to zero over a long period of time, then we may set ๐‘ค๐‘š๐‘–๐‘›:=0 and ๐‘‘๐‘’๐‘๐‘™๐‘–๐‘›๐‘’ to be large. 
- -The weighting function and its parameters may sound complicated in text, but it is best understood visually: -Prev3 -Some examples of the weighting function using various parameters are given below: -Prev4 - -Normalizing prevalence scores - -Since only a few techniques make up a large majority of all sightings, we need to be careful about accounting for these outliers when we put the prevalence scores on a zero-to-one scale. - -![Prev5](https://user-images.githubusercontent.com/86126040/166499610-e09418f5-6eab-48f5-9d9e-c6fbf1da1b1a.png) -This is a histogram of the distribution of prevalence scores across all techniques for which we have attack times. Note that there are a few techniques that have a prevalence score that is FAR greater than the scores for every other technique. If we normalize the scores using the min-max normalization described above, those few techniques would get a score somewhere around 0.8-1.0, while the vast majority of techniques would get a score close to zero. - -For now, we can take care of this by scaling according to a specified โ€œpercentile cutoff.โ€ For example, if we set the cutoff equal to 0.9, then techniques that have a score in the 90th percentile and above (i.e. in the top 10% of techniques) will receive a score equal to 1, while techniques that are below the 90th percentile will be scaled using the score of the 90th percentile as the โ€œmax.โ€œ - -Limitations - -There are several important considerations when reading the Sightings results. First and foremost, there was a limited number of contributors. This means our data does not provide a comprehensive view of the threat landscape. There are techniques not present in our dataset which may be relevant to organizations depending on their environment and relative risk. - -The data received was limited to the visibility of the companies who graciously contributed their data to the Sightings Ecosystem. 
Each contributor has different visibility because of demographics of their customer base, the location of their sensor technology (e.g., external to the network or on an email server), and their relative ability to detect specific activity. We hoped to overcome these limitations by recruiting a large number of contributors, but our limited number means there remains a visibility bias in our results. - -Our results are further limited by how our contributors map techniques to ATT&CK. Depending on when techniques are mapped in an incident investigation and how formalized the mapping process is, it is not unrealistic to think that several Sightings may have been mis-mapped. - -Aggregating data from multiple contributors also impacted our results. When we aggregated the data, we lost context on the adversaries and detections. We did not have deep insight into how the techniques are detected, which meant that we struggled to determine whether an increase in activity was caused -by increased adversary activity or by improved detections. - -# Choke Point - -Choke Point: a specific technique where many other techniques converge or diverge, and eliminating that specific technique would cause disruption to an adversary - -## Why do we want to include Chokepoints - -Analyzing chokepoints can assist defenders to pinpoint critical techniques needed to be successful in an attack. These techniques serve as the common denominator amongst in otherwise disparate attacks. For instance, T1047 (WMI) can serve as a choke point because there are a many other techniques that can be executed after an adversary executes WMI. Defending against malicious WMI usage can limit the potential attack path that an adversary might have used. 
- -## Executive Summary - -The MITRE team subjectively analyzed open-source threat reports and cyber incidents to identify techniques that had many techniques achieve multiple objectives, and common techniques that had many other techniques leading up to it and happening after it. We created one-to-many, many-to-one, and many-to-many mappings to help us find out choke points. MITRE ATT&CK Tactics were first used to narrow scope and help determine likelihood of chokepoint techniques. The team defined preceding and subsequent techniques for each chokepoint. Total count of preceding and subsequent techniques are assigned an attribute. The attribute is the confidence level, confidence level is the techniqueโ€™s probability to offer more avenues for a successful attack. - -Future Recommendations: In depth chokepoint analysis may require ML/AI components to visualize and predict all viable paths an attacker could take. An attack graph would display a representation of paths an adversary has successfully achieved a goal. At a high level, a type of representation would resemble a web where techniques branch out and co-occurrences can be identified. The attack graph can implement userโ€™s implemented controls to better define what pathways are more likely to be explored by an attacker - -Limitations: The method we used to find choke points is highly subjective. Our analysis was done by manually examining each technique, searching for references in CTI, and identifying before and after techniques. For some techniques, - -## Framing the Analysis - -To help limit the scope of techniques to review, the team first looked at MITRE ATT&CK Tactics that could potentially produce low Choke Point confidence levels. Tactics at the beginning and end of a cyber kill chain would not have many before and after techniques to produce high probability of an effective attack flow. 
Techniques under the Reconnaissance and Resource Development Tactics received a baseline of 0:1 to indicate at least one technique would take place after them. Techniques under the Impact Tactic received a baseline of 1:0 indicating at least one technique had taken place prior to them. Impact techniques are scoped as the adversaries cumulative objective so follow-on techniques were not considered. All other Tactics received a 1:1 baseline as at least one technique would occur before and after their facilitation. - -The MITRE team considered choke point to be the middle technique where many other techniques could go into and come out of in an attack flow proceeding. -![CP1](https://user-images.githubusercontent.com/86126040/166457990-f0629a02-0929-4872-acd4-bfe0a8ce84b6.png) -MITRE Technique T1055: Process Injection is a great example of many techniques calling Process Injection as the next technique in succession for the cyber attack then proceeding to any number of other techniques afterwards. -![CP2](https://user-images.githubusercontent.com/86126040/166458032-4f0ffff5-1ca1-4d26-b36a-e3cc54855942.png) -MITRE Technique T1491: Defacement is a great example of how only one technique could funnel into another and there wouldnโ€™t be a following technique after Defacement. - -By utilizing the same equation as Actionability, this allows us to understand and interpret the confidence level of choke point and to set parameters. This method is much clearer to see what the inputs are and how changing them will change the output. This method also does not make any assumptions about the structure of the connections between techniques beyond the data that was initially used. 
- -### Proposal for the choke point metric: - -The chokepoint formula for a technique is written as ![CP3](https://user-images.githubusercontent.com/86126040/166458124-ecd002b2-4904-4d97-8fc6-8b304b7d9b31.png) -Here ๐‘ฅ๐‘ and ๐‘ฅ๐‘Ž are the number of before and after techniques for the technique in question, while ๐‘ข๐‘ and ๐‘ข๐‘Ž are their โ€œutilityโ€œ functions. Finally, ๐‘ค๐‘ and ๐‘ค๐‘Ž are the weights for before and after techniques, which are define further below using relative weighting ratios. - -### Utility functions - - -For each potential chokepoint, we have two attributes: the number of before techniques it has, and the number of after techniques it has. In order to combine them, we define โ€œutilityโ€œ functions ๐‘ข๐‘ and ๐‘ข๐‘Ž for # before and # after, respectively. These functions define the "value" of different values have the form -![CP4](https://user-images.githubusercontent.com/86126040/166491936-8c850ff3-cf42-4f5c-bbfa-80d7f6394089.png) -Where ๐‘ฅ is the value of some attribute (ex: # of before techniques), and ๐‘ข๐‘๐‘๐‘’๐‘Ÿ and ๐‘™๐‘œ๐‘ค๐‘’๐‘Ÿ are the upper and lower "cutoffs" for that attribute. Values below the lower cutoff have zero utility, values above the upper cutoff have maximum utility. We set these to the smallest "useful" number of before or after techniques - -[note: the upper cutoff should be no larger than the largest value for its attribute, and the lower cutoff should be no lower than the smallest value for its attribute.] - -Examples of potential utility functions are illustrated below: -CP5 - -### Attribute weighting - - -We define the weights ๐‘ค๐‘ and ๐‘ค๐‘Ž by a "weighting ratio" which is set by asking how many after techniques is "worth" one before technique: -![CP6](https://user-images.githubusercontent.com/86126040/166492276-6c988b84-2942-4df4-83f7-b741dfbaab31.png) -If you want them to be weighted equally, set this equal to 1. 
If you want before techniques to be worth 1.2 after techniques, set this equal to 1.2. Below is how to go from this ratio to the actual weights ๐‘ค๐‘ and ๐‘ค๐‘Ž. - -First, we find the un-normalized weights ๐‘คโ€ฒ๐‘ and ๐‘คโ€ฒ๐‘Ž. Set -![CP7](https://user-images.githubusercontent.com/86126040/166492781-160192ce-7581-4954-9e65-7f30cf610e0b.png) -Then normalize so that they add up to 1 to get the actual weights: -![CP8](https://user-images.githubusercontent.com/86126040/166492859-552330fc-b246-42b5-9094-aee64c3d81d2.png) - Here is how the expression for ๐‘คโ€ฒ๐‘ and ๐‘คโ€ฒ๐‘Ž was derived: - The chokepoint formula is ![CP9](https://user-images.githubusercontent.com/86126040/166492908-f2c7f3f3-b882-4e41-9ddf-18b2ff49bbd4.png) -if ๐‘™๐‘œ๐‘ค๐‘’๐‘Ÿ๐‘ โ‰ค ๐‘ฅ๐‘ โ‰ค ๐‘ข๐‘๐‘๐‘’๐‘Ÿ๐‘ and ๐‘™๐‘œ๐‘ค๐‘’๐‘Ÿ๐‘Ž โ‰ค ๐‘ฅ๐‘Ž โ‰ค ๐‘ข๐‘๐‘๐‘’๐‘Ÿ๐‘Ž (i.e. they are both in the main "linear domain") then we can write this as ![CP10](https://user-images.githubusercontent.com/86126040/166492963-222ef713-8e1f-41a4-b650-eb381f7f1567.png) -In order to be weighted according to the ratio we specified, the weights ๐‘ค๐‘ and ๐‘ค๐‘Ž should be set so that the following relation is satisfied: -![CP11](https://user-images.githubusercontent.com/86126040/166493013-73844486-792b-4f39-bc0a-13d0967ee377.png) -the derivatives of ๐ถ are: -![CP12](https://user-images.githubusercontent.com/86126040/166493050-e72c298e-4273-4ac7-8540-340f9e779c89.png) -When we plug these into the above relation, we see that the relation to be satisfied becomes -![CP13](https://user-images.githubusercontent.com/86126040/166493079-33fb8d79-5d5a-42b7-a927-464b837b0b32.png) - So we can set ๐‘ค๐‘:=1 and use the above relations to find a value for ๐‘ค๐‘Ž. 
- -### Plotting Chokepoint - - -We can make a scatter plot of the number of before and after techniques among the potential chokepoints: -![CP14](https://user-images.githubusercontent.com/86126040/166493139-d278b9b7-f4d3-4386-91a6-43e7aab8681f.png) -And we can overlay this with a contour plot of the actual chokepoint function (patches of the same color have roughly the same chokepoint score) -![CP15](https://user-images.githubusercontent.com/86126040/166493191-62203dce-faab-4fef-bc07-cd006be6f77c.png) - and we can compare this with a plot of what the chokepoint function would look like had we not used utility functions to scale the number of before and after techniques - ![CP16](https://user-images.githubusercontent.com/86126040/166493218-213ab408-c63e-457f-aa95-5026dec08bd3.png) - -# Actionability - -Actionability: The opportunity for a defender to detect or mitigate against each ATT&CK technique based on publicly available analytics and security controls. - -## Why do we want to include Actionability - -Itโ€™s important to understand how a defender can take action to protect themselves against a specific technique. Depending on the amount of publicly available detections and mitigations per technique, this allows the defender the ability respond to an incident faster, or to prevent the incident all together. - -### Finding Actionability: - - -We broke down actionability into two categories: detections and mitigations. - -For detections, we reviewed several publicly available analytic resources and mapped each of them to ATT&CK. The repositories we used were MITREโ€™s Cyber Analytic Repository, Elastic, Sigma HQ's rules , and Splunk Detections. - -For mitigations, we reviewed security controls from two publicly available repositories and mapped each of them to ATT&CK. The repositories we used were CIS Critical Security Controls and NIST 800-53 Security Controls. - -We then made a total count of all detections and mitigations available for each ATT&CK technique. 
Techniques that have a greater amount of detections and mitigations are weighted more heavily than those with a lower amount. If a technique has a limited number of ways to detect or protect against it, we believe defending against those techniques will provide diminishing returns and more attention should be placed elsewhere. - -For instance, T1014 (rootkit) has zero detections or mitigations in the repositories that we referenced. Since rootkits are better identified by heuristics and forensics than analytics and security controls, a disproportionate amount of resources would need to be used to detect or prevent against them. Those resources could be better allocated defending against techniques that are more easily detected, but just as dangerous. - -There are a few limitations to this methodology. First, we did not search each repository to see if each analytic or control was still valid or if there were duplicates. Second, we did not differentiate for analytics that are similarly related. For instance, an analytic looking for Powershell executing an encoded command and one for Powershell executing Mimikatz would both count for T1053 (command and scripting interpreter). We tried to account for these limitations by setting upper bounds. After a certain point, the value of each additional analytic and control does not provide the same value to the defender. Because of this, any detections and controls over 100 and 55, respectively, do not change the weighted list. - -Finally, we recognize that for some, defending against rootkits, or other similarly stealthy techniques, is just as, if not more, important than other techniques. We tried to account for this by allowing users to choose which analytics and controls should be included in the weighted list. - -We then made a total count of all detections and mitigations available for each ATT&CK technique. 
Techniques that have a greater amount of detections and mitigations are weighted more heavily than those with a lower amount. If a technique has a limited number of ways to detect or protect against it, we believe defending against those techniques will provide diminishing returns and more attention should be placed elsewhere. - -![Acionability1](https://user-images.githubusercontent.com/86126040/166447108-ba373eb2-9ce9-4f27-b167-59888aee6514.png) -You can see there are quite a few outliers, especially for detections. Keep in mind that there are known to be duplicates, so there is likely some double counting. - -## Framing the Analysis - -This approach is based on techniques for "Multiple-criteria decision-making." - -Attribute Utilities - -Each technique has two attributes for determining actionability: the number of available detections, and the number of available mitigations. In order to combine them into a single score, we'll need to normalize using a "utility" function ๐‘ข for each of these attributes. This will map the value of an attribute to a number between 0 and 1 which indicates how much that value contributes to actionability. - -For simplicity and interoperability, We would recommend using a piecewise linear utility function, like this: ![Actionability2](https://user-images.githubusercontent.com/86126040/166447290-ff0c2a48-f1b5-4a5e-8248-b329a49b99bb.png) -Here, ๐‘ฅ is the value of some attribute (ex: # mitigations), ๐‘ข๐‘๐‘๐‘’๐‘Ÿ and ๐‘™๐‘œ๐‘ค๐‘’๐‘Ÿ are the upper and lower "cutoffs" for that attribute. Values below the lower cutoff have zero utility, values above the upper cutoff have maximum utility. - -For example, if 130 detection methods are not much more "valuable" than 100, then we may consider specifying an upper cutoff of 100 for detections. Conversely, if 10 detection methods isn't much more valuable than 0 methods then we might set the lower cutoff to be 10. 
Moreover, using cutoffs like this will prevent cases where a technique has a very large number of detections but absolutely no mitigations might still get a high actionability score. - -[notes: upper cutoff should be no larger than the largest value for its attribute, and lower cutoff should be no lower than the smallest value for its attribute] - -Bottom line: For each attribute (# detections and # mitigations), set the lower cutoff to the smallest value that "usefully" contributes to actionability (default to the lowest value), and set the upper cutoff to the largest value that "usefully" contributes to actionability (default to something close to the largest value). - -These cutoffs need to be specified for multiple reasons: - -- In order to combine mitigations and detections into a single function, they must both be on the same scale. If we were to scale them according to the smallest and largest values for each, then the scaling would be determined by the (likely double-counted) outliers -- Prevent a technique with no mitigations but many detections from receiving an inflated actionability score -- Prevent the weighting from changing when new data (potentially a very large outlier) gets added -For my example scores I'm using cutoffs of 0 and 100 for detections, and 0 and 55 for mitigations. - -Examples of potential utility functions are illustrated below: -Actionability3 - -### Defining Attribute Weighting - - -We then define weights for each of the attributes to rank their importance. 
Once we have the weights defined, the Actionability score is computed as: -![Actionability4](https://user-images.githubusercontent.com/86126040/166447417-33624986-5fc8-47a6-a45b-f80708ca1aaf.png) - so in our case with number of detections and number of mitigations as our attributes, it will be: - ![Actionability5](https://user-images.githubusercontent.com/86126040/166447456-5e00dbe3-4959-4aa5-a2b0-07348f564343.png) -Where ๐‘ฅ๐‘‘ and ๐‘ฅ๐‘š are the raw counts of detections and mitigations, ๐‘ค๐‘‘ and ๐‘ค๐‘š are their weights, and ๐‘ข๐‘‘ and ๐‘ข๐‘š are their utility functions. - -Since we are using utility functions, we need to be careful with how we define the weights. - -Bottom line: to make sure the weights have a "physical" meaning, we will define them using weighting ratios -![Actionability6](https://user-images.githubusercontent.com/86126040/166447498-3a6b7ea6-cf65-45b8-9be1-4ceba3f7b971.png) -If we want 1 mitigation to be worth 2 detections, then we'd set ![Actionability7](https://user-images.githubusercontent.com/86126040/166447525-6ca66218-df6a-446e-bcf6-143ccfa2ccf1.png) =2. This method can be extended to problems with more than two attributes. - -### How to Get Weights from Weighting Ratios (Optional Reading) - -The actionability formula is: -![Actionability8](https://user-images.githubusercontent.com/86126040/166456729-94cc416b-1982-4d8d-befd-684aff2cebc1.png) -(i.e. 
they are both in the main "linear domain") then we can write this as -![Actionability10](https://user-images.githubusercontent.com/86126040/166456940-a17e7965-e676-40ce-a981-953acc038bca.png) -If we want each mitigation to be worth two detections, then we should set the ๐‘ค๐‘š and ๐‘ค๐‘‘ so that the following relation is satisfied (if the ratio is changed, then you would change the 2 here to whatever the new ratio is): -![Actionability11](https://user-images.githubusercontent.com/86126040/166457059-bee04736-206b-4d7d-91fc-8c5758df7d14.png) -the derivatives of A are: -![Actionability12](https://user-images.githubusercontent.com/86126040/166457130-940ffd8d-480c-4a28-b59b-5ebf6faffbce.png) -When we plug these into the above relation, we see that the relation to be satisfied becomes -![Actionability13](https://user-images.githubusercontent.com/86126040/166457195-2d0b22fb-f2bc-4abb-be25-2a3fb8e42d0c.png) -So we can set ๐‘ค๐‘š:=1 and use the above relations to find a value for ๐‘ค๐‘‘. -![Actionability14](https://user-images.githubusercontent.com/86126040/166457258-7cb9e50e-bf1e-4ffd-a5d5-7d1af2bba3f0.png) -Then, to ensure actionability ranges from zero to one, we just need to normalize the weights so that they add up to one (i.e. we want ๐‘ค๐‘‘ + ๐‘ค๐‘š = 1.) We can do this by dividing each un-normalized weight by the sum of all weights: -![Actionability15](https://user-images.githubusercontent.com/86126040/166457353-9cc9459b-d28d-403d-92fe-1b79ce2f61ec.png) -where ๐‘คโ€ฒ๐‘š and ๐‘คโ€ฒ๐‘‘ are the values of ๐‘ค๐‘š and ๐‘ค๐‘‘ before normalizing. - -### What if we have more than two attributes? (Optional Reading) - - -For actionability we may want to incorporate some weighting for the number of ATT&CK datasources each technique has. Furthermore, this method might be used for one of the other scores, which may have more than two attributes. It is not too difficult to generalize this to work with three or more attributes. 
- -Suppose we have 5 attributes, named ๐‘Ž, ๐‘, ๐‘, ๐‘‘, and ๐‘’, and each attribute has an upper and lower cutoff. The steps to defining their weights are: -![d13f8e0a-5df5-4084-b4be-171b64f6246c](https://user-images.githubusercontent.com/86126040/166452540-e2e38716-4d6e-4744-a2a2-4d834e888785.png) -This is a contour plot of actionability scores -- patches of the same color have (roughly) the same value of actionability - -- Actionability ranges from zero to one. This will make things much easier when it comes time to combine the scores from actionability, chokepoint and so on. -- You can see that the highest score that a technique with no mitigations can have is about 0.45 -![Actionability16](https://user-images.githubusercontent.com/86126040/166452592-07ca9b02-0aab-4f4d-b466-ff85209f67f7.png) -Here's what actionability would look like if we didn't use utility functions to scale detections and mitigations. We can see that actionability is now unbounded, which will make things difficult to combine later on. Also, even if a technique has zero mitigations, it could still recieve a high actionability score if its detections is high enough. -![Actionability18](https://user-images.githubusercontent.com/86126040/166452611-7f60e40a-f29d-403a-878d-6c4872c7f546.png) diff --git a/README.md b/README.md index 5db091a..fbd30dd 100644 --- a/README.md +++ b/README.md 
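Review bot: removing Methodology.md deletes the in-repo definition of the three scoring components, including the prevalence weighting parameters (full, decline, w_min) and percentile cutoff, the utility-function cutoffs (0 and 100 for detections, 0 and 55 for mitigations, the "1 Mitigations = 2 Detections" ratio) and the derivation of weights from weighting ratios. The equations in this file were referenced as images hosted under user-images.githubusercontent.com rather than stored in the repository, so once the file is gone nothing here preserves them; confirm that the website methodology page the new README links to carries the formulas and parameter defaults, and consider leaving a short Methodology.md stub that points there so existing links to blob/main/Methodology.md (the old README used one) do not break.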
@@ -1,133 +1,70 @@ # Top ATT&CK Techniques -Top ATT&CK Techniques provides defenders with a systematic approach to -prioritizing ATT&CK techniques. Our open methodology considers technique -prevalence, common attack choke points, and actionability to enable defenders to -focus on the ATT&CK techniques that are most relevant to their organization. +Top ATT&CK Techniques provides defenders with a systematic approach to prioritizing +MITRE ATT&CKยฎ techniques. Our methodology considers technique prevalence, common +attack choke points, and actionability to enable defenders to focus on the ATT&CK +techniques that are most relevant to their organization. **Table of Contents:** - [Getting Started](#getting-started) -- [Overview](#overview) -- [Limitations](#limitations) - [Getting Involved](#getting-involved) - [Questions and Feedback](#questions-and-feedback) -- [How Do I Contribute?](#how-do-i-contribute) - [Notice](#notice) ## Getting Started -To get started, try using the web-based calculator. If you want to go deeper, review the -methodology and consult the Excel calculator spreadsheet to see the underlying data and -computations. - -| Resource | Description | -| ------------------------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------------------------------------------- | -| [Web Calculator](https://top-attack-techniques.mitre-engenuity.org/) | A web-based calculator for building customized priority lists of techniques tailored to your needs. | -| [Methodology](https://github.com/center-for-threat-informed-defense/top-attack-techniques/blob/main/Methodology.md) | An overview of the algorithms and analysis that went into creating the calculator. | -| [Excel Calculator](https://github.com/center-for-threat-informed-defense/top-attack-techniques/raw/main/Calculator.xlsx) | The Excel version of the Top ATT&CK Techniques calculator. 
| -| [Excel Calculator README](https://github.com/center-for-threat-informed-defense/top-attack-techniques/blob/main/Calculator.md) | Guidance for using the Top ATT&CK Techniques Excel calculator. | - -## Overview - -The Top ATT&CK Techniques Calculator makes it easy to build customized lists of -high-priority ATT&CK techniques lists. The prioritization is based on a -[methodology](./Methodology.md) that incorporate technique prevalence, choke point -analysis and actionability. - -image - -Users can create a top 10 technique list tailored to their -organization. The user inputs include filters for the operating system, security -controls, detection analytics, and modifiers for process and network monitoring -coverage. The calculator displays the top 10 techniques and provides the option -to export every technique in v14 of ATT&CK in JSON format. - -image - -Along with giving defenders a tool to help prioritize techniques, the project -wanted to put our methodology to practical use and produce a top 10 list that -was focused on a specific topic. A ransomware list was selected because -ransomware is wide-reaching, indiscriminate, and relevant. This list is the -Centerโ€™s assessment of which techniques a defender should prioritize to protect -themselves against a ransomware attack. - -To create this ransomware list, the projectโ€™s methodology was used and -supplemented by adding a separate component that is specific to the Centerโ€™s -ransomware analysis. To feed this component, CTI (Cyber Threat Intelligence) -reporting on 22 different ransomware families was reviewed and extracted -techniques that were used during ransomware attacks. The more times a technique -was seen across the 22 groups, the higher the weight. - -## Limitations - -ATT&CK was never created with the intent of assigning values to each technique. -It is a compendium of things adversaries have done and gives defenders a common -lexicon. 
Therefore, quantifying the data within ATT&CK is a bit precarious. This -project applied discrete values to abstract ideas and generated a weighted score -for every technique. - -The data used for this analysis was hardly perfect, which led to some flawed -inputs. Flawed inputs lead to flawed outputs, which means that this top 10 list -should not be seen as a declaration that you only need to defend against the top -10 techniques. This list should serve as a starting point for a more holistic -approach to systematically improving defensive capabilities. - -There are certainly gaps and errors with our approach, but in the Center, we are -always trying to advance the state of threat-informed defense. This is our first -attempt at creating a methodology to prioritize ATT&CK techniques and we plan to -make improvements. To do that, we need your feedback. Please share with us what -is working, what isnโ€™t working, and how we can make this more beneficial to you. +The website hosts all of the resources for this project. The website is linked below +along with some shortcuts to important pages on the website. + +| Resource | Description | +| ----------------------------------------------------------------------------------- | -------------------------------------------------------------------------- | +| [Web Site](https://top-attack-techniques.mitre-engenuity.org/) | The website hosts the calculator, methodology, and ransomware top 10 list. | +| [Ransomware Top 10](https://top-attack-techniques.mitre-engenuity.org/top-10-lists) | A curated top 10 list created by our expert ATT&CK analysts. | +| [Calculator](https://top-attack-techniques.mitre-engenuity.org/calculator) | An interactive calculator for producing your own, customized top 10 lists. | +| [Methodology](https://top-attack-techniques.mitre-engenuity.org/methodology) | An overview of the algorithms and analysis that power the calculator. 
| ## Getting Involved There are several ways that you can get involved with this project and help advance threat-informed defense: -- **Review the methodology, use the calculator, and tell us what you think.** - We welcome your review and feedback on the calculator and our methodology. -- **Help us prioritize improvements.** Let us know where we can improve. Your - input will help us prioritize improvements. -- **Share your use cases.** We are interested in hearing from you about your use - cases and ideas. Tell us how you leveage the Top ATT&CK Techniques resources - and share your ideas for improving upon this foundation. +- **Review the Ransomware Top 10 list.** + If ransomware is a threat that your organization is tracking and working to mitigate, consult our Ransomware Top 10 list align your effort with our analytical process. +- **Make your own top 10 list.** Use the calculator to create your own customized top 10 + list of ATT&CK techniques. +- **Spread the word.** If you find Top ATT&CK Techniques valuable, share your experience + with your industry peers. ## Questions and Feedback -Please submit issues for any technical questions/concerns or contact -ctid@mitre-engenuity.org directly for more general inquiries. - -Also see the guidance for contributors if are you interested in contributing or -simply reporting issues. - -## How Do I Contribute? +Please submit [issues on +GitHub](https://github.com/center-for-threat-informed-defense/top-attack-techniques/issues) +for any technical questions or requests. You may also contact +[ctid@mitre-engenuity.org](mailto:ctid@mitre-engenuity.org?subject=Question%20about%20top-attack-techniques) +directly for more general inquiries about the Center for Threat-Informed Defense. -We welcome your feedback and contributions to help advance our methodology. 
-Please see the guidance for contributors if are you interested in [contributing -or simply reporting issues.](/CONTRIBUTING.md) - -Please submit -[issues](https://github.com/center-for-threat-informed-defense/top-attack-technique/issues) -for any technical questions/concerns or contact ctid@mitre-engenuity.org -directly for more general inquiries. +We welcome your contributions to help advance Top ATT&CK Tehcniques in the form +of [pull +requests](https://github.com/center-for-threat-informed-defense/top-attack-techniques/pulls). +Please review the [contributor +notice](https://github.com/center-for-threat-informed-defense/top-attack-techniques/blob/main/CONTRIBUTING.md) +before making a pull request. ## Notice -Copyright 2022 MITRE Engenuity. Approved for public release. Document number -CT0047 +ยฉ 2022, 2024 MITRE Engenuity. Approved for public release. Document number(s) CT0047. -Licensed under the Apache License, Version 2.0 (the "License"); you may not use -this file except in compliance with the License. You may obtain a copy of the -License at +Licensed under the Apache License, Version 2.0 (the "License"); you may not use this +file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 -Unless required by applicable law or agreed to in writing, software distributed -under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR -CONDITIONS OF ANY KIND, either express or implied. See the License for the -specific language governing permissions and limitations under the License. - -This project makes use of ATT&CKยฎ +Unless required by applicable law or agreed to in writing, software distributed under +the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +KIND, either express or implied. See the License for the specific language governing +permissions and limitations under the License. 
-[ATT&CK Terms of Use](https://attack.mitre.org/resources/terms-of-use/) +This project makes use of ATT&CKยฎ: [ATT&CK Terms of +Use](https://attack.mitre.org/resources/terms-of-use/) diff --git a/index.html b/index.html index b9373f2..fece48d 100644 --- a/index.html +++ b/index.html @@ -2,7 +2,16 @@ - + + diff --git a/public/favicon-dark.ico b/public/favicon-dark.ico new file mode 100644 index 0000000..3278f5f Binary files /dev/null and b/public/favicon-dark.ico differ diff --git a/public/favicon-light.ico b/public/favicon-light.ico new file mode 100644 index 0000000..3359b0f Binary files /dev/null and b/public/favicon-light.ico differ diff --git a/public/favicon.ico b/public/favicon.ico deleted file mode 100644 index df36fcf..0000000 Binary files a/public/favicon.ico and /dev/null differ diff --git a/scripts/update_techniques.js b/scripts/update_techniques.js index 04acb1f..8fec731 100644 --- a/scripts/update_techniques.js +++ b/scripts/update_techniques.js @@ -18,8 +18,9 @@ const DESTINATION_FILE = "src/data/Techniques.json"; tid: r.getCell(1).value, name: r.getCell(2).value, description: r.getCell(3).value, - url: r.getCell(4).hyperlink, - tactics: r.getCell(8).value.toString().split(", "), + url: r.getCell(4).hyperlink + ? r.getCell(4).hyperlink + : r.getCell(4).value, detection: r.getCell(9).value, platforms: r.getCell(10).value.toString().split(", "), data_sources: r.getCell(11).value @@ -47,9 +48,9 @@ const DESTINATION_FILE = "src/data/Techniques.json"; if (r.number > 1) { const m = { mid: r.getCell(1).value, - name: r.getCell(2).value, - description: r.getCell(3).value, - url: r.getCell(4).hyperlink, + name: r.getCell(3).value, + description: r.getCell(4).value, + url: r.getCell(5).hyperlink, }; mitigations.push(m); } diff --git a/src/assets/logo-horizontal-white.png b/src/assets/ctid-logo-horizontal-white.png similarity index 100% rename from src/assets/logo-horizontal-white.png rename to src/assets/ctid-logo-horizontal-white.png 
diff --git a/src/assets/logo-horizontal-white.svg b/src/assets/logo-horizontal-white.svg new file mode 100644 index 0000000..a55c3a6 --- /dev/null +++ b/src/assets/logo-horizontal-white.svg @@ -0,0 +1,11 @@ + + + + + + + + + + + diff --git a/src/assets/logo-line-white.svg b/src/assets/logo-line-white.svg new file mode 100644 index 0000000..c5b0a3b --- /dev/null +++ b/src/assets/logo-line-white.svg @@ -0,0 +1,11 @@ + + + + + + + + + + + diff --git a/src/assets/logo-vertical-white.svg b/src/assets/logo-vertical-white.svg new file mode 100644 index 0000000..7198d6c --- /dev/null +++ b/src/assets/logo-vertical-white.svg @@ -0,0 +1,11 @@ + + + + + + + + + + + diff --git a/src/components/CalculatorFilters.vue b/src/components/CalculatorFilters.vue index 3f3df78..bed4d88 100644 --- a/src/components/CalculatorFilters.vue +++ b/src/components/CalculatorFilters.vue @@ -5,16 +5,16 @@ :header="calculatorStore.filterProperties[group].label">
+ aria-label="Select all" :input-id="`select_all_${group}`" @change="select(group)">
+ :binary="true" :aria-labelledby="option.id" class="my-auto"> - +
diff --git a/src/components/DownloadListButton.vue b/src/components/DownloadListButton.vue index 8b3870d..2bf72e7 100644 --- a/src/components/DownloadListButton.vue +++ b/src/components/DownloadListButton.vue @@ -73,7 +73,7 @@ export default defineComponent({ "versions": { "navigator": "4.8.0", "layer": "4.5", - "attack": 10.1, + "attack": this.calculatorStore.attackVersion, }, "sorting": 3, "description": "Top ATT&CK Techniques heatmap overview of ATT&CK", diff --git a/src/components/NavigationFooter.vue b/src/components/NavigationFooter.vue index 0049d9d..f8502e5 100644 --- a/src/components/NavigationFooter.vue +++ b/src/components/NavigationFooter.vue @@ -1,40 +1,52 @@ @@ -144,7 +136,7 @@ export default defineComponent({ .container-body, .container-header { - @apply py-4 px-6 + @apply py-3 px-6 } .container-body h3 { @@ -157,7 +149,6 @@ export default defineComponent({ img { object-fit: contain; - /* @apply xl:w-1/3 lg:w-1/2 w-full */ } .link-section h2 { @@ -165,6 +156,6 @@ img { } .btn-primary { - @apply my-2 + @apply my-2 py-3 } diff --git a/src/views/HomePage.vue b/src/views/HomePage.vue index 74b8bad..9368cbb 100644 --- a/src/views/HomePage.vue +++ b/src/views/HomePage.vue @@ -3,30 +3,29 @@
-

- Top ATT&CK Techniques -

-
-

+ + Top Attack Techniques +

+

Top ATT&CK Techniques provides defenders with a systematic approach to prioritizing ATT&CK techniques. Our open methodology considers - technique prevalence, common attack choke points, and actionability + technique prevalence, common ATT&CK choke points, and actionability to enable defenders to focus on the ATT&CK techniques that are most relevant to their organization.

-
+
@@ -35,8 +34,8 @@

Want to Learn More?

-
-
+
+

The methodology page outlines the rationale behind the ATT&CK technique scores and ranking. A techniqueโ€™s score is calculated by @@ -47,7 +46,7 @@

-
+

The help page contains the answers to common questions and issues that may pop up for users of Top ATT&CK Techniques. It also has a @@ -76,6 +75,8 @@ import CalculatorSvg from "@/assets/calculator.svg"; import ListSvg from "@/assets/list.svg"; import BookSvg from "@/assets/book.svg"; import HelpSvg from "@/assets/help.svg"; +import LogoVertical from "@/assets/logo-vertical-white.svg"; +import LogoHorizontal from "@/assets/logo-horizontal-white.svg"; import { useCalculatorStore } from "@/stores/calculator.store"; import TopTenWrapper from "@/components/TopTenWrapper.vue"; @@ -88,6 +89,7 @@ export default defineComponent({ ListSvg, BookSvg, HelpSvg, + LogoVertical, LogoHorizontal }; }, computed: { @@ -100,4 +102,12 @@ export default defineComponent({ }); - + diff --git a/src/views/MethodologyPage.vue b/src/views/MethodologyPage.vue index 351e68b..bc13994 100644 --- a/src/views/MethodologyPage.vue +++ b/src/views/MethodologyPage.vue @@ -2,11 +2,10 @@

Methodology

-

A prioritized list of MITRE ATT&CK techniques should be actionable and driven - by threat intelligence. The Centerโ€™s methodology is composed of three different components - Actionability, - Choke - Point, and Prevalence. Algorithms for each component were created to determine a techniqueโ€™s weight within a - specific component, and then each component weight is combined to give an overall weight.

+

Our top 10 lists of MITRE ATT&CK techniques are designed to be actionable and + driven + by threat intelligence. The Centerโ€™s methodology is composed of three different components: Actionability, + Choke Point, and Prevalence.

@@ -64,7 +63,7 @@ export default defineComponent({ .container-body, .container-header { - @apply py-4 px-6 + @apply py-3 px-6 } .container-body h3 { diff --git a/src/views/TopTen.vue b/src/views/TopTen.vue index 688c5e6..5d894ce 100644 --- a/src/views/TopTen.vue +++ b/src/views/TopTen.vue @@ -2,7 +2,8 @@

Top 10 Lists

-

Explore the most prevalent techniques for different categories, determined by our ATT&CK analysts +

Browse top 10 lists compiled by our ATT&CK experts and tailored to specific threats such as + ransomware.
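Review bot: Deleting Methodology.md removes the only in-repo explanation of why detections and mitigations are passed through utility functions (actionability stays bounded in [0, 1] so it can be combined with choke point and prevalence, and a technique with zero mitigations tops out near 0.45). The new README points readers only at the hosted methodology page, so confirm that page carries this rationale and the contour plots, or keep a short version of the reasoning in the repo.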
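Review bot: Two wording defects in the README hunk: the added Questions and Feedback paragraph reads "advance Top ATT&CK Tehcniques" (should be "Techniques"), and the first Getting Involved bullet is missing a word, "consult our Ransomware Top 10 list align your effort" should be "consult our Ransomware Top 10 list to align your effort". Separately, the hunk drops the whole Limitations section, including the caveat that flawed inputs mean the list is a starting point and not a declaration that only the top 10 need defending; if that text has moved to the website, add a row for it in the Getting Started table so the caveat stays one click away from the README.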
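Review bot: The first update_techniques.js hunk silently drops the `tactics` field from each exported technique record (`- tactics: r.getCell(8).value.toString().split(", "),` has no replacement) while the rest of the object is unchanged. Before merging, grep src/ for consumers of `tactics` (filters, the Navigator layer export, the top 10 rendering) and either restore the field from the new column position or state in the commit message that it is intentionally removed. The hyperlink fallback is sensible; it can be written more compactly as `url: r.getCell(4).hyperlink ?? r.getCell(4).value`.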
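Review bot: The mitigations hunk shifts the name, description and url reads from cells 2, 3, 4 to cells 3, 4, 5, which means the spreadsheet layout changed and the script depends on hardcoded column positions. A future column insertion would again mis-map fields without any error, so consider resolving column indices from the header row (or at minimum asserting the expected header text for each index) so the import fails loudly instead of writing wrong data into src/data/Techniques.json.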
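Review bot: Taking `"attack": this.calculatorStore.attackVersion` from the store instead of the stale literal `10.1` is the right fix, but `"navigator": "4.8.0"` and `"layer": "4.5"` in the same block stay hardcoded; move them beside attackVersion (or into a single versions constant) so the exported layer's version triple is maintained in one place. Also check that the store's attackVersion has the type and format the Navigator layer schema expects for `versions.attack`; the old literal was a number, and a mismatch would surface only when a user imports the downloaded layer.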
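Review bot: The HomePage.vue text hunk changes "common attack choke points" to "common ATT&CK choke points", but the README hunk in this same commit keeps "common attack choke points" in its rewritten intro paragraph. Pick one phrasing and apply it in both places; the methodology names the component "Choke Point" and the README wording matches that better.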
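Review bot: The rewritten MethodologyPage.vue paragraph drops the sentence explaining that an algorithm scores each technique within a component and the component weights are then combined into an overall weight. That one sentence is what tells a reader how the three components relate to a single score; unless it is restated further down the page, keep it after "Choke Point, and Prevalence."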