1. Overview

Prisma Cloud’s monitoring section includes a dashboard for the MITRE ATT&CK framework. The ATT&CK dashboard helps you to contextualize runtime audits, manage them, and generate risk reports.

MITRE ATT&CK is a knowledge base of tactics and techniques that adversaries use to attack applications and infrastructure. It’s a useful framework for threat-informed defense, where a deep understanding of adversary tradecraft can help protect against attacks.

The ATT&CK framework has two key concepts:

  • Tactics - An adversary‚Äôs technical goals.

  • Techniques - How those goals are achieved.

The relationship between tactics and techniques is presented as a matrix. One tactic in the matrix is called Persistence. After establishing a foothold in your environment, adversaries want to reliably return to it. Adversaries use a number of techniques to achieve persistence, such as Account Manipulation and Event Triggered Execution.

2. Cloud Native threat matrix

Prisma Cloud protects cloud native applications running in Kubernetes clusters, serverless functions, Containers-as-a-Service offerings, and virtual machines. The Cloud Native threat matrix covers the different techniques that impact cloud native applications across all these environments. It’s composed from ATT&CK for Linux, recent community efforts around ATT&CK for Containers and Kubernetes, and a few techniques from Prisma Labs. The Cloud Native threat matrix is the foundation for the ATT&CK dashboard.

3. ATT&CK dashboard

The ATT&CK dashboard serves as a portal to the raw events in the Monitor > Events view. All Prisma Cloud audits are mapped to the tactics and techniques in the ATT&CK framework. For example, when Defender detects a crypto miner in your environment, we map the audit to the Resource Hijacking technique under the Impact tactic.

The ATT&CK dashboard collates audits, maps them to the tactics and techniques, and presents the data visually in the ATT&CK matrix. Each card in the matrix shows a count of events. Higher counts represent a higher severity issues. Filters let you slice and dice the data to inspect specific segments of your environment. The dashboard:

  • Presents a real-time view of tactics and techniques being employed by adversaries.

  • Identifies weaknesses in your defenses. Use the counts to prioritize work to fortify defenses for the techniques favored by adversaries.

  • Provides raw data for risk reports for management.

Audits from the following subsystems flow into the ATT&CK dashboard:

  • Container runtime audits.

  • Host runtime audits.

  • Serverless runtime audits.

  • App-Embedded runtime audits.

  • WAAS audits.

  • Kubernetes audits.

  • Admission (OPA) audits.

  • Custom runtime rule audits for builtin system checks only. Currently, you cannot specify tactic and technique for user-defined custom runtime rules.

To see the ATT&CK dashboard, open Console, and go to Monitor > ATT&CK. The following screenshot highlights the main components in the dashboard:

attack dashboard

1. Filter - Filter data in the dashboard by:

  • Impacted technique.

  • Date: View events that occurred in the past 24 hours, 7 days, 30 days, or 3 months.

  • Collection: View data for just some segment of your environment (e.g., a production cluster).

2. Tactics - Tactics are listed across the top row of the matrix. A count shows the sum of all events for all corresponding techniques in the category. Each column lists the techniques that can be used to achieve the tactic.

3. Techniques - Lists of techniques that can be used to achieve a tactic. The color of the card is based on the event count for a technique. If there is one or more events for a technique, the card is colored red. Otherwise, if there are no events, the card is gray.

Clicking on an impacted technique card opens a dialog that shows all relevant audits for the technique.

The following screenshot shows the dialog for the Privileged Container card. The dialogs are organized as follows:

  • Description.

  • Audit source filter (pick from the drop-down list).

  • Table of relevant audits.

attack explore card
Syslog messages contain tactic and technique information for all relevant audits.

4. Investigating incidents

As you monitor your environment, you’ll can see tactics and techniques are applied consistently across views. Tactics and techniques are shown in Monitor > ATT&CK, Monitor > Events, and Monitor > Runtime > Incident explorer.

attack tactics techniques

5. Surfacing impacted techniques

When investigating an incident, you’ll want to focus on the segment of your environment that has been impacted. Use the filter box to focus your view of the data.

One important filter is Impacted techniques. Without the filter, all technique cards are displayed.

attack unfiltered dashboard

With the filter, only techniques that have been detected are displayed. In the following screenshot, we’ve narrowed the data to:

  • Audits within the past seven days.

  • Containers in the frontend collection, which are exposed to the Internet, and likely where the attack started.

  • Attack techniques used by the adversary.