Cyber Effects Matrix

This view allows you to map your playbooks to the corresponding intersections between the MITRE Tactics and Techniques (arranged in the Cyber Threat Framework Phases) and Defender Responses to show your coverage across the spectrum. You can assign playbooks and add notes to any cell.

DarkLight 3.6 contains information from the April 2018 update to the Mitre ATT&CK™ definitions. It also contains information from the NIST Special Publication 800-160 VOLUME 2 (Draft) from March 2018.

© 2018 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

The Cyber Effects Matrix perspective is accessed by choosing Window→Show Perspective and choosing Cyber Effects Matrix.

The left column categorizes the MITRE ATT&CK Tactics and Techniques into the four stages of the ODNI Cyber Threat Framework.

  • Click on a Tactic to see more details about it in the first two tabs of the lower-left panel.
  • Click on the triangle next to a Tactic to open the row and show the Techniques.
  • Click on a Technique to see its Description, Mitigation, Groups, and Software

The table and right lower panel represent the Defender's responses and effects on the adversary.

  • Click on a Tactic cell to see a roll-up of all of the playbooks that are assigned to the Techniques in that Tactic.
  • With a Tactic open, click on a Technique cell to see or assign playbooks to that Technique in that column. You can also add a note for any cell in the table.
  • Each cell can be assigned a Low/Medium/High effectiveness rating, which will color the cell red/orange/green, respectively. If you set an effectiveness rating on a Topic cell, you will be prompted if you want to add that same rating to all techniques inside that topic. Note, that several techniques are in multiple topics. Changing the rating for a technique in one cell also changes it for anywhere else that technique exists.
  • The Definitions tab shows information about the selected Defender Effect column

  1. Enable Filter: Check this to filter down the list of Techniques in the matrix, based on the last configuration used
  2. Configure: Click this to open the filter preferences dialog
  3. Lifecycle Stage Filter: Check the Lifecycle Stages to show in the matrix (Default is all checked)
  4. Platform Filter: Some Techniques specify which platform they apply to. Check the platforms you want to show. The "No Platform" option shows Techniques that do not specify a platform. (Default is all checked)
  5. Group/Software Filter Bar: Type in a name or alias of a group (or software) to narrow the list down to just the items that match. Delete any text from the filter bar to show the full list again.
  6. Show Details of Group/Software Item: Click any single Group or Software item in the list and its details will be shown in the box below. Only one item can be shown at a time.
  7. Filter Group/Software: Place a checkmark next to any groups or software items you would like to limit the matrix to. These selections are combined with an OR (e.g., APT18 OR Skeleton Key OR menuPass) (Default is none checked)
  8. Reset to Default: Click this link to set the dialog back to its defaults (show everything)
  9. OK: Click OK to save the filter configuration and filter the rows (Techniques) of the matrix.

  1. Select the cell you want to modify (Adversary Technique vs. Defender Technique)
  2. In the bottom-right panel, click the Add/Remove Playbooks button
  3. In the dialog that appears, check the box next to any playbook(s) you want to assign
    1. Note that the filter at the top of this dialog will let you filter the list by playbook name.
  4. Click the OK button to save your changes
    1. A playbook icon will appear in the cell with the number of playbooks assigned next to it

  1. Select the cell you want to modify (Adversary Technique vs. Defender Technique)
  2. In the bottom-right panel, type your note into the text box (resource shown in the example: Deception as Detection)
  3. Click the Save button to save your changes
    1. A Note icon will appear in the cell to indicate a note has been added (only if the cell does not have any playbooks assigned)

Where the data is stored

Nerdy Note: The assignments and notes are stored in a JSON file in the workspace, and can be moved manually between workspaces if necessary. The data file is in <workspace>\config\application\cem\ and has a .data extension. Only one data file should be in this folder.
  • help/cyber-effects-matrix
  • Last modified: 2018/08/25 00:32