Coverage Map

The MITRE ATT&CK Coverage Map by Kaspersky shows technique coverage by Kaspersky solutions. We measure it along two axes:

• Depth is how well a solution detects a given technique.
• Width is the share of techniques for which the solution has at least one detection rule.

Inputs for depth:

1. Rules score: how many rules in the solution can detect the technique.
2. Solution capability score: how well the solution is suited to detect the technique.

Rule score

The number of rules varies between solutions and across techniques within the same solution. Different techniques may require different counts for complete detection in a given solution. In some cases, multiple rules add no qualitative gain over a single well-designed rule. We therefore do not use the raw count as is and derive depth with solution capabilities in mind.

Solution capability score

This estimates a solution’s potential to detect a specific technique based on purpose, visibility, and functional features. Example: for T1003 OS Credential Dumping, an EDR has high potential because it works on process telemetry. An NDR has lower potential for the same technique since its visibility is network activity.

Capability scale:

• 0.0—Out of scope
• 0.3—Minimal visibility
• 0.7—Partial visibility
• 1.0—High visibility

SIEM (KUMA) specifics

We assume logs from EDR, NDR, and Sandbox are not ingested into KUMA, so contributions of these solutions are shown separately.

Depth

The final depth score combines rule coverage and capability score, then is normalized to 0.0–1.0. For gradient visualization it can be mapped to 8 discrete levels.

Width

Technique width is binary per technique: if the solution has at least one rule for a technique, the value is 1, otherwise 0. The width percentage is the share of techniques with at least one rule.

The MITRE ATT&CK Coverage Map by Kaspersky page allows you to analyze the effectiveness of selected solutions in detecting and mitigating specific adversary techniques. The MITRE ATT&CK matrix contains information about known tactics and techniques, along with their classification within the framework. Tactic: the goal that an adversary wants to achieve. Technique: the action (or actions) that an adversary performs to achieve a goal. Sub-technique: the method (or methods) an adversary uses to carry out a particular technique.

At the top of the page, an overall coverage percentage is displayed. You can select from the following Kaspersky solutions to explore how they address specific techniques:

• SIEM—Kaspersky SIEM, an advanced SIEM solution powered by AI and supported by excellent Threat Intelligence.
• NDR—Kaspersky Anti Targeted Attack (KATA), a comprehensive anti-APT solution that protects against complex threats with NDR capabilities.
• Sandbox—Kaspersky Anti Targeted Attack (KATA), a comprehensive anti-APT solution that protects against complex threats with integrated Kaspersky Sandbox.
• EDR—Kaspersky Next EDR Expert, offering strong protection against complex and targeted threats through advanced detection, full visibility and customizable response options.

When you first open the MITRE ATT&CK Coverage Map by Kaspersky page, all available solutions are selected by default, and the maximum coverage percentage is displayed. The matrix visualization and coverage percentage update in real-time based on your selections.

You can click on a solution to select or deselect it: unselected solutions are marked with a rocket icon (). By interactively adjusting solution combinations, you can model different security scenarios and strategically plan your defenses in alignment with the MITRE ATT&CK framework.

The core of the page features a graphical representation of the MITRE ATT&CK matrix. Each technique tile is color coded to indicate the level of coverage (up to 8) by selected solutions.

For each covered technique, the following information is displayed in tooltips:

• A list of solutions that include technologies for detecting techniques/sub-techniques and selected in the Solutions filter.
• A list of solutions not selected in the Solutions filter but that also include technologies capable of detecting a particular technique/sub-technique. Choosing these solutions will increase the overall coverage level.
• For all solutions, the tooltip displays the numerical value representing the technique coverage depth. This value reflects both the technique detection technologies used and the number of detection rules implemented for each technique.

In the MITRE ATT&CK matrix, you can perform the following actions:

• Click the icon to view more information about technique or sub-technique.
• Click to view a list of sub-techniques for a certain technique. The number of related sub-techniques (both total and covered by selected Kaspersky solutions) is also displayed.
• Click any item name to navigate to the corresponding page with detailed information.
• Click the icon to hide techniques not covered by the selected Kaspersky solutions, or click the icon to display all techniques.
• Click the icon to expand all sub-techniques, or the icon to collapse them.
• Click the icon to switch the matrix to full-screen mode.

Users with Premium Access to Kaspersky Threat Intelligence Portal can create a threat landscape mapped on the MITRE ATT&CK matrix for their organization. You can request access to the threat landscape feature by clicking the Unlock for your organization button. You can also watch a demo video about the threat landscape feature of the Premium Kaspersky Threat Intelligence Portal by clicking the arrow near the button and then clicking Watch a demo.

In this section Techniques About threat landscape (Premium Access)

Page top