Data Analysis Tool
The ATT&CK Evaluations results data contains a wealth of information to help readers understand how capabilities work. At the same time, we recognize that getting a quick, high-level understanding of a tool's performance is difficult. To address this, we developed and released Joystick, an ATT&CK Evaluations data analysis tool.
Joystick allows users to graphically explore the ATT&CK Evaluations results. The initial release lets users prioritize the detection categories that matter most to them. After selecting the detection categories of greatest interest, users are presented with a timeline view of the Operational Flow that shows where detections of those types occurred.
Some example questions that you can use Joystick to answer:
- Does a vendor have broad coverage, or are their detections focused around a couple of techniques?
- Where in the Operational Flow did detections occur?
- Which steps had telemetry?
- Which steps had some detection logic applied (i.e., a category other than telemetry or none)?
- Which steps were tainted/correlated?
- How did this vendor perform in their initial evaluation (i.e., with no configuration changes)?
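The questions above can be answered directly from step-level results. The Python below is an added illustration, not Joystick's own code and not the official results schema: the field names, step ids and technique ids are constructed assumptions, while the category and modifier names (Telemetry, None, Enrichment, General Behavior, Specific Behavior, Tainted, Delayed, Configuration Change) are those used in the ATT&CK Evaluations.

```python
from collections import Counter

# Constructed sample in the spirit of ATT&CK Evaluations results; the field names,
# step ids and technique ids are assumptions for this example, not the official schema.
RESULTS = [
    {"step": "1.A.1", "technique": "T1059", "detections": [
        {"category": "Telemetry", "modifiers": []}]},
    {"step": "1.B.1", "technique": "T1059", "detections": [
        {"category": "Specific Behavior", "modifiers": ["Tainted"]}]},
    {"step": "2.A.1", "technique": "T1003", "detections": [
        {"category": "None", "modifiers": []}]},
    {"step": "2.B.1", "technique": "T1003", "detections": [
        {"category": "Telemetry", "modifiers": []},
        {"category": "Enrichment", "modifiers": ["Configuration Change"]}]},
    {"step": "3.A.1", "technique": "T1021", "detections": [
        {"category": "General Behavior", "modifiers": ["Delayed"]}]},
]
# The questions listed on the page, each as a predicate over a single detection.
QUESTIONS = {
    "telemetry": lambda d: d["category"] == "Telemetry",
    "detection logic": lambda d: d["category"] not in {"None", "Telemetry"},
    "tainted/correlated": lambda d: "Tainted" in d["modifiers"],
}

def initial_evaluation(results):
    """Keep only the initial run: drop detections that needed a configuration change."""
    out = []
    for s in results:
        kept = [d for d in s["detections"] if "Configuration Change" not in d["modifiers"]]
        out.append({**s, "detections": kept or [{"category": "None", "modifiers": []}]})
    return out

def steps_where(results, question):
    """Step ids, in Operational Flow order, with at least one detection matching the question."""
    pred = QUESTIONS[question]
    return [s["step"] for s in results if any(pred(d) for d in s["detections"])]

def coverage_by_technique(results):
    """Fraction of each technique's steps that had any detection other than None."""
    seen, hit = Counter(), Counter()
    for s in results:
        seen[s["technique"]] += 1
        hit[s["technique"]] += any(d["category"] != "None" for d in s["detections"])
    return {t: hit[t] / seen[t] for t in seen}

def timeline(results, priority):
    """Per step, in flow order, the observed category ranked highest by the user's priority list."""
    rank = {c: i for i, c in enumerate(priority)}
    return [(s["step"], min((d["category"] for d in s["detections"]),
                            key=lambda c: rank.get(c, len(rank)))) for s in results]
```

Running `timeline(initial_evaluation(RESULTS), [...])` with your own category priority list reproduces the "initial evaluation" view, since detections that depended on a configuration change are dropped before ranking.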
We will be extending the types of analysis that can be performed with Joystick, but if you have specific needs or requests, please reach out to the ATT&CK Evaluations team.