Skip to main content

Dashboards - Attack Dashboard

HackNotice Support
Updated

Overview

The HackNotice Attack Dashboard provides a tactical view of how ransomware groups operate by mapping known ransomware Tactics, Techniques, and Procedures (TTPs) directly to the MITRE ATT&CK® framework.

Displayed in a heatmap-style layout, this dashboard allows customers to see which MITRE techniques are actually being used in real ransomware attacks, filtered by timeframe, ransomware gang, industry, and geography.

Unlike static ATT&CK mappings or theoretical threat models, the Attack Dashboard is driven by observed ransomware activity. Every technique shown reflects real-world attacks that occurred within the selected filters, giving security teams a practical, evidence-based view of attacker behavior.

Value to Customers

The Attack Dashboard helps organizations move from abstract threat models to operational adversary intelligence. By visualizing ransomware TTPs in the context of real incidents, customers can:

  • Understand how ransomware gangs are gaining access, executing payloads, and maintaining persistence

  • Identify which MITRE techniques matter most to their industry or region

  • Prioritize detections, controls, and hardening efforts based on active attacker behavior

  • Align security tooling and response playbooks with current ransomware tradecraft

  • Support executive, IR, and purple team conversations with clear, defensible data

This dashboard is especially valuable for threat intelligence, SecOps, IR, and GRC teams looking to tie ransomware risk directly to the MITRE ATT&CK framework.

attack-dash-1.png

Dashboard Filters

The Attack Dashboard uses the same filter logic as the Ransomware Dashboard, ensuring a consistent experience across HackNotice.

All filters are additive, meaning each selection further narrows the dataset to show only ransomware attacks that match all selected criteria.

Available Filters

Date Range
Use the date picker to select a custom start and end date. The ATT&CK heatmap will refresh to show only techniques associated with ransomware attacks that occurred within that timeframe.

Ransomware Gang
Select a specific ransomware group to view only the MITRE techniques observed in attacks attributed to that gang. Only one gang can be selected at a time.

Industries (NAICS – 2-Digit Codes)
Multi-select top-level NAICS industries to focus on ransomware TTPs observed against victims in those sectors.

Regions
Multi-select geographic regions to restrict results to ransomware attacks impacting those locations.

Note: As with the Ransomware Dashboard, you may apply either an Industry filter or a Region filter, but not both at the same time.

Filter Example

If you select:

  • A 6-month date range

  • The ransomware gang Akira

  • The Finance and Insurance industry

The dashboard will display only the MITRE ATT&CK techniques that Akira used in ransomware attacks against finance and insurance organizations during that period.

Understanding the ATT&CK Heat Map

MITRE ATT&CK Stages

The dashboard is organized by MITRE ATT&CK tactical stages, including (but not limited to):

  • Reconnaissance

  • Resource Development

  • Initial Access

  • Execution

  • Persistence

  • Privilege Escalation

  • Defense Evasion

  • Credential Access

  • Lateral Movement

  • Command and Control

  • Exfiltration

  • Impact

Each column represents a tactical stage, and each tile represents a MITRE technique (T-code) associated with ransomware activity.

Heat Map Intensity

The color intensity of each technique tile reflects how frequently that technique appears across ransomware attacks matching your selected filters.

  • Darker tiles indicate techniques that are more commonly observed

  • Lighter tiles indicate lower-frequency usage

This allows teams to quickly spot dominant attack patterns without digging into individual incidents.

Hide Unused Techniques

The “Hide unused techniques” toggle removes any MITRE techniques that have no associated ransomware attacks for the current filter selection.

This is useful when narrowing in on:

  • A single ransomware gang

  • A specific industry

  • A short time window

Enabling this option creates a cleaner, more focused view of only the techniques that are actively in use.

Viewing Sub-Techniques

Many MITRE techniques include more granular sub-techniques.

  • Click the plus (+) button next to any main T-code tile to expand and view its sub-techniques.

  • Sub-techniques follow the same heatmap logic and reflect real ransomware activity tied to your current filters.

This allows deeper analysis of exact execution methods, such as specific phishing variants, credential abuse paths, or persistence mechanisms.

attack-dash-2.png

How This Complements the Ransomware Dashboard

While the Ransomware Dashboard answers “Who is attacking whom, where, and how often?”, the Attack Dashboard answers “Exactly how are they doing it?”

Together, these dashboards provide:

  • Strategic visibility into ransomware trends

  • Tactical insight into attacker tradecraft

  • A direct bridge between ransomware intelligence and MITRE ATT&CK–aligned defense planning

Summary

The HackNotice Attack Dashboard transforms ransomware intelligence into actionable MITRE ATT&CK insight. By grounding ATT&CK techniques in observed ransomware attacks — filtered by gang, industry, geography, and time — organizations gain a clear, defensible understanding of how adversaries are actually operating today.

This enables smarter prioritization, stronger detections, and more confident response across both security operations and executive decision-making.

Related articles

Comments

0 comments

Article is closed for comments.