Overview
The HackNotice Attack Dashboard provides a tactical view of how ransomware groups operate by mapping observed adversary behavior to the MITRE ATT&CK® framework.
Displayed in a heat map-style layout, this dashboard allows customers to analyze attacker activity across MITRE tactics from multiple perspectives, including Tactics, Techniques, and Procedures (TTPs), detection strategies, mitigations, and security control frameworks.
Unlike static ATT&CK mappings or theoretical threat models, the Attack Dashboard is driven by observed ransomware activity. Every technique or control shown reflects real-world attacks that occurred within the selected filters, giving security teams a practical, evidence-based view of attacker behavior.
Value to Customers
The Attack Dashboard helps organizations move from abstract threat models to operational adversary intelligence. By visualizing ransomware activity across both ATT&CK techniques and defensive frameworks, customers can:
- Understand how ransomware gangs are gaining access, executing payloads, and maintaining persistence
- Identify which MITRE techniques matter most to their industry or region
- Map active threats directly to detection strategies, mitigations, and control frameworks
- Prioritize detections, controls, and hardening efforts based on real attacker behavior
- Align vendor assessments and compliance efforts with observed threats
- Support executive, IR, SecOps, and GRC conversations with clear, defensible data
This dashboard is especially valuable for threat intelligence, SecOps, IR, and GRC teams looking to bridge adversary behavior with defensive and compliance frameworks.
Dashboard Filters
The Attack Heatmap uses the same filter logic as the Ransomware Dashboard, ensuring a consistent experience across HackNotice.
All filters are additive, meaning each selection further narrows the dataset to show only ransomware attacks that match all selected criteria.
Available Filters
Date Range
Select a custom timeframe to analyze attack activity. The ATT&CK heatmap will refresh to show only techniques associated with ransomware attacks and APT group activity that occurred within that timeframe.
Ransomware Gang
Filter to a specific threat actor group (multi-select).
Industries (NAICS – 2-Digit Codes)
Multi-select top-level NAICS industries to focus on ransomware TTPs observed against victims in those sectors.
Regions
Multi-select geographic regions to restrict results to ransomware attacks impacting those locations.
Note: As with the Ransomware Dashboard, you may apply either an Industry filter or a Region filter, but not both at the same time.
Filter Example
If you select:
- A 6-month date range
- The ransomware gang Akira
- The Finance and Insurance industry
The dashboard will display only the MITRE ATT&CK techniques that Akira used in ransomware attacks against finance and insurance organizations during that period.
Heatmap View Options
The Attack Heatmap can be viewed through multiple lenses using the dropdown selector. While the layout remains aligned to MITRE ATT&CK tactical stages, the content of each card updates based on the selected perspective.
Available Views
TTPs (Default)
Displays MITRE ATT&CK techniques (T-codes) observed in ransomware attacks.
→ This is the traditional ATT&CK heatmap view.
Detection Strategies
Maps ATT&CK techniques to detection strategies, helping teams understand how to identify attacker behavior in real time.
Mitigations
Maps ATT&CK techniques to MITRE mitigation controls (M-codes), providing direct guidance on how to prevent or reduce risk.
SIG CORE
Displays ATT&CK techniques with expandable mappings to SIG CORE vendor assessment questions.
→ Enables direct alignment between threats and vendor questionnaires
NIST
Displays ATT&CK techniques with mappings to NIST CSF v2.0 controls.
→ Supports alignment with regulatory and security program requirements
ISO 27001
Displays ATT&CK techniques with mappings to ISO 27001 controls (e.g., A.14.1.2).
→ Helps connect real threats to ISO-based compliance efforts
Why This Matters
These additional views allow customers to:
- Translate real-world attacker behavior into defensive actions
- Map threats directly to compliance frameworks
- Build risk-based vendor assessments
- Align security controls with active adversary activity
This bridges the gap between threat intelligence, security operations, and GRC.
Understanding the ATT&CK Heat Map
MITRE ATT&CK Stages
The dashboard is organized by MITRE ATT&CK tactical stages, including:
- Reconnaissance
- Resource Development
- Initial Access
- Execution
- Persistence
- Privilege Escalation
- Defense Evasion
- Credential Access
- Lateral Movement
- Command and Control
- Exfiltration
- Impact
Each column represents a tactical stage. The cards within each column represent techniques, controls, or questions depending on the selected view.
Heat Map Intensity
The color intensity of each card reflects how frequently that item appears across ransomware and APT group attacks matching your filters.
- Lighter tiles → Higher frequency (more commonly observed)
- Darker tiles → Lower frequency
The intensity lets you see how frequently an item appears without having to dig into individual incidents.
Advanced Filtering
Hide Unused Techniques
The “Hide unused techniques” toggle removes any items with no associated activity for the current filters.
Hide Items by Victim Count
A more advanced filter allows you to refine results based on impact:
“Hide items with victim count below [X]”
- Enter a numeric value to hide any cards with fewer victims than the threshold
- Focuses the view on high-impact, high-frequency attack activity
- Useful for prioritizing the most relevant threats
Viewing Additional Details
Expandable Content
Depending on the selected view, cards may include expandable content:
- TTPs: Sub-techniques associated with the TTP
- SIG CORE: Question sections and verbiage associated with the TTP card (e.g., E.1.4)
- NIST: NIST control categories associated with the TTP card (e.g., AC-3)
- ISO 27001: ISO control categories associated with the TTP card (e.g., A.14.1.2)
Click the “+” button to expand additional details.
Drill Into the Attack Matrix
Customers can click directly on any card to navigate into the Adversary Attack Matrix for deeper analysis, including:
- Full technique breakdowns
- Associated threat actors
- Related detections and controls
👉 See: Adversary Attack Matrix Knowledge Base Article
How This Complements the Ransomware Dashboard
While the Ransomware Dashboard answers:
“Who is attacking whom, where, and how often?”
The Attack Dashboard answers:
“Exactly how are they doing it—and how should we defend against it?”
Together, these dashboards provide:
- Strategic visibility into ransomware trends
- Tactical insight into attacker tradecraft
- Direct mapping to detections, mitigations, and compliance frameworks
Summary
The HackNotice Attack Dashboard transforms ransomware intelligence into actionable security insight.
By extending beyond MITRE ATT&CK techniques to include detection strategies, mitigations, and control frameworks such as SIG CORE, NIST, and ISO 27001, organizations can directly connect real-world adversary behavior to defensive action and compliance requirements.
This enables:
- Smarter prioritization
- Stronger detections
- Better-aligned controls
- More effective vendor risk management
All grounded in real, observed ransomware activity.