Get Started | MITRE ATT&CK® (2024)

What is ATT&CK?

ATT&CK is a knowledge base of adversary techniques based on real-world observations. ATT&CK focuses on how adversaries interact with systems during an operation, reflecting the phases of an adversary’s attack lifecycle and the platforms they are known to target.

Read the ATT&CK 101 Blog post for more information on the basics of ATT&CK and check the short video below.


Key Concepts

ATT&CK is a model that systematically categorizes adversary behavior. The main components of the model are:

  • Tactics represent the “why”: the reason an adversary performs an action
  • Techniques represent the “how”: the way adversaries achieve a tactical goal by performing an action
  • Sub-techniques are a more specific, lower-level description of adversary behavior
  • Procedures are the specific implementations or in-the-wild uses of a technique or sub-technique by an adversary

ATT&CK is organized into technology domains, the ecosystems an adversary operates within. Currently, there are three technology domains:

  • Enterprise, representing traditional enterprise networks and cloud technologies
  • Mobile for mobile communication devices
  • ICS for industrial control systems

Within each domain are platforms, which may be an operating system or application (e.g. Microsoft Windows). Techniques and sub-techniques can apply to multiple platforms.
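As an added illustration of the model described above (this is example code written for this page, not MITRE's own data or tooling), the following Python snippet encodes a tiny constructed subset of Enterprise techniques and shows the relationships the text names: sub-techniques rolling up to a technique, techniques serving a tactic, and techniques applying to more than one platform. The technique IDs and names used (T1059, T1059.001, T1059.004, T1566) are real ATT&CK identifiers; the platform lists are trimmed and the procedure text is made up.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed, illustrative subset of the ATT&CK model. The IDs and names
# are real ATT&CK identifiers, but the procedure text is made up and the
# platform lists are trimmed; this is not the ATT&CK data set itself.
ID_PATTERN = re.compile(r"^T(\d{4})(?:\.(\d{3}))?$")


@dataclass(frozen=True)
class Technique:
    id: str                           # "T1059" (technique) or "T1059.001" (sub-technique)
    name: str
    tactics: Tuple[str, ...]          # the "why": tactic(s) this behaviour serves
    platforms: Tuple[str, ...]        # where the behaviour is known to apply
    procedures: Tuple[str, ...] = ()  # in-the-wild implementations (constructed text)

    @property
    def is_subtechnique(self) -> bool:
        return "." in self.id

    @property
    def parent_id(self) -> str:
        return self.id.split(".", 1)[0]


def parse_id(technique_id: str) -> Tuple[str, str]:
    """Validate an ATT&CK ID and split it into (technique, sub-technique suffix).
    The suffix is "" for a top-level technique. Raises ValueError on bad input."""
    m = ID_PATTERN.match(technique_id)
    if not m:
        raise ValueError(f"not an ATT&CK technique ID: {technique_id!r}")
    return f"T{m.group(1)}", m.group(2) or ""


ENTERPRISE: List[Technique] = [
    Technique("T1059", "Command and Scripting Interpreter", ("execution",),
              ("Windows", "Linux", "macOS")),
    Technique("T1059.001", "PowerShell", ("execution",), ("Windows",),
              procedures=("[constructed] group runs encoded PowerShell from a scheduled task",)),
    Technique("T1059.004", "Unix Shell", ("execution",), ("Linux", "macOS")),
    Technique("T1566", "Phishing", ("initial-access",), ("Windows", "Linux", "macOS")),
]


def techniques_for_platform(techniques: List[Technique], platform: str) -> List[str]:
    """IDs of techniques and sub-techniques that apply to one platform."""
    return sorted(t.id for t in techniques if platform in t.platforms)


def subtechniques_of(techniques: List[Technique], parent_id: str) -> List[str]:
    """Sub-technique IDs that roll up to the given technique."""
    return sorted(t.id for t in techniques if t.is_subtechnique and t.parent_id == parent_id)


def by_tactic(techniques: List[Technique]) -> Dict[str, List[str]]:
    """Group IDs by the tactic (the 'why') they serve; a technique may serve several."""
    grouped: Dict[str, List[str]] = {}
    for t in techniques:
        for tactic in t.tactics:
            grouped.setdefault(tactic, []).append(t.id)
    return {k: sorted(v) for k, v in grouped.items()}


if __name__ == "__main__":
    print("Linux:", techniques_for_platform(ENTERPRISE, "Linux"))
    print("T1059 sub-techniques:", subtechniques_of(ENTERPRISE, "T1059"))
    print("by tactic:", by_tactic(ENTERPRISE))
```

The same functions work unchanged on a larger list loaded from the published ATT&CK data, since they only depend on the ID format and the tactic/platform fields.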

For more information on the principles behind ATT&CK, its creation, and its ongoing maintenance, read the . For additional information focused on ATT&CK for ICS, including the unique elements and commonalities with ATT&CK, read the .

Last updated April 2024



How can I use ATT&CK?

The following four use cases are the most common ways that users report applying ATT&CK to their work.

Detections and Analytics

ATT&CK can help cyber defenders develop analytics that detect the techniques used by an adversary.

Getting Started with ATT&CK: Detection and Analytics Blog Post
This blog post describes how you can get started using ATT&CK for detection and analytics at three different levels of sophistication. (June 2019)


Presents a methodology for using ATT&CK to build, test, and refine behavioral-based analytic detection capabilities. (June 2017)

ATT&CKing the Status Quo Presentation
The latter part of this presentation provides an introduction to using ATT&CK to create analytics. Slides are also available. (August 2018)

View more resources about Detections and Analytics
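To make the idea of ATT&CK-labelled analytics concrete, here is an added example (written for this page; not MITRE's code and not taken from the resources listed above) that runs two simple analytics over constructed process-creation events and reports findings by technique ID. The technique IDs are real (T1059.001 PowerShell, T1033 System Owner/User Discovery); the events, field names and matching logic are constructed illustrations, not vetted production rules.

```python
import re
from collections import Counter
from typing import Callable, Dict, List

# Constructed process-creation events standing in for EDR/Sysmon telemetry.
EVENTS: List[Dict[str, str]] = [
    {"host": "ws01", "user": "alice",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -EncodedCommand QUJD"},
    {"host": "ws01", "user": "alice",
     "image": r"C:\Windows\System32\whoami.exe",
     "cmdline": "whoami /all"},
    {"host": "ws02", "user": "bob",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
]


def _image_name(event: Dict[str, str]) -> str:
    """Basename of the executed image, lower-cased for comparison."""
    return event["image"].rsplit("\\", 1)[-1].lower()


# Each analytic is labelled with the ATT&CK technique it is meant to surface,
# so a finding immediately speaks the shared ATT&CK vocabulary. The matching
# logic is deliberately simple; each analytic covers one way of doing the
# technique, not the technique as a whole.
ANALYTICS: List[Dict[str, object]] = [
    {"technique": "T1059.001", "name": "powershell_encoded_command",
     "match": lambda e: _image_name(e) == "powershell.exe"
     and re.search(r"(?i)\s-e(nc(odedcommand)?)?\s", e["cmdline"]) is not None},
    {"technique": "T1033", "name": "whoami_execution",
     "match": lambda e: _image_name(e) == "whoami.exe"},
]


def run_analytics(events: List[Dict[str, str]],
                  analytics: List[Dict[str, object]]) -> List[Dict[str, str]]:
    """Apply every analytic to every event; return one finding per match."""
    findings = []
    for e in events:
        for a in analytics:
            match: Callable[[Dict[str, str]], bool] = a["match"]  # type: ignore[assignment]
            if match(e):
                findings.append({"host": e["host"], "user": e["user"],
                                 "technique": str(a["technique"]),
                                 "analytic": str(a["name"])})
    return findings


def techniques_observed(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per ATT&CK technique ID."""
    return dict(Counter(f["technique"] for f in findings))


def hosts_for_technique(findings: List[Dict[str, str]], technique_id: str) -> List[str]:
    """Hosts on which a given technique was observed."""
    return sorted({f["host"] for f in findings if f["technique"] == technique_id})


if __name__ == "__main__":
    found = run_analytics(EVENTS, ANALYTICS)
    for f in found:
        print(f)
    print(techniques_observed(found))
```

Because each finding carries a technique ID, the output can be compared directly with threat intelligence reports or a coverage map that uses the same IDs.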

Threat Intelligence

ATT&CK gives analysts a common language to structure, compare, and analyze threat intelligence.

Getting Started with ATT&CK: Threat Intelligence Blog Post
This blog post describes how you can get started using ATT&CK for detection and analytics at three different levels of sophistication. (June 2019)

ATT&CKing Your Adversaries Presentation
This presentation covers how to use ATT&CK to take cyber threat intelligence and operationalize it into behaviors that can drive relevant detections. (August 2019)

Blog posts on threat intelligence
These blog posts explain the fundamentals of how to use ATT&CK for threat intelligence. (September 2018)

View more resources about Threat Intelligence


Adversary Emulation and Red Teaming

ATT&CK provides a common language and framework that red teams can use to emulate specific threats and plan their operations.

Getting Started with ATT&CK: Adversary Emulation and Red Teaming Blog Post
This blog post describes how you can get started using ATT&CK for adversary emulation and red teaming at three different levels of sophistication. (July 2019)

Do-It-Yourself ATT&CK Evaluations to Improve Your Security Posture Presentation
This presentation explains how defenders can improve their security posture through the use of adversary emulation by performing their very own ATT&CK Evaluations. (June 2019)

APT ATT&CK - Threat-based Purple Teaming with ATT&CK Continued Presentation
This presentation covers how to use ATT&CK to take cyber threat intelligence and operationalize it into behaviors that can drive relevant detections. (May 2019)

View more resources about Adversary Emulation and Red Teaming

Assessment and Engineering

ATT&CK can be used to assess your organization’s capabilities and drive engineering decisions like what tools or logging you should implement.

Getting Started with ATT&CK: Assessments and Engineering Blog Post
This blog post describes how you can get started using ATT&CK for assessments and engineering at three different levels of sophistication. (August 2019)

Lessons Learned Applying ATT&CK-Based SOC Assessments
This keynote presentation discusses a process to gauge a SOC’s detective capabilities as they relate to ATT&CK, including MITRE’s practical experiences and lessons learned. (June 2019)


Presents a methodology for using ATT&CK to build, test, and refine behavioral-based analytic detection capabilities. (June 2017)

View more resources about Assessment and Engineering


Learn more about the Use Cases through the Sp4rkcon Presentation: Putting MITRE ATT&CK into Action with What You Have, Where You Are and the .

For additional ATT&CK topics and to explore presentations and training:


How should I not use ATT&CK?

ATT&CK is as much about the mindset and process of using it as it is about the knowledge base itself. When it comes to information security, the threats we face, new technologies, and the adaptability of goal-based adversaries mean we cannot consider filling out a checklist as “done”.

Don’t try to achieve 100% coverage. Every organization faces its own unique cyber threat. Not every tactic or technique will apply to everyone. Prioritize ones that are most relevant to you and ensure you are prepared for them.

Don’t shout “Bingo” when you have one technique. Just because you have identified a single way an adversary has performed a technique doesn’t mean it’s time to declare success and color a box green. Adversaries have multiple ways to perform most techniques. Look for and understand the other ways a technique may be accomplished.

Don’t limit yourself to the matrix. Remember that the ATT&CK matrix only documents observed real-world behaviors. Adversaries may have a series of other behaviors that have not been documented yet. To get a full picture of the threats your organization faces, (1) leverage your own intelligence sources, (2) create and document your own observed techniques, and (3) don’t limit yourselves to behaviors; a timely indicator can also catch an adversary.


ATT&CK Navigator

Use the ATT&CK Navigator to visualize defensive coverage, red/blue team planning, the frequency of detected techniques, and more. For more information on how to use Navigator, see the ATT&CK Navigator Use Case for Threat Intelligence.
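The three cautions in the previous section (prioritize rather than chase 100% coverage, score a technique by how many of its variants you detect rather than declaring bingo on one, and record your own observed variants) and the Navigator's coverage-visualization use case can be combined in a short script. The following is an added example for this page, not MITRE's code and not the Navigator itself: it scores a constructed inventory of prioritized techniques and emits a dict in the shape of a Navigator layer file. The technique IDs are real (T1059.001 PowerShell, T1566 Phishing, T1003 OS Credential Dumping); the variant lists, detection status, and the version strings in the layer are assumptions to adjust for your own environment and Navigator build.

```python
import json
from typing import Dict, List

# Constructed inventory of prioritized techniques. Keys are real ATT&CK IDs;
# "variants" are the distinct ways we know a technique is carried out (some
# from published intel, some from our own observations) and "detected" lists
# the variants an analytic currently covers. All values are illustrative.
INVENTORY: Dict[str, Dict[str, List[str]]] = {
    "T1059.001": {"variants": ["interactive console", "encoded command", "remote script load"],
                  "detected": ["encoded command"]},
    "T1566": {"variants": ["attachment", "link"],
              "detected": ["attachment", "link"]},
    "T1003": {"variants": ["LSASS memory", "SAM hive", "NTDS.dit"],
              "detected": []},
}


def coverage_score(entry: Dict[str, List[str]]) -> int:
    """Per-technique coverage on a 0..100 scale: the share of known variants
    that have a detection. One variant out of three scores 33, not a green box."""
    variants = entry["variants"]
    if not variants:
        return 0
    detected = {v for v in entry["detected"] if v in variants}
    return round(100 * len(detected) / len(variants))


def coverage_by_technique(inventory: Dict[str, Dict[str, List[str]]]) -> Dict[str, int]:
    """Score every prioritized technique; techniques not in the inventory are
    simply absent, which is the point: coverage is judged on what matters to you."""
    return {tid: coverage_score(e) for tid, e in inventory.items()}


def build_layer(name: str, inventory: Dict[str, Dict[str, List[str]]],
                domain: str = "enterprise-attack") -> dict:
    """Build a dict in the shape of an ATT&CK Navigator layer file. The field
    names follow the Navigator layer format; the version strings below are
    assumptions and should match the Navigator instance you load the file into."""
    techniques = []
    for tid, entry in inventory.items():
        missing = [v for v in entry["variants"] if v not in entry["detected"]]
        techniques.append({
            "techniqueID": tid,
            "score": coverage_score(entry),
            "comment": "undetected variants: " + (", ".join(missing) if missing else "none"),
            "enabled": True,
        })
    return {
        "name": name,
        "versions": {"attack": "15", "navigator": "4.9", "layer": "4.5"},  # assumption
        "domain": domain,
        "description": "Coverage of prioritized techniques, scored by detected procedure variants",
        "techniques": techniques,
        "gradient": {"colors": ["#ff6666", "#ffe766", "#8ec843"], "minValue": 0, "maxValue": 100},
    }


def layer_json(layer: dict) -> str:
    """Serialize the layer for upload to Navigator."""
    return json.dumps(layer, indent=2)


def parse_layer(text: str) -> dict:
    """Round-trip helper: load a layer JSON string back into a dict."""
    return json.loads(text)


if __name__ == "__main__":
    print(coverage_by_technique(INVENTORY))
    print(layer_json(build_layer("prioritized-coverage", INVENTORY)))
```

Loading the resulting JSON into Navigator colours each prioritized technique by its score and shows the undetected variants in the comment, which keeps the "one detection is not full coverage" point visible on the matrix.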

Community

Stay informed on the latest updates and engage with the ATT&CK Community through Medium, Slack, and Twitter.
