
MITRE ATT&CK
MITRE ATT&CK® is a knowledge base that helps model cyber adversaries' tactics and techniques—and then shows how to detect or stop them.
Cyber adversaries are shapeshifters: notoriously intelligent, adaptive, and persistent. They learn from every attack, whether it succeeds or fails. They can steal personal data, damage business operations, or disrupt critical infrastructure.
But there is a lot we can learn from cyber adversaries. And that’s where MITRE comes in. We developed MITRE ATT&CK®, a globally accessible knowledge base of adversary behavior.
ATT&CK is freely available to everyone—including the private sector, government, and the cybersecurity product and service community—to help develop specific threat models and methodologies. The ATT&CK knowledge base outlines common tactics, techniques, and procedures used by cyber adversaries. In doing so, ATT&CK provides a common language for defenders to have conversations about emerging threats and develop effective defensive strategies.
Along with the ATT&CK Matrix for Enterprise, we also provide specific guidance for cloud, Windows, macOS, mobile, and industrial control systems.
- [Narrator] It's been reported that once an organization is breached, adversaries typically lurk on networks for months before being detected. How did they get in? How are they moving around? What are they doing? So, where do you start?

MITRE's ATT&CK framework describes how adversaries penetrate networks and then move laterally, escalate privileges, and generally evade your defenses. ATT&CK looks at the problem from the perspective of the adversary: what goals they are trying to achieve, and what specific methods they use.

ATT&CK organizes adversary behaviors into a series of tactics, specific technical objectives that an attacker wants to achieve. Some examples of tactics include defense evasion, lateral movement, and exfiltration. Within each tactic category, ATT&CK defines a series of techniques. Each technique describes one way an adversary may try to achieve that objective. There are multiple techniques within each tactic because adversaries may use different methods based on their own expertise or things like the availability of tools, or how your systems are configured.

Each technique defined in ATT&CK includes a description of the method used by the adversary, the systems or platforms it applies to, and, where known, what specific adversary groups use this technique. Techniques also describe ways to mitigate the behavior, along with any published references to the technique being employed.

ATT&CK helps you understand how adversaries might operate so you can plan how to detect or stop that behavior. Armed with this knowledge, you can better understand the different ways an adversary prepares for, launches, and executes their attacks.

Another important use of ATT&CK is to help you detect an adversary's actions. The ATT&CK framework includes resources designed to help you develop analytics that detect the techniques used by an adversary. ATT&CK also maintains a library of information about selected adversary groups and the campaigns they've conducted. And since ATT&CK is based on real-world observations, it allows you to correlate specific adversaries and the techniques they've used.

Because adversaries often use different techniques to attack different platforms and technologies, the ATT&CK framework is divided into a series of technology domains. Domains currently covered by ATT&CK include enterprise networks with Windows and Linux operating systems, and mobile devices. The ATT&CK framework can help your organization better understand the techniques specific adversaries are likely to use: information you can use to evaluate your defenses and strengthen them where it matters most.

MITRE is building a community around ATT&CK so that experts in different domains and technologies can come together to refine and extend the knowledge contained in the framework. And because MITRE is a not-for-profit organization operating in the public interest, we can provide a conflict-free environment to create, collect, share, and manage this information, making it available to everyone. Learn more about ATT&CK and what else we're doing in cyber threat intelligence.

MITRE. We solve problems for a safer world.
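The narration above describes the shape of the knowledge base: tactics contain techniques, each technique lists the platforms it applies to, the groups known to use it, and the mitigations that address it, and a defender uses those links to check which of a group's techniques their analytics actually detect. The script below is an added example, not MITRE's code or data. It walks a small bundle constructed here in the STIX 2 object layout ATT&CK is published in (attack-pattern, intrusion-set, course-of-action and relationship objects, with kill_chain_phases and external_references carrying the tactic and the ATT&CK id). The technique and mitigation ids shown are real ATT&CK ids, but the STIX ids, the group "Example Group A" and the group-to-technique links are invented for illustration.

```python
"""Walk a constructed ATT&CK-style STIX 2 bundle: tactic -> techniques,
group -> techniques used (with mitigations), and detection coverage gaps."""
from collections import defaultdict

# Constructed sample bundle (not real ATT&CK data). The object shapes mirror how
# ATT&CK is distributed; the STIX ids, the group and the "uses" links are invented.
BUNDLE = {
    "type": "bundle",
    "objects": [
        {"type": "attack-pattern", "id": "attack-pattern--0001", "name": "Remote Services",
         "x_mitre_platforms": ["Windows", "Linux", "macOS"],
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "lateral-movement"}],
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1021"}]},
        {"type": "attack-pattern", "id": "attack-pattern--0002", "name": "Indicator Removal",
         "x_mitre_platforms": ["Windows", "Linux", "macOS"],
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "defense-evasion"}],
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1070"}]},
        {"type": "attack-pattern", "id": "attack-pattern--0003", "name": "Exfiltration Over C2 Channel",
         "x_mitre_platforms": ["Windows", "Linux", "macOS"],
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "exfiltration"}],
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1041"}]},
        # Invented group: no real ATT&CK G-id is attached on purpose.
        {"type": "intrusion-set", "id": "intrusion-set--0001", "name": "Example Group A"},
        {"type": "course-of-action", "id": "course-of-action--0001", "name": "Network Segmentation",
         "external_references": [{"source_name": "mitre-attack", "external_id": "M1030"}]},
        {"type": "relationship", "relationship_type": "uses",
         "source_ref": "intrusion-set--0001", "target_ref": "attack-pattern--0001"},
        {"type": "relationship", "relationship_type": "uses",
         "source_ref": "intrusion-set--0001", "target_ref": "attack-pattern--0003"},
        {"type": "relationship", "relationship_type": "mitigates",
         "source_ref": "course-of-action--0001", "target_ref": "attack-pattern--0001"},
    ],
}


def attack_id(obj):
    """Return the ATT&CK id (T1021, M1030, ...) carried in an object's external references."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def index_bundle(bundle):
    """Build lookups: objects by STIX id, technique ids per tactic, uses/mitigates edges."""
    by_id = {o["id"]: o for o in bundle["objects"] if "id" in o}
    by_tactic = defaultdict(list)   # tactic shortname -> attack-pattern ids
    uses = defaultdict(set)         # intrusion-set id -> attack-pattern ids
    mitigates = defaultdict(set)    # attack-pattern id -> course-of-action ids
    for obj in bundle["objects"]:
        if obj["type"] == "attack-pattern":
            for phase in obj.get("kill_chain_phases", []):
                if phase["kill_chain_name"] == "mitre-attack":
                    by_tactic[phase["phase_name"]].append(obj["id"])
        elif obj["type"] == "relationship":
            if obj["relationship_type"] == "uses":
                uses[obj["source_ref"]].add(obj["target_ref"])
            elif obj["relationship_type"] == "mitigates":
                mitigates[obj["target_ref"]].add(obj["source_ref"])
    return by_id, by_tactic, uses, mitigates


def techniques_for_tactic(bundle, tactic):
    """ATT&CK ids of the techniques filed under one tactic (e.g. 'lateral-movement')."""
    by_id, by_tactic, _, _ = index_bundle(bundle)
    return sorted(attack_id(by_id[t]) for t in by_tactic.get(tactic, []))


def techniques_used_by(bundle, group_name):
    """Map each technique a named group uses to the mitigations that cover it."""
    by_id, _, uses, mitigates = index_bundle(bundle)
    result = {}
    for group in bundle["objects"]:
        if group["type"] != "intrusion-set" or group["name"] != group_name:
            continue
        for tech in uses[group["id"]]:
            result[attack_id(by_id[tech])] = sorted(by_id[m]["name"] for m in mitigates.get(tech, ()))
    return result


def coverage_gaps(bundle, group_name, detected_ids):
    """Techniques the group uses for which no detection analytic exists yet."""
    return sorted(set(techniques_used_by(bundle, group_name)) - set(detected_ids))


if __name__ == "__main__":
    print(techniques_for_tactic(BUNDLE, "lateral-movement"))
    print(techniques_used_by(BUNDLE, "Example Group A"))
    # Analytics cover T1021 only, so the exfiltration technique is the gap.
    print(coverage_gaps(BUNDLE, "Example Group A", {"T1021"}))
```

Pointing `BUNDLE` at a full ATT&CK STIX bundle instead of the constructed sample changes nothing in the functions; the relationships are the part that turns a list of techniques into a prioritised view of what a given group does and where your detections do not yet reach.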
Building a Community Around Threat-Informed Defense
ATT&CK isn’t just a knowledge base. We’re building a community of cyber professionals from government, academia, and the private sector. ATT&CK users from 226 different countries contribute real-world observations and learn from the tactics and techniques identified in the matrix.
The ATT&CK team continues to expand and update the framework to help defenders reduce vulnerabilities, understand known behaviors, and recognize threats before adversaries carry out their objectives.
MITRE Engenuity™, our tech foundation that collaborates with the private sector on challenges that demand public interest solutions, is helping to support the growth of the ATT&CK and threat-informed defense communities:
- The Center for Threat-Informed Defense™ brings together sophisticated security teams from leading organizations around the world to conduct and share research that improves the collective ability to prevent, detect, and respond to cyber attacks.
- MITRE Engenuity ATT&CK® Evaluations help cybersecurity vendors improve their offerings and provide defenders with insights into a product’s capabilities and performance. Evaluations follow a rigorous, transparent methodology, using a collaborative, threat-informed purple-teaming approach to evaluate solutions within the context of ATT&CK.
- MITRE ATT&CK Defender™ (MAD) offers a “living certification” approach that validates mastery of using MITRE ATT&CK to improve threat-informed defenses. MAD training is free.
What Is Threat-Informed Defense?
Laurie Giandomenico: So Rich, maybe you could talk to folks about threat-informed defense and specifically what we mean by that.
Richard Struse: So at MITRE, we are talking about threat-informed defense as the systematic application of a deep understanding of adversary tradecraft and technology, the kind of information that's in MITRE's ATT&CK framework and using that to improve your ability to protect against, detect or mitigate adversary behavior and attacks.
Giandomenico: I think what's neat about that is that it actually stems from how we thought about defense all along over the last 60 years. And that's really where we came from, right? And now we are applying it to cyber.
Struse: Absolutely, and one of the great things about threat-informed defense and ATT&CK is that it really does arise from that practical need that we've had here at MITRE to try to understand what adversaries are doing, how they're operating, can we detect them? And so it's applying some of these really basic principles, but doing it in a repeatable, systematic way that's really had great impact.