Introduction to MITRE ATT&CK® Project

MITRE ATT&CK® Framework

What is MITRE ATT&CK®?

ATT&CK is a knowledge base of cyber adversary behavior and a taxonomy for adversarial actions across the adversary lifecycle. ATT&CK has two parts: ATT&CK for Enterprise, which covers behaviors against enterprise IT networks and the cloud, and ATT&CK for Mobile, which focuses on behaviors against mobile devices.

      • Techniques – represent “how” an adversary achieves a tactical goal by performing an action. For example, an adversary may dump credentials to achieve credential access.
      • Tactics – represent the “why” of an ATT&CK technique or sub-technique: the adversary’s tactical goal, the reason for performing an action. For example, an adversary may want to achieve credential access.
      • Procedures – are the specific implementations an adversary uses for techniques or sub-techniques. For example, a procedure could be an adversary using PowerShell to inject into lsass.exe and dump credentials by scraping LSASS memory on a victim. Procedures are documented in ATT&CK as observed in-the-wild uses of techniques, listed in the “Procedure Examples” section of each technique page.
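The tactic/technique/sub-technique/procedure relationship above is how the ATT&CK knowledge base is actually structured when distributed as STIX 2 objects: tactics are `x-mitre-tactic` objects, techniques are `attack-pattern` objects whose `kill_chain_phases` name the tactic, sub-techniques are linked to their parent by a `subtechnique-of` relationship, and a procedure example is a `uses` relationship from a group or software object to a technique, carrying a description. The following is an added example, not code from the page or from MITRE, that walks that chain over a hand-built bundle. The bundle is a constructed minimal subset mirroring the real layout; the STIX object ids and the group "Example Group" are placeholders, while T1003, T1003.001 and TA0006 are the real ATT&CK identifiers for OS Credential Dumping, LSASS Memory and Credential Access.

```python
"""Resolve an ATT&CK procedure example -> (sub)technique -> tactic from STIX 2 objects."""

# Constructed, minimal subset that mirrors the layout of the ATT&CK STIX bundle.
# STIX ids and "Example Group" are placeholders; the T/TA ids are real ATT&CK ids.
BUNDLE = {
    "type": "bundle",
    "objects": [
        {"type": "x-mitre-tactic", "id": "x-mitre-tactic--0001",
         "name": "Credential Access", "x_mitre_shortname": "credential-access",
         "external_references": [{"source_name": "mitre-attack", "external_id": "TA0006"}]},
        {"type": "attack-pattern", "id": "attack-pattern--0002",
         "name": "OS Credential Dumping", "x_mitre_is_subtechnique": False,
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "credential-access"}],
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1003"}]},
        {"type": "attack-pattern", "id": "attack-pattern--0003",
         "name": "LSASS Memory", "x_mitre_is_subtechnique": True,
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "credential-access"}],
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1003.001"}]},
        # sub-technique -> parent technique link
        {"type": "relationship", "id": "relationship--0004",
         "relationship_type": "subtechnique-of",
         "source_ref": "attack-pattern--0003", "target_ref": "attack-pattern--0002"},
        # hypothetical adversary group (not a real ATT&CK entry)
        {"type": "intrusion-set", "id": "intrusion-set--0005", "name": "Example Group"},
        # a procedure example: a "uses" relationship with a free-text description
        {"type": "relationship", "id": "relationship--0006",
         "relationship_type": "uses",
         "source_ref": "intrusion-set--0005", "target_ref": "attack-pattern--0003",
         "description": "Example Group used PowerShell to scrape LSASS memory."},
    ],
}


def attack_id(obj):
    """Return the T/TA identifier from an object's mitre-attack external reference."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref["external_id"]
    return None


def parent_technique(bundle, objs, sub):
    """Follow the subtechnique-of relationship from a sub-technique to its parent."""
    for o in bundle["objects"]:
        if (o["type"] == "relationship" and o["relationship_type"] == "subtechnique-of"
                and o["source_ref"] == sub["id"]):
            return objs[o["target_ref"]]
    return None


def resolve_procedures(bundle):
    """One record per procedure example: who did it, how (technique), and why (tactic)."""
    objs = {o["id"]: o for o in bundle["objects"]}
    tactics = {o["x_mitre_shortname"]: o for o in bundle["objects"] if o["type"] == "x-mitre-tactic"}
    records = []
    for rel in bundle["objects"]:
        if rel["type"] != "relationship" or rel["relationship_type"] != "uses":
            continue
        tech = objs[rel["target_ref"]]
        if tech["type"] != "attack-pattern":
            continue  # "uses" also links groups to software; those are not procedures
        actor = objs[rel["source_ref"]]
        parent = parent_technique(bundle, objs, tech) if tech.get("x_mitre_is_subtechnique") else None
        # kill_chain_phases carry the tactic shortname; map it back to the tactic object
        phases = [p["phase_name"] for p in tech["kill_chain_phases"] if p["kill_chain_name"] == "mitre-attack"]
        records.append({
            "actor": actor["name"],
            "procedure": rel.get("description", ""),
            "technique": attack_id(tech),
            "technique_name": f"{parent['name']}: {tech['name']}" if parent else tech["name"],
            "tactics": [attack_id(tactics[p]) for p in phases],
        })
    return records


if __name__ == "__main__":
    for r in resolve_procedures(BUNDLE):
        print(f"{r['actor']} -> {r['technique']} ({r['technique_name']}) -> {r['tactics']}: {r['procedure']}")
```

Against the real bundle the same walk applies, with two extra filters a practitioner should add: skip objects marked `revoked` or `x_mitre_deprecated`, and note that a technique can list several `kill_chain_phases` (one technique, several tactics), which is why the example returns a list of tactic ids rather than a single one.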

MITRE started ATT&CK in 2013 to document common tactics, techniques, and procedures (TTPs) that advanced persistent threats (APTs) use against Windows enterprise networks. It arose from the need to document adversary behaviors for use in the MITRE research project known as FMX. The objective of FMX was to investigate the use of endpoint telemetry data and analytics to improve post-compromise detection of adversaries operating within enterprise networks. ATT&CK was used as the basis for testing the efficacy of the sensors and analytics under FMX and served as the common language both offense and defense could use to improve over time.
