ATT&CK is a knowledge base of adversary techniques based on real-world observations. ATT&CK focuses on how adversaries interact with systems during an operation, reflecting the various phases of an adversary's attack lifecycle and the platforms they are known to target.
Read the ATT&CK 101 Blog post for more information on the basics of ATT&CK and check the short video below.
For more information on the principles behind ATT&CK, its creation, and its ongoing maintenance, read the ATT&CK Philosophy Paper. For additional information focused on ATT&CK for ICS, including the elements unique to it and those it shares with ATT&CK, read the ATT&CK for ICS Extension.
ATT&CK can help cyber defenders develop analytics that detect the techniques used by an adversary.
Getting Started with ATT&CK: Detection and Analytics Blog Post
This blog post describes how you can get started using ATT&CK for detection and analytics at three different levels of sophistication. (June 2019)
Finding Cyber Threats with ATT&CK-Based Analytics
Presents a methodology for using ATT&CK to build, test, and refine behavior-based analytic detection capabilities. (June 2017)
ATT&CKing the Status Quo Presentation
The latter part of this presentation provides an introduction to using ATT&CK to create analytics. Slides are also available. (August 2018)
ATT&CK gives analysts a common language to structure, compare, and analyze threat intelligence.
Getting Started with ATT&CK: Threat Intelligence Blog Post
This blog post describes how you can get started using ATT&CK for detection and analytics at three different levels of sophistication. (June 2019)
ATT&CKing Your Adversaries Presentation
This presentation covers how to use ATT&CK to take cyber threat intelligence and operationalize it into behaviors that can drive relevant detections. (August 2019)
Blog posts on threat intelligence
These blog posts explain the fundamentals of how to use ATT&CK for threat intelligence. (September 2018)
ATT&CK provides a common language and framework that red teams can use to emulate specific threats and plan their operations.
Getting Started with ATT&CK: Adversary Emulation and Red Teaming Blog Post
This blog post describes how you can get started using ATT&CK for adversary emulation and red teaming at three different levels of sophistication. (July 2019)
Do-It-Yourself ATT&CK Evaluations to Improve Your Security Posture Presentation
This presentation explains how defenders can improve their security posture through the use of adversary emulation by performing their very own ATT&CK Evaluations. (June 2019)
APT ATT&CK - Threat-based Purple Teaming with ATT&CK Continued Presentation
This presentation covers how to use ATT&CK to take cyber threat intelligence and operationalize it into behaviors that can drive relevant detections. (May 2019)
ATT&CK can be used to assess your organization’s capabilities and drive engineering decisions like what tools or logging you should implement.
Getting Started with ATT&CK: Assessments and Engineering Blog Post
This blog post describes how you can get started using ATT&CK for assessments and engineering at three different levels of sophistication. (August 2019)
Lessons Learned Applying ATT&CK-Based SOC Assessments
This keynote presentation discusses a process to gauge a SOC's detection capabilities as they relate to ATT&CK, including MITRE's practical experiences and lessons learned. (June 2019)
Finding Cyber Threats with ATT&CK-Based Analytics
Presents a methodology for using ATT&CK to build, test, and refine behavior-based analytic detection capabilities. (June 2017)
Learn more about the Use Cases through the Sp4rkcon Presentation: Putting MITRE ATT&CK into Action with What You Have, Where You Are and the Getting Started with ATT&CK eBook.
For additional ATT&CK topics and to explore presentations and training: