ATT&CK is a knowledge base of adversarial techniques based on real-world observations. ATT&CK focuses on how adversaries interact with systems during an operation, reflecting the various phases of an adversary's attack lifecycle and the platforms they are known to target.
Read the ATT&CK 101 blog post for more information on the basics of ATT&CK, and watch the short video below.
For more information on the principles behind ATT&CK, its creation, and its ongoing maintenance, read the ATT&CK Philosophy Paper. For additional information focused on ATT&CK for ICS, including the unique elements and commonalities with ATT&CK, read the ATT&CK for ICS Extension.
ATT&CK can help cyber defenders develop analytics that detect the techniques used by an adversary.
Getting Started with ATT&CK: Detection and Analytics Blog Post
This blog post describes how you can get started using ATT&CK for detection and analytics at three different levels of sophistication. (June 2019)
Finding Cyber Threats with ATT&CK-Based Analytics
Presents a methodology for using ATT&CK to build, test, and refine behavior-based analytic detection capabilities. (June 2017)
ATT&CKing the Status Quo Presentation
The latter part of this presentation provides an introduction to using ATT&CK to create analytics. Slides are also available. (August 2018)
ATT&CK gives analysts a common language to structure, compare, and analyze threat intelligence.
Getting Started with ATT&CK: Threat Intelligence Blog Post
This blog post describes how you can get started using ATT&CK for detection and analytics at three different levels of sophistication. (June 2019)
ATT&CKing Your Adversaries Presentation
This presentation covers how to use ATT&CK to take cyber threat intelligence and operationalize it into behaviors that can drive relevant detections. (August 2019)
Blog posts on threat intelligence
These blog posts explain the fundamentals of how to use ATT&CK for threat intelligence. (September 2018)
ATT&CK provides a common language and framework that red teams can use to emulate specific threats and plan their operations.
Getting Started with ATT&CK: Adversary Emulation and Red Teaming Blog Post
This blog post describes how you can get started using ATT&CK for adversary emulation and red teaming at three different levels of sophistication. (July 2019)
Do-It-Yourself ATT&CK Evaluations to Improve Your Security Posture Presentation
This presentation explains how defenders can improve their security posture through the use of adversary emulation by performing their very own ATT&CK Evaluations. (June 2019)
APT ATT&CK - Threat-based Purple Teaming with ATT&CK Continued Presentation
This presentation covers how to use ATT&CK to take cyber threat intelligence and operationalize it into behaviors that can drive relevant detections. (May 2019)
ATT&CK can be used to assess your organization's capabilities and drive engineering decisions, such as what tools or logging you should implement.
Getting Started with ATT&CK: Assessments and Engineering Blog Post
This blog post describes how you can get started using ATT&CK for assessments and engineering at three different levels of sophistication. (August 2019)
Lessons Learned Applying ATT&CK-Based SOC Assessments
This keynote presentation discusses a process to gauge a SOC's detective capabilities as they relate to ATT&CK, including MITRE's practical experiences and lessons learned. (June 2019)
Finding Cyber Threats with ATT&CK-Based Analytics
Presents a methodology for using ATT&CK to build, test, and refine behavior-based analytic detection capabilities. (June 2017)
Learn more about the use cases through the Sp4rkcon presentation "Putting MITRE ATT&CK into Action with What You Have, Where You Are" and the Getting Started with ATT&CK eBook.
For additional ATT&CK topics and to explore presentations and training: