Frequently Asked Questions

General


ATT&CK is a knowledge base of cyber adversary behavior and taxonomy for adversarial actions across their lifecycle. ATT&CK has several parts: PRE-ATT&CK, which focuses left of delivery and exploit, ATT&CK for Enterprise, which covers initial access/exploit and beyond, and ATT&CK for Mobile, which focuses on mobile devices.


MITRE started ATT&CK in 2013 to document common tactics, techniques, and procedures (TTPs) that advanced persistent threats use against Windows enterprise networks. It was created out of a need to document adversary behaviors for use within a MITRE research project called FMX. The objective of FMX was to investigate the use of endpoint telemetry data and analytics to improve post-compromise detection of adversaries operating within enterprise networks. ATT&CK was used as the basis for testing the efficacy of the sensors and analytics under FMX and served as the common language both offense and defense could use to improve over time.


Tactics represent the “why” of an ATT&CK technique. It is the adversary’s tactical objective: the reason for performing an action.


Techniques represent “how” an adversary achieves a tactical objective by performing an action. For example, an adversary may dump credentials to achieve credential access.


Procedures are the exact ways a particular adversary or piece of software implements a technique. These are described by the examples sections in ATT&CK techniques.


Enterprise IT systems covering Windows, macOS, and Linux; mobile devices using Android and iOS.


ATT&CK can be used in several ways to help security operations, threat intelligence, and security architecture. See page 3 of The Design and Philosophy of ATT&CK whitepaper for more details on the various use cases for ATT&CK. Also check out the Resources section of the website and the blog for related projects and other resources.


Content


Quarterly.


Publicly available threat intelligence and incident reporting is the main source of data in ATT&CK. We take what is publicly available and distill out common TTPs. We also use publicly available research on new techniques that closely align with what adversaries commonly do, since new TTPs often get used in the wild quickly. For more information, see The Design and Philosophy of ATT&CK.


Check out our contribute page!

Please contact us before spending a lot of time writing up a new technique/group/software since we always have things in the works and don’t want you to duplicate efforts. For any contributions we add, we’ll run the final product by you and credit you as a contributor. In particular, we’re looking for Mac/Linux contributions.


We try to include most threat reporting but can only get to so much. If you feel information is missing, then help us by contributing to ATT&CK. Reach out to see if we’re already working on the group and review our contribute page for guidance and formatting for group and software submissions.


Resources


Yes! Check out this page: Interfaces for Working with ATT&CK

Staying Informed


Follow @MITREattack on Twitter for news and check out our blog for posts about topics related to ATT&CK.


Legal


Both MITRE ATT&CK™ and ATT&CK™ are trademarks of The MITRE Corporation.
  • Your first references in writing must include "MITRE" preceding "ATT&CK™" - but subsequently should just reference "ATT&CK" (no trademark symbol required).
    • Example of a first reference: MITRE ATT&CK™ is a curated knowledge base and model for cyber adversary behavior...
    • Example of subsequent reference: ATT&CK is useful for understanding security risk against known adversary behavior...
  • A headline should always reference "MITRE ATT&CK" together (never only "ATT&CK™").
  • Always capitalize "ATT&CK" to distinguish it from the surrounding text.
  • Do not modify the trademark, such as through hyphenation or abbreviation. For example, "ATT&CK'd!", "Plan-of-ATT&CK", "ATTK".
  • You may not display the ATT&CK trademark in any manner that implies an affiliation with, sponsorship, or endorsement by MITRE, or in a manner that can be reasonably interpreted to suggest third party content represents the views and opinions of MITRE or MITRE personnel, unless those third parties receive express permission from MITRE.
  • You may not use ATT&CK in your product names, service names, trademarks, logos, or company names.

Yes – ATT&CK is open and available to any person or organization for use at no charge. If you decide to use ATT&CK, then follow the terms of use. If you have further questions, then please reach out to us at attack@mitre.org.

Remember, you may never use MITRE ATT&CK, MITRE, or ATT&CK in a way that implies an endorsement of a product or service. MITRE does not endorse those organizations, individuals, etc. leveraging MITRE ATT&CK in their work. The inclusion of MITRE ATT&CK does not imply endorsement or support from MITRE.