The MITRE ATT&CK GitHub organization was created to hold current and future ATT&CK-related content, including this website!
CALDERA is an automated adversary emulation system that performs post-compromise adversarial behavior within Windows Enterprise networks.
The ATT&CK Navigator is designed to provide basic navigation and annotation of ATT&CK matrices.
CASCADE is a research project at MITRE that seeks to automate much of the investigative work a blue team would perform to determine the scope and maliciousness of suspicious behavior on a network using host data.
Structured Threat Information Expression (STIX™) is a language and serialization format used to exchange cyber threat intelligence (CTI).
The Cyber Analytics Repository (CAR) is a knowledge base of analytics developed by MITRE based on the ATT&CK™ adversary model.
Related Standardization Efforts
Common Attack Pattern Enumeration and Classification (CAPEC™) is an effort to provide a publicly available catalog of common attack patterns classified in an intuitive manner, along with a comprehensive schema for describing related attacks and sharing information about them. Understanding adversary behavior is increasingly important in cybersecurity. Two approaches exist for organizing knowledge about adversary behavior, CAPEC and ATT&CK, each focused on a specific set of use cases. Please visit the CAPEC and ATT&CK Comparison page, which explains the similarities, differences, and relationship between CAPEC and ATT&CK and the role of each in cybersecurity.
The ATT&CK and CAPEC efforts are collaborating to map related details between ATT&CK techniques and CAPEC attack patterns. CAPEC incorporated an initial mapping to ATT&CK techniques in CAPEC version 2.8, and ATT&CK techniques that have a related CAPEC attack pattern carry the corresponding CAPEC ID in their references.
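As an added example, not code from this page or from the ATT&CK project, the following Python walks a STIX 2.1 bundle laid out the way the ATT&CK team publishes its content in the mitre/cti GitHub repository and extracts the ATT&CK technique ID to CAPEC ID cross-references described above, in both directions. The bundle is constructed inline for illustration; its technique and CAPEC identifiers are placeholders, not real entries. The object layout it assumes (a technique is an `attack-pattern` whose `external_references` contain one entry with `source_name` "mitre-attack" and zero or more with `source_name` "capec") and the `revoked` / `x_mitre_deprecated` flags it skips are assumptions to confirm against the live data before relying on them.

```python
import json
from collections import defaultdict

# Constructed sample STIX 2.1 bundle for illustration only; the identifiers
# (T9001, CAPEC-9001, ...) are placeholders, not real ATT&CK or CAPEC entries.
# Layout assumed from the ATT&CK STIX conventions: a technique is an
# "attack-pattern" whose external_references include one with source_name
# "mitre-attack" (the technique ID) and zero or more with source_name "capec".
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--3f3a6b60-1d4c-4f37-9c41-0a6b2e4a9d01",
    "objects": [
        {
            "type": "attack-pattern",
            "spec_version": "2.1",
            "id": "attack-pattern--7e0d5c2e-4b1a-4c5e-8f3a-1a2b3c4d5e01",
            "name": "Placeholder Technique A",
            "external_references": [
                {"source_name": "mitre-attack", "external_id": "T9001"},
                {"source_name": "capec", "external_id": "CAPEC-9001"},
                {"source_name": "capec", "external_id": "CAPEC-9002"},
            ],
        },
        {
            "type": "attack-pattern",
            "spec_version": "2.1",
            "id": "attack-pattern--7e0d5c2e-4b1a-4c5e-8f3a-1a2b3c4d5e02",
            "name": "Placeholder Technique B",
            "external_references": [
                {"source_name": "mitre-attack", "external_id": "T9002"},
                {"source_name": "capec", "external_id": "CAPEC-9002"},
            ],
        },
        {
            # Revoked technique: kept in the bundle for history, must be
            # excluded from a current mapping (assumed "revoked" flag).
            "type": "attack-pattern",
            "spec_version": "2.1",
            "id": "attack-pattern--7e0d5c2e-4b1a-4c5e-8f3a-1a2b3c4d5e03",
            "name": "Placeholder Technique C (revoked)",
            "revoked": True,
            "external_references": [
                {"source_name": "mitre-attack", "external_id": "T9003"},
                {"source_name": "capec", "external_id": "CAPEC-9003"},
            ],
        },
        {
            # Non-technique object: ignored by the mapping.
            "type": "intrusion-set",
            "spec_version": "2.1",
            "id": "intrusion-set--7e0d5c2e-4b1a-4c5e-8f3a-1a2b3c4d5e04",
            "name": "Placeholder Group",
        },
    ],
})


def load_techniques(bundle_json):
    """Yield current (non-revoked, non-deprecated) attack-pattern objects."""
    bundle = json.loads(bundle_json)
    if bundle.get("type") != "bundle":
        raise ValueError("input is not a STIX bundle")
    for obj in bundle.get("objects", []):
        if obj.get("type") != "attack-pattern":
            continue
        # Assumed ATT&CK conventions for retired content.
        if obj.get("revoked") or obj.get("x_mitre_deprecated"):
            continue
        yield obj


def technique_id(obj):
    """Return the ATT&CK technique ID (e.g. T9001) or None if absent."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def capec_ids(obj):
    """Return the sorted, de-duplicated CAPEC IDs referenced by a technique."""
    return sorted({ref["external_id"] for ref in obj.get("external_references", [])
                   if ref.get("source_name") == "capec" and "external_id" in ref})


def attack_to_capec(bundle_json):
    """Map each current technique ID to its list of CAPEC IDs (possibly empty)."""
    mapping = {}
    for obj in load_techniques(bundle_json):
        tid = technique_id(obj)
        if tid is not None:
            mapping[tid] = capec_ids(obj)
    return mapping


def capec_to_attack(mapping):
    """Invert a technique->CAPEC mapping into CAPEC->sorted technique IDs."""
    inverse = defaultdict(list)
    for tid, capecs in mapping.items():
        for capec in capecs:
            inverse[capec].append(tid)
    return {capec: sorted(tids) for capec, tids in inverse.items()}


if __name__ == "__main__":
    forward = attack_to_capec(SAMPLE_BUNDLE)
    print(json.dumps(forward, indent=2))
    print(json.dumps(capec_to_attack(forward), indent=2))
```

To run this against real data, replace `SAMPLE_BUNDLE` with the contents of the enterprise-attack bundle from the mitre/cti repository; the revocation and deprecation checks matter there because retired techniques remain in the bundle and would otherwise pollute the mapping.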
Malware Attribute Enumeration and Characterization (MAEC™) is a collaborative, community-driven effort to define and develop a standardized language for sharing structured information about malware based on attributes such as behaviors, artifacts, and attack patterns. Characterizing malware by abstract patterns rather than byte-level signatures has several benefits: it accurately encodes how a sample operates and the specific actions it performs, which supports not only detection but also assessment of the end goal the malware is pursuing and the threat it represents. Focusing on attributes and behaviors also aids detection and analysis of emerging, sophisticated malware that evades traditional signature-based and heuristic approaches, and a standard characterization supports collaboration across organizations and the identification of common behavior, functionality, and code bases across malware instances.
There is alignment and overlap between some of the post-compromise techniques covered by ATT&CK and the capability and behavior abstractions in MAEC's standardized characterization of malware behavior. While ATT&CK takes a general approach and remains agnostic to the specific tools adversaries use, there is still value in relating techniques back to standardized descriptions of malware attributes wherever applicable.