ATT&CK Matrix

From ATT&CK

The ATT&CK Matrix provides a visual representation of the adversarial techniques described in the ATT&CK model.

Tactic categories are listed on the top row, with individual techniques as cells underneath each tactic to denote that the technique can be used to accomplish that particular tactic. Techniques can span multiple tactic categories, signifying that they can be used for more than one purpose.

MITRE ATT&CK Matrix - Overview of ATT&CK tactics and techniques

Uses

Defensive Gap Analysis

An organization can use the ATT&CK Matrix as a way to visualize defensive coverage of techniques and identify where gaps exist. Building detection and defensive capabilities against techniques can be prioritized based on documented adversary use, with an emphasis on techniques used heavily across multiple adversary groups.

The example below is a notional case where an organization has deployed some amount of host-based sensing and intrusion detection analytics to complement perimeter-focused sensors and is assessing where to invest resources next to cover more techniques. It is not based on an actual enterprise network environment, sensors, or analytic coverage of cyber adversary behavior.

MITRE ATT&CK Matrix Example Use for Defensive Gap Analysis
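As an added illustration of the gap analysis described above (example code, not part of the ATT&CK wiki or its tooling), the script below builds a small tactic-to-technique matrix, marks which techniques the organization already covers, and ranks the uncovered ones by how many adversary groups are documented using them. The technique IDs, group IDs and coverage set are constructed sample values, not entries from the ATT&CK knowledge base; only the tactic names are real ATT&CK tactics.

```python
from collections import defaultdict

# Constructed sample data (not from the ATT&CK knowledge base). Each technique
# lists every tactic it can accomplish, mirroring how one technique can appear
# under several tactic columns in the matrix.
TECHNIQUES = {
    "TX-01": {"name": "Scheduled task",      "tactics": ["Persistence", "Privilege Escalation", "Execution"]},
    "TX-02": {"name": "Credential dumping",  "tactics": ["Credential Access"]},
    "TX-03": {"name": "Remote file copy",    "tactics": ["Lateral Movement", "Command and Control"]},
    "TX-04": {"name": "Screen capture",      "tactics": ["Collection"]},
}
# Constructed: which adversary groups have been documented using each technique.
GROUP_USE = {
    "GX-A": {"TX-01", "TX-02", "TX-03"},
    "GX-B": {"TX-02", "TX-03"},
    "GX-C": {"TX-02", "TX-04"},
}
# Constructed: techniques the organization's current sensors and analytics detect.
COVERED = {"TX-04"}


def build_matrix(techniques):
    """Tactic -> sorted technique IDs; a technique spanning N tactics appears in N columns."""
    matrix = defaultdict(list)
    for tid, tech in techniques.items():
        for tactic in tech["tactics"]:
            matrix[tactic].append(tid)
    return {tactic: sorted(tids) for tactic, tids in matrix.items()}


def group_counts(group_use):
    """Technique ID -> number of groups documented using it."""
    counts = defaultdict(int)
    for tids in group_use.values():
        for tid in tids:
            counts[tid] += 1
    return dict(counts)


def coverage_by_tactic(techniques, covered):
    """Tactic -> (covered techniques, total techniques) for that column of the matrix."""
    return {tactic: (sum(tid in covered for tid in tids), len(tids))
            for tactic, tids in build_matrix(techniques).items()}


def prioritize_gaps(techniques, group_use, covered):
    """Uncovered techniques, most-used-by-groups first, then those spanning more tactics."""
    counts = group_counts(group_use)
    gaps = [tid for tid in techniques if tid not in covered]
    return sorted(gaps, key=lambda t: (-counts.get(t, 0), -len(techniques[t]["tactics"]), t))


if __name__ == "__main__":
    for tactic, (done, total) in sorted(coverage_by_tactic(TECHNIQUES, COVERED).items()):
        print(f"{tactic:22s} covered {done}/{total}")
    for tid in prioritize_gaps(TECHNIQUES, GROUP_USE, COVERED):
        print(f"gap: {tid} ({TECHNIQUES[tid]['name']}), used by {group_counts(GROUP_USE)[tid]} group(s)")
```

With the constructed data the top-ranked gap is the credential dumping technique, since all three sample groups use it even though it sits in only one tactic column.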