What is MITRE ATT&CK?
A globally-accessible knowledge base of adversary tactics and techniques based on real-world observations.
With an aggressive-sounding name that brings to mind cyberattacks or ransomware, the MITRE ATT&CK® is actually similar to a “shield” against cyberattacks. Created by The MITRE Corporation, a private, not-for-profit company that provides engineering and technical guidance for the United States Air Force, “MITRE ATT&CK® is a [free] globally-accessible knowledge base of adversary tactics and techniques based on real-world observations”.1
The ATT&CK acronym stands for “Adversarial Tactics, Techniques and Common Knowledge, which is the basis for the framework and accompanying ATT&CK knowledge base”.2 A resource that helps enterprises to strengthen their cybersecurity strategies, ATT&CK is often leveraged for the “development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community”.1
The MITRE ATT&CK® framework is leveraged “across multiple fields and disciplines, including intrusion detection, threat hunting, red teaming, security engineering, threat intelligence and risk management”.2
The framework and knowledge base continue to grow as organizations leverage it and then add their own knowledge of cyberthreats to the knowledge base. Contributions like these help to inform the framework and to foster a stronger overall cybersecurity community online. MITRE notes that “with the creation of ATT&CK, [MITRE] is fulfilling its mission to solve problems for a safer world — by bringing communities together to develop more effective cybersecurity”.1
Cybersecurity is one of MITRE’s focus areas, and the company has stated that cybersecurity research is in the public interest. MITRE has a 50-plus-year history of creating cybersecurity tools, standards, and similar content to benefit the expanded information technology and cybersecurity communities.
In 2013, MITRE launched ATT&CK “to gather this data for a research project on detecting threats in enterprise networks post-compromise, such as after adversaries had broken in, and to document common tactics, techniques and procedures that advanced persistent threats used against Windows enterprise networks”.2
“The [initial ATT&CK] framework has its roots in work MITRE was carrying out for a sponsor organization. The company had asked MITRE to help improve its ability to detect adversaries within its IT environment[, which] would require understanding of how adversaries behave once they breach the enterprise perimeter”.3
Creating a testing environment that was named the Fort Meade eXperiment (FMX), MITRE leveraged the company’s network environment to perform “adversary emulation tests that mimicked the behaviors cybercriminals had undertaken in historic attacks”.3
“MITRE ran red team operations on this network, meaning it had designated teams to act as attackers using known techniques to penetrate the network. A blue team then attempted to detect and mitigate these simulated attacks. By simulating the complete cybersecurity landscape from both the attacker's and the defender's perspectives, MITRE formulated the following key insights that it uses as the basis of its ATT&CK framework:
On Halloween (October 31) 2023, MITRE ATT&CK v14 launched as “a release so hauntingly powerful that it [would] send a chill down the spine of even the most formidable adversaries”3 with “detection enhancements, ICS assets, and mobile structured detections”.4
In addition to ATT&CK, MITRE also offers other frameworks, including Engage™, D3FEND™, and CALDERA™, as well as many other cybersecurity tools. These frameworks and tools all support MITRE’s cybersecurity focus and its efforts to strengthen global cyber defense by providing vital information to thwart network intruders, build resiliency against future attacks, and develop assurance to overcome possible vulnerabilities.
The MITRE ATT&CK® framework helps enable threat-informed cyber defense for anyone who leverages it as a resource. It is freely available, so anyone from the cybersecurity product and service community to governments and the private sector can use it to develop specific threat models and methodologies.
Yasar and Lutkevich cite several broad benefits that the MITRE ATT&CK® framework offers:
Using the framework, a business can do the following: