Background History

How the ATT&CK framework originated and how it has grown over time.

The ATT&CK framework originated from the need to methodically organize and classify adversary actions observed during structured emulation exercises (think war games) within MITRE's FMX research environment. The FMX served as a live testing ground on the MITRE network for developing and refining detection methods, specifically against Advanced Persistent Threats (APTs).

Researchers sought to improve post-compromise threat detection by analyzing telemetry (data collected from remote or otherwise inaccessible sources) together with adversary behavioral patterns.

ATT&CK facilitated both adversary emulation and defense measurement within the FMX environment. It was initially focused on the Windows environment but has expanded over time to cover other platforms, including Mac, Linux, mobile, cloud, and Industrial Control Systems (ICS).