What is ATT&CK?

An introduction to the MITRE ATT&CK knowledge base — what it covers and how it is structured.

ATT&CK is a knowledge base of adversarial techniques. Unlike prior work in this area, the focus is not on the tools and malware that adversaries use, but on how they interact with systems during an operation.

Four Problems ATT&CK Addresses

  1. Adversary Behavior
  2. Lifecycle Models
  3. Applicability to real environments
  4. Common taxonomy — TTPs must be comparable across different adversary groups using the same terms

ATT&CK groups each technique under one or more tactics, which adds context for the technique and explains why an adversary would perform it.

Vocabulary

Tactics

Tactics answer the "why" of an attack technique — the adversary's objective for performing an action.

  1. Reconnaissance — gathering information
  2. Resource Development — establishing resources to support operations
  3. Initial Access — getting into your network
  4. Execution — attempting to run malicious code
  5. Persistence — maintaining a foothold
  6. Privilege Escalation — gaining higher-level permissions
  7. Defense Evasion — avoiding detection
  8. Credential Access — stealing account names and passwords
  9. Discovery — exploring and gaining knowledge of the environment
  10. Collection — gathering data of interest
  11. Command and Control — communicating with and controlling compromised systems
  12. Lateral Movement — moving through your environment
  13. Exfiltration — attempting to steal data

Techniques

Techniques outline how an adversary accomplishes a tactical goal by executing specific actions. They can also answer "what" an adversary gains by performing an action.

The ATT&CK Matrix

The ATT&CK Matrix is a visual representation of the relationship between tactics and techniques. Each column is a tactic; the cells within each column are the techniques that fall under it.
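The tactic-to-technique relationship and the column layout of the matrix can be modelled directly as a data structure. The following is an added example, not code from the original page or from MITRE; it assumes a minimal record shape (technique id, name, list of tactics) and uses a constructed sample of a few well-known Enterprise technique IDs, with the tactic columns in the order the page lists them. It also shows why a single technique can appear in several columns: the same action can serve more than one adversary objective.

```python
"""Build a small ATT&CK-style matrix from technique-to-tactic mappings.

Added example, not code from the original page or from MITRE. It assumes a
minimal record shape (technique id, name, tactics) and uses a constructed
sample of a few well-known Enterprise technique IDs.
"""
from collections import OrderedDict

# Tactic order as listed on the page: one column per tactic.
TACTICS = [
    "Reconnaissance", "Resource Development", "Initial Access", "Execution",
    "Persistence", "Privilege Escalation", "Defense Evasion", "Credential Access",
    "Discovery", "Collection", "Command and Control", "Lateral Movement",
    "Exfiltration",
]

# Constructed sample: (technique id, name, tactics the technique serves).
# A technique may sit under several tactics because the same action can
# serve several adversary goals (the "why").
SAMPLE_TECHNIQUES = [
    ("T1078", "Valid Accounts",
     ["Initial Access", "Persistence", "Privilege Escalation", "Defense Evasion"]),
    ("T1059", "Command and Scripting Interpreter", ["Execution"]),
    ("T1003", "OS Credential Dumping", ["Credential Access"]),
    ("T1082", "System Information Discovery", ["Discovery"]),
    ("T1021", "Remote Services", ["Lateral Movement"]),
    ("T1071", "Application Layer Protocol", ["Command and Control"]),
    ("T1041", "Exfiltration Over C2 Channel", ["Exfiltration"]),
]


def build_matrix(techniques, tactics=TACTICS):
    """Return {tactic: [technique ids]} with one key per tactic column.

    Raises ValueError for a technique that names an unknown tactic, so a
    typo in a mapping is caught instead of silently creating a new column.
    """
    matrix = OrderedDict((t, []) for t in tactics)
    for tid, _name, tech_tactics in techniques:
        for tactic in tech_tactics:
            if tactic not in matrix:
                raise ValueError(f"{tid}: unknown tactic {tactic!r}")
            matrix[tactic].append(tid)
    return matrix


def tactics_for(technique_id, techniques):
    """Answer the 'why': which tactics does this technique serve?"""
    for tid, _name, tech_tactics in techniques:
        if tid == technique_id:
            return list(tech_tactics)
    return []


def render(matrix):
    """Render the matrix as text columns, skipping tactics with no techniques."""
    columns = [(t, ids) for t, ids in matrix.items() if ids]
    height = max(len(ids) for _, ids in columns)
    width = max(len(t) for t, _ in columns)
    lines = ["  ".join(t.ljust(width) for t, _ in columns)]
    for row in range(height):
        cells = [(ids[row] if row < len(ids) else "").ljust(width)
                 for _, ids in columns]
        lines.append("  ".join(cells))
    return "\n".join(lines)


if __name__ == "__main__":
    m = build_matrix(SAMPLE_TECHNIQUES)
    print(render(m))
    print("T1078 serves:", tactics_for("T1078", SAMPLE_TECHNIQUES))
```

Running the script prints one header row of tactic names followed by the technique IDs beneath each, with T1078 appearing in four columns; `tactics_for` is the reverse lookup a defender uses when mapping an observed behaviour back to the adversary's likely objective.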