Papers
- Philosophy Paper: This whitepaper provides an in-depth look at why we created ATT&CK, how we update and maintain it, and what the community commonly uses it for.
- Finding Cyber Threats with ATT&CK-Based Analytics: This paper presents a methodology for using ATT&CK to build, test, and refine behavioral-based analytic detection capabilities using adversary emulation.
Presentations
- January 2020: This presentation from the SANS CTI Summit explores how automation can be applied to cyber threat intelligence using the Threat Report ATT&CK Mapper (TRAM).
- October 2019: This presentation from the SANS Purple Team Summit looks at moving beyond traditional, rigid adversary emulation by leveraging MITRE ATT&CK.
- This presentation from BSidesDC covers an overview of ATT&CK and introduces a new tool for automating mapping to it called the Threat Report ATT&CK Mapper (TRAM).
- October 2019: This presentation from Anomali Detect discusses how you can use ATT&CK for threat intelligence, including a process for mapping intelligence to ATT&CK as well as biases to watch out for as you do this. Slides are also available.
- September 2019: This presentation from the RH-ISAC Retail Cyber Intelligence Summit covers all four of the primary ATT&CK use cases, with a focus on detection and analytics, and assessments and engineering.
- August 2019: This presentation from Black Hat walks through the story of a fictional organization in order to explain how different teams can use ATT&CK as a powerful force to improve defenses. Slides are also available.
- This presentation from BSidesLV covers how to use ATT&CK to take cyber threat intelligence and operationalize it into behaviors that can drive relevant detections. Slides are also available.
- This keynote presentation from the SANS Security Operations Summit discusses a process to gauge a SOC's detective capabilities as they relate to ATT&CK, including MITRE's practical experiences and lessons learned.
- This presentation from the Annual FIRST Conference presents different methods of using ATT&CK to find dependencies between adversary techniques to support defense.
- This presentation from the SANS Enterprise Defense Summit explains how defenders can improve their security posture through the use of adversary emulation by performing their very own ATT&CK Evaluations.
- This presentation from x33fcon takes a deep dive into using ATT&CK for purple teaming, including lessons learned from ATT&CK Evaluations. Slides are also available.
- This presentation from Sp4rkcon presents an overview of ATT&CK as well as ideas for how you can put it into action for four use cases. Slides are also available.
- April 2019: This presentation from the SANS Blue Team Summit provides a red teamer's perspective to show how ATT&CK is a valuable tool to help red and blue teams work together to improve their defenses. Slides are also available.
- This presentation from the FIRST CTI Symposium discusses how you can use ATT&CK for threat intelligence as well as biases to be aware of as you do that.
- This presentation from RSA covers an overview of ATT&CK as well as key use cases and tools that can be used to convert it into practice.
- March 2019: This presentation from BSides NOVA explores a number of different ways to analyze the ATT&CK knowledge base and how organizations might perform similar analyses with their own data.
- This presentation from the SANS CTI Summit presents an overview of how two different organizations use ATT&CK to map adversary behavior and prioritize how you apply that intelligence to defenses. Slides are also available.
- This presentation from Shmoocon discusses the use case of evaluating security tools with ATT&CK. It provides an overview of the approach taken by the ATT&CK Evaluations initiative.
- This presentation from BSides DC explores how you can apply ATT&CK to optimize and harmonize adversarial and defensive cyber operations.
- This presentation from the FireEye Cyber Defense Summit covers the use of ATT&CK as a framework for understanding FIN7 behaviors. Slides are also available.
- This presentation from the SANS Threat Hunting Summit shows how you can use ATT&CK to apply threat intelligence to adversary emulation.
- August 2018: This presentation from the DEFCON Blue Team Village shows how ATT&CK can be used for Security Operations Center (SOC) assessments.
- August 2018: This presentation from BSidesLV provides an overview of ATT&CK along with details on two use cases: threat intelligence and analytics. Slides are also available.
- July 2018: This presentation from HOPE provides perspective on how to use threat intelligence for ATT&CK-based adversary emulation. Slides are also available.
- This presentation from x33fcon discusses how purple teams can use ATT&CK as a common language for adversary emulation. Slides are also available.
- November 2016: This presentation from BSides Delaware outlines the key features of ATT&CK, describing the tactics, techniques, groups, and software that make up ATT&CK, along with a discussion of how it can be used.
Other ATT&CK Efforts
Building a community around sharing observations of ATT&CK techniques in the wild.
Plans that showcase the practical use of ATT&CK for offensive operators and defenders.
Evaluations of cybersecurity products using an open methodology based on ATT&CK.
A knowledge base describing actions that adversaries may take while operating within Industrial Control System networks.
Graphics
MITRE ATT&CK Roadmap
Last updated October 2020
MITRE ATT&CK Matrix Poster
Last updated October 2020
Other Resources
- ATT&CK Update Log: Recent changes to the ATT&CK content.
- Interfaces for Working with ATT&CK: Tools we've developed for accessing and manipulating the ATT&CK content.