Getting Started
You want to get started using ATT&CK, but where do you begin? Regardless of what you want to accomplish, it’s important to understand what ATT&CK is and why MITRE created it.
- ATT&CK 101 Blog Post: A quick overview of key points to know about ATT&CK.
- Getting Started with ATT&CK Blog Series: Provides an overview of how to use ATT&CK at different levels of sophistication for four use cases: Threat Intelligence, Detection and Analytics, Adversary Emulation and Red Teaming, and Assessments and Engineering.
- Getting Started with ATT&CK eBook: Pulls together the content from our four Getting Started blog posts on Threat Intelligence, Detection and Analytics, Adversary Emulation and Red Teaming, and Assessments and Engineering into a single convenient package.
- Philosophy Paper: An in-depth look at why MITRE created ATT&CK, how we update and maintain it, and what the community commonly uses it for.
- Sp4rkcon Presentation: Putting MITRE ATT&CK™ into Action with What You Have, Where You Are: Presents an overview of ATT&CK as well as ideas for how you can put it into action for four use cases. Slides are also available.
- Finding Cyber Threats with ATT&CK-Based Analytics: Presents a methodology for using ATT&CK to build, test, and refine behavioral-based analytic detection capabilities.
-
MITRE ATT&CK Introduction Video:
Common Use Cases
Detections and Analytics
ATT&CK can help cyber defenders develop analytics that detect the techniques used by an adversary.
- Getting Started with ATT&CK: Detection and Analytics Blog Post: This blog post describes how you can get started using ATT&CK for detection and analytics at three different levels of sophistication.
- Cyber Analytics Repository (CAR): ATT&CK is the framework of what adversaries do, and CAR is a knowledge base of analytics based on ATT&CK. This blog post on CAR explains our work to improve it.
- Finding Cyber Threats with ATT&CK-Based Analytics: Presents a methodology for using ATT&CK to build, test, and refine behavioral-based analytic detection capabilities.
- CASCADE: This MITRE research project seeks to automate “blue team” work, including running analytics.
- ATT&CKing the Status Quo Presentation: The latter part of this presentation provides an introduction to using ATT&CK to create analytics. Slides are also available.
-
Many people in the ATT&CK community are doing excellent work with analytics and detection. We encourage you to take a look at the ATT&CKcon 2018 presentations for ideas. You can also follow us on Twitter at @MITREattack, since we sometimes retweet information about community projects that could help ATT&CK users.
Threat Intelligence
ATT&CK gives analysts a common language to structure, compare, and analyze threat intelligence.
- Getting Started with ATT&CK: Threat Intelligence Blog Post: This blog post describes how you can get started using ATT&CK for threat intelligence at three different levels of sophistication.
- ATT&CKing Your Adversaries Presentation: This presentation covers how to use ATT&CK to take cyber threat intelligence and operationalize it into behaviors that can drive relevant detections.
- Blog posts on threat intelligence: These blog posts explain the fundamentals of how to use ATT&CK for threat intelligence.
- ATT&CKing the Status Quo Presentation: The middle part of this presentation provides an introduction to using ATT&CK for threat intelligence. Slides are also available.
- ATT&CKing with Threat Intelligence Presentation: This presentation provides perspective on how to use threat intelligence for ATT&CK-based adversary emulation. Slides are also available.
- ATT&CK Navigator Use Case for Threat Intelligence: This demo provides an overview of the ATT&CK Navigator as well as a threat intelligence use case for how to compare group behaviors. A corresponding written tutorial on comparing Navigator layers is available here.
Adversary Emulation and Red Teaming
ATT&CK provides a common language and framework that red teams can use to emulate specific threats and plan their operations.
- Getting Started with ATT&CK: Adversary Emulation and Red Teaming Blog Post: This blog post describes how you can get started using ATT&CK for adversary emulation and red teaming at three different levels of sophistication.
- Do-It-Yourself ATT&CK Evaluations to Improve Your Security Posture Presentation: This presentation explains how defenders can improve their security posture through the use of adversary emulation by performing their very own ATT&CK Evaluations.
- APT ATT&CK - Threat-based Purple Teaming with ATT&CK Continued Presentation: This presentation takes a deep-dive into using ATT&CK for purple teaming, including lessons learned from ATT&CK Evaluations.
- To Blue with ATT&CK-Flavored Love Presentation: This presentation provides a red teamer’s perspective to show how ATT&CK is a valuable tool to help red and blue teams work together to improve their defenses. Slides are also available.
- Finding Cyber Threats with ATT&CK-Based Analytics: Presents a methodology for using ATT&CK to build, test, and refine behavioral-based analytic detection capabilities.
- Adversary Emulation Plans: To showcase the practical use of ATT&CK for offensive operators and defenders, MITRE created Adversary Emulation Plans. We previously released a plan for APT3 (as well as an accompanying field manual) and anticipate that we will release additional plans in the future.
- CALDERA: CALDERA is an automated adversary emulation system that performs post-compromise adversarial behavior within Windows Enterprise networks. It generates plans using a pre-configured adversary model based on ATT&CK. This presentation from BSides Charm provides an overview of CALDERA.
- Threat-based Purple Teaming with ATT&CK Presentation: This presentation discusses how purple teams can use ATT&CK as a common language for adversary emulation. Slides are also available.
- ATT&CKing with Threat Intelligence Presentation: This presentation provides perspective on how to use threat intelligence for ATT&CK-based adversary emulation. Slides are also available.
- ATT&CK Evaluations Adversary Emulation Summary: This summary from the ATT&CK Evaluations website provides an introduction to how ATT&CK Evaluations used an adversary emulation approach.
Assessment and Engineering
ATT&CK can be used to assess your organization’s capabilities and drive engineering decisions like what tools or logging you should implement.
- Getting Started with ATT&CK: Assessments and Engineering Blog Post: This blog post describes how you can get started using ATT&CK for assessments and engineering at three different levels of sophistication.
- Lessons Learned Applying ATT&CK-Based SOC Assessments Presentation: This keynote presentation discusses a process to gauge a SOC’s detective capabilities as they relate to ATT&CK, including MITRE’s practical experiences and lessons learned.
- ATT&CK Evaluations: MITRE’s evaluations of cybersecurity products using an open methodology based on ATT&CK can help end users understand how commercial security products detect known adversary behaviors.
- Finding Cyber Threats with ATT&CK-Based Analytics: Presents a methodology for using ATT&CK to build, test, and refine behavioral-based analytic detection capabilities.
Working with ATT&CK
Here are some resources on the ATT&CK infrastructure to help you work with the content to accomplish these use cases.
- Interfaces for Working with ATT&CK: This page describes how you can programmatically access ATT&CK content using STIX/TAXII.
- ATT&CK Navigator: The ATT&CK Navigator is designed to provide basic navigation and annotation of ATT&CK matrices. You can use the Navigator to visualize defensive coverage, your red/blue team planning, or anything else you want to do with ATT&CK. If you want to get started immediately, a hosted instance is available here.
Community
We’re creating a community of ATT&CK users who are passionate about ATT&CK and threat-informed defense. Here’s how you can find other community members, find out what they’re doing with ATT&CK, and get involved.
- Blog: Check out our Medium blog for ATT&CK updates and information.
- Twitter: Follow us at @MITREattack to hear about our latest updates and what community members are doing with ATT&CK.
- ATT&CKcon 2018 Presentations: In October 2018, we held the first-ever ATT&CKcon at MITRE’s McLean campus. Check out the presentations for ideas on how the community is using ATT&CK as well as the blog post about the event.
- Contribute to ATT&CK: We rely on the community to help us improve ATT&CK. If you want to contribute, here’s how to reach out and what we’re looking for.