ATT&CK gives analysts a common language to structure, compare, and analyze threat intelligence.

• Getting Started with ATT&CK: Threat Intelligence Blog Post: This blog post describes how you can get started using ATT&CK for threat intelligence at three different levels of sophistication.
• ATT&CKing Your Adversaries Presentation: This presentation covers how to use ATT&CK to take cyber threat intelligence and operationalize it into behaviors that can drive relevant detections.
• Blog posts on threat intelligence: These blog posts explain the fundamentals of how to use ATT&CK for threat intelligence.
• ATT&CKing the Status Quo Presentation: This middle part of this presentation provides an introduction to using ATT&CK for threat intelligence. Slides are also available.
• ATT&CKing with Threat Intelligence Presentation: This presentation provides perspective on how to use threat intelligence for ATT&CK-based adversary emulation. Slides are also available.
• ATT&CK Navigator Use Case for Threat Intelligence: This demo provides an overview of the ATT&CK Navigator as well as a threat intelligence use case for how to compare group behaviors. A corresponding written tutorial on comparing Navigator layers is available here.

ATT&CK provides a common language and framework that red teams can use to emulate specific threats and plan their operations.

• Getting Started with ATT&CK: Adversary Emulation and Red Teaming Blog Post: This blog post describes how you can get started using ATT&CK for adversary emulation and red teaming at three different levels of sophistication.
• Do-It-Yourself ATT&CK Evaluations to Improve Your Security Posture Presentation: This presentation explains how defenders can improve their security posture through the use of adversary emulation by performing their very own ATT&CK Evaluations.
• APT ATT&CK - Threat-based Purple Teaming with ATT&CK Continued Presentation: This presentation takes a deep-dive into using ATT&CK for purple teaming, including lessons learned from ATT&CK Evaluations.
• To Blue with ATT&CK-Flavored Love Presentation: This presentation provides a red teamer’s perspective to show how ATT&CK is a valuable tool to help red and blue teams work together to improve their defenses. Slides are also available.
• Finding Cyber Threats with ATT&CK-Based Analytics: Presents a methodology for using ATT&CK to build, test, and refine behavioral-based analytic detection capabilities.
• Adversary Emulation Plans: To showcase the practical use of ATT&CK for offensive operators and defenders, MITRE created Adversary Emulation Plans. We previously released a plan for APT3 (as well as an accompanying field manual) and anticipate that we will release additional plans in the future.
• CALDERA: CALDERA is an automated adversary emulation system that performs post-compromise adversarial behavior within Windows Enterprise networks. It generates plans using a pre-configured adversary model based on ATT&CK. This presentation from BSides Charm provides an overview of CALDERA.
• Threat-based Purple Teaming with ATT&CK Presentation:This presentation discusses how purple teams can use ATT&CK as a common language for adversary emulation. Slides are also available.
• ATT&CKing with Threat Intelligence Presentation: This presentation provides perspective on how to use threat intelligence for ATT&CK-based adversary emulation Slides are also available.
• ATT&CK Evaluations Adversary Emulation Summary: This summary from the ATT&CK Evaluations website provides an introduction to how ATT&CK Evaluations used an adversary emulation approach.

ATT&CK can be used to assess your organization’s capabilities and drive engineering decisions like what tools or logging you should implement.

• Getting Started with ATT&CK: Assessments and Engineering Blog Post: This blog post describes how you can get started using ATT&CK for assessments and engineering at three different levels of sophistication.
• Lessons Learned Applying ATT&CK-Based SOC Assessments Presentation: This keynote presentation discusses a process to gauge a SOC’s detective capabilities as they relate to ATT&CK, including MITRE’s practical experiences and lessons learned.
• ATT&CK Evaluations: MITRE’s evaluations of cybersecurity products using an open methodology based on ATT&CK can help end users understand how commercial security products detect known adversary behaviors.
• Finding Cyber Threats with ATT&CK-Based Analytics: Presents a methodology for using ATT&CK to build, test, and refine behavioral-based analytic detection capabilities.