Frequently Asked Questions

General

What is ATT&CK?

ATT&CK is a knowledge base of cyber adversary behavior and taxonomy for adversarial actions across their lifecycle. ATT&CK has two parts: ATT&CK for Enterprise, which covers behavior against enterprise IT networks and cloud, and ATT&CK for Mobile, which focuses on behavior against mobile devices.

Why did MITRE develop ATT&CK?

MITRE started ATT&CK in 2013 to document common tactics, techniques, and procedures (TTPs) that advanced persistent threats use against Windows enterprise networks. It was created out of a need to document adversary behaviors for use within a MITRE research project called FMX. The objective of FMX was to investigate use of endpoint telemetry data and analytics to improve post-compromise detection of adversaries operating within enterprise networks. ATT&CK was used as the basis for testing the efficacy of the sensors and analytics under FMX and served as the common language both offense and defense could use to improve over time.

What are "tactics"?

Tactics represent the “why” of an ATT&CK technique or sub-technique. It is the adversary’s tactical goal: the reason for performing an action. For example, an adversary may want to achieve credential access.

What are "techniques"?

Techniques represent “how” an adversary achieves a tactical goal by performing an action. For example, an adversary may dump credentials to achieve credential access.

What are "sub-techniques"?

Sub-techniques are a more specific description of the adversarial behavior used to achieve a goal. They describe behavior at a lower level than a technique. For example, an adversary may dump credentials by accessing the Local Security Authority (LSA) Secrets.

What are "procedures"?

Procedures are the specific implementation the adversary uses for techniques or sub-techniques. For example, a procedure could be an adversary using PowerShell to inject into lsass.exe to dump credentials by scraping LSASS memory on a victim. Procedures are categorized in ATT&CK as the observed in the wild use of techniques in the "Procedure Examples" section of technique pages.

What are the differences between sub-techniques and procedures?

Sub-techniques and procedures describe different things in ATT&CK. Sub-techniques are used to categorize behavior and procedures are used to describe in-the-wild use of techniques. Furthermore, since procedures are specific implementations of techniques and sub-techniques, they may include several additional behaviors in how they are performed. For example, an adversary using PowerShell to inject into lsass.exe to dump credentials by scraping LSASS memory on a victim is a procedure implementation containing several (sub)techniques covering the PowerShell, Process Injection, and Credential Dumping against LSASS behaviors.

What technologies does ATT&CK apply to?

Enterprise IT systems covering Windows, macOS, Linux, Network infrastructure devices (Network), and Container technologies (Containers); cloud systems covering Infrastructure-as-a-Service (IaaS), Software-as-a-Service (SaaS), Office 365, Azure Active Directory (Azure AD), and Google Workspace; mobile devices covering Android and iOS.

How can I use ATT&CK?

ATT&CK can be used in several ways to help security operations, threat intelligence, and security architecture. See the getting started page for resources on how to start using ATT&CK. Also check out the Resources section of the website and the blog for related projects and other material.

Content

How often is ATT&CK updated?

Bi-annually.

Where does the info in ATT&CK come from?

Publicly available threat intelligence and incident reporting is the main source of data in ATT&CK. We take what's available in the public and distill out common TTPs. We also use publicly available research on new techniques that closely align with what adversaries commonly do since new TTPs often get used in the wild quickly. For more information see The Design and Philosophy of ATT&CK.

How can I contribute content to ATT&CK?

Check out our contribute page!

Please contact us before spending a lot of time writing up a new technique/group/software since we always have things in the works and don’t want you to duplicate efforts. For any contributions we add, we'll run the final product by you and credit you as a contributor. In particular, we're looking for Mac/Linux contributions.

My "favorite" threat group isn't included in ATT&CK - why?

We try to include most threat reporting but can only get to so much. If you feel information is missing, then help us by contributing to ATT&CK. Reach out to see if we’re already working on the group and review our contribute page for guidance and formatting for group and software submissions.

Resources

Are there APIs I can use to access the ATT&CK content?

Yes! Check out this page: Interfaces for Working with ATT&CK.

Staying Informed

How do I stay up to date with what's happening with ATT&CK?

Follow @MITREattack on Twitter for news and check out our blog for posts about topics related to ATT&CK.

ATT&CK and Other Models

How does ATT&CK relate to other cyber frameworks and models?

Each model and framework can be used for different purposes. We have documented several use cases where ATT&CK can be used to provide granular detail on adversary behavior. We believe most models and frameworks are complementary to ATT&CK, so you don't have to choose just one.

What is the relationship between ATT&CK and the Diamond Model?

ATT&CK and the Diamond Model are complementary. ATT&CK documents detailed adversary behavior while the Diamond Model is helpful if you're trying to cluster intrusions. There are cases where they may be used together. For example, ATT&CK-mapped techniques may be a useful source of input into the Diamond Model to analyze adversary capabilities.

What is the relationship between ATT&CK and the Lockheed Martin Cyber Kill Chain^®?

ATT&CK and the Cyber Kill Chain are complementary. ATT&CK sits at a lower level of definition to describe adversary behavior than the Cyber Kill Chain. ATT&CK Tactics are unordered and may not all occur in a single intrusion because adversary tactical goals change throughout an operation, whereas the Cyber Kill Chain uses ordered phases to describe high level adversary objectives.

Legal

How should I reference the name ATT&CK?

Both MITRE ATT&CK^® and ATT&CK^® are registered trademarks of The MITRE Corporation.

Your first references in writing must include "MITRE" preceding "ATT&CK^®" - but subsequently should just reference "ATT&CK" (no registered trademark symbol required).
- Example of a first reference: MITRE ATT&CK^® is a curated knowledge base and model for cyber adversary behavior...
- Example of subsequent reference: ATT&CK is useful for understanding security risk against known adversary behavior...
A headline should always reference "MITRE ATT&CK" together (never only "ATT&CK^®").
Always capitalize "ATT&CK" to distinguish it from the surrounding text.
Do not modify the trademark, such as through hyphenation or abbreviation. For example, "ATT&CK'd!", "Plan-of-ATT&CK", "ATTK".
You may not display the ATT&CK trademark in any manner that implies an affiliation with, sponsorship, or endorsement by MITRE, or in a manner that can be reasonably interpreted to suggest third party content represents the views and opinions of MITRE or MITRE personnel, unless those third parties receive express permission from MITRE.
You may not use ATT&CK in your product names, service names, trademarks, logos, or company names.

Where can I download the MITRE ATT&CK logo?

You can find the MITRE ATT&CK logo here:

If you need a vector graphic of the MITRE ATT&CK logo, please contact us.

Can I use ATT&CK in my products and/or services?

Yes – ATT&CK is open and available to any person or organization for use at no charge. If you decide to use ATT&CK, then follow the terms of use. If you have further questions, then please reach out to us at attack@mitre.org.

Remember, you may never use MITRE ATT&CK, MITRE, or ATT&CK in a way that implies an endorsement of a product or service. MITRE does not endorse those organizations, individuals, etc. leveraging MITRE ATT&CK in their work. The inclusion of MITRE ATT&CK does not imply endorsement or support from MITRE.