MITRE developed ATT&CK as a model to document and track various techniques attackers use throughout the different stages of a cyberattack to infiltrate your network and exfiltrate data.

ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge. The framework is a matrix of different cyberattack techniques sorted by different tactics. There are different matrices for Windows, Linux, Mac, and mobile systems.

ATT&CK is a matrix of hacking techniques by tactics. There are several different matrices:

• PRE-ATT&CK Matrix includes techniques used for reconnaissance, target identification, and attack planning.
• Windows includes techniques used to hack all flavors of Windows.
• Linux includes techniques used to hack all flavors of Linux.
• MacOS includes techniques used to hack MacOS.
• Mobile ATT&CK matrix includes techniques used to attack mobile devices.

The Enterprise ATT&CK matrix is a superset of the Windows, MacOS, and Linux matrices. At the time of this writing, there are 245 techniques in the Enterprise model. MITRE regularly updates ATT&CK with the latest and greatest hacking techniques that hackers and security researchers discover in the wild.

• The MITRE ATT&CK Framework: Initial Access
• The MITRE ATT&CK Framework: Execution
• The MITRE ATT&CK Framework: Persistence
• The MITRE ATT&CK Framework: Privilege Escalation
• The MITRE ATT&CK Framework: Defense Evasion
• The MITRE ATT&CK Framework: Credential Access
• The MITRE ATT&CK Framework: Discovery
• The MITRE ATT&CK Framework: Lateral Movement
• The MITRE ATT&CK Framework: Collection
• The MITRE ATT&CK Framework: Exfiltration
• The MITRE ATT&CK Framework: Command and Control

The Differences Between PRE-ATT&CK and ATT&CK Enterprise

PRE-ATT&CK and ATT&CK Enterprise combine to form the full list of tactics that happen to roughly align with the Cyber Kill Chain. PRE-ATT&CK mostly aligns with the first three phases of the kill chain: reconnaissance, weaponization, and delivery. ATT&CK Enterprise aligns well with the final four phases of the kill chain: exploitation, installation, command & control, and actions on objectives.

MITRE and other third-party developers use ATT&CK to help the Red and Blue Teams implement their pentesting and defensive efforts:

• Caldera is MITRE’s automated attach technique emulation tool
• Cascade is MITRE’s Blue Team automation toolset
• Attack Navigator is a web application you can use to make notes and track your ATT&CK status
• Oilrig is Palo Alto’s Adversary Playbook built on the ATT&CK model.
• MITRE’s Cyber Analytics Repository is a separate project from ATT&CK that tracks detailed information about how to detect techniques.
• Varonis detects several ATT&CK techniques and cyberattacks in your network – including Pass the Hash, Pass the Ticket, and Brute Force.  Varonis threat models use the same language as ATT&CK so you can easily reference both resources when you need to research cyberattacks.