LLMpedia: the first transparent, open encyclopedia generated by LLMs

ATT&CK

Generated by GPT-5-mini
Note: This article was automatically generated by a large language model (LLM) from purely parametric knowledge (no retrieval). It may contain inaccuracies or hallucinations. This encyclopedia is part of a research project currently under review.
ATT&CK
Name: ATT&CK
Developer: MITRE
Released: 2013
Latest release: ongoing
Platform: cross-platform
License: public domain / open framework

ATT&CK is a knowledge base and framework for categorizing the adversary behavior, techniques, and procedures used in cyber intrusions. It provides a matrix of tactics and techniques for mapping actions observed in incidents to standardized entries, enabling analysts from organizations such as the National Security Agency, Department of Defense, Department of Homeland Security, Federal Bureau of Investigation, and Central Intelligence Agency to communicate about threats with shared terminology. Security vendors like Microsoft, Google, Amazon, CrowdStrike, FireEye, and Palo Alto Networks integrate ATT&CK into the detection, threat hunting, and incident response workflows used by teams at JPMorgan Chase, Goldman Sachs, ExxonMobil, Walmart, and UnitedHealth Group.

Overview

ATT&CK presents techniques grouped under tactical goals such as initial access, execution, persistence, privilege escalation, defense evasion, credential access, discovery, lateral movement, collection, command and control, exfiltration, and impact. Analysts at Lockheed Martin, Boeing, Raytheon Technologies, Northrop Grumman, and BAE Systems apply the framework alongside models from MITRE Corporation partners and standards bodies like National Institute of Standards and Technology, International Organization for Standardization, Internet Engineering Task Force, European Union Agency for Cybersecurity, and Council of the European Union. The framework interoperates with tools and data standards such as STIX, TAXII, OpenIOC, CEF (Common Event Format), Syslog, and Elastic Stack (ELK), assisting security operations centers at AT&T, Verizon Communications, T-Mobile US, Siemens, and Schneider Electric.

History and development

Development began at MITRE Corporation as a response to the need for a systematic catalog of adversary behavior observed across incidents involving entities like Equifax, Target Corporation, Sony Pictures Entertainment, Home Depot, and nation-state operations attributed to actors linked to China, Russia, North Korea, and Iran. Early adopters included US Cyber Command, NATO Cooperative Cyber Defence Centre of Excellence, and commercial firms such as Symantec and McAfee. Over time the framework expanded with community contributions from researchers at SANS Institute, CERT Coordination Center, Carnegie Mellon University, Stanford University, Massachusetts Institute of Technology, and University of Cambridge. Annual events and workshops at venues like Black Hat USA, DEF CON, RSA Conference, ISSA International Conference, and ENISA conferences accelerated mapping efforts and integration with threat intelligence feeds maintained by Recorded Future, Mandiant, Kaspersky Lab, ESET, and Trend Micro.

Structure and components

The framework is organized into matrices for enterprise, mobile, and industrial control systems, with entries for techniques, sub-techniques, mitigations, and detections. Components reference behavior observed in campaigns tied to groups like APT28, APT29, Lazarus Group, Charming Kitten, and Sandworm and link to software such as Cobalt Strike, Mimikatz, PowerShell Empire, Metasploit, and Impacket. ATT&CK entries include examples from intrusion reports issued by Mandiant, CERT-EU, US-CERT, Cisco Talos, Proofpoint, and Malwarebytes and map defensive recommendations connected to vendor products from Splunk, SentinelOne, Sophos, Trend Micro, and Cylance. The taxonomy supports mapping to compliance frameworks and regulations like Health Insurance Portability and Accountability Act, General Data Protection Regulation, Sarbanes–Oxley Act, and standards such as NIST SP 800-53.

Use cases and applications

Organizations use the framework for threat modeling, red teaming, purple teaming, detection engineering, threat intelligence enrichment, and cyber risk assessment. Red team engagements at Goldman Sachs, Citigroup, Deutsche Bank, and UBS simulate techniques cataloged in the matrices; purple team exercises at Facebook (Meta), Twitter, Instagram, and LinkedIn refine detections. Security orchestration, automation, and response platforms from Splunk Phantom, Palo Alto Networks Cortex XSOAR, ServiceNow, and IBM Resilient operationalize ATT&CK mappings. Law enforcement agencies like Europol, INTERPOL, Metropolitan Police Service, and FBI Cyber Division leverage the framework to standardize case reports and share indicators with industry partners such as Anomali, ThreatConnect, Recorded Future, and VirusTotal.
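The interoperability with STIX mentioned under Overview and the detection-engineering use case above are illustrated by the following added example (not MITRE's code and not part of the original article): it parses a constructed miniature of the ATT&CK STIX bundle into a tactic-to-technique matrix and scores a set of detection rules against it, the way a Navigator-style coverage layer is built. The bundle, the technique T9999, and the rule names are constructed for the example.

```python
import json
from collections import defaultdict

# Constructed miniature of the ATT&CK STIX feed: attack-pattern objects with a
# mitre-attack external_id and kill-chain phases; one entry is revoked (constructed T9999).
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--constructed", "objects": [
    {"type": "attack-pattern", "name": "Scheduled Task/Job", "x_mitre_is_subtechnique": False,
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1053"}],
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "execution"},
                           {"kill_chain_name": "mitre-attack", "phase_name": "persistence"}]},
    {"type": "attack-pattern", "name": "Scheduled Task", "x_mitre_is_subtechnique": True,
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1053.005"}],
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "execution"},
                           {"kill_chain_name": "mitre-attack", "phase_name": "persistence"}]},
    {"type": "attack-pattern", "name": "OS Credential Dumping", "x_mitre_is_subtechnique": False,
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1003"}],
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "credential-access"}]},
    {"type": "attack-pattern", "name": "Retired Technique", "revoked": True,
     "external_references": [{"source_name": "mitre-attack", "external_id": "T9999"}],
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "execution"}]},
]})

def attack_id(obj):
    """Return the ATT&CK ID (e.g. T1053.005) from an object's mitre-attack reference."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None

def build_matrix(bundle_json):
    """Map each tactic (kill-chain phase) to {technique_id: name}; skip revoked/deprecated objects."""
    matrix = defaultdict(dict)
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "attack-pattern" or obj.get("revoked") or obj.get("x_mitre_deprecated"):
            continue
        tid = attack_id(obj)
        for phase in obj.get("kill_chain_phases", []):
            if tid and phase.get("kill_chain_name") == "mitre-attack":
                matrix[phase["phase_name"]][tid] = obj["name"]
    return dict(matrix)

def coverage(matrix, detections):
    """Per-tactic (covered, total) for {rule_name: [ids]}; a sub-technique tag also covers its parent."""
    covered = set()
    for tids in detections.values():
        for tid in tids:
            covered.update({tid, tid.split(".")[0]})
    return {tactic: (len(techs.keys() & covered), len(techs)) for tactic, techs in matrix.items()}

if __name__ == "__main__":
    print(coverage(build_matrix(SAMPLE_BUNDLE), {"schtasks_rule": ["T1053.005"]}))
```

Against the real feed, `SAMPLE_BUNDLE` would be replaced by the enterprise-attack STIX JSON that MITRE publishes, and the detections dict by the technique tags carried in the team's own rules.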

Adoption and community ecosystem

A broad ecosystem of vendors, open-source projects, academic groups, and government bodies supports ATT&CK. Open-source tools and projects including MITRE ATT&CK Navigator, CALDERA, Atomic Red Team, Velociraptor, GRR Rapid Response, and Osquery provide mapping, simulation, and telemetry collection. Certifications and training content are offered by SANS Institute, (ISC)², ISACA, and university programs at the Georgia Institute of Technology, the University of Maryland (College Park), and Carnegie Mellon University. Collaborative knowledge sharing occurs in communities around conferences like DEF CON, Black Hat Europe, and RSA Conference, and in forums maintained by MITRE Engenuity, the Azure Sentinel community, the AWS Security Blog, and vendor-specific research teams such as the Microsoft Threat Intelligence Center.

Criticisms and limitations

Critics point to gaps including coverage bias toward observable techniques in enterprise IT environments versus the legacy industrial control systems used by Siemens Energy and Schneider Electric; over-reliance on telemetry sources favored by vendors such as Microsoft and Elastic; and the potential for adversary adaptation once techniques are widely cataloged, affecting actors like APT29 and Lazarus Group. Scholars from Oxford University, Stanford University, and Harvard University have published analyses noting taxonomy drift, attribution challenges, and difficulties mapping high-level campaign narratives from reports by Mandiant, Kaspersky Lab, and CrowdStrike into discrete technique tags. Operational limitations appear in small-to-medium enterprises and non-profits like the Red Cross and Amnesty International, where resource constraints complicate full adoption and the continuous tuning of detections tied to ATT&CK mappings.
