The ATT&CKcon 7.0 CFP is open! Want to join us on stage in McLean, VA, 10/28-29? We'd love to hear your best talk ideas with some relation to ATT&CK so we can bring them to the wider ATT&CK community.
To submit, go to openconf.org/ATTACKcon2026/ before 8pm ET on July 2nd.
As we get ready to release ATT&CK for Containers with our April release, we realize that some have gotten the wrong impression of how we’ve scoped Containers. We wanted to share some examples of upcoming groups and techniques starting with our new Ever Given group page.
How do I get started using ATT&CK? No matter how sophisticated your team is, our new blog series can help you figure that out. First up, @likethecoins walks through a couple ideas for how you can use ATT&CK for #threatintel. medium.com/mitre-attack/gett…
It has launched! ATT&CK v9 is now live with refactored data sources, ATT&CK for Containers, Google Workspace as a platform and more! Read about new data sources and the rest of the update at medium.com/mitre-attack/atta… or attack.mitre.org/resources/u… for new/changed groups/techniques/sw.
Our beta release of ATT&CK with sub-techniques is now live! We’ve just posted a blog post by @stromcoffee with links to all of the new resources and advice on how to leverage them (medium.com/mitre-attack/atta…). You can also check out the new site itself at attack.mitre.org/beta/.
The April 2019 release of ATT&CK is out including our new Impact tactic! We’ve added 21 techniques (14 in Impact), 8 groups, and 50 software entries. We’ve also made updates to 22 techniques, 31 groups, and 46 software entries. attack.mitre.org/resources/u…
We've released the ATT&CK Navigator today. It's a tool to help build color coded ATT&CK Matrix visualizations and heat maps, but now with less MS Excel. mitre.org/capabilities/cyber…
We’re excited to announce the initial release of ATT&CK for ICS! You can find the ICS knowledge base at attack.mitre.org/ics and a blog post by @ojalexander explaining what’s new and different here: medium.com/mitre-attack/laun…. Thank you to everyone who helped us get here!
October ATT&CK update is now live! Lots of new information in Enterprise, Mobile, Groups, and Software. The biggest change is the addition of ATT&CK for Cloud! Thanks to all our contributors that helped with this update and with Cloud! Update notes: attack.mitre.org/resources/u…
We've released a whitepaper detailing ATT&CK's background, the various components of the framework, and our philosophy for maintaining it. As always, feedback is welcome and encouraged.
mitre.org/publications/techn…
We'd like to announce a new Tactic for Enterprise ATT@CK, "Flailing". We feel that these 10 new techniques describe a number of adversary and red team behaviors previously missing from ATT@CK. New techniques include "Invalid Accounts", "Commonly Blocked Port", "Visible Windows."
Subs have launched! After 3 months in beta, ATT&CK with Sub-Techniques (with some small fixes) has become... ATT&CK (attack.mitre.org/resources/u…). We've published a new blog post (medium.com/mitre-attack/atta…) that includes updates to our crosswalk format and describes what's changed.
It's a v10! Our release of ATT&CK is now live with new data source objects, improvements to macOS/Linux content, and updates across the board.
A new blog post describes the changes at medium.com/mitre-attack/intr… or you can go to attack.mitre.org/resources/u… and score it yourself!
The ATT&CK Evaluations Team just released the APT29 Evaluation results, DIY Eval profile, and a Joystick update on attackevals.mitre.org. Check out medium.com/mitre-attack/atta… to learn more about the evaluation process.
Want to buy 100% ATT&CK? Now introducing non-fungible techniques. 💀🚨♥️
Today, 4/1, we’re excited to announce the launch of the Bored ATT&CK Technique Club! We’ll be minting Technique NFTs throughout the day, initial drop ready to go now. 💎🤲 opensea.io/collection/bored-…
CALDERA 2.0 is now live at github.com/mitre/caldera, with support for new platforms, better usability, and an all new Chain mode. If you're at @BSidesCharm today, you can hear all about the new version and see a live demo from @privateducky at 3pm in Track 1.
The present everyone has been asking for is here! We are excited to announce the beta release of TRAM, a tool to aid in mapping reports to ATT&CK. You can find our latest blog with all the details at medium.com/mitre-attack/auto… and the source code at github.com/mitre-attack/tram.
In light of an uptick in recent technique submissions, we’d like to announce a new ATT&CK model, ATT&CK for Teleworking. We encourage the community to share Tactic and Technique suggestions via Twitter DM or mention, each must include a procedure in the form of a gif.
For anyone looking to write ATT&CK-based detections, the process @verri3r describes could help: hypothesize, find out what's normal, write, test, peer review, and publish. Also a solid list of ?s to ask about what execution should look like. redcanary.com/blog/detection… @redcanaryco
We're releasing an ATT&CK for Enterprise content update next Tuesday 1/16. There may be a bit of downtime. Some highlights: 19 new techniques (now up to 188), nine new groups, 26 new software entries. Many techniques and groups have had content updates.
Congrats to @mitrecorp InfoSec on their release of Shield (shield.mitre.org)! Shield is a knowledge base of active defense and adversary engagement options structured similarly to ATT&CK and linked to ATT&CK techniques. We look forward to seeing how it evolves and grows!
We’re excited to announce that we're hosting ATT&CKcon on Oct. 23-24 @MITREcorp! Whether you’re using ATT&CK now or thinking about it for the future (or you just like ampersands), this is the con for you. Email us to get on the distro for announcements: ATTACKcon@mitre.org
You can detect more than just C2 & exfil with network logs. Check out BZAR, a collection of @Zeekurity analytics aimed at detecting ATT&CK techniques that leverage RPC & SMB: github.com/mitre-attack/car/…. Let us know if you want to contribute to BZAR or the Cyber Analytics Repository!
We've released the APT3 Adversary Emulation Plan based on ATT&CK. These plans help describe a threat group's behavior for the purposes of testing security. Special thanks to @ckorban, Doug Miller, Adam Pennington, and @its_a_feature_ for their work. attack.mitre.org/wiki/Advers…
We're excited to begin a short beta-test period for the new MITRE ATT&CK website - check it out at mitre-attack.github.io. We're also moving the ATT&CK blog over to @Medium and our first new blog describes the website beta release medium.com/mitre-attack/new-…
Announcing the ATT&CKcon Power Hour! Instead of a 2 day conference, starting Oct 9 we'll be running a series of 90 minute virtual events! The CFP will be opening shortly for your talks on the most practical, aspirational, and things to always avoid with ATT&CK.
You asked, we listened. Our sister project, Cyber Analytics Repository (CAR), was migrated to Github as we start to reinvigorate the project to make it easier to contribute. Check out @jwunder's blog post (medium.com/mitre-attack/cybe…) and the new site: car.mitre.org/
We're excited to see the launch of the Center for Threat-Informed Defense! Rest assured: the Center will help accelerate research around ATT&CK and defense, but ATT&CK will remain free and open to all. You can use and contribute to ATT&CK whether you're a Center member or not.
#Cybersecurity challenges transcend individual organizations, fields, and countries. The Center for Threat-Informed Defense is bringing the private sector together to improve cyber defenses for all. bit.ly/2qLSrUH
Individual ATT&CKcon 2.0 videos are now up on YouTube! piped.video/playlist?list=PL…
We'll have a page up shortly linking to slides from the conference. Thank you again to all of our speakers for making this possible!
The next post in our "Getting Started with ATT&CK" blog series is now live. This week, @jwunder gives pointers on how you can write ATT&CK-based analytics, test them with purple teaming, and use ATT&CK to measure your progress. medium.com/mitre-attack/gett…
The ATT&CK website code is now open sourced! It generates static pages from STIX 2.0 data and can be used to build local copies with custom content using your own STIX bundles. Send PRs if you extend the site in a useful way and want to share! github.com/mitre-attack/atta…
We recently released v.2.2 of the Navigator. Check out all the new features, like the ability to load multiple layers by default and add your own customized metadata to layers, here - github.com/mitre/attack-navi…
This is a valuable process. Map your detections to ATT&CK, identify gaps in both the detections AND ATT&CK, then feed that back into ATT&CK to improve it for everyone. redcanary.com/blog/red-canar…
Now you can generate ATT&CK into a format many of you have asked for, Excel! Our new mitreattack-python pip library contains the Excel generator plus tools for working with ATT&CK Navigator layers.
github.com/mitre-attack/mitr…
pypi.org/project/mitreattack…
Get ready, ATT&CK v9 is coming Thursday, April 29th! We've already shared our roadmap for April and October releases (medium.com/mitre-attack/att-…), but we're excited to now have a date.
Ready to fire on all cylinders across the whole adversary lifecycle? ATT&CK v8 is out! It has two new tactics, Reconnaissance and Resource Development, replacing the scope of PRE-ATT&CK. @_whatshisface and @snarejen have written a post about the changes: medium.com/mitre-attack/the-….
Y'all realize that you don't need to reload all of ATT&CK from our TAXII server several times an hour? We only release twice a year.
Love,
Our AWS bill
We're excited to announce a new initiative to offer ATT&CK-based evaluations for #EDR products as a way to advance the market. The first-round CFP is open through April 13. Contact us at attackevals@mitre.org for more info or to request participation. mitre.org/news/press-release…
On October 21 (2021) v10 of ATT&CK will arrive! v10 will feature our new Data Sources objects (previewed at github.com/mitre-attack/atta…), along with updates to Techniques, Groups, and Software across all of our platforms.
Continuing our series on ATT&CK misunderstandings, we'd like to discuss attribution...
It may be tempting to attribute groups based on technique usage, but ATT&CK techniques only represent ONE aspect of a group & are generally too broad to produce reliable attribution alone.
We're gearing up to celebrate Windows XP's 21st birthday in style by releasing ATT&CK v12.
Watch this space October 25th for the initial release of Campaigns, and updates across ATT&CK for Enterprise, ICS, and Mobile!
Looking to automate your ATT&CK Navigator workflow? We recently released fresh Python scripts implementing several Navigator functionalities, including export to Excel! Check it out at github.com/mitre-attack/atta….
We are getting very close to our next ATT&CK release and the retirement of PRE-ATT&CK in its current form. ATT&CK for Enterprise will be adding new tactics to take its place, as described by @_whatshisface at ATT&CKcon 2.0 (slideshare.net/attackcon2018…). Watch this space next Tuesday!
Big changes coming in this week's update to better align ATT&CK and @MITREpreattack. We're adding Initial Access to ATT&CK to cover how adversaries gain access to enterprise networks -- it's no longer strictly post-compromise. PRE-ATT&CK's Launch and Compromise will be deprecated
We're trying something new for our next adversary emulation plan on APT29. We invite the community to contribute #threatintel, and then we'll openly publish the plan along with ATT&CK Evaluations results. Check out our blog & send contributions by 3/15: medium.com/mitre-attack/open…
We're excited to see @HybridAnalysis mapping sandbox analysis to ATT&CK! This is a great way to give an understanding of malware behavior by using a common language.
[UPDATE] We took on the challenge and now map behavior indicators to the MITRE ATT&CK framework for industry standard visibility into techniques and tactics. Example: hybrid-analysis.com/sample/1…
Earlier this week, @CISACyber released updates to their Best Practices for MITRE ATT&CK Mapping guide focusing on avoiding common pitfalls, better representing ATT&CK in reports, and guidance specific to ATT&CK for ICS. Check it out at go.dhs.gov/Zar
Let's continue our ATT&CK misunderstandings series & discuss procedures.
People sometimes assume ATT&CK is trying to cover every possible way a (sub-)technique can be done, but our procedures only cover what we've seen in public reporting tied to Groups, Software, or Campaigns.
For an overview of what ATT&CK is and how to get started using it, check out @likethecoins' presentation from @Sp4rkCon - "Putting MITRE ATT&CK into Action with What You Have, Where You Are." piped.video/bkfwMADar0M
We've been tracking reporting on the recent activity related to UNC2452/Solarigate with an eye to mapping it to ATT&CK and adding new techniques. We've posted and intend to keep up to date on the reports we're tracking but let us know what we're missing. medium.com/mitre-attack/iden….
ATT&CK is stronger because of the community behind it. To help you understand what contributions and formats we're looking for, here's a short summary: attack.mitre.org/w/img_auth.…. Thank you to all of our awesome contributors - past, present, and future!
Videos and slides from ATT&CKcon 2.0 have been available since shortly after the conference, but we recently updated our website to make them much easier to find. Everything from ATT&CKcon 2018, and 2.0 can now be found at attack.mitre.org/resources/a…. #attackcon
We've just made a point release (v8.2) to ATT&CK adding UNC2452 along with several software entries and a few new/updated techniques related to the Solar Winds supply chain injection. We describe the changes in medium.com/mitre-attack/iden….
Thanks to everyone who has contributed!
The team has been working furiously on a few projects that will be dropping soon. We'll be releasing a major update, including a new Impact tactic (destructive techniques, anyone?). Plus, CALDERA will be releasing version 2.0. (who likes dark theme?) We can't wait to share!
Sub-techniques, a new tactic, a new approach to mitigations, a hint about ATT&CKcon 2019, and more. Check out @jwunder's post on where we've been in 2018 and where we're hoping to go in 2019. medium.com/mitre-attack/atta…
You can now tag Sigma rules with ATT&CK tactics, techniques, groups, or software. This is a great step toward expressing detection in a common language!
The final post in our "Getting Started with ATT&CK" blog series is out! This time @andyplayse4 guides you through using ATT&CK to assess your SOC and engineer new defenses.
medium.com/mitre-attack/gett…
We just released a blog post jointly written by ATT&CK for ICS Lead @ojalexander and @Mandiant. It explores a visualization drawing on both the ATT&CK for Enterprise and ICS knowledge bases to describe an adversary operating across both. Check it out at medium.com/mitre-attack/in-p….
In collaboration with research partners, our friends at the Center for Threat-Informed Defense have released the Adversary Emulation Library (github.com/center-for-threat…). Check out the first emulation plan, which focuses on FIN6 (attack.mitre.org/groups/G003…).
We released a joint advisory with @NCSC, @NSAgov & @FBI on recommended detection and mitigation of SVR activity following the attribution of the SolarWinds compromise. We recommend all stakeholders check their networks for indicators of compromise: go.usa.gov/xHwAj
Looking to up your game on using ATT&CK for #CTI? @likethecoins and @_whatshisface recently recorded the ATT&CK for CTI training that they created and taught to multiple audiences over the past year. Exercises and links to the videos are now up at attack.mitre.org/training/ct….
With any big change to ATT&CK, we want the community's feedback to make sure we're on the right track. @stromcoffee wrote up our plans for sub-techniques and what the changes might entail medium.com/mitre-attack/atta…. Love it? Hate it? Let us know!
Looking for some free ATT&CK training? Last week, @MITREengenuity launched the MITRE ATT&CK Defender program with training created by members of the ATT&CK team. Check out ATT&CK Fundamentals, ATT&CK SOC Assessments, and ATT&CK for CTI via @cybraryIT at cybrary.it/info/mitre-attack…!
Curious about how ATT&CK maps to sensor logs?
Our Defensive lead @LexOnTheHunt led a @MITREengenuity team to map ATT&CK data sources & data components to events in:
🪵 Auditd
🪵 CloudTrail
🪵 OSQuery
🪵 Sysmon
🪵 WinEvtx
🪵 ZEEK
Check it out at center-for-threat-informed-d…!
Our next Getting Started with ATT&CK blog post is out, and this one was a team effort by @stromcoffee, @teschulz, and @likethecoins. Check out their advice on using ATT&CK for Adversary Emulation & Red Teaming and improving your defenses. medium.com/mitre-attack/gett…
As a part of ATT&CK v8, we also released ATT&CK for ICS in STIX (github.com/mitre/cti/tree/ma…), and a new version of the ATT&CK Navigator where you can pick your domain (including ICS) and version of ATT&CK (mitre-attack.github.io/attac…)! TAXII support for ICS is coming soon.
We've now crossed a number of items off our 2022 todo list with the release of ATT&CK v11 earlier this week! If you haven't checked it out yet, take a look at what's new at medium.com/mitre-attack/atta… and what else is coming this year in our 2022 roadmap
medium.com/mitre-attack/atta….
Sub-techniques aren’t there yet, but we’re getting close! @stromcoffee wrote an update blog post about how sub-techniques are coming along that previews two tactics, Credential Access and Lateral Movement, and responds to much of your great feedback! medium.com/mitre-attack/sub-…
We're completely full in-person for #ATTACKcon 2.0 but we are once again going to be streaming the entire conference live (as well as some online-only exclusives) for free! Sign up at mitre.org/attackcon-streamed… to join us virtually.
Power up your layers with the release of ATT&CK Navigator v4.4! We've added a new workflow for upgrading a nav layer that lets you see and respond to changed techniques, and combined search and multi-select into a more powerful UI. Check out new version at mitre-attack.github.io/attac…
We hear you that doing the MITRE is hard! Today we're launching a MITRE training bootcamp to help you all get your & on.
First up: Achieve 100% coverage! Head on over to attack.mitre.org/full-covera… and play for that 100% MITRE coverage everyone's been bragging about!
Wow, 40k followers! Thanks to everyone in the community who has helped us get ATT&CK to where it is today. We're humbled by these last five years, and look forward to working with many more of you in the future!
ATT&CK Evaluations just released their 2020 Carbanak & FIN7 Evaluation results and emulation plan, as well as major updates to results format on attackevals.mitre-engenuity.…. Check out medium.com/mitre-engenuity/a… to learn more about everything that is now available.
We are thrilled to announce our keynote speaker for ATT&CKcon 3.0, Selena Larson (@selenalarson)!
We will be opening free virtual registration for ATT&CKcon 3.0 next week, and you can check out the rest of our great list of speakers at mitre.org/attackcon.