This paper lays out the motivation and details of MITRE ATT&CK’s design, creation, and maintenance. It can serve as a guide to ATT&CK itself, as well as a resource for those looking to create ATT&CK-like knowledge bases.
This paper discusses the motivation behind the creation of MITRE ATT&CK®, the components described within it, its design philosophy, how the project has progressed, and how it can be used. It is meant to serve as an authoritative source of information about ATT&CK, as well as to help guide how ATT&CK is maintained and how ATT&CK-based knowledge bases are created for new technology domains and platforms.
Adoption of ATT&CK is widespread across multiple disciplines, including intrusion detection, threat hunting, security engineering, threat intelligence, red teaming, and risk management. As more organizations use ATT&CK, it is important for MITRE to strive for transparency about how ATT&CK was created and the decision process used to maintain it. We want users of ATT&CK to have confidence in the information and resources it provides, to better understand how they can begin to use it, and to know how and where they can help ATT&CK grow.
The types of information that went into ATT&CK, and the process used to create and maintain it, may also be useful for other work to derive similar models for other technology domains or for taxonomies of adversarial behavior in other areas. ATT&CK's grounding in empirically driven threat information, together with its driving use cases of adversary emulation and better measurement of defensive coverage, was foundational in how it was perceived and used across the security community. We hope this document can be a useful resource for efforts seeking to follow the process used to create ATT&CK in new areas.