ATT&CK Model: It ain’t your mama’s kill chain model

Who and what is MITRE

MITRE is a non-profit whose mission is to solve problems for a safer world through federally funded research and development centers and public-private partnerships. Its aim is to tackle challenges to the safety, stability, and well-being of the United States.

MITRE brings innovative ideas into existence in areas as varied as artificial intelligence, intuitive data science, quantum information science, health informatics, space security, policy and economic expertise, trustworthy autonomy, cyber threat sharing, and cyber resilience.

What is ATT&CK

ATT&CK is a curated knowledge base of adversary behaviors observed in the wild. It covers the phases of an adversary's attack lifecycle and the platforms adversaries are known to target, and it organizes the observed behaviors under tactical goals. ATT&CK is a byproduct of exercises MITRE ran under a research project named the Fort Meade Experiment (FMX), which was created to enumerate and categorize post-compromise adversary tactics, techniques, and procedures (TTPs) against Microsoft Windows. The project emulated adversary techniques in a cyber war game, closely monitored within an isolated enclave, to test analytic hypotheses and thereby improve post-compromise detection of threats.

Applications of the ATT&CK model extend across intrusion detection, threat hunting, security engineering, threat intelligence, red teaming, and risk management. All of them are grounded in empirically derived threat information: use cases built through adversary emulation, which allow defensive coverage to be measured more accurately.

Unlike the Lockheed Martin kill chain model (KCM), the ATT&CK does not represent tactics or techniques in a linear order — rather, adversaries jump around between different techniques in order to achieve their tactical goals.

The relationships between the different elements of ATT&CK are diagrammed below in Figure 1.

Figure 1: The interactions between the elements of the ATT&CK

What ATT&CK is NOT is an exhaustive enumeration of attack vectors. Those are covered under separate MITRE research and are referenced from the techniques in the ATT&CK matrix; they include CAPEC (Common Attack Pattern Enumeration and Classification) and CWE (Common Weakness Enumeration).

The ATT&CK matrix is organized as a table: each column is a tactic, the short-term goal an adversary pursues during an attack, and each cell in that column is an individual technique adversaries use to achieve that tactical goal.

History of ATT&CK

The first ATT&CK model was created in September of 2013 as a result of the FMX research and publicly released in May of 2015 with 96 techniques organized under 9 tactics. Since 2013, the community has collectively contributed to the project through the creation of a similar knowledge base called the