For the Cybersecurity and Infrastructure Security Agency (CISA), understanding adversary behavior is often the first step in protecting networks and data. The success network defenders have in detecting and mitigating cyberattacks depends on this understanding. The MITRE ATT&CK® framework is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. ATT&CK provides details on 100+ threat actor groups, including the techniques and software they are known to use.[1] ATT&CK can be used to identify defensive gaps, assess security tool capabilities, organize detections, hunt for threats, engage in red team activities, or validate mitigation controls. CISA uses ATT&CK as a lens through which to identify and analyze adversary behavior. CISA created this guide with the Homeland Security Systems Engineering and Development Institute™ (HSSEDI), a DHS-owned, federally funded research and development center (FFRDC) that works with the MITRE ATT&CK team.
Since the initial release of Best Practices for MITRE ATT&CK® Mapping in June 2021, malicious cyber operators and operations have continued to evolve at a rapid pace. To maintain relevancy and maximize impact for defenders, MITRE ATT&CK has also evolved the ATT&CK framework, adding major new structures, features, and techniques. Beginning with ATT&CK version nine (v9), these changes include:
- The introduction of new platforms,
- Expansion of macOS and Linux coverage,
- Increased equity between the Industrial Control Systems (ICS), Mobile, and Enterprise matrices,
- The redefinition of data sources and detections, and
- The addition of ATT&CK Campaigns.
As of version 12 (v12), ATT&CK for Enterprise contains 14 tactics, 193 techniques, and 401 subtechniques.
The January 2023 update of Best Practices for MITRE ATT&CK® Mapping covers the above list of ATT&CK updates. This version of the best practices also covers common analytical biases, mapping mistakes, and specific ATT&CK mapping guidance for ICS.