Best Practices for MITRE ATT&CK® Mapping

For the Cybersecurity and Infrastructure Security Agency (CISA), understanding adversary behavior is often the first step in protecting networks and data. The success network defenders have in detecting and mitigating cyberattacks depends on this understanding. The MITRE ATT&CK® framework is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community. ATT&CK is freely open and available to any person or organization in the hopes of bringing communities together to develop more effective cybersecurity.

CISA uses ATT&CK as a lens through which to identify and analyze adversary behavior. ATT&CK provides details on 100+ threat actor groups, including the techniques and software they are known to use. (Note: Not every adversary behavior is documented in ATT&CK.) ATT&CK can be used to identify defensive gaps, assess security tool capabilities, organize detections, hunt for threats, engage in red team activities, or validate mitigation controls.

This Best Practices for MITRE ATT&CK Mapping guide provides network defenders with clear guidance, examples, and step-by-step instructions to make better use of MITRE ATT&CK as they analyze and report on cybersecurity threats. This will improve defenders’ ability to proactively detect adversary behavior and supports robust, contextual bi-directional sharing of information to help strengthen the security of our systems, networks, and data. CISA developed this guide in partnership with the Homeland Security Systems Engineering and Development Institute™ (HSSEDI), which worked with the MITRE ATT&CK team.