We welcome your feedback about MITRE Engage v0.9 Beta: Email us at engage@mitre.org

ATT&CK® Mapping Overview

By mapping the various Engagement Activities to ATT&CK, we can ensure that each activity in Engage is driven by observed adversary behavior. In adversary engagement operations it can be tempting to try to anticipate the adversary's actions. However, without an extensive understanding of the specific threat, this line of thinking can lead the defender to make incorrect or ineffective decisions. By mapping to ATT&CK, we can ensure that our chosen engagement activities are appropriate for the target adversary. In the table below, each tactic in the ATT&CK framework is listed individually. Clicking on a specific tactic will show a detail page with the following information:

  • ATT&CK ID & Name – The ATT&CK Technique ID and Name
  • Adversary Vulnerability – The vulnerability that the adversary exposes when they engage in a specific behavior
  • Engagement Activity – The action the defender can take to take advantage of the vulnerability the adversary has exposed

When an adversary engages in a specific behavior, they become vulnerable by exposing an unintended weakness. By examining each ATT&CK technique, we can identify the weaknesses it reveals and select one or more engagement activities that exploit them.

In our first release of MITRE Engage we have chosen not to include any specific activity implementations or use cases in these mappings. To provide some guidance, we have included expanded definitions for each Activity, including concrete examples. We hope these definitions will illustrate the art of the possible. If you have questions, please reach out! We would be happy to share our past operational implementations or discuss your ideas.

In the future we hope to find new ways to dive into specific implementations, including collecting open-source examples of activity implementations, either from vendor products or from individual practitioners.

ATT&CK® Mapping by Tactic

ATT&CK® Tactic | Description
--- | ---
TA0043 - Reconnaissance | The adversary is trying to gather information they can use to plan future operations.
TA0042 - Resource Development | The adversary is trying to establish resources they can use to support operations.
TA0001 - Initial Access | The adversary is trying to get into your network.
TA0002 - Execution | The adversary is trying to run malicious code.
TA0003 - Persistence | The adversary is trying to maintain their foothold.
TA0004 - Privilege Escalation | The adversary is trying to gain higher-level permissions.
TA0005 - Defense Evasion | The adversary is trying to avoid being detected.
TA0006 - Credential Access | The adversary is trying to steal account names and passwords.
TA0007 - Discovery | The adversary is trying to figure out your environment.
TA0008 - Lateral Movement | The adversary is trying to move through your environment.
TA0009 - Collection | The adversary is trying to gather data of interest to their goal.
TA0010 - Exfiltration | The adversary is trying to steal data.
TA0011 - Command and Control | The adversary is trying to communicate with compromised systems to control them.
TA0040 - Impact | The adversary is trying to manipulate, interrupt, or destroy your systems and data.