If you are a security professional, MITRE’s ATT&CK is everywhere these days. Even in places it does not belong! That being said, there are a ton of tools, projects, and extensions to ATT&CK. Some are fundamental (like Navigator) while others are niche. How do we tell what is right for us? What projects are essential to power up your security program? For my upcoming Cisco Live presentation in February, I take a crack at mapping ATT&CK’s massive ecosystem to roles and functions. Am I off to a good start? Let me share how I tackled this and you can let me know!

The High Level Mapping

As we’ve mentioned in a lot of the previous ATT&CK-related blogs, there are a ton of use cases. Depending on your role, or the roles on your team, you may not need all of these tools. You may only focus on a single use case. In the following diagram mapping ATT&CK’s ecosystem, I took a crack at breaking that up. I envision that almost anyone could learn something from the ATT&CK website and Navigator. Likewise, other tools help make ATT&CK accessible to all. After that, however, it diverges. I’ll explain each tool below. If you might find it useful, I am carrying this over to a living Rosetta Stone on GitHub for ATT&CK projects here.

Picture showing how various MITRE ATT&CK-related projects map to specific roles and functions in a security program.
Mapping the ATT&CK Ecosystem of Projects – It isn’t pretty, but it is a start!

Core Framework & Database

All of the tools listed hereafter rely heavily on this database. As we’ve mentioned, this is the center of the ATT&CK universe, and all other efforts leverage it.

  • MITRE ATT&CK: This core project website offers browse-able access to the ATT&CK Database, links to Navigator views, and pivots to the source information that drives its open-source contents. This is a must across all roles.

Core Tools

Regardless of your role (defender, tester, researcher, engineer or architect) you should be familiar with the tools below. How often you use them may vary, but Navigator is a fundamental collaboration tool and Workbench makes ATT&CK super easy to access!

  • ATT&CK Navigator (Online version): This lightweight web application acts as a workspace upon which to map coverage against various versions and matrices of ATT&CK. This is heavily used across the defensive specialties, and can help with gap analysis of visibility and detection.
  • ATT&CK Navigator (for self-hosting): Should a publicly hosted version not be desired, Navigator can also be run in a private instance based on Node.js. Docker and native Node.js versions are located here.
  • ATT&CK Workbench: ATT&CK Workbench offers a browser plug-in that enables users to annotate, enrich, and better leverage the ATT&CK DB as part of their own workflows.

Extending and integrating with ATT&CK’s ecosystem

These projects help different roles extend, integrate with, or otherwise comply with ATT&CK. Some of them (TRAM) help build TTP mappings that leverage ATT&CK, while others find more use in the back-end of systems (like the Python Scripts). These tools weave ATT&CK into your security stack, but may not be directly accessed:

  • ATT&CK Python Scripts: MITRE’s CTID has provided these scripts to help in accessing ATT&CK’s contents from within SOC tools or other projects.
  • Threat Report ATT&CK Mapper (TRAM): This tool leverages machine learning and a large language model (LLM) to assist CTI researchers in accurately mapping threat intelligence to ATT&CK TTPs.
  • ATT&CK Flow: ATT&CK is very focused on the atomic actions taken by adversaries, but Flow ties those atomic elements together into patterns of behavior. This is useful in crafting emulation plans, assigning attribution, and understanding Attack Chains.
  • ATT&CK Sync: MITRE ATT&CK is under continual renewal, and Sync offers assistance in migrating artifacts from older to newer versions.
  • ATT&CK in STIX: Many SOC tools (SIEMs, TIPs, etc.) receive threat intelligence updates via feeds. This project helps map ATT&CK TTPs to appropriate STIX formats (currently 2.0).
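As an added example (my own code, not the post’s and not from any MITRE project), here is how the Navigator, Python-scripting and STIX pieces above fit together: read technique IDs out of an ATT&CK-in-STIX bundle, join them with a detection-coverage inventory, and emit a Navigator layer whose low scores expose the gaps. The bundle and coverage values are constructed samples; the layer field names follow Navigator’s layer file format.

```python
"""Build an ATT&CK Navigator layer from ATT&CK-in-STIX data and a
detection-coverage inventory, then list the techniques with no coverage."""
import json

# Constructed STIX 2.0 bundle shaped like MITRE's ATT&CK release: each
# attack-pattern carries its technique ID in external_references.
STIX_BUNDLE = {"type": "bundle", "id": "bundle--constructed-sample", "objects": [
    {"type": "attack-pattern", "name": "Command and Scripting Interpreter",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1059"}],
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "execution"}]},
    {"type": "attack-pattern", "name": "Process Injection",
     "external_references": [{"source_name": "capec", "external_id": "CAPEC-640"},
                             {"source_name": "mitre-attack", "external_id": "T1055"}],
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "defense-evasion"}]},
    {"type": "attack-pattern", "name": "Old Technique", "revoked": True,
     "external_references": [{"source_name": "mitre-attack", "external_id": "T0000"}]},
]}
# Constructed coverage inventory: technique ID -> detection score 0-100 (e.g. from SIEM rules).
COVERAGE = {"T1059": 80}

def techniques_from_stix(bundle):
    """Map technique ID -> (name, tactic) for live ATT&CK attack-patterns."""
    out = {}
    for obj in bundle["objects"]:
        if obj.get("type") != "attack-pattern" or obj.get("revoked") or obj.get("x_mitre_deprecated"):
            continue  # revoked/deprecated techniques stay in the feed; never score them
        tid = next((r["external_id"] for r in obj.get("external_references", [])
                    if r.get("source_name") == "mitre-attack"), None)
        tactic = next((k["phase_name"] for k in obj.get("kill_chain_phases", [])
                       if k.get("kill_chain_name") == "mitre-attack"), None)
        if tid:
            out[tid] = (obj["name"], tactic)
    return out

def build_layer(techniques, coverage, name="Detection coverage"):
    """Navigator layer: one entry per technique, score = coverage (0 when absent)."""
    entries = [{"techniqueID": tid, "tactic": tactic, "score": coverage.get(tid, 0),
                "comment": f"{tname}: {coverage.get(tid, 0)}% detection coverage"}
               for tid, (tname, tactic) in sorted(techniques.items())]
    return {"name": name, "versions": {"layer": "4.5", "navigator": "4.9.1"},
            "domain": "enterprise-attack", "techniques": entries,
            "gradient": {"colors": ["#ff6666", "#ffe766", "#8ec843"], "minValue": 0, "maxValue": 100}}

def coverage_gaps(layer, threshold=50):
    """Technique IDs scoring below threshold: candidates for new detections."""
    return [t["techniqueID"] for t in layer["techniques"] if t["score"] < threshold]

if __name__ == "__main__":
    layer = build_layer(techniques_from_stix(STIX_BUNDLE), COVERAGE)
    print(json.dumps(layer, indent=2))  # load into Navigator via "Open Existing Layer"
```

Swap the constructed bundle for the real enterprise-attack STIX download and the coverage dict for your rule inventory, and the same script produces a layer you can open in Navigator to review gaps with the team.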

Where the power-ups to security take shape – Operations

This set of tools are more operational than those in the extend & integrate camp. Some roles in your org may use these as primary (or at least important) utilities in their work. Rather than hiding behind the scenes, roles directly access these tools to assist in performing their duties.

  • MITRE D3FEND: MITRE D3FEND assists in mapping intellectual property (patents) to ATT&CK. This helps detection engineers and product developers who are seeking to leverage their solutions to offer more detection value.
  • MITRE ENGAGE: MITRE ENGAGE helps use ATT&CK to recommend response actions, active defense strategies and more. Used properly, you can flip the script on adversaries.
  • Cyber Analytics Repository (CAR): CAR is a fantastic repository of publicly shared analytic recipes. These recipes can help SOCs quickly add detection of TTPs to their SIEM/XDR. Pseudocode, EQL, and other scripts are provided as available to accelerate time to value.
  • ATT&CK Emulation Library: This is a great first step to understand how adversaries’ playbooks are implemented. It leads readers through how an operation is conducted and provides ample material for emulating or understanding the threat actors.
  • MITRE Caldera: Breach Attack & Simulation tools validate that detections are working properly and mitigations are having intended impact. Caldera is MITRE’s offering that allows Red and Blue Team operations around simulated attacks.

3rd Party Tools and extensions of note

This category consists of community contributions to the ecosystem. DeTT&CT in particular gets a lot of attention from me. But each of these makes aspects of ATT&CK even better, and we can expect this category to grow further as we continue mapping ATT&CK’s ecosystem.

  • DeTT&CT (Operational): With this project, architects map coverage based on Operating System and kernel features, configurations, and the corresponding logging options. Implement it as either a local Python web service or a container. This tool helps in creating mappings of detection and coverage, as well as in defining new adversary TTP maps.
  • RE&CT (Operational): This project’s collaborators set out to map Incident Response actions to ATT&CK TTPs. It is useful to IR folks in ensuring they have their bases covered.
  • MITRE ATT&CK Insights (Fundamental?): This project visualizes how prevalent TTPs are for each attacker. Alternatively, you can see how popular TTPs, software, malware and the like are across all ATT&CK-categorized threat actors. I put it in the fundamental category simply because it can help anyone better understand the underlying database.

Conclusion

In this post, we took a crack at mapping the many projects relating to ATT&CK, limited to those that I run into. Things get even more interesting when you venture into the 3rd party stuff, or pivot into related frameworks. Some new projects have recently arrived that might follow ATT&CK’s lead. MITRE ATLAS, for instance, is like ATT&CK but for Artificial Intelligence. MITRE just extended ATT&CK for containers, showing the community just how extensible its project has become.

ATT&CK appeals to many because its scope is wide enough to be relevant to nearly every security team. Every security team at least grasps its use. But there has to be more to its appeal. When we’ve talked about MAEC and CAPEC, both tackle areas that many organizations share (malware and web applications). That said, both lack ecosystems AND both are considered more niche and open to competing frameworks (OWASP on the web side, for instance). I believe that part of ATT&CK’s success is how quickly it gained momentum to become an ecosystem of useful and community-supported tools.

So how did I do? What did we miss? Please send along your thoughts and inputs! I hope this is useful, and please bookmark the GitHub repo as I continue to evolve this living mapping.