Overview
The MITRE ATT&CK integration provides:
- Complete ATT&CK framework database
- Technique tagging for activities
- Coverage visualization
- Report integration
- Detection recommendations
Accessing MITRE ATT&CK
Navigate to Reporting → MITRE ATT&CK to browse techniques and view coverage.
ATT&CK Framework Structure
Tactics
High-level adversary goals:
- Reconnaissance
- Initial Access
- Execution
- Persistence
- Privilege Escalation
- Defense Evasion
- Credential Access
- Discovery
- Lateral Movement
- Collection
- Command and Control
- Exfiltration
- Impact
Techniques
Specific methods to achieve tactical goals:
- Each tactic contains multiple techniques
- Techniques may be broken down into sub-techniques
- Each technique includes a description and examples
- Each technique links to its mitigations and detections
Tagging Activities
Manual Tagging
- Create or edit an activity
- Select the MITRE ATT&CK technique
- Choose a sub-technique if applicable
- The activity is now tagged with the technique
Auto-Tagging
StrikeKit automatically suggests techniques based on:
- Activity description
- Commands executed
- Tools used
- Target systems
Bulk Tagging
Tag multiple activities at once:
- Select the activities
- Apply the technique tag
- All selected activities are tagged simultaneously
Coverage Visualization
ATT&CK Matrix
Visual matrix showing:
- Techniques used (highlighted)
- Coverage by tactic
- Frequency of technique use
- Gaps in coverage
Coverage Reports
Generate reports showing:
- Percentage coverage per tactic
- Most-used techniques
- Comparison to common adversary groups
- Detection opportunities
Detection Mapping
For each technique used:
- View detection recommendations
- See data sources needed
- Review detection analytics
- Link to MITRE references
Reporting Integration
MITRE ATT&CK data appears in reports:
Executive Summary
- High-level tactic coverage
- Comparison to real-world threats
Technical Section
- Detailed technique usage
- Complete ATT&CK matrix
- Technique descriptions
- Detection recommendations
Methodology
- Framework-based testing approach
- Systematic coverage
- Industry-standard terminology
Best Practices
Tagging Guidelines
- Tag immediately: Add techniques when performing activities
- Be specific: Use sub-techniques when applicable
- Multiple techniques: Tag with all relevant techniques
- Consistent tagging: Use same techniques for similar activities
Coverage Goals
Aim for:
- At least one technique per relevant tactic
- Multiple techniques for key tactics
- Balanced coverage across lifecycle
- Realistic adversary simulation
Detection Focus
Use ATT&CK for:
- Identifying detection gaps
- Recommending monitoring improvements
- Testing detection capabilities
- Measuring detection coverage
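The per-tactic coverage and detection figures described under Coverage Reports and Detection Focus can be computed from tagged activities as shown here. This is an added illustration, not StrikeKit's own code: the technique catalogue is a hand-written excerpt standing in for the full ATT&CK database, and the activity log is constructed.

```python
from collections import Counter, defaultdict
# Constructed excerpt of the ATT&CK catalogue (technique ID -> tactics it sits under),
# standing in for StrikeKit's full framework database. The IDs are genuine ATT&CK IDs.
TECHNIQUE_TACTICS = {
    "T1566": {"Initial Access"},
    "T1078": {"Initial Access", "Persistence", "Privilege Escalation", "Defense Evasion"},
    "T1059": {"Execution"},
    "T1053": {"Execution", "Persistence", "Privilege Escalation"},
    "T1003": {"Credential Access"},
}
TACTICS = ["Reconnaissance", "Initial Access", "Execution", "Persistence",
           "Privilege Escalation", "Defense Evasion", "Credential Access", "Discovery",
           "Lateral Movement", "Collection", "Command and Control", "Exfiltration", "Impact"]

def parent_technique(technique_id):
    """Sub-technique T1059.001 -> parent T1059 (a parent ID maps to itself)."""
    return technique_id.split(".", 1)[0]

def coverage_summary(activities):
    """Per-tactic coverage %, detection %, tactic gaps and most-used techniques.
    activities: dicts like {"technique": "T1059.001", "detected": True}. Coverage counts
    distinct parent techniques used against those the catalogue lists under the tactic."""
    used, seen, detected, freq = defaultdict(set), Counter(), Counter(), Counter()
    for act in activities:
        parent = parent_technique(act["technique"])
        if parent not in TECHNIQUE_TACTICS:
            raise ValueError(f"technique {act['technique']} is not in the catalogue")
        freq[act["technique"]] += 1
        for tactic in TECHNIQUE_TACTICS[parent]:  # T1078 counts toward four tactics
            used[tactic].add(parent)
            seen[tactic] += 1
            detected[tactic] += int(bool(act.get("detected")))
    per_tactic = {}
    for tactic in TACTICS:
        listed = [t for t, ts in TECHNIQUE_TACTICS.items() if tactic in ts]
        per_tactic[tactic] = {
            "techniques": sorted(used[tactic]),
            "coverage_pct": round(100 * len(used[tactic]) / len(listed)) if listed else 0,
            "detection_pct": round(100 * detected[tactic] / seen[tactic]) if seen[tactic] else None,
        }
    return {"per_tactic": per_tactic, "gaps": [t for t in TACTICS if not used[t]],
            "most_used": freq.most_common(3)}

# Constructed sample engagement log (not real data); "detected" = the client's SOC saw it.
SAMPLE_ACTIVITIES = [
    {"technique": "T1566.001", "detected": True},
    {"technique": "T1059.001", "detected": False},
    {"technique": "T1059.001", "detected": True},
    {"technique": "T1078", "detected": False},
    {"technique": "T1003.001", "detected": True},
]
```

Tactics with an empty `techniques` list are the coverage gaps to explain in the report; a `detection_pct` of `None` means nothing under that tactic was exercised, which is different from exercised-but-missed.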
Common Workflows
During Operations
- Perform activity
- Tag with ATT&CK technique immediately
- Note if detection occurred
- Link to related findings
Report Preparation
- Review ATT&CK coverage
- Ensure all activities tagged
- Generate coverage matrix
- Include in technical report
- Highlight detection gaps
Client Recommendations
Use ATT&CK data to recommend:
- Detection improvements
- Monitoring priorities
- Security control gaps
- Training focus areas
Tips
- Learn the framework: Familiarize yourself with common techniques
- Use search: Search for techniques by name or ID
- Reference descriptions: Read technique details for accurate tagging
- Track detections: Note when your activities were detected
- Compare to threats: Show how your testing relates to real adversaries
- Focus on gaps: Identify uncovered techniques and explain why
Related Features
- Timeline - Activities linked to ATT&CK
- Kill Chain - Attack progression
- Reports - ATT&CK coverage in deliverables
- Findings - Link techniques to vulnerabilities