MITRE ATT&CK Framework

Updated 1 week ago by Elvis Hovor

The MITRE ATT&CK threat model is a real-time knowledge base of adversary behaviors observed in the wild, which can be useful when investigating security incidents. Resource-strapped teams can find it challenging to leverage the full power of the ATT&CK knowledge base in mission-critical workflows. TruSTAR users can now automatically extract MITRE ATT&CK techniques and tactics from Premium Intelligence sources.


As part of TruSTAR’s suite of intelligence management capabilities, you can use the Mitre ATT&CK Framework to

  • Accelerate Prioritization & Resolution: TruSTAR automatically correlates alerts, cases and Indicators that share ATT&CK TTPs. This helps you quickly uncover linkages in adversarial behavior, actors, malware, and Indicators, and then prioritize response actions.
  • Move Up the Pyramid of Pain: By linking Indicators with ATT&CK TTP’s, you can take holistic action rather than just blocking and tackling individual data points. You can also map ATT&CK TTPs with resolved cases and create a library of cases organized by ATT&CK.
  • Assess Operational Controls: By using data available from TTP trends computed from Premium Intelligences sources and submissions to TruSTAR, you can be more data-driven in assessing gaps in operational controls and make appropriate adjustments to increase coverage of your organization's attack surface.

Using the Mitre ATT&CK Framework

To enrich and categorize your reports and indicators MITRE ATT&CK, you can:

  • Create MITRE ATT&CK tags in Intel Reports or Indicators
  • Filter Intel Reports or Indicators by MITRE ATT&CK
You can only tag Intel Reports in your private enclaves with MITRE ATT&CK tags. You cannot tag reports stored in Intelligence Source enclaves.

Creating MITRE ATT&CK Tags

You can tag Intel Reports or Indicators with MITRE ATT&CK tactics or techniques.

  1. Click the plus sign to the right of MITRE ATT&CK in the Tags section on Filter and Refine panel while viewing an individual Intel Report or Indicator. The graphic below shows MITRE ATT&CK for a specific item, an Intel Report.
  2. Select the tactics or techniques to associate to the item. You can select multiple tactics or techniques to associate to each item. If you select a technique, the associated tactic will be added as a separate tag.
  3. Click Save Changes to save the tags to the item.

MITRE ATT&CK tags show in the tags section after you save changes. All MITRE tags are preceded by "mitre/" to differentiate them from other report tags.

Filtering MITRE Tags

In the Reports List View or IOC List View, you can filter by MITRE ATT&CK tags to view only Intel Reports or Indicators associated with a specific MITRE ATT&CK tag.

How Did We Do?