MITRE ATT&CK Framework

Updated 1 year ago by TruSTAR

The MITRE ATT&CK threat model is a real-time knowledge base of adversary behaviors observed in the wild, which can be useful when investigating security incidents. TruSTAR users can automatically extract MITRE ATT&CK techniques and tactics from Premium Intelligence sources.


As part of the TruSTAR platform, you can use the Mitre ATT&CK Framework to

  • Accelerate Prioritization & Resolution: Automatically correlate alerts, cases and Indicators that share ATT&CK TTPs. This helps you quickly uncover linkages in adversarial behavior, actors, malware, and Indicators, and then prioritize response actions.
  • Move Up the Pyramid of Pain: By linking Indicators with ATT&CK TTP’s, you can take holistic action rather than just blocking and tackling individual data points. You can also map ATT&CK TTPs with resolved cases and create a library of cases organized by ATT&CK.
  • Assess Operational Controls: By using data available from TTP trends computed from Premium Intelligences sources and submissions to TruSTAR, your decisions can be more data-driven in assessing gaps in operational controls and increase coverage of your organization's attack surface.

Using the Mitre ATT&CK Framework

To enrich and categorize your reports and indicators MITRE ATT&CK, you can:

  • Create MITRE ATT&CK tags in Intel Reports or Indicators
  • Filter Intel Reports or Indicators by MITRE ATT&CK
You can only tag Intel Reports in your private enclaves with MITRE ATT&CK tags. You cannot tag reports stored in Intelligence Source enclaves.

Creating MITRE ATT&CK Tags

You can tag Intel Reports or Indicators with MITRE ATT&CK tactics or techniques.

  1. Click the plus sign to the right of MITRE ATT&CK in the Tags section on Filter and Refine panel while viewing an individual Intel Report or Indicator. The graphic below shows MITRE ATT&CK for an Intel Report.
  2. Select the tactics or techniques to associate to the item. You can select multiple tactics or techniques to associate to each item. If you select a technique, the associated tactic will be added as a separate tag.
  3. Click Save Changes to save the tags to the item.

MITRE ATT&CK tags show in the tags section after you save changes. All MITRE tags are preceded by "mitre/" to differentiate them from other report tags.

Filtering MITRE Tags

In the Reports List View or IOC List View, you can filter by MITRE ATT&CK tags to view only Intel Reports or Indicators associated with a specific MITRE ATT&CK tag.

How Did We Do?