Translation of the official FAQ MITER ATT&CK

FAQ MITER ATT&CK turned out to be an extremely rare document, for all its cognitive value both in the future and for the current activities communities. So we decided to translate it. The result is under the cut.

Translation work several formulations not completed yet. You can join discussion and contribute. We will reflect the final result in this article and publish it on community site.


What is ATT&SK?

ATT&CK is a knowledge base on the behaviors of computer intruders and taxonomy actions used by them in the course of cyberattacks. ATT&CK describes malicious behaviors against several kinds of infrastructures:

Why did MITER develop ATT&CK?

MITER developed ATT&CK in 2013 to document the Tactics, Techniques, and Procedures (TTPs) used by criminal gangs to cyber-attack corporate Windows-based infrastructures. ATT&CK was created out of a need to document attacker behaviors within another MITER research project called FMX. The purpose of FMX was to study the use of analytics and telemetry of operating systems to detect intruders in corporate infrastructures after they have been compromised. The attack team simulated the actions of the attackers inside a special laboratory, while the defense team developed analytics to detect their actions. ATT&CK was used as the basis for testing the effectiveness of sensors and analytics within FMX, and also acted as a common language for joint work between offensive and defensive teams.

What is a “tactic”?

Tactics answers the question “why?” ATT&CK technique or sub-technique is performed. This is the tactical goal of the attacker, the reason for the action. For example, an attacker might need gain a foothold in system.

What is “technique”?

Technology answers the question “how?” the attacker achieves a tactical goal by performing a specific action. For example, an attacker might create or modify a system process to gain a foothold in system.

What is “subtech”?

A sub-technique is a more specific description of the attacker’s behavior. It describes behavior at a lower level than technique. For example, an attacker might modify Windows system service to gain a foothold in system.

What is a “procedure”?

A procedure is a concrete implementation of a technique or sub-technique. For example, an attacker modifies a system service through the Windows registry using the Reg.exe utility, changing the value of the ImagePath key to the path to a malicious executable file. Procedures are classified in ATT&CK as implementations of techniques found in real computer attacks. They are listed on the technique pages in the “Procedure Examples” section.

What is the difference between a sub-technique and a procedure?

Subtechniques and procedures describe different things in ATT&CK. Sub-techniques are used to classify behaviors, and procedures are used to describe the implementation of techniques in actual computer attacks. Also, because procedures are specific implementations of techniques and sub-techniques, they can include several additional behaviors. For example, the procedure “an attacker modifies a system service through the Windows registry using the Reg.exe utility, changing the value of the ImagePath key to the path to a malicious executable file” is an implementation of the technique T1112: Modify Registry and subtechnics T1543.003: Create or Modify System Process: Windows Service.

What technologies is ATT&CK applicable to?

Corporate infrastructures running Windows, macOS and Linux; network devices and container virtualization technologies; cloud computing such as Infrastructure as a Service (IaaS), Software as a Service (SaaS), Office 365, Azure Active Directory (Azure AD), and Google Workspace.

Industrial network devices, control servers, historical data servers, engineering workstations, field controllers / RTU / PLC / IED, human-machine interfaces (HMI), input / output servers, safety systems (SIS), relay protection and automation terminals, industrial network devices.

Mobile devices running Android and iOS.

How can I use ATT&CK?

ATT&CK can be used to support various security processes, security architecture development, computer security threat research, and so on. Refer page Getting Started for information on how to start using ATT&CK. Also check out the sections resources And Blog to learn about related projects and other materials.

About materials

How often is ATT&CK updated?

Twice a year.

Where does the information in ATT&CK come from?

ATT&CK’s main sources of data are publicly available incident reports and computer security threat investigations. Of these, common TTPs stand out. Publicly available research on new techniques that are similar to already known behaviors is also used. This is necessary because new TTPs are quickly adopted by existing criminal groups. For more information see The Design and Philosophy of ATT&CK.

How can I contribute to ATT&CK?

Check out the section Contribute.

Please contact the ATT&CK team before attempting to describe a new technique/group/software. What you are about to add may already be in development. This way you can avoid unnecessary work. Your authorship will be noted in the final version of the analytics. At the moment, the team is most interested in TTPs against macOS and Linux.

Why is my “favorite” crime group not included in ATT&CK?

The ATT&CK team is trying to process as many threat reports as possible, but this is all that has been published so far. If you have the missing information, help the team and the community by contributing to ATT&CK. Contact the team to see if they are working on a description for this group. In section Contribute Formatting recommendations are available for group and software requests.


Are there APIs I can use to access ATT&CK data?

Yes! Check out the page Interfaces for Working with ATT&CK.

Be aware of

How can I keep up to date with what is happening with ATT&CK?

Follow the news on Twitter @MITREattack and publications in blog.

ATT&CK and other models

How does ATT&CK compare to other frameworks and models?

Each model and framework can solve different problems. Among the described use cases, ATT&CK is used to describe the attacker’s behavior in detail. The development team believes that most models and frameworks are complementary to ATT&CK, so you don’t have to choose just one.

What is the relationship between ATT&CK and Diamond Model?

ATT&CK and Diamond Model complement each other. ATT&CK is useful for describing attacker behaviors, while Diamond Model is useful for grouping multiple incidents. They can be used together. For example, techniques linked to ATT&CK can be a useful data source for analyzing attackers’ capabilities through the Diamond Model.

What is the connection between ATT&CK and Lockheed Martin Cyber ​​Kill Chain®?

ATT&CK and Cyber ​​Kill Chain complement each other. ATT&CK describes the attackers’ behavior in detail, while Cyber ​​Kill Chain offers a high-level description of their goals. ATT&CK tactics are not sequenced and not all of them are always encountered in a single invasion, as the attacker’s tactical objectives change throughout the operation. Cyber ​​Kill Chain, in turn, offers ordered, consecutive phases of a computer attack.

legal information

What is the correct way to mention the name ATT&CK?

MITER ATT&CK® and ATT&CK® are registered trademarks of MITER Corporation.

  • Your first mentions in writing should include “MITER” before “ATT&CK®” and after that just use “ATT&CK” (registered trademark symbol not required)

    • First mention example: MITER ATT&CK® is a curated knowledge base and behavior model for computer intruders…

    • Example of follow-up mentions: ATT&CK is useful for understanding the security risks associated with known computer attacker behaviors…

  • The title should always refer to “MITER ATT&CK” together (never just “ATT&CK®”)

  • Always capitalize “ATT&CK” to separate it from surrounding text

  • Do not modify the trademark, for example by using hyphens or abbreviations. For example, “ATT&CK’d!”, “Plan-of-ATT&CK”, “ATTK”

  • You may not use the ATT&CK trademark in any way to represent MITER affiliation, sponsorship or endorsement by MITER

  • You may not use the ATT&CK trademark in any way to imply that third party materials represent the views and opinions of MITER or MITER employees, unless such third parties have received express permission from MITER

  • You may not use ATT&CK in the names of your products, services, trademarks, logos or company names

Where can I download the MITER ATT&CK logo?

Official sources:

If you need the MITER ATT&CK logo in vector format, contact the ATT&CK team.

Can I use ATT&CK in my products and/or services?

Yes. ATT&CK is open and available to any person or organization for free use. If you decide to use ATT&CK, follow terms of use. If you have additional questions, please contact the team at

Please be aware that you may not use MITER ATT&CK, MITER, or ATT&CK in a manner that implies endorsement of any product or service. MITER does not endorse organizations, individuals, etc. that use MITER ATT&CK in their work. The use of MITER ATT&CK does not imply endorsement or endorsement by MITER.

About the community

We are Russian-speaking computer security specialists using MITER ATT&CK®. We spread knowledge to combat threats to computer security.


Resources and contacts

Similar Posts

Leave a Reply