MITRE ATT&CK is a knowledge base of adversary tactics and techniques based on real-world observations. ATT&CK is open and available to any person or organization for use at no charge. Below you can find a collection of MITRE ATT&CK tools and resources available for free.
eBook: Getting Started with ATT&CK
This free eBook pulls together the content from blog posts on threat intelligence, detection and analytics, adversary emulation and red teaming, and assessments and engineering onto a single, convenient package.
CALDERA
CALDERA is a cyber security platform designed to easily automate adversary emulation, assist manual red-teams, and automate incident response. It is built on the MITRE ATT&CK framework and is an active research project at MITRE.
The framework consists of two components:
- The core system. This is the framework code, consisting of what is available in this repository. Included is an asynchronous command-and-control (C2) server with a REST API and a web interface.
- Plugins. These repositories expand the core framework capabilities and provide additional functionality. Examples include agents, reporting, collections of TTPs, etc.
Whitepaper: Best Practices for MITRE ATT&CK Mapping
CISA uses ATT&CK as a lens through which to identify and analyze adversary behavior. CISA created this guide with the Homeland Security Systems Engineering and Development Institute (HSSEDI), a DHS-owned federally funded research and development center (FFRDC), which worked with the MITRE ATT&CK team.
CASCADE
CASCADE is a research project at MITRE which seeks to automate much of the investigative work a “blue-team” team would perform to determine the scope and maliciousness of suspicious behavior on a network using host data.
The prototype CASCADE server has the ability to handle user authentication, run analytics, and perform investigations. The server runs analytics against data stored in Splunk/ElasticSearch to generate alerts. Alerts trigger a recursive investigative process where several ensuing queries gather related events. Supported event relationships include parent and child processes (process trees), network connections, and file activity. The server automatically generates a graph of these events, showing relationships between them, and tags the graph with information from the ATT&CK project.
Metta
Metta is an information security preparedness tool. This project uses Redis/Celery, Python, and vagrant with VirtualBox to do adversarial simulation. This allows you to test your host based instrumentation but may also allow you to test any network based detection and controls depending on how you set up your vagrants. The project parses YAML files with actions and uses Celery to queue these actions up and run them one at a time without interaction.
Sandbox Scryer
Sandbox Scryer is an open-source tool for producing threat hunting and intelligence data from public sandbox detonation output. The tool leverages the MITRE ATT&CK Framework to organize and prioritize findings, assisting in assembling IOCs, understanding attack movement and hunting threats. By allowing researchers to send thousands of samples to a sandbox for building a profile for use with the ATT&CK technique, Sandbox Scryer can help solve use cases at scale.
Whitepaper: Finding Cyber Threats with ATT&CK-Based Analytics
This whitepaper presents a methodology for using the MITRE ATT&CK framework, a behavioral-based threat model, to identify relevant defensive sensors and build, test, and refine behavioral-based analytic detection capabilities using adversary emulation. This methodology can be applied to enhance enterprise network security through defensive gap analysis, endpoint security product evaluations, building and tuning behavioral analytics for a particular environment, and performing validation of defenses against a common threat model using a red team emulating known adversary behavior.
Atomic Red Team
Atomic Red Team is a library of tests mapped to the MITRE ATT&CK framework. Security teams can use Atomic Red Team to quickly, portably, and reproducibly test their environments. You can execute atomic tests directly from the command line, no installation required.
Red Team Automation (RTA)
RTA provides a framework of scripts designed to allow blue teams to test their detection capabilities against malicious tradecraft, modeled after MITRE ATT&CK.
RTA is composed of python scripts that generate evidence of over 50 different ATT&CK tactics, as well as a compiled binary application that performs activities such as file time stopping, process injections, and beacon simulation as needed.
Mapping CVEs to MITRE ATT&CK
Vulcan Cyber’s research team has created this site to showcase an ongoing project to map documented CVEs to relevant tactics and techniques from the MITRE ATT&CK matrix. You can search for CVES based on specific techniques and vice versa. For more information about this project, please read the associated whitepaper.