Post-Exploit Threat Modeling with ATT&CK

Recent breaches have shown an ugly truth: determined adversaries will get into your network. This talk will present the MITRE-developed Adversarial Tactics, Techniques & Common Knowledge (ATT&CK), a framework for describing the actions an adversary may take while operating within an enterprise network after they compromise it. ATT&CK provides a common way to characterize and describe post-compromise adversary behavior and, unlike other models, was developed via red teaming and analyzing public cyber threat intelligence reports: the tactics and techniques in ATT&CK are real ones that adversaries have used in the wild. Perhaps most importantly, ATT&CK is free and publicly available at attack.mitre.org.

In this presentation, we will outline the key features of ATT&CK, describing the tactics, techniques, threat actor groups, and software that make up the ATT&CK model, followed by a discussion of how ATT&CK can be used in the field, including for training, red team assessments, defensive gap analysis, information sharing, and threat reporting.
