---
id: framework:mitre-attack
type: framework
title: MITRE ATT&CK
status: active
confidence: 0.9
sources:
  - 2026-05-09-cybersec-library-overview.md
  - 2026-05-09-cybersec-mapping-mitre-attack.md
  - 2026-05-09-cybersec-attack-coverage.md
  - 2026-05-09-cybersec-mapping-attack-coverage.md
  - 2026-05-09-cybersec-mappings-overview.md
created: 2026-05-09
updated: 2026-05-09
updated_log:
  - 2026-05-09: created
tiers: semantic
half_life_days: 180
tags: [framework, attack, ttp, adversary]
---

# MITRE ATT&CK

## Summary

[MITRE ATT&CK](https://attack.mitre.org/) is a globally accessible, curated knowledge base of cyber adversary behavior: the "how" of real-world attacks. The Enterprise matrix groups techniques (the "how") and sub-techniques (specific implementations) under 14 adversary tactics (the "why"). It is the most-mapped of the five frameworks in the [[concept:cybersec-skill-library]]: 291 unique techniques across 14/14 tactics, with the library's coverage visualized by a [[tool:mitre-attack-navigator]] layer file shipped in the v1.0.0 release.

## Claims

- ATT&CK is a curated knowledge base and model for cyber adversary behavior, reflecting phases of the adversary lifecycle and target platforms. The library uses Enterprise matrix v15 for current mappings; the README cites v18 (14 tactics · 200+ techniques). `[src: raw/2026-05-09-cybersec-mapping-mitre-attack.md] {conf: 0.85}`
- The 14 Enterprise tactics are: Reconnaissance (TA0043), Resource Development (TA0042), Initial Access (TA0001), Execution (TA0002), Persistence (TA0003), Privilege Escalation (TA0004), Defense Evasion (TA0005), Credential Access (TA0006), Discovery (TA0007), Lateral Movement (TA0008), Collection (TA0009), Command and Control (TA0011), Exfiltration (TA0010), Impact (TA0040). `[src: raw/2026-05-09-cybersec-mapping-mitre-attack.md] {conf: 0.95}`
- The library covers 291 unique techniques (149 parent + ~142 sub-techniques) across all 14/14 tactics. Defense Evasion (48 techniques) and Persistence (36) are the deepest-covered tactics; Impact (6) is the shallowest. `[src: raw/2026-05-09-cybersec-attack-coverage.md] {conf: 0.9}`
- Top-10 most-covered techniques: T1059.001 PowerShell (26 skills), T1055 Process Injection (17), T1053.005 Scheduled Task (16), T1566.001 Spearphishing Attachment (15), T1558.003 Kerberoasting (14), T1547.001 Registry Run Keys (13), T1078 Valid Accounts (13), T1003.006 DCSync (13), T1071.001 Web Protocols (12), T1021.002 SMB/Admin Shares (12). `[src: raw/2026-05-09-cybersec-mappings-overview.md] {conf: 0.9}`
- Mapping is bidirectional (offensive and defensive): each tactic table lists which library subdomains contribute offensive skills (penetration-testing, red-teaming) and which contribute defensive ones (threat-hunting, soc-operations, etc.). Red-teaming (24 skills) covers all 14 tactics with High intensity, making it the most cross-cutting subdomain. `[src: raw/2026-05-09-cybersec-mapping-attack-coverage.md] {conf: 0.85}`
- ATT&CK v19 is scheduled for April 28, 2026 and will split Defense Evasion (TA0005) into two new tactics — *Stealth* and *Impair Defenses*. The library plans to update mappings in a forthcoming release. `[src: raw/2026-05-09-cybersec-library-overview.md] {conf: 0.75}`
- An ATT&CK Navigator layer file ships with the v1.0.0 release at `mappings/attack-navigator-layer.json` (format v4.5, ATT&CK v14, Enterprise) for visual coverage mapping; coverage is color-coded blue from light (1-2 skills) to deep (11+ skills). `[src: raw/2026-05-09-cybersec-mappings-overview.md] {conf: 0.85}`
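
The coverage counts and the differing ATT&CK versions in the claims above can be checked directly against a Navigator layer file. This is an added example, not code from the library, and it runs on a constructed layer. It assumes each technique's `score` holds its skill count; `audit_layer` and the sample data are hypothetical.

```python
import json
from collections import Counter

# Constructed sample in Navigator layer format; not the library's shipped file.
# Assumption: each technique's "score" holds the number of skills mapped to it.
SAMPLE_LAYER = json.dumps({
    "name": "constructed coverage sample",
    "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
    "domain": "enterprise-attack",
    "techniques": [
        {"techniqueID": "T1059.001", "tactic": "execution", "score": 26},
        {"techniqueID": "T1055", "tactic": "defense-evasion", "score": 17},
        {"techniqueID": "T1055", "tactic": "privilege-escalation", "score": 17},
        {"techniqueID": "T1078", "tactic": "persistence", "score": 13},
        {"techniqueID": "T1486", "tactic": "impact", "score": 2},
        {"techniqueID": "T1490", "tactic": "impact", "score": 0},
    ],
})

def audit_layer(layer_json, expected_attack):
    """Summarize coverage in a Navigator layer and flag version/domain drift."""
    layer = json.loads(layer_json)
    versions = layer.get("versions", {})
    scores = {}                      # technique ID -> highest score seen
    per_tactic = Counter()           # tactic -> covered technique entries
    for t in layer.get("techniques", []):
        score = t.get("score") or 0  # a null or missing score means not covered
        if score < 1:
            continue
        tid = t["techniqueID"]
        scores[tid] = max(score, scores.get(tid, 0))
        per_tactic[t.get("tactic", "unspecified")] += 1
    subs = {tid for tid in scores if "." in tid}
    findings = []
    if versions.get("attack") != expected_attack:
        findings.append(f"layer targets ATT&CK v{versions.get('attack')}, "
                        f"mapping docs cite v{expected_attack}")
    if layer.get("domain") != "enterprise-attack":
        findings.append(f"unexpected domain: {layer.get('domain')}")
    return {
        "unique": len(scores),
        "parents": len(scores) - len(subs),
        "subs": len(subs),
        "light": sorted(t for t, s in scores.items() if s <= 2),   # 1-2 skills
        "deep": sorted(t for t, s in scores.items() if s >= 11),   # 11+ skills
        "per_tactic": dict(per_tactic),
        "findings": findings,
    }

if __name__ == "__main__":
    print(json.dumps(audit_layer(SAMPLE_LAYER, "15"), indent=2))
```

A technique listed under several tactics counts once toward the unique total but once per tactic in `per_tactic`, so per-tactic counts can sum to more than the unique figure.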

## Relationships

- complements → [[framework:nist-csf-20]] `{conf: 0.8}`
- complements → [[framework:mitre-atlas]] `{conf: 0.7}`
- complements → [[framework:mitre-d3fend]] `{conf: 0.85}` <!-- D3FEND defends-against ATT&CK techniques -->
- maps-to → [[concept:cybersec-skill-library]] `{conf: 0.9}`
- uses → [[tool:mitre-attack-navigator]] `{conf: 0.85}`

## Open questions

- [ ] The cited ATT&CK version varies by source: README cites Enterprise v18, mapping README cites v15, navigator layer cites v14, coverage doc cites v16. Which is canonical for the current `main` library state?

## Changelog

- 2026-05-09 — created
