Our ATT&CK® Evaluations methodology
ATT&CK® Evaluations' mission is to bridge the gap between security solution providers and their users/customers by enabling users to better understand and defend against known adversary behaviors through a transparent evaluation process and publicly available results - leading to a more informed community and a safer world for all. We use adversary emulation to scope evaluations in the context of the MITRE ATT&CK® framework. The evaluations address today's threats by using tactics, tools, methods, and goals inspired by those of known attacks.
Techniques are executed in a logical step-by-step ordering to explore the breadth of ATT&CK coverage. And because adversaries may execute the same technique, but in very different ways, our evaluations use procedural variation to capture the same behavior via different methods to explore the depth of ATT&CK coverage.
Planning
Threat landscape research and adversary selection
Intent
We take into account concerns (e.g. ransomware vs. data theft) voiced by our user community
Differentiation
We balance the usage of new and previously tested techniques
Sophistication
We consider development resources and whether we are baselining or pushing defenses
Intelligence
We assess the quantity and quality of intel to thoroughly understand the adversary
Development
Development of the components required to conduct the evaluation
Decomposition
We extract cyber threat intelligence (CTI) into the individual components that comprise the emulation plan
Chain
We recompile and organize procedures into a larger emulation scenario
Refinement
We fill in gaps through collaboration and targeted research
Tooling
We select/build offensive tools that can faithfully replicate behaviors
Customization
We capture important tradecraft details (e.g. delivery mechanisms, command and control, etc.)
Review
We compare against CTI and note deviations
Creation
We compile all the information into a structured emulation plan