Best Practices for MITRE ATT&CK® Mapping


For CISA, understanding adversary behavior is often the first step in protecting networks and data. The success network defenders have in detecting and mitigating cyberattacks depends on this understanding. The MITRE ATT&CK® framework is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. Network defenders use the ATT&CK knowledge base as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community. ATT&CK is freely open and available to any person or organization in the hopes of bringing communities together to develop more effective cybersecurity.

CISA uses ATT&CK as a lens through which to identify and analyze adversary behavior. ATT&CK provides details on 100+ threat actor groups, including the techniques and software they are known to use.  ATT&CK can be used to identify defensive gaps, assess security tool capabilities, organize detections, hunt for threats, engage in red team activities, or validate mitigation controls. CISA highly encourages the cybersecurity community to use the framework because it provides a common language for threat actor analysis.

Best Practices for MITRE ATT&CK Mapping provides network defenders with clear guidance, examples, and step-by-step instructions to make better use of MITRE ATT&CK as they analyze and report on cybersecurity threats. Following these best practices will improve defenders’ ability to proactively detect adversary behavior and supports robust, contextual bi-directional sharing of information to help strengthen the security of systems, networks, and data. CISA developed this guide in partnership with the Homeland Security Systems Engineering and Development Institute™ (HSSEDI), which worked with the MITRE ATT&CK team.

Note: In January 2023, CISA, in coordination with HSSEDI, updated the best practices. The update covers changes made to the framework since CISA initially published the best practices in June 2021. This update also covers common analytical biases, mapping mistakes, and specific ATT&CK mapping guidance for industrial control systems (ICS).