
Automating Reasoning with ATT&CK?

Presentation
This presentation discusses limitations in MITRE's ATT&CK framework and proposes ways to restructure it to be more useful.
Publisher

Software Engineering Institute

Abstract

MITRE's ATT&CK framework is popular among computer network defense (CND) practitioners. One goal of ATT&CK is to enumerate adversary tactics and organize them under different strategies. This organization enables defenders to label observed adversary activity with tactics, then heuristically hypothesize what other adversary behaviors are likely, based on how that tactic is related to others in the framework. We evaluated how useful this approach would be. Our evaluation is based on measuring correlation and predictiveness among tactics in case studies curated by MITRE and labeled with ATT&CK tactics. We could not find any reliable relationships between tactics or strategies. We believe this is because the ATT&CK framework removed the structure provided by the diamond model. We will explain why model structure is important and what we might gain by restructuring ATT&CK to better capture temporal and structural relationships.
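The abstract says the evaluation measured "correlation and predictiveness among tactics" across case studies labelled with ATT&CK tactics, without giving the exact measures. The following is an added illustration, not code from the presentation or from SEI: it treats each case study as the set of tactics it was labelled with and computes, for each directed pair of tactics, the conditional probability P(b | a), the lift P(b | a) / P(b), and the phi coefficient (Pearson correlation of two binary indicators). The six case studies are constructed for the example and are not MITRE's curated corpus; the choice of these three measures is an assumption about what a practitioner would compute here.

```python
"""Pairwise association between ATT&CK tactics across labelled case studies (added example)."""
from itertools import permutations
from math import sqrt

# Constructed sample: each case study is the set of ATT&CK tactics it was labelled
# with. These six sets are made up for the example, not drawn from MITRE's corpus.
CASE_STUDIES = [
    {"Initial Access", "Execution", "Persistence", "Discovery"},
    {"Initial Access", "Execution", "Credential Access", "Lateral Movement"},
    {"Execution", "Discovery", "Collection", "Exfiltration"},
    {"Initial Access", "Persistence", "Defense Evasion"},
    {"Execution", "Credential Access", "Lateral Movement", "Exfiltration"},
    {"Discovery", "Collection"},
]


def contingency(cases, a, b):
    """Return the 2x2 counts (both, a_only, b_only, neither) for tactics a and b."""
    both = a_only = b_only = neither = 0
    for tactics in cases:
        has_a, has_b = a in tactics, b in tactics
        if has_a and has_b:
            both += 1
        elif has_a:
            a_only += 1
        elif has_b:
            b_only += 1
        else:
            neither += 1
    return both, a_only, b_only, neither


def conditional_probability(cases, a, b):
    """P(b observed | a observed); None if a never occurs in the corpus."""
    both, a_only, _, _ = contingency(cases, a, b)
    n_a = both + a_only
    return both / n_a if n_a else None


def lift(cases, a, b):
    """P(b | a) / P(b): 1.0 means observing a tells you nothing about b."""
    p_b_given_a = conditional_probability(cases, a, b)
    both, _, b_only, _ = contingency(cases, a, b)
    p_b = (both + b_only) / len(cases)
    if p_b_given_a is None or p_b == 0:
        return None
    return p_b_given_a / p_b


def phi(cases, a, b):
    """Phi coefficient: correlation of the two binary presence indicators."""
    both, a_only, b_only, neither = contingency(cases, a, b)
    denom = sqrt((both + a_only) * (b_only + neither)
                 * (both + b_only) * (a_only + neither))
    if denom == 0:
        return None  # a or b appears in every case or in none: undefined
    return (both * neither - a_only * b_only) / denom


def rank_pairs(cases, min_support=2):
    """Directed pairs (a, b, P(b|a), lift, phi), strongest lift first.

    Pairs whose antecedent a occurs fewer than min_support times are dropped,
    since a single case study cannot support a claim about predictiveness.
    """
    rnd = lambda x: None if x is None else round(x, 6)
    tactics = sorted(set().union(*cases))
    rows = []
    for a, b in permutations(tactics, 2):
        both, a_only, _, _ = contingency(cases, a, b)
        if both + a_only < min_support:
            continue
        rows.append((a, b, rnd(conditional_probability(cases, a, b)),
                     rnd(lift(cases, a, b)), rnd(phi(cases, a, b))))
    rows.sort(key=lambda r: (-(r[3] or 0), r[0], r[1]))
    return rows


if __name__ == "__main__":
    for a, b, p, lf, ph in rank_pairs(CASE_STUDIES):
        phi_s = "n/a" if ph is None else f"{ph:+.2f}"
        print(f"{a:>18} -> {b:<18} P(b|a)={p:.2f} lift={lf:.2f} phi={phi_s}")
```

On the constructed data, Credential Access and Lateral Movement always co-occur (P(b | a) = 1, lift 3, phi = 1), while Initial Access and Execution show phi = 0 and Execution adds nothing about Discovery (lift 1). Run over a real labelled corpus, a table like this is the kind of evidence the abstract refers to when it reports finding no reliable relationships between tactics; the min_support filter and the undefined-phi case matter because small corpora produce spurious perfect scores from single-case pairs.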

Part of a Collection

FloCon 2020 Presentations

This content was created for a conference series or symposium and does not necessarily reflect the positions and views of the Software Engineering Institute.