MAPPING THE ENGAGE MATRIX TO MITRE ATT&CK®
When an adversary engages in a specific behavior, they are
vulnerable to exposing an unintended weakness. In MITRE
Engage™, we look at each ATT&CK technique to examine the
weaknesses revealed and identify an engagement activity or
activities to exploit this weakness. By mapping the various
MITRE Engage Engagement Activities to ATT&CK, we can
ensure that each activity in Engage is driven by observed
adversary behavior.

"MITRE ATT&CK lays out detections and mitigations against
adversary behaviors, but MITRE Engage opens up a new set of
options that a defender can take with adversary engagement."
Adam Pennington, MITRE ATT&CK Lead

ATT&CK MAPPINGS
In adversary engagement operations it can be tempting to try to anticipate the
adversary’s actions. However, this line of thinking can lead the defender to make
incorrect or ineffective decisions due to cultural, experiential, or any of a host
of other differences. By mapping to ATT&CK, we can ensure that our chosen
engagement activities are driven by observed and reported adversary behavior,
not our expectations.

When an adversary engages in a specific behavior, they are vulnerable to exposing
an unintended weakness. By looking at each ATT&CK activity, we can examine
the weaknesses revealed and identify an engagement activity or activities to exploit
this weakness. For example, when adversaries display the ATT&CK Technique
of Remote System Discovery (T1018), they are vulnerable to collecting, observing, or
manipulating deceptive system artifacts or information. Therefore, as defenders we
can use lures to cause them to reveal behaviors, use additional or more advanced
capabilities against the target, and/or impact their dwell time.

For a given ATT&CK technique we offer the following mapping:
ATT&CK ID & Name—The ATT&CK Technique ID and Name
Adversary Vulnerability—The vulnerability that the adversary exposes when
they engage in a specific behavior
Engagement Activity—The action the defender can perform to take advantage
of the vulnerability the adversary has exposed

These mappings are one-to-many (i.e., a single ATT&CK ID may have one or more
unique vulnerability and Engagement Activity pairs).

ATT&CK Technique: When adversaries perform specific actions,
Adversary Vulnerability: their actions reveal vulnerabilities
Engagement Activity: that the defender can take advantage of for defensive purposes

For information about MITRE Engage™, contact [email protected], visit us at
engage.mitre.org, or connect with us on LinkedIn @MITRE Engage.

MITRE’s mission-driven teams are dedicated to solving problems for a
safer world. Through our public-private partnerships and federally funded R&D
centers, we work across government and in partnership with industry to tackle
challenges to the safety, stability, and well-being of our nation.

© 2022 MITRE PR_21-01759-8 2-28-2022 VERSION 1.0 engage.mitre.org