5 open source Mitre ATT&CK tools

Security teams that use the Mitre ATT&CK framework should consider using these open source tools to help map attacker techniques to the knowledge base.

The Mitre ATT&CK framework is a globally recognized knowledge base that categorizes and describes the tactics, techniques and procedures that adversaries use to compromise systems, networks and data. It provides a common language and structure to help security teams understand and analyze attacker behavior, enabling them to better detect, prevent and respond to threats.

Using the framework enables security professionals, including incident response teams, red teams, security operations center (SOC) teams, threat hunters, threat intelligence analysts and risk management teams, to test systems and processes and improve network defense measures.

Despite its usefulness, the framework sometimes proves challenging to implement. Organizations, including The Mitre Corporation, have developed tools to complement the framework and improve its usefulness.

The following are five open source Mitre ATT&CK tools that build on the framework to map, visualize, emulate or share adversary behavior so that defenses can be tested against specific techniques rather than generic threats.

Editor's note: This unranked list of tools is based on the author's thorough research and firsthand knowledge of the industry.

1. Mitre ATT&CK Navigator

ATT&CK Navigator, developed by Mitre, helps security teams visualize and navigate ATT&CK matrices. The web-based tool presents the Enterprise, Mobile and ICS matrices as interactive heat maps: users create "layers" in which individual techniques are given a score, color and comment, then combine or compare layers and export them as JSON (for reloading or for other tools that consume the layer format), SVG or Excel for reporting and training.

Security professionals can use ATT&CK Navigator to understand the scope of an incident, identify likely attack paths and plan response strategies. A common use is to overlay one layer on another, for example a threat group's known techniques on top of the organization's detection coverage, so that analysts and incident response teams can see which specific tactics, techniques and procedures (TTPs) are both relevant to their organization and poorly covered.
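The layer file is the point where other tooling meets Navigator. The script below is an added example (not code from the page or from the Navigator project) that turns a table of per-technique detection-coverage scores into a layer file Navigator can open. The scores and the version numbers in the `versions` block are assumptions: the coverage data is constructed, and the ATT&CK and Navigator versions should be set to match the instance the layer is loaded into. One caveat it handles: Navigator colors a parent technique's cell only when the parent has its own entry, so a layer that scores only sub-techniques looks empty until each parent is expanded; the helper rolls sub-technique scores up to the parent.

```python
import json

# Constructed sample input (not real coverage data): ATT&CK technique IDs with a
# detection-coverage score from 0 to 100, as a hypothetical detection review
# might produce them.
COVERAGE = {
    "T1059.001": 80,  # PowerShell
    "T1059.003": 40,  # Windows Command Shell
    "T1003.001": 10,  # LSASS Memory
    "T1566.001": 95,  # Spearphishing Attachment
}


def with_parent_rollup(coverage):
    """Add a parent entry for every scored sub-technique.

    The parent inherits the highest score among its sub-techniques unless it
    was scored explicitly, so the collapsed matrix view shows the hot spots.
    """
    rolled = dict(coverage)
    for tid, score in coverage.items():
        if "." not in tid:
            continue
        parent = tid.split(".")[0]
        if parent in coverage:
            continue  # explicit parent score wins over the roll-up
        rolled[parent] = max(rolled.get(parent, 0), score)
    return rolled


def build_layer(name, coverage, domain="enterprise-attack"):
    """Return a dict in ATT&CK Navigator's layer file format (layer format 4.5).

    The "attack" and "navigator" version strings are assumptions for a current
    release; adjust them to the Navigator instance that will load the layer.
    """
    techniques = []
    for tid, score in sorted(coverage.items()):
        if not 0 <= score <= 100:
            raise ValueError(f"score for {tid} must be between 0 and 100")
        techniques.append({
            "techniqueID": tid,
            "score": score,
            "comment": f"detection coverage {score}%",
            "enabled": True,
            # Expand parents so the scored sub-techniques are visible.
            "showSubtechniques": "." not in tid,
        })
    return {
        "name": name,
        "versions": {"attack": "15", "navigator": "5.0.0", "layer": "4.5"},
        "domain": domain,
        "description": "Detection coverage per technique, 0 (none) to 100 (full)",
        "techniques": techniques,
        # Gradient maps score to colour: red (0) through yellow to green (100).
        "gradient": {
            "colors": ["#ff6666", "#ffe766", "#8ec843"],
            "minValue": 0,
            "maxValue": 100,
        },
        "legendItems": [
            {"label": "No coverage", "color": "#ff6666"},
            {"label": "Full coverage", "color": "#8ec843"},
        ],
    }


def layer_json(name, coverage):
    """Serialise a rolled-up layer; load it via Navigator's 'Open Existing Layer'."""
    return json.dumps(build_layer(name, with_parent_rollup(coverage)), indent=2)


if __name__ == "__main__":
    print(layer_json("Detection coverage (constructed)", COVERAGE))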

2. CISA Decider

Decider, developed by CISA in collaboration with the Homeland Security Systems Engineering and Development Institute (HSSEDI) and Mitre, is a web application for mapping observed adversary behavior to ATT&CK techniques. CISA designed Decider to work in conjunction with other tools; for example, a finished mapping can be exported as an ATT&CK Navigator layer so the results can be visualized alongside other layers.

Decider asks a series of questions (which tactic the behavior serves, then which technique and sub-technique fit the observed activity) to guide analysts who are not ATT&CK experts to a consistent mapping. Security teams can then use the mapped techniques to select detection analytics, apply the mitigations ATT&CK lists for each technique and develop threat response plans. Decider includes a search function in the event the guided questions don't lead to the correct technique or if the user wants to jump straight to a particular technique or sub-technique.

3. Atomic Red Team

Atomic Red Team was developed by threat detection and response vendor Red Canary and is maintained by Red Canary together with community contributors. It is a library of small, prebuilt tests ("atomics") mapped to specific ATT&CK techniques; each technique has a YAML file that defines its tests, the platforms they support, their input arguments, the command to run and a cleanup command. Each test is designed to run in five minutes or less.

Atomic Red Team enables security teams to do the following:

  • Simulate adversary TTPs.
  • Test security controls and defenses, both once and continuously.
  • Validate detection and response capabilities.
  • Evaluate security team operational efforts and knowledge.

Atomic Red Team includes the following features:

  • Chain Reactor is a separate Red Canary framework for composing executables that chain several adversary behaviors together on Linux endpoints, so teams can exercise a multistep sequence rather than one isolated technique.
  • Invoke-AtomicRedTeam (Invoke-Atomic) is the PowerShell execution framework for the library. It runs atomics on Windows, Linux and macOS, checks and installs prerequisites, runs cleanup commands and can execute tests on remote hosts over PowerShell remoting sessions.
  • AtomicTestHarnesses is a PowerShell module for exercising many variations of a single technique (for example, the different ways a system binary can be invoked) and validating that each variation actually executed as expected, rather than simply running the command.

4. Mitre Caldera

Caldera is a Mitre-developed adversary emulation platform built on the ATT&CK framework. A central server drives lightweight agents deployed on target hosts; each "ability" an agent can run is tagged with an ATT&CK tactic and technique, and an "adversary profile" orders abilities into an operation the platform runs automatically, with facts discovered on one host feeding later steps. Caldera use cases include the following:

  • Automate adversary emulation. Red teams can build attacker profiles to automate adversary TTPs and identify security control weaknesses and vulnerabilities.
  • Test security tools. Automated testing of threat detection and response platforms enables teams to monitor if the tools create alerts, perform autonomous mitigation and more.
  • Conduct red team assessments. Security teams can use Caldera in concert with existing tools to perform manual assessments.
  • Test red and blue teams. Organizations can conduct cyber-war games and other learning opportunities to help teams practice and manage cybersecurity tools and defenses.

The Mitre tool also uses plugins to enable additional capabilities and functionalities. These include support for operational technology protocols, such as Building Automation and Control Networks, Distributed Network Protocol 3 and Modbus; reverse-engineering capabilities; integration with Atomic Red Team and Metasploit; and more.

5. ATT&CK in STIX

Structured Threat Information eXpression (STIX), developed by Mitre for the U.S. Department of Homeland Security and now maintained by the open standards organization OASIS, is a language and serialization format for sharing threat intelligence in a standardized, machine-readable form.

STIX 2.x objects serialize as JSON (STIX 1.x used XML), and the ATT&CK knowledge base itself is published in STIX 2 form: techniques are attack-pattern objects, groups are intrusion-sets, software is malware or tool objects, and "uses" relationships tie them together, with each object's ATT&CK ID carried in an external reference. Using ATT&CK data in the STIX format enables interoperability among security tools and platforms that share cyberthreat data. STIX draws on related structured languages: OASIS' Cyber Observable eXpression (CybOX), whose observables were folded into STIX 2.x, and Mitre's Malware Attribute Enumeration and Characterization (MAEC) and Common Attack Pattern Enumeration and Classification (CAPEC).

STIX provides unifying architecture that enables security teams to collect, gather and share the following cyberthreat information:

  • General threat intelligence.
  • Indicators of compromise.
  • Attacker actions.
  • Attacker TTPs.
  • Targeted vulnerabilities and weaknesses.
  • Incident response actions.
  • Identification of threat actors and campaigns.

With data in the STIX format, security professionals can share threat intelligence across their own organizations, as well as with external parties, including vendors and partners.
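The script below is an added example, not code from the page or from Mitre's STIX data, showing how the ATT&CK STIX structure is queried: it takes a constructed STIX 2.1 bundle shaped like the ATT&CK data (attack-pattern, intrusion-set and "uses" relationship objects), indexes techniques by their ATT&CK ID and tactic, and lists the techniques a group uses, grouped by tactic. The group "G9999", the STIX UUIDs and the relationships are invented; the technique IDs and names are real ATT&CK entries quoted for illustration. Two caveats a practitioner needs are handled: the ATT&CK STIX data keeps revoked and deprecated objects (flagged `revoked` or `x_mitre_deprecated`) rather than deleting them, and relationships can point at objects that are not in the bundle you loaded, so both are filtered out rather than reported as current techniques.

```python
import json
from collections import defaultdict

# Constructed STIX 2.1 bundle in the shape of the ATT&CK STIX data. Techniques are
# attack-pattern objects carrying their ATT&CK ID in external_references and their
# tactic in kill_chain_phases; the group is an intrusion-set; "uses" relationships
# link the two. UUIDs, the group and the relationships are invented. T1086 is the
# real, revoked ID for PowerShell that T1059.001 replaced, included to show how
# revoked objects are carried in the data.
BUNDLE_JSON = """
{
  "type": "bundle",
  "id": "bundle--00000000-0000-4000-8000-00000000b000",
  "objects": [
    {"type": "attack-pattern", "id": "attack-pattern--00000000-0000-4000-8000-000000000001",
     "name": "Command and Scripting Interpreter", "x_mitre_is_subtechnique": false,
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "execution"}],
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1059"}]},
    {"type": "attack-pattern", "id": "attack-pattern--00000000-0000-4000-8000-000000000002",
     "name": "PowerShell", "x_mitre_is_subtechnique": true,
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "execution"}],
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1059.001"}]},
    {"type": "attack-pattern", "id": "attack-pattern--00000000-0000-4000-8000-000000000003",
     "name": "Spearphishing Attachment", "x_mitre_is_subtechnique": true,
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "initial-access"}],
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1566.001"}]},
    {"type": "attack-pattern", "id": "attack-pattern--00000000-0000-4000-8000-000000000004",
     "name": "PowerShell", "revoked": true,
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "execution"}],
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1086"}]},
    {"type": "intrusion-set", "id": "intrusion-set--00000000-0000-4000-8000-000000000010",
     "name": "Constructed Group",
     "external_references": [{"source_name": "mitre-attack", "external_id": "G9999"}]},
    {"type": "relationship", "id": "relationship--00000000-0000-4000-8000-000000000101",
     "relationship_type": "uses",
     "source_ref": "intrusion-set--00000000-0000-4000-8000-000000000010",
     "target_ref": "attack-pattern--00000000-0000-4000-8000-000000000002"},
    {"type": "relationship", "id": "relationship--00000000-0000-4000-8000-000000000102",
     "relationship_type": "uses",
     "source_ref": "intrusion-set--00000000-0000-4000-8000-000000000010",
     "target_ref": "attack-pattern--00000000-0000-4000-8000-000000000003"},
    {"type": "relationship", "id": "relationship--00000000-0000-4000-8000-000000000103",
     "relationship_type": "uses",
     "source_ref": "intrusion-set--00000000-0000-4000-8000-000000000010",
     "target_ref": "attack-pattern--00000000-0000-4000-8000-000000000004"},
    {"type": "relationship", "id": "relationship--00000000-0000-4000-8000-000000000104",
     "relationship_type": "uses",
     "source_ref": "intrusion-set--00000000-0000-4000-8000-000000000010",
     "target_ref": "attack-pattern--00000000-0000-4000-8000-0000000000ff"}
  ]
}
"""
BUNDLE = json.loads(BUNDLE_JSON)


def attack_id(obj):
    """ATT&CK ID (T1059.001, G9999, ...) from the mitre-attack external reference."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def is_active(obj):
    """ATT&CK keeps revoked and deprecated objects in the data; skip them."""
    return not obj.get("revoked", False) and not obj.get("x_mitre_deprecated", False)


def index_techniques(bundle):
    """Map ATT&CK technique ID -> name, tactics and sub-technique flag."""
    techniques = {}
    for obj in bundle["objects"]:
        if obj.get("type") != "attack-pattern" or not is_active(obj):
            continue
        tid = attack_id(obj)
        if tid is None:
            continue
        techniques[tid] = {
            "stix_id": obj["id"],
            "name": obj["name"],
            "tactics": sorted(p["phase_name"] for p in obj.get("kill_chain_phases", [])
                              if p.get("kill_chain_name") == "mitre-attack"),
            "subtechnique": bool(obj.get("x_mitre_is_subtechnique", False)),
        }
    return techniques


def techniques_used_by(bundle, group_attack_id):
    """Sorted ATT&CK IDs of active techniques that 'uses' relationships attach to the group."""
    by_stix_id = {obj["id"]: obj for obj in bundle["objects"]}
    group_ids = {obj["id"] for obj in bundle["objects"]
                 if obj.get("type") == "intrusion-set" and attack_id(obj) == group_attack_id}
    if not group_ids:
        raise KeyError(f"no intrusion-set with ATT&CK ID {group_attack_id}")
    used = set()
    for obj in bundle["objects"]:
        if obj.get("type") != "relationship" or obj.get("relationship_type") != "uses":
            continue
        if obj.get("source_ref") not in group_ids:
            continue
        target = by_stix_id.get(obj.get("target_ref"))
        # Dangling reference or revoked technique: not a current technique.
        if target is None or target.get("type") != "attack-pattern" or not is_active(target):
            continue
        used.add(attack_id(target))
    return sorted(used)


def by_tactic(bundle, group_attack_id):
    """Group the techniques a group uses under their tactic names."""
    index = index_techniques(bundle)
    grouped = defaultdict(list)
    for tid in techniques_used_by(bundle, group_attack_id):
        for tactic in index[tid]["tactics"]:
            grouped[tactic].append(f"{tid} {index[tid]['name']}")
    return dict(grouped)


if __name__ == "__main__":
    for tactic, techs in sorted(by_tactic(BUNDLE, "G9999").items()):
        print(tactic)
        for entry in techs:
            print("  ", entry)
```

The same three functions work unchanged on the real `enterprise-attack.json` bundle that Mitre publishes, where the volume is thousands of objects; the output of `techniques_used_by` is also exactly the list of technique IDs a Navigator layer for that group would contain.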

Ashwin Krishnan is a technical writer based in California. He hosts StandOutin90Sec, where he interviews cybersecurity newcomers, employees and executives in short, high-impact conversations.
