# MITRE ATT&CK Mapping
This directory maps the cybersecurity skills in this repository to the MITRE ATT&CK framework (Enterprise v15).
## Overview
MITRE ATT&CK is a curated knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary's lifecycle and the platforms they target. This mapping connects our hands-on skills to ATT&CK tactics and techniques, enabling:
- Threat-informed defense -- prioritize skill development based on real adversary behavior
- Gap analysis -- identify ATT&CK techniques not yet covered by available skills
- Purple team exercises -- pair offensive (red team) and defensive (blue team) skills for each technique
- Agent-driven discovery -- AI agents can query skills by ATT&CK ID for automated security workflows
## Mapping Methodology

### Tactic Mapping (TA00xx)
Each of the 14 ATT&CK Enterprise tactics represents a distinct adversary objective. Skills are mapped to tactics based on which adversary goal they help achieve (offensive) or defend against (defensive):
| Tactic | ID | Offensive Skills | Defensive Skills |
|---|---|---|---|
| Reconnaissance | TA0043 | penetration-testing, red-teaming | threat-intelligence, phishing-defense |
| Resource Development | TA0042 | red-teaming | threat-intelligence |
| Initial Access | TA0001 | web-application-security, penetration-testing | phishing-defense, endpoint-security |
| Execution | TA0002 | penetration-testing, red-teaming | malware-analysis, endpoint-security, soc-operations |
| Persistence | TA0003 | red-teaming, penetration-testing | threat-hunting, digital-forensics, endpoint-security |
| Privilege Escalation | TA0004 | penetration-testing, red-teaming | endpoint-security, identity-access-management |
| Defense Evasion | TA0005 | red-teaming | malware-analysis, endpoint-security, threat-hunting |
| Credential Access | TA0006 | penetration-testing, red-teaming | identity-access-management, soc-operations |
| Discovery | TA0007 | penetration-testing, red-teaming | threat-hunting, network-security |
| Lateral Movement | TA0008 | red-teaming, penetration-testing | network-security, threat-hunting, soc-operations |
| Collection | TA0009 | red-teaming | digital-forensics, threat-hunting |
| Command and Control | TA0011 | red-teaming | threat-intelligence, network-security, soc-operations |
| Exfiltration | TA0010 | red-teaming | threat-hunting, digital-forensics, network-security |
| Impact | TA0040 | red-teaming | ransomware-defense, incident-response |
### Technique Mapping (T1xxx)
Skills are mapped to specific techniques based on their content. Examples:
| Technique | ID | Example Skills |
|---|---|---|
| Phishing | T1566 | analyzing-phishing-email-headers, analyzing-certificate-transparency-for-phishing |
| Exploit Public-Facing Application | T1190 | web-application-security skills (SQL injection, XSS, SSRF) |
| OS Credential Dumping | T1003 | penetration-testing credential harvesting skills |
| PowerShell | T1059.001 | analyzing-windows-event-logs-in-splunk, malware-analysis skills |
| Remote Services | T1021 | network-security lateral movement skills |
| Data Encrypted for Impact | T1486 | analyzing-ransomware-encryption-mechanisms |
| Command and Scripting Interpreter | T1059 | malware-analysis script deobfuscation skills |
| Scheduled Task/Job | T1053 | analyzing-malware-persistence-with-autoruns |
| Registry Run Keys | T1547.001 | analyzing-windows-registry-for-artifacts |
| DLL Side-Loading | T1574.002 | analyzing-bootkit-and-rootkit-samples |
### Sub-technique Mapping (T1xxx.xxx)
Where applicable, skills are mapped to sub-techniques for precision. For example:
- T1566.001 (Spearphishing Attachment) -- analyzing-email-headers-for-phishing-investigation
- T1566.002 (Spearphishing Link) -- analyzing-certificate-transparency-for-phishing
- T1003.001 (LSASS Memory) -- analyzing-memory-dumps-with-volatility
## ATT&CK Navigator Integration
You can visualize our skill coverage using the ATT&CK Navigator. To generate a Navigator layer:
- Use the coverage summary in `coverage-summary.md` to identify covered tactics
- Import the tactic/technique IDs into a Navigator layer JSON
- Color-code by coverage depth (number of skills per technique)
### Suggested Color Scale
| Coverage | Color | Meaning |
|---|---|---|
| 0 skills | White | No coverage -- gap |
| 1-2 skills | Light blue | Basic coverage |
| 3-5 skills | Medium blue | Moderate coverage |
| 6+ skills | Dark blue | Strong coverage |
## Skill Tag Convention
Skills relevant to ATT&CK carry these tags in their YAML frontmatter:
- `mitre-attack` -- general ATT&CK relevance (56 skills currently tagged)
- Technique-specific tags like `privilege-escalation`, `lateral-movement`, `persistence`
- Tool-specific tags that map to ATT&CK software entries (e.g., `cobalt-strike`, `mimikatz`)
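The Navigator steps above (collect technique IDs, build a layer JSON, colour by coverage depth) and the tag convention can be automated from the skills' frontmatter. The script below is an added example, not tooling from this repository: it parses each skill's YAML frontmatter, counts skills per technique (a skill that lists a sub-technique also counts once toward the parent technique), flags skills that map to ATT&CK but lack the `mitre-attack` tag or carry a malformed ID, reports gaps against the techniques in the mapping table above, and emits a Navigator layer using the suggested colour scale. Assumptions: the `attack_ids:` frontmatter key and the sample skills are constructed for this example (the page defines only the tags); the hex colour values are constructed stand-ins for the named colours; the layer fields (`name`, `domain`, `versions`, `techniques[].techniqueID`/`score`/`color`) follow the public Navigator layer format, and the `versions` values should be adjusted to the Navigator build in use.

```python
"""Build an ATT&CK Navigator layer from skill frontmatter (added example)."""
import json
import re
from collections import Counter

# Constructed sample skills; `attack_ids:` is a hypothetical key, not one the
# repository defines. The last skill deliberately lacks the `mitre-attack` tag.
SAMPLE_SKILLS = {
    "analyzing-phishing-email-headers/SKILL.md": """---
name: analyzing-phishing-email-headers
tags:
  - mitre-attack
  - phishing-defense
attack_ids:
  - T1566.001
  - T1566.002
---
# Analyzing phishing email headers
""",
    "analyzing-certificate-transparency-for-phishing/SKILL.md": """---
name: analyzing-certificate-transparency-for-phishing
tags:
  - mitre-attack
attack_ids:
  - T1566.002
---
""",
    "analyzing-memory-dumps-with-volatility/SKILL.md": """---
name: analyzing-memory-dumps-with-volatility
tags:
  - mitre-attack
  - digital-forensics
attack_ids:
  - T1003.001
---
""",
    "analyzing-malware-persistence-with-autoruns/SKILL.md": """---
name: analyzing-malware-persistence-with-autoruns
tags:
  - mitre-attack
  - persistence
attack_ids:
  - T1053
  - T1547.001
  - TA0003
---
""",
    "reviewing-cloud-ingress-rules/SKILL.md": """---
name: reviewing-cloud-ingress-rules
tags: [cloud-security]
attack_ids:
  - T1190
---
""",
}

# Technique IDs from the Technique Mapping table above; used for gap analysis.
EXPECTED_TECHNIQUES = ["T1566", "T1190", "T1003", "T1059.001", "T1021",
                       "T1486", "T1059", "T1053", "T1547.001", "T1574.002"]

FRONTMATTER = re.compile(r"\A---\n(.*?)\n---\n", re.DOTALL)
TECHNIQUE_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")  # T1234 or T1234.001

def parse_frontmatter(text):
    """Parse the small YAML subset used in skill frontmatter: scalars, block lists, inline lists."""
    match = FRONTMATTER.match(text)
    if not match:
        return {}
    data, key = {}, None
    for raw in match.group(1).splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("#"):
            continue
        if line.startswith("  - ") and isinstance(data.get(key), list):
            data[key].append(line[4:].strip())
            continue
        k, _, v = line.partition(":")
        key, v = k.strip(), v.strip()
        if v.startswith("[") and v.endswith("]"):
            data[key] = [x.strip() for x in v[1:-1].split(",") if x.strip()]
        else:
            data[key] = v if v else []
    return data

def coverage(skills):
    """Return (Counter of skills per technique ID, list of lint findings)."""
    counts, findings = Counter(), []
    for path, text in skills.items():
        fm = parse_frontmatter(text)
        declared = fm.get("attack_ids", [])
        ids = [i for i in declared if TECHNIQUE_ID.match(i)]
        for bad in (i for i in declared if not TECHNIQUE_ID.match(i)):
            findings.append(f"{path}: malformed technique ID {bad!r}")
        if ids and "mitre-attack" not in fm.get("tags", []):
            findings.append(f"{path}: maps to ATT&CK but lacks the mitre-attack tag")
            continue  # the tag is the contract; untagged skills are not counted
        # Count each skill once per technique, and once toward a sub-technique's parent.
        counts.update(set(ids) | {i.split(".")[0] for i in ids})
    return counts, findings

# Thresholds follow the Suggested Color Scale; hex values are constructed.
COLOR_SCALE = [(0, "#ffffff"), (1, "#cfe2f3"), (3, "#6fa8dc"), (6, "#0b5394")]

def color_for(n):
    """Map a skill count to the colour of the highest threshold it reaches."""
    color = COLOR_SCALE[0][1]
    for threshold, hex_color in COLOR_SCALE:
        if n >= threshold:
            color = hex_color
    return color

def gaps(counts, expected):
    """Technique IDs from `expected` with no covering skill."""
    return sorted(t for t in expected if counts.get(t, 0) == 0)

def build_layer(counts, name="Skill coverage"):
    """Assemble a Navigator layer dict (field names per the public layer format; versions assumed)."""
    return {
        "name": name,
        "domain": "enterprise-attack",
        "versions": {"attack": "15", "navigator": "4.9.1", "layer": "4.5"},
        "description": "Number of skills mapped to each technique",
        "techniques": [
            {"techniqueID": tid, "score": n, "color": color_for(n), "comment": f"{n} skill(s)"}
            for tid, n in sorted(counts.items())
        ],
        "legendItems": [{"label": f"{t}+ skills", "color": c} for t, c in COLOR_SCALE],
    }

if __name__ == "__main__":
    counts, findings = coverage(SAMPLE_SKILLS)
    print(json.dumps(build_layer(counts), indent=2))
    print("Gaps:", gaps(counts, EXPECTED_TECHNIQUES))
    print("Findings:", *findings, sep="\n  ")
</test>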
## How to Contribute Mappings
- Identify the skill -- Read the skill's SKILL.md to understand what it teaches
- Find the ATT&CK technique -- Search attack.mitre.org for the matching technique
- Determine offensive vs. defensive -- Is the skill about performing or detecting/preventing the technique?
- Update the mapping -- Add the technique ID to the appropriate table in this directory
- Update skill tags -- Add `mitre-attack` and technique-specific tags to the skill's frontmatter
- Submit a PR -- Include the ATT&CK technique URL as justification
## References
- MITRE ATT&CK Enterprise Matrix
- MITRE ATT&CK Navigator
- ATT&CK v15 Release Notes
- MITRE ATT&CK for ICS -- relevant for ot-ics-security skills
- MITRE ATT&CK for Mobile -- relevant for mobile-security skills