AttackIQ and the Center for Threat-Informed Defense

AttackIQ is a founding member of the Center for Threat-Informed Defense, a non-profit research and development organization operated by MITRE Engenuity with the mission to advance the practice of threat-informed defense. Comprised of organizations with highly sophisticated security teams including Microsoft, Citi, JP Morgan Chase & Co. and HCA Healthcare, the Center builds on MITRE ATT&CK® to help practitioners strengthen their cybersecurity posture.

“The Center for Threat-Informed Defense brings together the best security teams in the world to collaborate on research that will shift the cybersecurity playing field in favor of defenders. Together, we can make an impact that’s far larger than anything we can do as individual companies.”

As the first company to operationalize and automate the MITRE ATT&CK® framework, AttackIQ has been collaborating with the Center for Threat-Informed Defense since its inception to help defenders take a proactive, strategic approach to their security programs.

“AttackIQ’s mission is to make the world safe for compute. We contribute to the Center to give back to the community. Every time we produce a research project, we also create an AttackIQ Academy course to deliver even more value from the project.”

Highlighted Projects

Adversary Emulation Plans

Understanding defenses from the perspective of the adversary is critical, but teams often lack the resources (expertise and funding) to conduct adversary emulation exercises. The CTID solution is to establish a library of standardized, intelligence-driven adversary emulation plans that cyber defenders can easily leverage. Developed over the course of four years with intel from 10+ vendors in the Center, the FIN6 Emulation Plan is one example of a comprehensive and detailed adversary emulation plan resource. FIN6 is a cybercrime group that has stolen payment card data and sold it for profit on underground marketplaces. AttackIQ played a leading role in defining the standard, which was then leveraged for FIN7, menuPass, and APT29, and will continue to be leveraged for follow-on standards.


ATT&CK For Cloud

Defenders lack visibility into adversary behaviors in cloud technologies, leaving their organizations exposed to emerging threats. The Center expanded MITRE ATT&CK to describe adversary behaviors in and against cloud technologies. This simplified defenders’ use of ATT&CK by aligning ATT&CK’s coverage of cloud TTPs with how organizations actually use cloud services in their operations. AttackIQ contributed directly to the Cloud Matrix, defining how it should be laid out and, specifically, the separation between infrastructure as a service (IaaS) and software as a service (SaaS). The project covers AWS, Azure, GCP, Dropbox, Office 365, and other SaaS technologies.


NIST 800-53 Security Control Mappings to ATT&CK

Large and complex security control frameworks such as NIST 800-53 do not relate directly to actionable TTPs in ATT&CK. The Center has created a comprehensive, open, curated set of mappings between 800-53 controls and ATT&CK techniques. These mappings provide a critically important resource for organizations to assess their security control coverage against real-world threats as described in the ATT&CK knowledge base, and they provide a foundation for integrating ATT&CK-based threat information into the risk management process. AttackIQ is not only helping customers test their controls against these frameworks, but also helping defenders translate the results into what CIOs care about, which is risk.


Project Resources (updated 10 August 2021): ATT&CK Version 9, ATT&CK Version 8


Security Stack Mappings - Azure

Users of Azure lack a comprehensive view of how native Azure security controls can help defend against real-world adversary TTPs. The Center built a scoring methodology to create mappings showing how effective native Azure security controls are in defending against specific ATT&CK techniques. Defenders are now able to use independent data to understand which Azure controls are most useful in defending against the adversary TTPs they care about.


Security Stack Mappings - AWS

Users of AWS lack a comprehensive view of how native AWS security controls can help defend against real-world adversary TTPs. The Center built a scoring methodology to create mappings showing how effective native AWS security controls are in defending against specific ATT&CK techniques. Defenders are now able to use independent data to understand which AWS controls are most useful in defending against the adversary TTPs they care about.



ATT&CK Workbench

ATT&CK Workbench is an easy-to-use open-source tool that allows organizations to manage and extend their own local version of ATT&CK and keep it in sync with MITRE’s knowledge base. Workbench allows users to explore, create, annotate, and share extensions of the ATT&CK knowledge base. Organizations or individuals can run their own instances of the application to serve as the centerpiece of a customized version of the ATT&CK knowledge base, attaching other tools and interfaces as desired. Through the Workbench, this local knowledge base can be extended with new or updated techniques, tactics, mitigations, groups, and software. Additionally, Workbench provides a means for users to share their extensions with the greater ATT&CK community, facilitating a greater level of collaboration within the community than is possible with current tools.


A full list of all the Center’s projects can be found here.

Project Resources

Published: 22 June 2021