MITRE ATT&CK Integration
800+ threat techniques with automatic classification, filtering, and configuration management.
MITRE ATT&CK is a globally recognized framework for understanding adversary tactics and techniques based on real-world observations.
Overview
CastellanAI integrates the MITRE ATT&CK framework to provide standardized threat technique classification and mapping.
| Metric | Count |
|---|---|
| Techniques | 800+ |
| Tactics | 14 |
| Groups | 100+ |
Security events are automatically mapped to MITRE ATT&CK techniques, providing context for threat hunting, incident response, and security analytics.
ATT&CK Tactics
The framework organizes adversary behavior into 14 tactical categories:
Initial Access Tactics
| Tactic | Description |
|---|---|
| Reconnaissance | Gathering information for planning attacks |
| Resource Development | Establishing resources for operations |
| Initial Access | Getting into the target network |
Execution & Persistence
| Tactic | Description |
|---|---|
| Execution | Running malicious code |
| Persistence | Maintaining foothold |
| Privilege Escalation | Gaining higher-level permissions |
Evasion & Access
| Tactic | Description |
|---|---|
| Defense Evasion | Avoiding detection |
| Credential Access | Stealing credentials |
| Discovery | Figuring out the environment |
Lateral Movement & Collection
| Tactic | Description |
|---|---|
| Lateral Movement | Moving through the network |
| Collection | Gathering data of interest |
| Command and Control | Communicating with compromised systems |
Exfiltration & Impact
| Tactic | Description |
|---|---|
| Exfiltration | Stealing data |
| Impact | Disrupting availability or integrity |
Impact techniques like ransomware (T1486) require immediate response.
Viewing MITRE Techniques
Accessing the Database
Navigate to Threat Intelligence in the top navigation bar or Settings → MITRE Techniques.
Statistics Dashboard
| Statistic | Description |
|---|---|
| Total Techniques | Number of techniques in the database |
| Last Updated | When the database was last refreshed |
| Cache Status | Indicates whether the data is served from cache for fast loading |
Searching and Filtering
| Filter | Options |
|---|---|
| Search | Search by technique ID, name, or description |
| Tactic | Filter by any of the 14 tactics |
| Platform | Windows, Linux, macOS, Network, Cloud, Mobile |
Technique Details
Technique Cards
Each technique displays:
| Field | Description |
|---|---|
| Technique ID | Official MITRE identifier (e.g., T1059.001) |
| Name | Human-readable technique name |
| Tactic | Tactical category (color-coded) |
| Description | Brief overview |
| Platforms | Targeted platforms |
Full Technique Details
Click any technique card to view:
| Section | Content |
|---|---|
| Tactic | Category with color badge |
| Platforms | All targeted platforms |
| Added to Database | Import date |
| Description | Full technique description |
| Data Sources | Where to look for evidence |
| Mitigations | Defense strategies |
| Examples | Real-world usage examples |
Integration Features
Automatic Classification
Security events are automatically mapped using:
| Method | Description |
|---|---|
| Rule-based detection | Windows Event IDs mapped to techniques |
| AI analysis | Pattern matching for technique identification |
| Behavioral correlation | Multi-event analysis for technique chains |
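To make the two mapping methods concrete, here is an added example (not CastellanAI's code) of a rule-based classifier that tags Windows events with technique IDs from the table above and then links a host's tagged events into a technique chain; the Event ID to technique mapping, the brute-force threshold and the sample events are all assumptions constructed for this illustration, not the product's rule set.

```python
from collections import Counter

# Assumed Event ID -> (technique, tactic) rules (illustrative, not the product's rule set).
EVENT_ID_RULES = {
    4104: ("T1059.001", "Execution"),    # PowerShell script block logged
    4698: ("T1053.005", "Persistence"),  # scheduled task created
    7045: ("T1543.003", "Persistence"),  # new service installed
}
BRUTE_FORCE_THRESHOLD = 5  # failed logons (4625) from one source before tagging T1110

def classify(event, failures_by_source):
    """Map one parsed Windows event to a list of (technique_id, tactic)."""
    eid = event["event_id"]
    if eid in EVENT_ID_RULES:
        return [EVENT_ID_RULES[eid]]
    if eid == 4624 and event.get("logon_type") == 10:  # RemoteInteractive = RDP logon
        return [("T1021.001", "Lateral Movement")]
    if eid == 4625 and failures_by_source[event["source"]] >= BRUTE_FORCE_THRESHOLD:
        return [("T1110", "Credential Access")]
    return []

def classify_events(events):
    """Tag every event; the brute-force rule needs a count across the whole batch."""
    failures = Counter(e["source"] for e in events if e["event_id"] == 4625)
    return [{**e, "techniques": classify(e, failures)} for e in events]

def technique_chains(tagged):
    """Per host, the distinct techniques in time order; a chain is reported only
    when it spans at least two tactics, i.e. shows progression rather than one hit."""
    per_host = {}
    for e in sorted(tagged, key=lambda e: e["ts"]):
        for tech, tactic in e["techniques"]:
            chain = per_host.setdefault(e["host"], [])
            if tech not in [t for t, _ in chain]:
                chain.append((tech, tactic))
    return {h: [t for t, _ in c] for h, c in per_host.items()
            if len({tac for _, tac in c}) >= 2}

# Constructed sample events (not real logs): six failed logons from one source,
# then an RDP logon, PowerShell execution and a new service on the same host.
SAMPLE_EVENTS = (
    [{"ts": t, "host": "WS01", "event_id": 4625, "source": "10.0.0.5"} for t in range(1, 7)]
    + [{"ts": 10, "host": "WS01", "event_id": 4624, "source": "10.0.0.5", "logon_type": 10},
       {"ts": 20, "host": "WS01", "event_id": 4104, "source": "WS01"},
       {"ts": 30, "host": "WS01", "event_id": 7045, "source": "WS01"},
       {"ts": 40, "host": "FS02", "event_id": 4698, "source": "FS02"},
       {"ts": 50, "host": "FS02", "event_id": 4625, "source": "10.0.0.9"}]
)

if __name__ == "__main__":
    for host, chain in technique_chains(classify_events(SAMPLE_EVENTS)).items():
        print(host, " -> ".join(chain))  # WS01 T1110 -> T1021.001 -> T1059.001 -> T1543.003
```

A single failed logon on FS02 stays untagged because the brute-force rule is a threshold over the batch, and FS02's lone scheduled-task event is not reported as a chain because it covers only one tactic.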
Security Event Integration
When viewing security events:
- MITRE techniques appear as purple badges on each event
- Click techniques to see detailed information
- Filter events by specific techniques
Click any technique badge on a security event to jump directly to its full details.
Managing the MITRE Database
Importing Techniques
- Navigate to Settings → MITRE Techniques
- Click Import Techniques
- Wait for the import to complete (800+ techniques)
Initial import may take several minutes depending on your connection.
Auto-Update Configuration
- Go to Settings → MITRE Techniques
- Enable Auto-Update
- Set the update frequency (default: 30 days)
- The system will automatically check for new techniques
Common Use Cases
Threat Hunting Workflow
Search for specific attack techniques to proactively identify threats:
- Go to Threat Intelligence
- Filter by tactic (e.g., "Credential Access")
- Review techniques like T1110 (Brute Force)
- Search Security Events for matching events
Incident Response Workflow
Understand the full scope of an attack:
- Open a security event detail
- Note the MITRE techniques listed
- Search for related techniques in the same tactic
- Look for technique chains indicating attack progression
Detection Engineering Workflow
Build and validate detection rules:
- Identify gaps in your ATT&CK coverage
- Go to Detection Rules
- Create rules targeting uncovered techniques
- Map each rule to its MITRE technique
Common Techniques Monitored
CastellanAI provides built-in detection for commonly observed techniques:
| Technique ID | Name | Tactic |
|---|---|---|
| T1059.001 | PowerShell | Execution |
| T1078 | Valid Accounts | Initial Access |
| T1110 | Brute Force | Credential Access |
| T1021.001 | Remote Desktop Protocol | Lateral Movement |
| T1053.005 | Scheduled Task | Persistence |
| T1543.003 | Windows Service | Persistence |
| T1486 | Data Encrypted for Impact | Impact |
| T1562.001 | Disable Security Tools | Defense Evasion |
| T1003 | OS Credential Dumping | Credential Access |
Pagination
The techniques database supports pagination:
- 25 techniques per page
- Navigate between pages using Previous/Next buttons
- Shows current position (e.g., "Showing 1 to 25 of 823 techniques")
What's Next?
| Guide | Description |
|---|---|
| Event Monitoring | View security events with MITRE mappings |
| Threat Detection | How threats are detected and classified |
| Malware Scanning | File-based threat detection |