Bringing PRE into Enterprise

Adam PenningtonOct 27, 2020 · 6 min read

Written by Adam Pennington and Jen Burns

We’re excited to announce that we’ve released the latest version of MITRE ATT&CK (v8), which includes the integration of PRE-ATT&CK’s scope into Enterprise ATT&CK! This integration removes the PRE-ATT&CK domain from ATT&CK and adds two new tactics to Enterprise — Reconnaissance and Resource Development. Similar to our July release of sub-techniques, this is an update to ATT&CK that’s been under development for some time. You can find this new version of ATT&CK on our website, in the ATT&CK Navigator, as STIX, and via our TAXII server.

PRE-ATT&CK’s History

When we originally launched Enterprise ATT&CK, we focused on the behaviors that adversaries perform after they’ve broken into an environment, roughly the Exploit through Maintain phases of the MITRE Cyber Attack Lifecycle. This aligned well with the visibility of many defenders of their own networks, but it left pre-compromise adversary behaviors uncovered. After ATT&CK’s initial launch, a separate team at MITRE decided to fill in the gap to the left by following the structure of Enterprise ATT&CK and enumerating adversary behaviors leading up to a compromise. This work became PRE-ATT&CK and was released in 2017.

The Original 17 Tactics of PRE-ATT&CK Against

Read More: