Rendered documentation
This page renders the module's Markdown and Mermaid directly from the public documentation source.
## Overview
The Attack Pattern domain enables threat intelligence analysts to track, analyze, and correlate adversary tactics, techniques, and procedures (TTPs) based on the MITRE ATT&CK framework. It provides structured attack pattern profiles that can be linked to investigations, enabling cross-case correlation to identify advanced persistent threats and organized threat campaigns across both cyber and physical security domains.
## Key Features
- MITRE ATT&CK Integration -- Direct mapping to the enterprise ATT&CK framework with official tactic and technique IDs for standardized threat categorization
- Physical Attack Framework -- A complementary taxonomy for physical security threats covering kinetic attacks, physical breaches, and defensive countermeasures
- Kill Chain Phase Tracking -- Maps attack patterns to Lockheed Martin Cyber Kill Chain phases for understanding attack progression from reconnaissance through actions on objectives
- Defensive Countermeasure Mapping -- Links attack techniques to recommended defensive measures with relationship type and effectiveness strength ratings
- Cross-Investigation Correlation -- Links attack patterns to active investigations enabling pattern recognition across cases to identify related threat campaigns
- Threat Actor Attribution -- Associates attack patterns with known threat actor profiles to support attribution analysis
- Indicator Association -- Links indicators of compromise (IOCs) to attack patterns for technical cross-referencing
- Multi-Domain Coverage -- Supports cyber, physical, and hybrid threat modeling in a single unified framework
- Adversary Capability Assessment -- Profiles adversary sophistication levels, target sectors, and known tool usage for threat profiling
- Security Classification -- Supports multi-level security classification from unclassified through top secret for sensitive threat intelligence
## Use Cases
- Threat intelligence analysts create structured attack pattern profiles linked to MITRE ATT&CK techniques when analyzing cyber incidents, enabling automated correlation with similar patterns across other investigations.
- Physical security teams use the physical attack framework to model threats against critical infrastructure, mapping attack techniques to layered defensive countermeasures for security planning.
- Investigators link multiple attack patterns to a single investigation to build a comprehensive picture of an advanced persistent threat campaign, tracking progression through kill chain phases.
- Security architects query the defensive mapping database to identify recommended countermeasures for specific attack techniques, supporting defense-in-depth planning.
- Analysts perform cross-case correlation to identify when the same TTPs appear across multiple investigations, potentially revealing coordinated threat campaigns.
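The cross-case correlation and kill chain tracking described above, as an added illustration that is not code from the module itself: investigations carry attack patterns keyed by ATT&CK technique ID, and a pair of cases is flagged when they share enough techniques. Case IDs and the patterns attached to them are constructed sample data; the technique IDs and kill chain phase names are the standard public ones.

```python
from dataclasses import dataclass
from itertools import combinations

# Lockheed Martin Cyber Kill Chain phases, in progression order.
KILL_CHAIN = ["reconnaissance", "weaponization", "delivery", "exploitation",
              "installation", "command-and-control", "actions-on-objectives"]

@dataclass(frozen=True)
class AttackPattern:
    technique_id: str      # MITRE ATT&CK technique ID, e.g. "T1566"
    tactic: str            # ATT&CK tactic the technique belongs to
    kill_chain_phase: str  # one of KILL_CHAIN

@dataclass
class Investigation:
    case_id: str
    patterns: list

def shared_ttps(a: Investigation, b: Investigation) -> set:
    """Technique IDs that appear in both investigations."""
    return {p.technique_id for p in a.patterns} & {p.technique_id for p in b.patterns}

def correlate(investigations, min_shared=2):
    """Return (case_a, case_b, shared_ids) for every pair of cases that share
    at least min_shared technique IDs, strongest overlap first."""
    hits = []
    for a, b in combinations(investigations, 2):
        shared = shared_ttps(a, b)
        if len(shared) >= min_shared:
            hits.append((a.case_id, b.case_id, sorted(shared)))
    hits.sort(key=lambda h: (-len(h[2]), h[0], h[1]))
    return hits

def kill_chain_progression(inv: Investigation) -> list:
    """Kill chain phases observed in a case, in chain order (gaps are visible)."""
    seen = {p.kill_chain_phase for p in inv.patterns}
    return [phase for phase in KILL_CHAIN if phase in seen]

# Constructed sample cases (case IDs are placeholders, not real investigations).
PHISHING = AttackPattern("T1566", "initial-access", "delivery")
SCRIPTING = AttackPattern("T1059", "execution", "exploitation")
EXFIL_C2 = AttackPattern("T1041", "exfiltration", "actions-on-objectives")
REMOTE_SVC = AttackPattern("T1021", "lateral-movement", "installation")
VALID_ACCT = AttackPattern("T1078", "defense-evasion", "exploitation")

CASES = [
    Investigation("INV-001", [PHISHING, SCRIPTING, EXFIL_C2]),
    Investigation("INV-002", [PHISHING, SCRIPTING, REMOTE_SVC]),
    Investigation("INV-003", [VALID_ACCT]),
]
```

With these samples, `correlate(CASES)` flags INV-001 and INV-002 as sharing T1059 and T1566, while INV-003 stays uncorrelated.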
## Integration
The Attack Pattern domain integrates with the Investigation domain for linking patterns to active cases, the Threat Actor domain for attribution analysis, the Indicator domain for IOC association, and the broader Threat Intelligence framework for comprehensive threat analysis.
Last Reviewed: 2026-02-05