Attack Flow.

A MITRE Engenuity Center for Threat-Informed Defense language and toolset for describing how adversaries chain techniques into multi-step operations, complementing ATT&CK's per-technique catalog with sequencing and decision logic. 它属于网络安全的 防御与运营 分类。

A MITRE Engenuity Center for Threat-Informed Defense language and toolset for describing how adversaries chain techniques into multi-step operations, complementing ATT&CK's per-technique catalog with sequencing and decision logic.

Attack Flow is a STIX-extensible language and authoring tooling released by MITRE Engenuity's Center for Threat-Informed Defense in 2022, with version 2 in 2023. Its goal is to capture the missing piece between ATT&CK techniques and full incident narratives: how an adversary actually sequences techniques across an intrusion, including conditions, branches, and parallel paths. An Attack Flow document models an operation as a directed graph of `attack-action` (a technique execution) and `attack-condition` nodes, with linked `attack-asset` (targeted resources) and `attack-operator` (AND/OR/XOR) elements. The CTID publishes a public corpus of Attack Flows for real incidents (Conti, SolarWinds, NotPetya, Triton, REvil, etc.) and ships a web-based authoring tool (Attack Flow Builder). Use cases include threat-intelligence sharing in a machine-readable form richer than ATT&CK alone, building synthetic intrusion narratives for detection engineering, and helping defenders reason about which techniques to disrupt to break a likely chain.

针对 Attack Flow 的防御通常结合技术控制与运营实践,详见上方完整定义。

常见的别称包括: MITRE Attack Flow, Attack Flow Language。