MITRE ATT&CK has long been the de facto standard for sharing TTPs of different threat actors and for planning and executing various threat emulation exercises. However, especially in the last few years, I’ve seen more and more Security Operations Centers start using it as well, for mapping of their defensive capabilities, detection use cases and SIEM correlation rules.
Article Link: InfoSec Handlers Diary Blog - SANS Internet Storm Center