Ah, cybersecurity – an ever-evolving field that’s as fascinating as it is complex. If you’ve spent any time in this realm, you’ve probably come across the term MITRE ATT&CK. But what exactly is it, and why does it matter? Buckle up, folks – we’re about to dive into the world of adversary tactics and techniques.

MITRE ATT&CK, an acronym for Adversarial Tactics, Techniques, and Common Knowledge, is a comprehensive knowledge base and framework that outlines adversary tactics and techniques based on real-world observations. Launched by the MITRE Corporation in 2013, it’s an open framework used for implementing cybersecurity detection and response programs. It’s like a treasure map for cybersecurity professionals, helping them develop specific threat models and methodologies across various sectors, including private, government, and cybersecurity product/service communities.

Now, let’s break down how this framework works. The MITRE ATT&CK framework outlines various phases of an adversary’s attack lifecycle, targeting the platforms known to be attacked. It’s structured into matrices by attack stages, ranging from initial system access all the way to data theft or machine control. It’s not just a list of possible attacks – it’s a step-by-step guide to the enemy’s playbook.

Here’s a more technical breakdown of how MITRE ATT&CK works:

Framework Structure

  • Tactics: Represent the “why” of a MITRE ATT&CK technique. They correspond to the tactical objective the adversary hopes to achieve, such as initial access, execution, persistence, privilege escalation, defence evasion, credential access, discovery, lateral movement, collection, exfiltration, and command and control.
  • Techniques: Refer to the “how” of achieving a tactical goal (e.g., gaining initial access through spear-phishing). Each technique is meant to detail how adversaries achieve the objectives set forth by the tactic.
  • Sub-Techniques: These are particular ways adversaries execute the parent technique, offering a more detailed view of the methods used by cyber threats.
  • Mitigations: These are suggestions to prevent or handle techniques and sub-techniques.
  • Groups: These represent collections of related activity that are tracked as a single threat actor (e.g., APT28, Lazarus Group).
  • Software: This refers to the specific pieces of software or code used in attacks (e.g., malware, tools).

Matrix Model

  • The ATT&CK framework is often visualised as a matrix, where tactics are columns and techniques or sub-techniques are cells within those columns. This model helps organisations understand the behaviour and actions that an adversary might take.

Data Sources

  • Information in MITRE ATT&CK is based on real-world observations and is often sourced from various reports, whitepapers, and other research on threat groups and incidents. The credibility is maintained by citing public sources of information.


  • Threat Intelligence: Helps analysts to compare log activities and attacks against known threat group TTPs (Tactics, Techniques, and Procedures).
  • Red Teaming/Adversary Emulation: Simulating adversaries based on the TTPs in the framework to test an organisation’s defences.
  • Defense Gap Assessment: Used to understand coverage and where additional defences might be needed.
  • Incident Response: Helps in the investigation and remediation process by identifying adversary TTPs.

Updating and Evolving

  • The framework is not static; it evolves. As new TTPs are identified from emerging threats, the ATT&CK matrix is updated. This helps to ensure that the framework remains a cutting-edge resource for identifying and understanding adversary behaviour.

Community Engagement

  • MITRE encourages the cybersecurity community to contribute new information or any amendments to the current content to ensure the framework is comprehensive and up to date.

Tools and Utilities

  • MITRE and other entities have developed various tools and services that utilise the ATT&CK framework, enhancing its applicability and usefulness. Examples include ATT&CK Navigator, which allows for the visualisation and manipulation of the ATT&CK matrices, and many security information and event management (SIEM) systems now incorporating ATT&CK to enhance threat detection and response activities.

The use of MITRE ATT&CK is widespread, and it’s easy to see why. It’s used by security defenders, penetration testers, red teams, and cyber threat intelligence teams, among others. By adopting this framework, organisations can efficiently manage their security processes, test the effectiveness of their security protocols, and steer improvements. It’s like a gym for your cybersecurity muscles – helping you test your strength and build up where you’re weak.

In essence, MITRE ATT&CK is a living knowledge base that helps cybersecurity professionals understand, communicate, and counter the various tactics, techniques, and procedures used by cyber adversaries.

One of the things that sets MITRE ATT&CK apart from other frameworks is the level of detail it provides. While other frameworks, like the NIST (National Institute of Standards and Technology) framework, provide broader guidelines for managing and improving cybersecurity, MITRE ATT&CK dives deep into the nitty-gritty of attacker behaviours. This granular understanding of adversary behaviours is invaluable when it comes to devising effective defensive strategies.

Of course, MITRE ATT&CK isn’t the only cybersecurity framework out there. Others include:

  • NIST Cybersecurity Framework, which provides guidelines for organisations to manage and improve their cybersecurity posture
  • ISO 27001, which establishes requirements for an information security management system
  • Cyber Kill Chain, which elucidates the stages of a cyber-attack

Each of these frameworks has its own unique focus and approach, and they all contribute to enhancing the cybersecurity posture of organisations in their own ways. However, the level of detail and technical focus of MITRE ATT&CK makes it a powerful tool in the arsenal of any cybersecurity professional.

So, wrapping up, the MITRE ATT&CK framework serves as a comprehensive guide to understanding and combating cybersecurity threats. Its detailed breakdown of attacker tactics and techniques, combined with its widespread use among private and public sector organisations, make it an invaluable resource in the ever-evolving field of cybersecurity. So, whether you’re a seasoned cybersecurity pro or just dipping your toes into the field, the MITRE ATT&CK framework is definitely worth a look.

Categorized in: