MITRE ATT&CK Framework
MITRE ATT&CK is a globally recognized knowledge base that documents adversary tactics, techniques, and procedures observed in real-world cyberattacks. It has become a cornerstone for threat detection, incident response, and adversary emulation.
Table of Contents
What is MITRE ATT&CK?
The MITRE Corporation, a US-based non-profit research organization, developed ATT&CK in 2013 as part of internal adversary emulation exercises. ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge.
Its primary purpose is to describe, in detail, how adversaries behave once inside networks. Unlike vulnerability databases that focus on entry points, ATT&CK catalogs the full range of actions attackers take after gaining access, from persistence mechanisms to data exfiltration.
It is widely used across the cybersecurity community as a shared language for describing adversary behavior, enabling collaboration between SOC analysts, red teams, vendors, and researchers.
Scope and applicability
MITRE ATT&CK has grown into a comprehensive set of matrices, each focusing on a specific environment:
- Enterprise: Windows, macOS, Linux, cloud services, and SaaS platforms.
- Mobile: iOS and Android-specific tactics and techniques.
- ICS (Industrial Control Systems): tactics and techniques specific to operational technology environments.
Its applicability extends to:
- Threat intelligence teams mapping campaign data.
- SOCs building detection rules aligned to adversary behavior.
- Red teams using ATT&CK to structure emulation of real-world adversaries.
- Vendors benchmarking detection capabilities through ATT&CK evaluations.
Because ATT&CK is continuously updated based on real-world incidents, it remains one of the most relevant frameworks for SecOps teams.
Key requirements
Although ATT&CK is not a regulation, it provides actionable knowledge that organizations are expected to leverage for stronger defenses:
- Tactics: high-level objectives of attackers, such as persistence, privilege escalation, or lateral movement.
- Techniques: specific ways those objectives are achieved, e.g., credential dumping, phishing for initial access, or abusing valid accounts.
- Sub-techniques: more detailed variations of techniques, providing fine-grained insight into attacker behavior.
- Mitigations: defensive measures mapped to techniques, such as enforcing MFA, network segmentation, or disabling legacy protocols.
- Detection guidance: recommendations for logs, telemetry, and analytics that can identify adversary actions.
- Enforcement and penalties: there is no regulatory enforcement, but not aligning SOC capabilities with ATT&CK is often seen as a maturity gap and can leave organizations unprepared against modern threats.
Impact on SecOps
For security operations teams, MITRE ATT&CK has become indispensable:
- Detection engineering: SOC analysts can design and test detection rules directly mapped to techniques in ATT&CK. This ensures that defenses cover the real behaviors adversaries use, not just theoretical attack paths.
- Threat hunting: hunters can proactively search for adversary behaviors across logs and telemetry, guided by ATT&CK’s comprehensive taxonomy.
- Incident response: during investigations, incidents can be classified and described using ATT&CK, enabling structured reporting and cross-team communication.
- Gap analysis: SOC managers can assess which tactics and techniques are currently covered by their monitoring tools and which are missing.
- Vendor assessment: ATT&CK Evaluations allow organizations to compare security products based on how well they detect specific techniques.
- Training and knowledge sharing: ATT&CK provides a common vocabulary for describing attacks, reducing ambiguity and enabling better collaboration across teams and organizations.
By aligning operations with ATT&CK, SecOps teams shift from reactive to proactive defense, systematically improving coverage against known adversary behaviors.