What is the MITRE ATT&CK Framework?

MITRE ATT&CK stands for MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK).

The MITRE ATT&CK system is a curated knowledge base and model for cyber adversary behavior, representing the different stages of an adversary’s attack lifecycle as well as the channels they are known to target. The model’s strategies and techniques abstraction create a common taxonomy of individual adversary behavior that both the offensive and defensive sides of cybersecurity can understand. It also assigns a proper level of categorization to adversary actions and clear ways to address them.

The MITRE ATT&CK Framework was created by MITRE in 2013 to document attacker tactics and techniques based on real-world observations. This index continues to evolve with the threat landscape and has become a renowned knowledge base for the industry to understand attacker models, methodologies, and mitigation.

Breakdown of the MITRE ATT&CK Framework

Successful and comprehensive threat detection requires understanding common adversary techniques, which ones may especially pose a threat to your organization, and how to detect and mitigate these attacks. With that said, the volume and breadth of attack tactics make it nearly impossible for any single organization to monitor every single attack type — never mind catalog and translate those findings in a constructive way to anyone outside of their organization.

For these reasons, MITRE has developed the ATT&CK framework. ATT&CK, which is an acronym for Adversarial Tactics, Techniques, and Common Knowledge, is a knowledge base of adversary tactics and techniques. These techniques are indexed and break down into detail the exact steps and methods that hackers use, making it easy for teams to understand the actions that may be used against a platform. To go a step further, MITRE also incorporates cyber-threat intelligence documenting adversary group behavior profiles to document which attack groups use which techniques.

The ATT&CK matrix structure is like a periodic table, with column headers outlining the phase in the attack chain (from Initial Access all the way to Impact). The rows below them detail specific techniques. Framework users can further explore any of the techniques to learn more about the tactics, platforms exploited, example procedures, mitigation, and detections.

How Do You Use the MITRE ATT&CK Matrix?

The MITRE ATT&CK framework can help an organization in several ways. In general, the following are applicable benefits to adopting MITRE ATT&CK:

Adversary Emulation:

Assesses security by applying intelligence about an adversary and how they operate to emulate a threat. ATT&CK can be used to create adversary emulation scenarios to test and verify defenses.

Red Teaming:

Acts as an adversary to demonstrate the impact of a breach. ATT&CK can be used to create red team plans and organize operations.

Behavioral Analytics Development:

Links together suspicious activity to monitor adversary activity. ATT&CK can be used to simplify and organize patterns of suspicious activity deemed malicious.

Defensive Gap Assessment:

Determines what parts of the enterprise lack defenses and/or visibility. ATT&CK can be used to assess existing tools, or test new tools prior to purchasing, to determine security coverage and prioritize investment.

SOC Maturity Assessment:

Like Defensive Gap Assessment, ATT&CK can be used to determine how effective a security operations center (SOC) is at detecting, analyzing, and responding to breaches.

Cyber Threat Intelligence Enrichment:

Enhances information about threats and threat actors. ATT&CK allows defenders to assess whether they can defend against specific Advanced Persistent Threats (ATP) and common behaviors across multiple threat actors.

Implementing MITRE ATT&CK typically involves either manual mapping or integration with cybersecurity tools, the most common of which are Security Information and Event Management (SIEM), Endpoint Detection and Response (EDR), and Cloud Access Security Broker (CASB).

Using MITRE ATT&CK with a SIEM involves aggregating log data from endpoints, networks, and cloud services, identifying threats and mapping them to MITRE ATT&CK. Changes to security posture are then conducted in the security tools providing their log data, (i.e., EDR or CASB).

Using MITRE ATT&CK with EDR involves mapping events observed by the endpoint agent, allowing defenders to determine the phases of a threat event, assess associated risk, and prioritize response.

Using MITRE ATT&CK with a CASB involves first filtering out suspicious and threat behavior from millions of cloud events with User and Entity Behavior Analytics (UEBA), combining those events with DLP, Vulnerability, and Misconfiguration incidents, and mapping to MITRE ATT&CK. From the CASB, defenders can adjust cloud security policy to block adversary behavior.

MITRE ATT&CK now has three iterations:

ATT&CK for Enterprise

Focuses on adversarial behavior in Windows, Mac, Linux, and Cloud environments.

ATT&CK for Mobile

Focuses on adversarial behavior on iOS and Android operating systems.


Focuses on “pre-exploit” adversarial behavior. Pre-ATT&CK is included as part of the ATT&CK for Enterprise matrix.

MITRE ATT&CK is used worldwide across multiple disciplines including intrusion detection, threat hunting, security engineering, threat intelligence, red teaming, and risk management.

How does the MITRE ATT&CK Framework help an organization?

The ATT&CK Framework is widely recognized as an authority on understanding the behaviors and techniques that hackers use against organizations today. It not only removes ambiguity and provides a common vocabulary for industry professionals to discuss and collaborate on combating these adversary methods, but it also has practical applications for security teams.

Some key use cases for the MITRE ATT&CK framework include:

Using the MITRE ATT&CK Framework to prioritize detections based on your organization’s unique environment

Even the most well-resourced teams cannot protect against all attack vectors equally. The ATT&CK framework can offer a blueprint for teams for where to focus their detection efforts. For example, many teams may begin by prioritizing threats earlier in the attack chain. Other teams may want to prioritize specific detections based on techniques used by attacker groups that are especially prevalent in their respective industries. By exploring the techniques, targeted platforms, and risk, teams can educate themselves to help inform their security plan, then leverage the MITRE ATT&CK framework to track progress over time.

Using the MITRE ATT&CK Framework to evaluate current defenses

The MITRE ATT&CK framework can also be valuable in evaluating current tools and depth of coverage around key attack techniques. There are different levels of telemetry that might be applicable to each detection. In some areas, teams may decide they need high confidence in the depth of detection, while a lower level of detection may be acceptable in other areas. By defining the threats that are a priority for the organization, teams can evaluate how their current coverage stacks up. This can also be useful in red-teaming activities; the matrix can be used to define the scope of a red teaming exercise or pentest, and then as a scorecard during and after the test.

Using the MITRE ATT&CK Framework to track attacker groups

Many organizations may want to prioritize tracking specific adversary group behaviors that they know are of threat to their industry or vertical. The ATT&CK framework is not a static document. MITRE continues to evolve the framework as threats emerge and evolve, making it a useful source of truth to track and understand the movements of hacker groups and the techniques they use.

Resources and References






Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store