
MITRE ATT&CK has become the common language of cybersecurity. This knowledge base documents real-world adversary behaviors, organizing them into a structured taxonomy that enables consistent communication among defenders worldwide.
ATT&CK organizes adversary behaviors into tactics (the "why"—what the adversary is trying to achieve) and techniques (the "how"—specific methods to achieve tactical goals).
The Enterprise ATT&CK matrix defines fourteen tactics spanning the attack lifecycle: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, and Impact.
Each tactic contains multiple techniques, and a technique can appear under more than one tactic. Initial Access includes techniques like Phishing, Drive-by Compromise, and Valid Accounts (which also appears under Persistence, Privilege Escalation, and Defense Evasion). Persistence includes Scheduled Task/Job and Boot or Logon Autostart Execution, whose sub-techniques include Registry Run Keys / Startup Folder.
Sub-techniques provide additional granularity. Phishing (T1566) includes sub-techniques for Spearphishing Attachment (T1566.001), Spearphishing Link (T1566.002), and Spearphishing via Service (T1566.003).
ATT&CK standardizes how we describe threats. Rather than vague descriptions, reports can reference specific techniques. "The adversary used T1059.001 (PowerShell) for execution" conveys precise meaning that analysts understand immediately: T1059.001 is the PowerShell sub-technique of Command and Scripting Interpreter (T1059), under the Execution tactic.
MITRE maintains profiles of threat groups (Groups, each with a G-prefixed ID such as G0016 for APT29), documenting which techniques each group has been observed using, with a reference for each observation. This enables threat-informed defense: if APT29 targets your sector, you can review their known techniques and prioritize detections accordingly.
When consuming threat intelligence, map new information to ATT&CK. Which techniques does this report describe? Do you have detection coverage? This systematic approach identifies actionable gaps.
ATT&CK transforms detection engineering from ad-hoc to systematic. Rather than building detections randomly, you can map coverage to the matrix.
Coverage mapping plots your existing detections against ATT&CK techniques. Which techniques can you currently detect? Which cells are empty? Visualization tools like ATT&CK Navigator show this graphically: you load a layer file that assigns each technique a score and a color, for example green for covered and red for gaps. Note that a detection tagged only with a parent technique (T1566) tells you little about which sub-technique (T1566.001 versus T1566.002) it actually catches; track coverage at the sub-technique level wherever the matrix defines one.
Prioritization becomes threat-informed. Don't try to detect everything; focus on techniques your likely adversaries use. If you're in healthcare, ransomware groups' techniques matter more than the techniques of espionage groups targeting defense contractors.
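The workflow described above (map intelligence to technique IDs, compare with what your detections are tagged with, list the gaps, and hand the result to ATT&CK Navigator) is small enough to script. The following is an added example written for this lesson, not code from MITRE or from ATT&CK Navigator. The detection rules, the threat profile, and the subset of "current" technique IDs are constructed sample data; the tag format (attack.t1059.001) follows the convention Sigma rules use, and the layer field names are assumed to match Navigator's layer format. It also goes one step beyond the text by distinguishing full coverage (a detection tagged with the exact sub-technique) from partial coverage (a detection tagged only with the parent), and by flagging rule tags that reference IDs no longer in the matrix.

```python
"""Threat-informed ATT&CK coverage check (added example, constructed data)."""
import json
import re

TECHNIQUE_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")

# Constructed sample: a subset of current Enterprise technique IDs and names.
# In practice this comes from the ATT&CK STIX bundle for the release you use.
CURRENT_TECHNIQUES = {
    "T1059": "Command and Scripting Interpreter",
    "T1059.001": "PowerShell",
    "T1566": "Phishing",
    "T1566.001": "Spearphishing Attachment",
    "T1566.002": "Spearphishing Link",
    "T1053.005": "Scheduled Task",
    "T1547.001": "Registry Run Keys / Startup Folder",
    "T1078": "Valid Accounts",
}

# Constructed sample detections, tagged Sigma-style (attack.t1059.001).
# T1086 was the pre-v7 PowerShell ID, revoked when sub-techniques arrived.
DETECTIONS = [
    {"name": "Encoded PowerShell command line", "tags": ["attack.t1059.001"]},
    {"name": "Office app spawns scripting host", "tags": ["attack.t1566"]},
    {"name": "Scheduled task created from user dir", "tags": ["attack.t1053.005"]},
    {"name": "PowerShell download cradle (legacy tag)", "tags": ["attack.t1086"]},
]

# Constructed threat profile: techniques the group you care about is known to
# use, as you would pull them from its ATT&CK Group page or your own CTI.
THREAT_PROFILE = ["T1566.001", "T1566.002", "T1059.001", "T1547.001", "T1078"]


def normalise_tag(tag):
    """'attack.t1059.001' -> 'T1059.001'; None for non-technique tags (tactics etc.)."""
    tag = tag.strip()
    if tag.lower().startswith("attack."):
        tag = tag[len("attack."):]
    tid = tag.upper()
    return tid if TECHNIQUE_ID.match(tid) else None


def detection_index(detections):
    """Map technique ID -> detection names; also collect tags not in the current matrix."""
    index, stale = {}, []
    for det in detections:
        for tag in det["tags"]:
            tid = normalise_tag(tag)
            if tid is None:
                continue
            if tid not in CURRENT_TECHNIQUES:
                stale.append((det["name"], tid))   # revoked or mistyped ID
                continue
            index.setdefault(tid, []).append(det["name"])
    return index, stale


def coverage(profile, index):
    """Per profile technique: 'covered', 'partial' (parent-level tag only) or 'gap'."""
    result = {}
    for tid in profile:
        if tid in index:
            result[tid] = "covered"
        elif "." in tid and tid.split(".")[0] in index:
            result[tid] = "partial"
        else:
            result[tid] = "gap"
    return result


SCORE = {"covered": 2, "partial": 1, "gap": 0}
COLOR = {"covered": "#2e7d32", "partial": "#f9a825", "gap": "#c62828"}


def navigator_layer(name, cov):
    """Navigator layer JSON; field names assumed from the Navigator layer format."""
    return {
        "name": name,
        "domain": "enterprise-attack",
        "versions": {"layer": "4.4"},  # assumed layer format version
        "techniques": [
            {"techniqueID": tid, "score": SCORE[s], "color": COLOR[s], "comment": s}
            for tid, s in sorted(cov.items())
        ],
    }


def report(profile=THREAT_PROFILE, detections=DETECTIONS):
    index, stale = detection_index(detections)
    cov = coverage(profile, index)
    gaps = [t for t, s in cov.items() if s == "gap"]
    return {"coverage": cov, "gaps": gaps, "stale_tags": stale,
            "layer": navigator_layer("sample threat profile coverage", cov)}


if __name__ == "__main__":
    r = report()
    for tid, status in r["coverage"].items():
        print(f"{tid:<10} {CURRENT_TECHNIQUES[tid]:<36} {status}")
    print("gaps to prioritise:", r["gaps"])
    print("detections with IDs not in current matrix:", r["stale_tags"])
    print(json.dumps(r["layer"], indent=2))
```

With the sample data, the two spearphishing sub-techniques come out as partial (the only phishing rule is tagged with the parent), PowerShell is covered, and Registry Run Keys and Valid Accounts are gaps; the rule tagged T1086 is reported separately because that ID is not in the current matrix. Save the layer dict to a .json file and open it in Navigator to get the colored matrix the text describes.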
Each technique's ATT&CK page includes detection guidance: the data sources and data components needed (for example, process creation or command execution), what to look for in that data, and notes on building detections. This accelerates detection development and tells you which telemetry you must be collecting before a detection is even possible.
ATT&CK is powerful but not comprehensive. It describes observed behaviors, so novel techniques won't appear until discovered in the wild. It doesn't include all possible attack methods, only documented ones.
Coverage goals should be realistic. 100% ATT&CK coverage is impossible and unnecessary. Techniques vary dramatically in detectability; some are nearly invisible without specific instrumentation. Aim for breadth across the tactics your likely adversaries use, and depth (several independent detections) on the techniques they rely on most.
ATT&CK also requires ongoing maintenance. The framework updates regularly as new techniques are documented, and existing techniques are renamed, merged, or revoked (the introduction of sub-techniques in 2020 renumbered many of them). Detections need periodic review to ensure the technique IDs they are tagged with still exist in the current release and still mean what the detection actually catches.