MITRE ATT&CK
A publicly accessible knowledge base documenting real-world adversary tactics and techniques used in cyberattacks, structured as a framework for threat analysis and defense.
Definition
MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a curated, publicly available knowledge base of adversary tactics and techniques based on real-world observations. It documents how threat actors actually conduct attacks, providing a standardized framework for threat analysis, defense planning, and security testing.
Rather than abstract threat categories, ATT&CK provides specific, observable behaviors: “This threat actor uses SSH for lateral movement (T1021.004)” rather than “attackers use sophisticated techniques.”
Structure
ATT&CK organizes adversary behavior in a hierarchy:
Tactics
The adversary’s goals, i.e. why a behavior is performed. The Enterprise matrix has 14 tactics, from Reconnaissance through Impact; examples include:
- Reconnaissance – Gathering information before attack
- Resource Development – Setting up tools and infrastructure
- Initial Access – Getting a foothold in the target network
- Persistence – Maintaining access
- Privilege Escalation – Gaining higher-level access
- Lateral Movement – Moving through the network
- Exfiltration – Stealing data
Techniques
The specific methods used to achieve a tactic. Example: T1021 (Remote Services) is a Lateral Movement technique. Sub-techniques refine it: T1021.001 (Remote Desktop Protocol) and T1021.004 (SSH). IDs follow a fixed scheme: techniques are Txxxx, sub-techniques Txxxx.yyy, tactics TAxxxx, threat groups Gxxxx and software Sxxxx, so an ID alone tells you which level of the hierarchy you are looking at.
Procedures
How specific threat actors or malware implement a technique, as recorded from threat reports. Example: “Threat actor X uses T1021.004 (Remote Services: SSH) with custom scripts to move between Linux hosts.” One technique can have many procedures, and a detection that catches one procedure does not necessarily catch the others, which is why detections are validated against procedures rather than technique names.
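The hierarchy above is machine-readable: MITRE publishes ATT&CK as STIX 2.1 bundles (github.com/mitre-attack/attack-stix-data), where tactics are x-mitre-tactic objects, techniques and sub-techniques are attack-pattern objects, and procedures are “uses” relationships from a group, malware or tool to a technique. The following is an added example, not code from MITRE or from the original page, that builds a tactic/technique/sub-technique/procedure index from a bundle in that shape. The bundle is constructed inline: the object ids are placeholders rather than STIX UUIDs, and “Constructed Group” (G9999) and its procedure text are invented for the demo; the field names are the ones the real bundles use.

```python
"""Added example (not MITRE code): index a constructed ATT&CK-shaped STIX bundle.

Field names follow the real enterprise-attack.json: external_references[] with
source_name 'mitre-attack' carries the ATT&CK id, kill_chain_phases[].phase_name
is the tactic shortname, x_mitre_is_subtechnique marks sub-techniques, and a
'uses' relationship from an intrusion-set to an attack-pattern is a procedure.
"""


def _tactic(oid, name, shortname, ta_id):
    return {"type": "x-mitre-tactic", "id": oid, "name": name,
            "x_mitre_shortname": shortname,
            "external_references": [{"source_name": "mitre-attack", "external_id": ta_id}]}


def _technique(oid, name, t_id, tactics, sub=False):
    return {"type": "attack-pattern", "id": oid, "name": name,
            "x_mitre_is_subtechnique": sub,
            "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": t}
                                  for t in tactics],
            "external_references": [{"source_name": "mitre-attack", "external_id": t_id}]}


# Constructed bundle (ids are placeholders, not STIX UUIDs; G9999 is not a real group).
BUNDLE = {"type": "bundle", "id": "bundle--demo", "objects": [
    _tactic("x-mitre-tactic--lm", "Lateral Movement", "lateral-movement", "TA0008"),
    _tactic("x-mitre-tactic--ca", "Credential Access", "credential-access", "TA0006"),
    _technique("attack-pattern--t1021", "Remote Services", "T1021", ["lateral-movement"]),
    _technique("attack-pattern--t1021-001", "Remote Desktop Protocol", "T1021.001",
               ["lateral-movement"], sub=True),
    _technique("attack-pattern--t1021-004", "SSH", "T1021.004", ["lateral-movement"], sub=True),
    _technique("attack-pattern--t1110", "Brute Force", "T1110", ["credential-access"]),
    {"type": "intrusion-set", "id": "intrusion-set--g9999", "name": "Constructed Group",
     "external_references": [{"source_name": "mitre-attack", "external_id": "G9999"}]},
    # A 'uses' relationship from a group to a technique is a procedure.
    {"type": "relationship", "id": "relationship--r1", "relationship_type": "uses",
     "source_ref": "intrusion-set--g9999", "target_ref": "attack-pattern--t1021-004",
     "description": "Constructed Group moves between Linux hosts over SSH with stolen keys."},
]}


def attack_id(obj):
    """ATT&CK id (T1021.004, TA0008, G9999) from a STIX object's external references."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref["external_id"]
    return None


def build_index(bundle):
    """Return {technique_id: {name, tactics, parent, procedures}} for the bundle."""
    objs = {o["id"]: o for o in bundle["objects"]}
    tactic_ids = {o["x_mitre_shortname"]: attack_id(o)
                  for o in objs.values() if o["type"] == "x-mitre-tactic"}
    index = {}
    for o in objs.values():
        # Real bundles keep revoked/deprecated objects; skip them as ATT&CK tooling does.
        if o["type"] != "attack-pattern" or o.get("revoked") or o.get("x_mitre_deprecated"):
            continue
        tid = attack_id(o)
        index[tid] = {
            "name": o["name"],
            "tactics": [tactic_ids.get(p["phase_name"], p["phase_name"])
                        for p in o.get("kill_chain_phases", [])
                        if p["kill_chain_name"] == "mitre-attack"],
            "parent": tid.split(".")[0] if o.get("x_mitre_is_subtechnique") else None,
            "procedures": [],
        }
    for o in objs.values():
        if o["type"] != "relationship" or o["relationship_type"] != "uses":
            continue
        src, tgt = objs.get(o["source_ref"]), objs.get(o["target_ref"])
        if src and tgt and tgt["type"] == "attack-pattern" and attack_id(tgt) in index:
            index[attack_id(tgt)]["procedures"].append(
                (attack_id(src), src["name"], o.get("description", "")))
    return index


def subtechniques_of(index, parent_id):
    """Sorted sub-technique ids under a parent technique."""
    return sorted(t for t, info in index.items() if info["parent"] == parent_id)


def full_name(index, tid):
    """'Remote Services: SSH' for a sub-technique, the way attack.mitre.org renders it."""
    info = index[tid]
    return f"{index[info['parent']]['name']}: {info['name']}" if info["parent"] else info["name"]


if __name__ == "__main__":
    idx = build_index(BUNDLE)
    for tid in sorted(idx):
        print(tid, full_name(idx, tid), idx[tid]["tactics"], idx[tid]["procedures"])
```

The same code runs unchanged against the real enterprise-attack.json bundle once you json.load it; the only difference is scale (thousands of objects) and the need to honour the revoked and x_mitre_deprecated flags, which the index already skips.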
Matrices
MITRE maintains three matrices for different operational environments, each with its own set of tactics and techniques:
- Enterprise – the most widely used; it covers Windows, Linux and macOS, plus cloud (IaaS, SaaS, identity and office platforms), network devices and containers, and includes the pre-compromise tactics Reconnaissance and Resource Development
- Mobile – Android and iOS
- ICS – Industrial Control Systems
Cloud is a set of platforms within the Enterprise matrix rather than a separate matrix; filtering Enterprise by platform gives the cloud-only view.
Why ATT&CK Matters
Creates Common Language
Before ATT&CK, threat intelligence was fragmented: vendors and teams described the same behavior under different names. Today, threat reports, detection rules and security products reference the same technique IDs (several hundred techniques and sub-techniques in the Enterprise matrix alone), so “T1021.004” means the same thing to a CTI analyst, a detection engineer and a red teamer.
Guides Detection Engineering
Rather than writing detection rules ad hoc, teams use ATT&CK to systematically identify coverage gaps: “Which Lateral Movement sub-techniques do we detect, and which only on paper?” A rule tagged with a technique ID is a claim of coverage, not proof of it; the claim has to be validated against real procedures.
Enables Threat Hunting
Instead of vague hunts for “suspicious activity,” hunters target specific techniques. “Search for evidence of T1087 (Account Discovery).”
Improves Incident Response
When an attack is detected, responders can classify the observed behavior by tactic and technique, look up which techniques typically precede and follow it, and search for those adjacent behaviors instead of only the one that fired.
Supports Red Teaming
Red teams use ATT&CK to systematically test defenses against known attack patterns.
How Security Teams Use ATT&CK
- Threat Profiling – Map threat actors to their known techniques
- Gap Analysis – Identify detection coverage gaps against your threat landscape
- Detection Writing – Create rules targeting specific techniques
- Threat Hunting – Proactively search for technique implementations
- Red Team Exercises – Test defenses against known techniques
- Security Metrics – Track which techniques you can detect and which you cannot
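Gap analysis, detection tagging and coverage metrics from the list above come together in one small workflow: collect the technique IDs your rules claim, compare them with a threat profile, and export the result as an ATT&CK Navigator layer. The following is an added example, not code from MITRE, Navigator or the original page. The threat profile and the detection rules are constructed; the rule tags use the Sigma convention (attack.t1110.001, attack.credential_access). The layer keys (techniqueID, score, comment, gradient, versions, domain) are the Navigator layer format, but the version strings in VERSIONS are assumptions that may need to match your Navigator instance.

```python
"""Added example (not MITRE/Navigator code): coverage gap analysis -> Navigator layer."""
import json
import re

# Sigma-style technique tag: attack.t1110 or attack.t1110.001 (case-insensitive).
TECH_TAG = re.compile(r"^attack\.(t\d{4}(?:\.\d{3})?)$", re.IGNORECASE)

# Constructed threat profile: techniques the groups you care about are known to use.
THREAT_PROFILE = {"T1566.002", "T1110.001", "T1110.003", "T1021.001", "T1021.004", "T1087.002"}

# Constructed detection rules with Sigma-style ATT&CK tags.
RULES = [
    {"title": "Spearphishing link click", "tags": ["attack.initial_access", "attack.t1566.002"]},
    {"title": "SSH password guessing burst", "tags": ["attack.credential_access", "attack.t1110.001"]},
    {"title": "Remote services lateral movement (generic)", "tags": ["attack.lateral_movement", "attack.t1021"]},
    {"title": "Domain account enumeration", "tags": ["attack.discovery", "attack.t1087.002"]},
]


def techniques_from_rules(rules):
    """Set of technique/sub-technique ids the rules claim via their tags."""
    claimed = set()
    for rule in rules:
        for tag in rule["tags"]:
            m = TECH_TAG.match(tag)
            if m:
                claimed.add(m.group(1).upper())
    return claimed


def coverage(profile, rules):
    """Classify each profile technique as 'covered', 'partial' or 'gap'.

    'partial' is a sub-technique for which only the parent technique is tagged:
    a generic T1021 rule may or may not see SSH, so it does not count as T1021.004
    coverage until someone has validated it against an SSH procedure.
    """
    claimed = techniques_from_rules(rules)
    result = {"covered": set(), "partial": set(), "gap": set()}
    for tid in profile:
        parent = tid.split(".")[0]
        if tid in claimed:
            result["covered"].add(tid)
        elif "." in tid and parent in claimed:
            result["partial"].add(tid)
        else:
            result["gap"].add(tid)
    return result


SCORE = {"gap": 0, "partial": 1, "covered": 2}
# Assumption: adjust to the ATT&CK/Navigator versions your instance runs.
VERSIONS = {"attack": "15", "navigator": "5.0.0", "layer": "4.5"}


def navigator_layer(result, name="Detection coverage vs threat profile"):
    """Build a Navigator layer dict; json.dumps it and load it via 'Open Existing Layer'."""
    techniques = []
    for status, ids in result.items():
        for tid in sorted(ids):
            techniques.append({"techniqueID": tid, "score": SCORE[status],
                               "comment": status, "enabled": True})
    return {
        "name": name, "versions": VERSIONS, "domain": "enterprise-attack",
        "description": "0 = gap, 1 = partial (parent-only rule), 2 = covered",
        "gradient": {"colors": ["#ff6666", "#ffe766", "#8ec843"], "minValue": 0, "maxValue": 2},
        "techniques": sorted(techniques, key=lambda t: t["techniqueID"]),
    }


if __name__ == "__main__":
    res = coverage(THREAT_PROFILE, RULES)
    for status in ("gap", "partial", "covered"):
        print(f"{status:8s} {sorted(res[status])}")
    print(json.dumps(navigator_layer(res), indent=2))
```

Running it shows T1110.003 (Password Spraying) as the outright gap and both T1021 sub-techniques as partial because only a generic Remote Services rule exists. The partial bucket is the one worth arguing about in a coverage review: a team that counts parent-level tags as full coverage will report a greener matrix than it has.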
Example: Using ATT&CK
A healthcare organization observes phishing attempts targeting their staff.
ATT&CK Analysis:
- Initial vector = T1566.002 (Phishing: Spearphishing Link)
- Likely follow-ups = T1110 (Brute Force, a Credential Access technique) and T1021 (Remote Services, a Lateral Movement technique)
Actions:
- Enable and validate detection rules for T1110 and T1021 and the relevant sub-techniques (for example T1110.001 Password Guessing, T1021.004 SSH)
- Conduct threat hunts for these techniques
- Red team tests the phishing → credential brute force → lateral movement chain end to end
Result: when a phishing link does succeed, the follow-on steps already have detections in place, and those detections have been exercised against a realistic procedure rather than assumed to work.
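What “activate detection rules for T1110” looks like in practice is shown by the following added example, which is not code from the original page. It runs a small Brute Force detector over constructed sshd authentication log lines and emits alerts tagged with the ATT&CK tactic and sub-technique (T1110.001 Password Guessing vs T1110.003 Password Spraying), plus a pointer to the hunt that follows a successful brute force over SSH (T1021.004). Hosts, addresses and log lines are constructed; the window and thresholds are assumptions to be tuned per environment.

```python
"""Added example (not from the original page): T1110 detector over constructed sshd logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd auth log lines (ISO timestamps for easy parsing; not real data).
SAMPLE_LOG = [
    # Password guessing: one account hammered from one source, then a success.
    "2024-05-01T10:00:01Z web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51001 ssh2",
    "2024-05-01T10:00:03Z web1 sshd[2102]: Failed password for invalid user admin from 203.0.113.5 port 51002 ssh2",
    "2024-05-01T10:00:05Z web1 sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 51003 ssh2",
    "2024-05-01T10:00:07Z web1 sshd[2104]: Failed password for invalid user admin from 203.0.113.5 port 51004 ssh2",
    "2024-05-01T10:00:09Z web1 sshd[2105]: Failed password for invalid user admin from 203.0.113.5 port 51005 ssh2",
    "2024-05-01T10:00:11Z web1 sshd[2106]: Failed password for alice from 203.0.113.5 port 51006 ssh2",
    "2024-05-01T10:00:20Z web1 sshd[2107]: Accepted password for alice from 203.0.113.5 port 51007 ssh2",
    # Password spraying: one attempt each against many accounts from one source.
    "2024-05-01T10:05:00Z web1 sshd[2200]: Failed password for bob from 198.51.100.7 port 40001 ssh2",
    "2024-05-01T10:05:01Z web1 sshd[2201]: Failed password for carol from 198.51.100.7 port 40002 ssh2",
    "2024-05-01T10:05:02Z web1 sshd[2202]: Failed password for dave from 198.51.100.7 port 40003 ssh2",
    "2024-05-01T10:05:03Z web1 sshd[2203]: Failed password for erin from 198.51.100.7 port 40004 ssh2",
    "2024-05-01T10:05:04Z web1 sshd[2204]: Failed password for frank from 198.51.100.7 port 40005 ssh2",
    # A single typo from a legitimate user: below threshold, no alert.
    "2024-05-01T11:00:00Z web1 sshd[2300]: Failed password for grace from 192.0.2.9 port 30001 ssh2",
    "2024-05-01T11:00:04Z web1 sshd[2301]: Accepted password for grace from 192.0.2.9 port 30002 ssh2",
]

LINE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
                  r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")

WINDOW = timedelta(minutes=5)   # assumption: tune per environment
THRESHOLD = 5                   # failures per source within WINDOW before alerting
SPRAY_USERS = 3                 # distinct accounts that make it spraying rather than guessing


def parse(lines):
    """Parse sshd password auth lines into dicts; unrelated lines are ignored."""
    events = []
    for line in lines:
        m = LINE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(ev)
    return events


def detect(events):
    """Sliding-window brute force detection, one alert per source plus one per success."""
    recent = defaultdict(list)   # ip -> [(ts, user)] failures inside WINDOW
    alerted, alerts = set(), []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ip, ts = ev["ip"], ev["ts"]
        recent[ip] = [(t, u) for t, u in recent[ip] if ts - t <= WINDOW]
        if ev["result"] == "Failed":
            recent[ip].append((ts, ev["user"]))
            if len(recent[ip]) >= THRESHOLD and ip not in alerted:
                users = sorted({u for _, u in recent[ip]})
                spraying = len(users) >= SPRAY_USERS
                alerts.append({
                    "ts": ts.isoformat(), "host": ev["host"], "source": ip, "users": users,
                    "tactic": "TA0006 Credential Access",
                    "technique": "T1110.003" if spraying else "T1110.001",
                    "name": "Brute Force: " + ("Password Spraying" if spraying else "Password Guessing"),
                })
                alerted.add(ip)
        elif ev["result"] == "Accepted" and len(recent[ip]) >= THRESHOLD:
            # The source that was brute forcing got in, possibly as a different account.
            alerts.append({
                "ts": ts.isoformat(), "host": ev["host"], "source": ip, "user": ev["user"],
                "tactic": "TA0006 Credential Access", "technique": "T1110",
                "name": f"Brute Force succeeded as {ev['user']}",
                "next_hunt": f"T1021.004 Remote Services: SSH from {ev['host']} as {ev['user']}",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

The alert on a successful login after a run of failures is the one that matters for the chain in the example: it is the hand-off from Credential Access to Lateral Movement, and its next_hunt field tells the analyst which technique to look for next instead of leaving them with a generic “suspicious login”.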
Accessing ATT&CK
- Website: attack.mitre.org
- ATT&CK Navigator: visualize coverage and gaps as colored layers over a matrix; layers are JSON files, so they can be generated from your own tooling
- Machine-readable data: STIX 2.1 bundles at github.com/mitre-attack/attack-stix-data, the source most integrations build on
- Integrations: most security platforms (SIEM, EDR, threat intel) include ATT&CK mappings