The MITRE ATT&CK Framework: A Complete Guide for Security Teams
The MITRE ATT&CK Framework has become the de facto standard for threat intelligence professionals, security analysts, and incident responders worldwide. Whether you're hunting for adversary tactics in your network, validating your security controls, or investigating a breach, understanding MITRE ATT&CK is essential for modern security operations. This comprehensive guide will show you how to master this powerful framework.
What is the MITRE ATT&CK Framework?
MITRE ATT&CK (Adversarial Tactics, Techniques & Common Knowledge) is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. It documents how threat actors behave and what methods they use at each stage of a cyber attack.
The framework was developed by MITRE Corporation, a not-for-profit organization, using data from thousands of security research reports, threat intelligence publications, and incident investigations. It provides a structured, standardized vocabulary for discussing cyber threats.
MITRE ATT&CK includes:
- Tactics: The "why"—objectives attackers are trying to achieve
- Techniques: The "how"—specific methods used to achieve those objectives
- Sub-techniques: Specific variations of techniques with more granular detail
- Procedures: Actual implementations of techniques by specific threat actors
- Mitigations: Actions organizations can take to prevent or reduce impact
- Detection: Methods to identify when a technique is being used
Multiple MITRE ATT&CK matrices exist for different domains: Enterprise (covering Windows, Linux, macOS, cloud, network), Mobile (iOS and Android), and ICS (Industrial Control Systems).
The Kill Chain: Tactics and the Phases of Attack
MITRE ATT&CK organizes tactics into a logical progression that represents the phases of a cyber attack:
| Tactic | Description |
|---|---|
| Reconnaissance | Gathering information about targets (scanning networks, researching employees) |
| Resource Development | Acquiring resources for the attack (registering domains, obtaining infrastructure) |
| Initial Access | Getting into the network (phishing, exploiting vulnerabilities) |
| Execution | Running malicious code on target systems |
| Persistence | Maintaining access to systems (creating backdoors, installing rootkits) |
| Privilege Escalation | Gaining higher access levels on systems |
| Defense Evasion | Hiding from detection systems (disabling antivirus, clearing logs) |
| Credential Access | Stealing usernames and passwords |
| Discovery | Learning about the target's systems and environment |
| Lateral Movement | Moving from one system to another |
| Collection | Gathering data from the network |
| Command & Control | Communicating with compromised systems |
| Exfiltration | Stealing data out of the network |
| Impact | Disrupting or destroying systems and data |
Understanding these phases is crucial because it helps you understand not just what an attacker is doing, but why they're doing it.
Techniques and Sub-Techniques: The Granular Details
While tactics answer the question "what is the attacker trying to achieve," techniques answer "how are they doing it?"
For example, under the Execution tactic, there are many techniques:
- T1059 Command and Scripting Interpreter—Executing code through command line or scripting (PowerShell, Bash, Python, etc.)
- T1106 Native API—Using operating system APIs directly
- T1053 Scheduled Task/Job—Establishing persistence through scheduled execution
- T1204 User Execution—Tricking users into executing malicious code
Each technique includes a 5-character alphanumeric code (like T1059) for easy reference. Sub-techniques add further specificity. For example, T1059 has sub-techniques like:
- T1059.001 PowerShell—Using PowerShell specifically
- T1059.002 AppleScript—Using AppleScript on macOS
- T1059.003 Windows Command Shell—Using cmd.exe
- T1059.004 Unix Shell—Using bash or other Unix shells
Real-World APT Mapping: Lazarus Group Example
One of the most valuable uses of MITRE ATT&CK is mapping threat actor behavior to specific techniques. Let's examine Lazarus Group, a North Korean APT group known for major attacks like Sony Pictures (2014), Bangladesh Bank heist (2016), and WannaCry ransomware (2017).
Lazarus Group attack chain mapped to MITRE ATT&CK:
- Reconnaissance (T1592)—Gathering information about targets through social engineering, employee research
- Initial Access (T1566)—Phishing emails with malicious attachments or links
- Execution (T1566.002)—User opens attachment that executes malicious code
- Persistence (T1547)—Implant modified OS boot processes to maintain access
- Privilege Escalation (T1134)—Token impersonation to gain higher privileges
- Defense Evasion (T1140)—Deobfuscating/decoding obfuscated code
- Credential Access (T1110)—Brute force attacks on exposed credentials
- Lateral Movement (T1570)—Using legitimate administrative tools and credentials to move laterally
- Collection (T1005)—Collecting data from local systems
- Exfiltration (T1041)—Data exfiltration over command and control channel
This mapping helps security teams understand exactly how Lazarus Group operates and lets them hunt for the behaviours, and the indicators of compromise (IOCs) associated with them, that correspond to each Lazarus technique.
APT29 (Cozy Bear) Techniques
APT29, attributed to Russian foreign intelligence, is known for sophisticated espionage operations. Their characteristic techniques include:
- Living off the Land (T1218): Using legitimate Windows tools (PowerShell, WMI, reg.exe) for malicious purposes
- Defense Evasion (T1197): Using BITS (Background Intelligent Transfer Service) for covert data exfiltration
- Signed Binary Proxy Execution (T1218.009): Using legitimate signed Windows binaries to execute code
- Multi-Stage Attacks: Delivering payloads in multiple stages to evade detection
Using MITRE ATT&CK for Threat Hunting
Threat hunting involves proactively searching for evidence of adversary activity. MITRE ATT&CK provides a structured framework for hunting:
Step 1: Select a Tactic or Technique
Choose a high-value tactic or technique that aligns with your organization's risk profile. For example, if you're concerned about data exfiltration, focus on the Exfiltration tactic.
Step 2: Develop Detections
For each technique, identify how it could be detected in your environment. Example for T1041 (Exfiltration Over C2 Channel):
```text
// Threat Hunt Query
// Look for unusual outbound connections to known malicious IPs
event.category:network_traffic AND
destination.ip:(badip1 OR badip2 OR badip3) AND
NOT (process.name:outlook.exe OR process.name:slack.exe)
```
Step 3: Hunt for Evidence
Query your SIEM, EDR platform, or logs for evidence of the technique being used. Use MITRE ATT&CK sub-techniques to be specific.
Step 4: Validate Findings
Determine if findings represent actual threats or false positives. Document results and update detection rules.
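The four steps above, carried through as a worked example. This is code written for this article, not MITRE's tooling or any SIEM vendor's query engine: it applies the Step 2 query as plain Python to a handful of constructed ECS-style JSON events instead of a live SIEM, tags every hit with the ATT&CK tactic and technique, and ranks the hits so Step 4 (validation) starts from the most significant transfer. The IP watchlist (documentation ranges), the process allowlist and the sample events are all made-up inputs.

```python
"""T1041 hunt as code: query -> tagged hits -> triage (example for this article)."""
import json
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed watchlist: RFC 5737 documentation ranges stand in for "known bad" IPs.
WATCHLIST = [ip_network("203.0.113.0/24"), ip_network("198.51.100.7/32")]
# Processes that are expected to reach the internet; tuned per environment.
ALLOWLIST = {"outlook.exe", "slack.exe"}

# Constructed sample telemetry, one JSON event per line, ECS-like field names.
SAMPLE_LOG = """
{"event":{"category":"network_traffic"},"process":{"name":"outlook.exe"},"destination":{"ip":"203.0.113.10"},"network":{"bytes":4100}}
{"event":{"category":"network_traffic"},"process":{"name":"svchost.exe"},"destination":{"ip":"203.0.113.10"},"network":{"bytes":52000000}}
{"event":{"category":"network_traffic"},"process":{"name":"svchost.exe"},"destination":{"ip":"10.0.0.5"},"network":{"bytes":900}}
{"event":{"category":"process"},"process":{"name":"powershell.exe"},"destination":{"ip":"198.51.100.7"}}
{"event":{"category":"network_traffic"},"process":{"name":"curl.exe"},"destination":{"ip":"198.51.100.7"},"network":{"bytes":7300000}}
"""


def parse_events(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def on_watchlist(ip):
    """True when the address falls inside any watchlisted network."""
    addr = ip_address(ip)
    return any(addr in net for net in WATCHLIST)


def hunt_t1041(events):
    """Step 2 query as code: network events to a watchlisted IP from a process
    that is not allowlisted. Each hit carries its ATT&CK tags (Step 3)."""
    hits = []
    for ev in events:
        if ev.get("event", {}).get("category") != "network_traffic":
            continue
        proc = ev.get("process", {}).get("name", "")
        dst = ev.get("destination", {}).get("ip", "")
        if not dst or not on_watchlist(dst) or proc in ALLOWLIST:
            continue
        hits.append({"process": proc, "dst": dst,
                     "bytes": ev.get("network", {}).get("bytes", 0),
                     "tactic": "TA0010", "technique": "T1041"})
    return hits


def triage(hits, bulk_threshold=1_000_000):
    """Step 4 helper: rank hits by bytes sent so large transfers are reviewed
    first, and count hits per process so a single benign process generating
    most of them (a false-positive candidate) stands out."""
    ranked = sorted(hits, key=lambda h: h["bytes"], reverse=True)
    return {"ranked": ranked,
            "per_process": Counter(h["process"] for h in hits),
            "bulk_transfers": [h for h in ranked if h["bytes"] >= bulk_threshold]}


if __name__ == "__main__":
    result = triage(hunt_t1041(parse_events(SAMPLE_LOG)))
    for h in result["ranked"]:
        print(f"{h['technique']} {h['process']:<14} -> {h['dst']:<15} {h['bytes']:>10} B")
```

Run against the sample, the allowlisted outlook.exe connection and the internal 10.0.0.5 connection drop out, the process-category event is ignored, and the two remaining hits are ranked with the 52 MB svchost.exe transfer first. In a real hunt the same structure applies: the query narrows, the tags make the finding shareable in ATT&CK terms, and the triage step is where false positives are removed before a detection rule is updated.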
Defense Gap Analysis Using MITRE ATT&CK
Use MITRE ATT&CK to identify gaps in your security posture:
- Coverage Assessment: For each tactic/technique, determine if you have detection and mitigation capabilities
- Threat-Based Prioritization: Prioritize defending against techniques used by threats most relevant to your industry and organization
- Control Validation: Map your existing security controls to MITRE ATT&CK techniques to ensure comprehensive coverage
- Purple Team Exercises: Use MITRE ATT&CK to guide red team operations and validate blue team defenses
MITRE ATT&CK Scoring and Assessments
Modern security tools can assess your organization's coverage against MITRE ATT&CK techniques. These assessments provide:
- Coverage Percentage: What percentage of MITRE ATT&CK techniques you can detect or prevent
- Gap Analysis: Specific techniques where you lack detection capabilities
- Prioritized Remediation: Guidance on which gaps to address first based on threat relevance
- Progress Tracking: Measuring security posture improvement over time
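The coverage assessment, threat-based prioritisation and coverage percentage described in the two sections above, as an added worked example. It is written for this article and is not MITRE's code or the output of any assessment product: it scores a constructed inventory of detection rules against a constructed set of in-scope techniques, rolls sub-technique rules up to their parent technique, orders the gaps so that techniques used by a tracked threat come first, and emits an ATT&CK Navigator layer so the result can be loaded into the Navigator tool. The technique IDs are ATT&CK IDs that appear in this article; the rule names, the "relevant threat" list and the version numbers in the layer header are assumptions made for the example.

```python
"""Coverage scoring, gap prioritisation and Navigator layer export (example for this article)."""
import json
import re

TECHNIQUE_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")


def parent_of(tid):
    """Validate an ATT&CK technique ID and return its parent technique:
    a sub-technique such as T1059.001 rolls up to T1059; T1059 returns itself."""
    if not TECHNIQUE_ID.match(tid):
        raise ValueError(f"not an ATT&CK technique ID: {tid!r}")
    return tid.split(".")[0]


# Constructed scope: the Execution techniques listed in the article plus a few
# from the Lazarus mapping, with the Navigator tactic shortname of each.
SCOPE = {"T1059": "execution", "T1106": "execution", "T1053": "execution",
         "T1204": "execution", "T1547": "persistence", "T1140": "defense-evasion",
         "T1110": "credential-access", "T1041": "exfiltration"}
# Constructed detection inventory: rule name -> technique IDs the rule covers.
RULES = {"ps_encoded_cmd": ["T1059.001"], "schtasks_create": ["T1053.005"],
         "c2_bulk_outbound": ["T1041"], "runkey_write": ["T1547.001"]}
# Constructed "relevant threat" list: techniques a tracked group is known to use.
THREAT_TECHNIQUES = {"T1059", "T1204", "T1547", "T1110"}


def coverage(scope=SCOPE, rules=RULES, threat=THREAT_TECHNIQUES):
    """Coverage assessment: which in-scope techniques have at least one rule
    (a rule for a sub-technique counts toward the parent), which are gaps,
    and which gaps matter most because a relevant threat uses them."""
    covered = {}
    for name, tids in rules.items():
        for tid in tids:
            covered.setdefault(parent_of(tid), []).append(name)
    covered = {t: r for t, r in covered.items() if t in scope}
    gaps = sorted(t for t in scope if t not in covered)
    # Gaps used by the tracked threat sort first; False < True in the key.
    prioritised = sorted(gaps, key=lambda t: (t not in threat, t))
    pct = round(100 * len(covered) / len(scope), 1)
    return {"percent": pct, "covered": covered, "gaps": gaps,
            "prioritised_gaps": prioritised}


def navigator_layer(report, scope=SCOPE, name="coverage-example"):
    """Build an ATT&CK Navigator layer: score 1 for covered techniques and 0
    for gaps, so the Navigator's colour gradient shows the gaps at a glance."""
    techniques = []
    for tid, tactic in scope.items():
        rules = report["covered"].get(tid, [])
        techniques.append({"techniqueID": tid, "tactic": tactic,
                           "score": 1 if rules else 0,
                           "comment": ", ".join(rules) or "GAP"})
    return {"name": name, "domain": "enterprise-attack",
            # Assumed versions; set them to match the Navigator build you load into.
            "versions": {"attack": "14", "navigator": "4.9", "layer": "4.5"},
            "techniques": techniques,
            "gradient": {"colors": ["#ff6666", "#8ec843"], "minValue": 0, "maxValue": 1}}


if __name__ == "__main__":
    rep = coverage()
    print(f"coverage: {rep['percent']}%  gaps, most relevant first: {rep['prioritised_gaps']}")
    print(json.dumps(navigator_layer(rep), indent=2))
```

With the sample inventory, four of the eight in-scope techniques have a rule (50% coverage) and the gap list comes back as T1110 and T1204 first, because the tracked threat uses them, followed by T1106 and T1140. Re-running the same script each quarter against the current rule inventory is the simplest form of the progress tracking mentioned above.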
Implementing MITRE ATT&CK in Your Organization
For Security Leaders
Use MITRE ATT&CK as the framework for:
- Defining security requirements and capabilities
- Communicating with executives about security gaps
- Prioritizing security investments
- Evaluating security tools and vendors
For Incident Responders
During investigations:
- Map observed attacker behavior to specific MITRE ATT&CK techniques
- Identify the threat actor (or threat actor profile) based on technique usage
- Understand the attacker's likely next steps based on typical kill chains
- Share findings using MITRE ATT&CK terminology for consistency
For Threat Intelligence Analysts
Standardize threat reporting:
- Document threat actor capabilities using MITRE ATT&CK techniques
- Compare threat actors based on shared techniques
- Track evolution of threat actor behavior over time
- Identify emerging threats based on new technique usage
Tools for Working with MITRE ATT&CK
Several tools help integrate MITRE ATT&CK into your security operations:
- MITRE ATT&CK Navigator: Visual tool to view and annotate techniques (github.com/mitre-attack/attack-navigator)
- Atomic Red Team: Framework for executing tests mapped to MITRE ATT&CK techniques
- Caldera: Adversary emulation platform with MITRE ATT&CK mappings
- STIX/TAXII: Standards for threat intelligence sharing using MITRE ATT&CK mappings
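ATT&CK itself is distributed as STIX 2.1 bundles, which is what makes the STIX/TAXII entry above practical: the same parser that reads your threat-intel feed can read the framework. The parser below is an added example written for this article, not MITRE's own tooling. The bundle it reads is a constructed miniature that copies the field layout of the real ATT&CK STIX export (attack-pattern objects carrying the technique ID in an external reference and the tactic in a kill-chain phase, an intrusion-set object for a group, and "uses" relationships between them); the object UUIDs are made up, and the group ID is shown as a sample. Revoked or deprecated objects are skipped, which matters because the real bundle retains them.

```python
"""Extract techniques, tactics and group-to-technique relationships from an
ATT&CK-style STIX 2.1 bundle (example for this article)."""
import json

# Constructed miniature of the ATT&CK STIX layout; UUIDs are placeholders.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "attack-pattern", "id": "attack-pattern--00000000-0000-4000-8000-000000000010",
         "name": "Command and Scripting Interpreter", "x_mitre_is_subtechnique": False,
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "execution"}],
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1059",
                                  "url": "https://attack.mitre.org/techniques/T1059"}]},
        {"type": "attack-pattern", "id": "attack-pattern--00000000-0000-4000-8000-000000000011",
         "name": "PowerShell", "x_mitre_is_subtechnique": True,
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "execution"}],
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1059.001"}]},
        {"type": "attack-pattern", "id": "attack-pattern--00000000-0000-4000-8000-000000000012",
         "name": "Exfiltration Over C2 Channel", "x_mitre_is_subtechnique": False,
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "exfiltration"}],
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1041"}]},
        # Placeholder revoked technique: the real bundle keeps such objects, so skip them.
        {"type": "attack-pattern", "id": "attack-pattern--00000000-0000-4000-8000-000000000013",
         "name": "Placeholder Revoked Technique", "revoked": True,
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "execution"}],
         "external_references": [{"source_name": "mitre-attack", "external_id": "T0000"}]},
        {"type": "intrusion-set", "id": "intrusion-set--00000000-0000-4000-8000-000000000020",
         "name": "Lazarus Group",
         "external_references": [{"source_name": "mitre-attack", "external_id": "G0032"}]},
        {"type": "relationship", "relationship_type": "uses",
         "id": "relationship--00000000-0000-4000-8000-000000000030",
         "source_ref": "intrusion-set--00000000-0000-4000-8000-000000000020",
         "target_ref": "attack-pattern--00000000-0000-4000-8000-000000000011"},
        {"type": "relationship", "relationship_type": "uses",
         "id": "relationship--00000000-0000-4000-8000-000000000031",
         "source_ref": "intrusion-set--00000000-0000-4000-8000-000000000020",
         "target_ref": "attack-pattern--00000000-0000-4000-8000-000000000012"},
    ]})


def attack_id(obj):
    """Return the ATT&CK external ID (T..., G..., S...) of a STIX object, or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def is_live(obj):
    """Skip objects the bundle marks as revoked or deprecated."""
    return not obj.get("revoked", False) and not obj.get("x_mitre_deprecated", False)


def parse_bundle(text):
    """Index live techniques and groups by STIX id, then resolve 'uses'
    relationships into a group ID -> technique IDs map."""
    bundle = json.loads(text)
    techniques, groups, uses = {}, {}, {}
    for obj in bundle["objects"]:
        if not is_live(obj):
            continue
        if obj["type"] == "attack-pattern":
            tactics = [p["phase_name"] for p in obj.get("kill_chain_phases", [])
                       if p.get("kill_chain_name") == "mitre-attack"]
            techniques[obj["id"]] = {"id": attack_id(obj), "name": obj["name"], "tactics": tactics,
                                     "subtechnique": obj.get("x_mitre_is_subtechnique", False)}
        elif obj["type"] == "intrusion-set":
            groups[obj["id"]] = {"id": attack_id(obj), "name": obj["name"]}
    for obj in bundle["objects"]:
        if (obj["type"] == "relationship" and obj.get("relationship_type") == "uses"
                and is_live(obj) and obj["source_ref"] in groups and obj["target_ref"] in techniques):
            uses.setdefault(groups[obj["source_ref"]]["id"], []).append(techniques[obj["target_ref"]]["id"])
    return {"techniques": techniques, "groups": groups, "uses": uses}


def techniques_for_group(parsed, group_id):
    """Sorted technique IDs a group is recorded as using (input for gap prioritisation)."""
    return sorted(parsed["uses"].get(group_id, []))


def techniques_by_tactic(parsed, tactic):
    """Sorted technique IDs attached to a tactic shortname such as 'execution'."""
    return sorted(t["id"] for t in parsed["techniques"].values() if tactic in t["tactics"])


if __name__ == "__main__":
    parsed = parse_bundle(SAMPLE_BUNDLE)
    print("execution techniques:", techniques_by_tactic(parsed, "execution"))
    print("G0032 uses:", techniques_for_group(parsed, "G0032"))
```

The same functions work unchanged on the full enterprise-attack bundle, since the object types and field names are the ones ATT&CK publishes; the only practical difference is size, which is why the group-to-technique map is built from relationships in a second pass rather than by scanning for each group.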
The Future of MITRE ATT&CK
MITRE ATT&CK continues to evolve as new attack techniques emerge. Recent additions include:
- Cloud Techniques: Expanded coverage of cloud-native attacks (AWS, Azure, GCP)
- Mobile Techniques: Comprehensive iOS and Android attack coverage
- ICS Techniques: Industrial control system specific attacks
- Container/Kubernetes Attacks: Growing coverage of containerized environment attacks
Security teams should regularly review new MITRE ATT&CK additions and evaluate their applicability to their organizations.
Operationalize MITRE ATT&CK in Your Environment
CYBERDUDEBIVASH AI Security Hub provides MITRE ATT&CK-mapped threat detection and incident response capabilities, helping your team hunt threats and respond to attacks using a standardized framework.