🧠 What Is the MITRE ATT&CK Framework?
MITRE ATT&CK (Adversarial Tactics, Techniques & Common Knowledge) is a globally accessible knowledge base of cyber adversary behaviour. Maintained by MITRE, it helps security teams understand how attackers operate—and more importantly, how to detect and respond to those behaviours.
Rather than focusing on tools or malware, ATT&CK focuses on the techniques attackers use, mapped across real-world observations and threat intelligence.
🏛️ How It’s Organised
The framework is structured like a matrix, with tactics along the top (the “why”) and techniques beneath each one (the “how”).
🔹 Tactics: The Adversary’s Goals
Each column in the matrix represents a tactic—a stage in an attacker’s objective. Common tactics include:
- Initial Access – Gaining a foothold (e.g. phishing)
- Execution – Running malicious code
- Persistence – Maintaining access
- Privilege Escalation – Gaining higher permissions
- Defense Evasion – Avoiding detection
- Credential Access – Stealing usernames/passwords
- Discovery – Mapping out the environment
- Lateral Movement – Moving through the network
- Command and Control – Communicating with compromised systems
- Exfiltration – Stealing data
- Impact – Disrupting or destroying operations (e.g. ransomware)
🔸 Techniques: The Methods
Each tactic has techniques, which describe how adversaries accomplish their goal. For example:
- Under Initial Access, you might see:
  - Phishing (T1566)
  - Drive-by Compromise (T1189)
Each technique may also have sub-techniques, detailing more specific variants.
🧰 Use Cases for MITRE ATT&CK
| Use Case | Description |
|---|---|
| Threat Detection | Map log and alert data to techniques to identify malicious behaviour |
| Threat Hunting | Search for specific TTPs across systems |
| Red Team Planning | Simulate realistic attacker behaviour |
| Blue Team Defence | Improve detection rules and SIEM coverage |
| Gap Analysis | Evaluate where defences are strong or lacking |
| Adversary Emulation | Recreate known attacker profiles for testing |
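As an added illustration of the Threat Detection and Gap Analysis rows above (example code written for this page, not MITRE's or the author's), the script below maps SIEM-style alerts to technique IDs, rolls sub-technique IDs up to their parent, and reports per-tactic coverage. The technique catalogue is a constructed three-entry subset of the Enterprise matrix (T1566 and T1189 from the page, plus T1078 Valid Accounts because it sits under several tactics at once), and the alert records and the `T9999` ID are constructed placeholders.

```python
from collections import defaultdict

# Constructed subset of the Enterprise matrix: technique ID -> (name, tactics).
# T1078 is listed under four tactics, so the roll-up below must count it in each.
TECHNIQUES = {
    "T1566": ("Phishing", ["Initial Access"]),
    "T1189": ("Drive-by Compromise", ["Initial Access"]),
    "T1078": ("Valid Accounts", ["Initial Access", "Persistence",
                                 "Privilege Escalation", "Defense Evasion"]),
}

def parent_technique(tid):
    """'T1566.001' -> 'T1566'; a top-level ID is returned unchanged."""
    return tid.split(".")[0]

def map_alerts(alerts):
    """Group alert records by parent technique.

    Returns ({technique_id: [rule names]}, [rules with no catalogue match]).
    Sub-technique tags are rolled up so they count toward the parent technique."""
    mapped, unknown = defaultdict(list), []
    for alert in alerts:
        tid = parent_technique(alert["technique"])
        if tid in TECHNIQUES:
            mapped[tid].append(alert["rule"])
        else:
            unknown.append(alert["rule"])
    return dict(mapped), unknown

def tactic_coverage(mapped):
    """Gap analysis: per tactic, (techniques with >=1 alert, techniques in catalogue)."""
    covered, total = defaultdict(set), defaultdict(set)
    for tid, (_, tactics) in TECHNIQUES.items():
        for tactic in tactics:
            total[tactic].add(tid)
            if tid in mapped:
                covered[tactic].add(tid)
    return {t: (len(covered[t]), len(total[t])) for t in total}

ALERTS = [  # constructed sample alerts, not real telemetry; T9999 is a placeholder
    {"rule": "Suspicious attachment opened", "technique": "T1566.001"},
    {"rule": "Logon from new country", "technique": "T1078"},
    {"rule": "Unmapped legacy rule", "technique": "T9999"},
]

if __name__ == "__main__":
    mapped, unknown = map_alerts(ALERTS)
    for tactic, (hit, n) in sorted(tactic_coverage(mapped).items()):
        print(f"{tactic:22} {hit}/{n} techniques with a detection")
    print("no ATT&CK mapping:", unknown)
```

Rules that land in the `unknown` list are the first thing to fix in a real gap analysis, since an untagged detection cannot be counted toward any tactic.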
🔄 ATT&CK vs Cyber Kill Chain
While both frameworks describe attacker behaviour, MITRE ATT&CK is more detailed and tactic-driven, while the Cyber Kill Chain focuses on high-level phases. They work well together:
- Use the Kill Chain for high-level strategy
- Use ATT&CK for tactical detection, hunting, and emulation
🔍 Where to Start
- Visit the MITRE ATT&CK Matrix here: 🔗 https://attack.mitre.org/matrices/enterprise/
- Explore specific threat actor profiles: 🔗 https://attack.mitre.org/groups/
- Use free tools like:
  - MITRE ATT&CK Navigator – Interactive matrix visualisation
  - Atomic Red Team – Open source test cases for techniques
  - Caldera – Automated adversary emulation from MITRE
✅ Summary
The MITRE ATT&CK Framework empowers security teams to think like attackers—and to detect, disrupt, and prevent their techniques more effectively.
🧠 Don’t just know you’re being attacked—understand how and why.