What is the MITRE ATT&CK Framework?

by | Aug 5, 2025 | Cybersecurity

Table of Contents
2
3

What is the MITRE ATT&CK Framework?

The MITRE ATT&CK framework is a globally recognized knowledge base that captures the tactics and techniques used by cyber adversaries across different platforms. Created by the MITRE Corporation, it offers a structured approach to understanding how attacks unfold post-compromise and is widely used by security teams for detection, threat hunting, and adversary emulation.

In cybersecurity, precision matters. While malware signatures and static indicators of compromise have long played a role in defense, ATT&CK shifts the focus to behavior—how attackers interact with systems once they’ve gained access. This behavior-centric model allows defenders to build resilience, detect attacks earlier, and develop responses that map directly to attacker intent and capabilities.

History of MITRE ATT&CK Framework

Introduced in 2013, the ATT&CK framework started as a research project within MITRE to document post-compromise adversary behavior in Windows environments. The name “ATT&CK” stands for Adversarial Tactics, Techniques, and Common Knowledge, and it emerged from MITRE’s FORTRESS lab environment. The initial goal was to create a repeatable, data-driven model for behavior-based detection.

Over time, the framework evolved significantly, driven by real-world observations and input from the global security community. It expanded to include multiple operating systems (macOS, Linux), mobile platforms (iOS, Android), and more recently, cloud services (AWS, Azure, GCP) and industrial control systems (ICS). Today, ATT&CK serves as a universal language in cybersecurity—used by blue teams, red teams, threat intel analysts, and even CISOs.

MITRE ATT&CK Tactics and Their Role in Security Intelligence

Tactics in ATT&CK are the “why” of an attack—the adversary’s objectives at different stages of an operation. They represent the highest level of abstraction in the matrix and form the columns in the Enterprise Matrix.

Here are the 14 core tactics:

  1. Reconnaissance
  2. Resource Development
  3. Initial Access
  4. Execution
  5. Persistence
  6. Privilege Escalation
  7. Defense Evasion
  8. Credential Access
  9. Discovery
  10. Lateral Movement
  11. Collection
  12. Command and Control (C2)
  13. Exfiltration
  14. Impact

Understanding these stages allows defenders to:

  • Map detections to attacker goals
  • Structure alerts in context
  • Anticipate the next move

MITRE ATT&CK Techniques

Techniques are the “how”—the specific actions taken by attackers to achieve a tactic. Each technique can have one or more sub-techniques, providing a deeper layer of granularity.

Example:

  • Tactic: Credential Access
  • Technique: Credential Dumping (T1003)
  • Sub-techniques:
    • LSASS Memory (T1003.001)
    • DCSync (T1003.006)

There are currently hundreds of techniques and sub-techniques in the ATT&CK Enterprise Matrix. These entries include descriptions, detection strategies, mitigation recommendations, and mappings to real-world threat actors and software.

Operationalizing Technique-Level Intelligence

The real power of ATT&CK lies in operational use:

In SIEM:

  • Map log data to ATT&CK IDs
  • Visualize attack chains
  • Create ATT&CK-based correlation rules

In EDR/XDR:

  • Tag alerts with technique IDs
  • Prioritize alerts based on ATT&CK severity

In SOAR:

  • Trigger automated responses based on technique detections

Security teams can also use ATT&CK to track detection coverage and simulate adversary behavior during tabletop exercises and red team engagements.

Enterprise Matrix

The Enterprise Matrix is the core of ATT&CK. It presents tactics as columns and techniques as rows, allowing defenders to follow adversary behavior chronologically or by objective.

It currently includes:

  • Windows, macOS, and Linux
  • Cloud platforms (AWS, Azure, GCP)
  • SaaS apps and Office 365

By overlaying your organization’s detection and response capabilities on the matrix, you can perform meaningful gap analysis and prioritize improvements.

MITRE ATT&CK Navigator

The ATT&CK Navigator is a browser-based visualization tool that makes working with the framework more intuitive. It allows teams to:

  • Highlight techniques covered by their current security stack
  • Compare detection coverage across environments
  • Overlay known threat actors, tools, and campaigns
  • Share and export layers for collaboration

This tool is especially useful for red and purple teams performing assessments and for security architects designing defense strategies.

MITRE ATT&CK Use Cases

MITRE ATT&CK is used across the cybersecurity lifecycle. Common scenarios include:

1. Threat Hunting

Hunters use the matrix to develop hypotheses: “If an attacker is using PowerShell for execution (T1059.001), they may try to evade detection with Obfuscated Files or Information (T1027).”

2. Detection Engineering

Security teams build and tune rules based on ATT&CK techniques. For instance, if you’re writing detections for lateral movement via RDP (T1021.001), ATT&CK provides context, common patterns, and mitigation strategies.

3. Red and Purple Teaming

Adversary emulation plans are structured around real-world actor behaviors, using ATT&CK techniques as a blueprint. Purple teams then test detections and defenses against these simulations.

4. Incident Response

When an alert is raised, mapping it to an ATT&CK technique (e.g., T1055 for Process Injection) gives responders immediate insight into the attacker’s intent and next likely steps.

MITRE ATT&CK vs. Cyber Kill Chain

The Lockheed Martin Cyber Kill Chain and MITRE ATT&CK are complementary, not competing, models. Here’s a quick comparison:

FeatureCyber Kill ChainMITRE ATT&CK
FocusPhases of attackTechniques used in attack
LevelHigh-levelTactical & technical
UseStrategic overviewOperational detection & response
AdvantageSimplicityDepth and precision

Many security teams use the Kill Chain to explain attacks to executives while relying on ATT&CK for in-depth analysis and defense.

Final Thoughts: The Future of Threat-Informed Defense

The framework has redefined how organizations think about cybersecurity. By shifting the focus from tools to behavior, from IOCs to TTPs (tactics, techniques, and procedures), it enables a more adaptive and resilient security posture.

As cloud-native threats evolve, as AI and automation reshape attack surfaces, ATT&CK continues to expand—driven by real adversary behavior and community contributions. Whether you’re in a SOC, on a red team, building threat intelligence, or managing risk at the executive level, ATT&CK provides a common language for modern cybersecurity operations.

The next frontier? Extending ATT&CK principles to emerging domains like AI security, IoT, and autonomous systems. The framework will adapt—and defenders who embrace it will stay one step ahead.