What is MITRE ATT&CK?
MITRE ATT&CK (Adversarial Tactics, Techniques & Common Knowledge) is an open framework providing a comprehensive knowledge base of attacker techniques observed in real-world cyber attacks.
It helps organisations understand, detect, analyse and defend against cyber attacks by cataloguing known tactics and techniques drawn from observed intrusions, so defences are measured against actual threats rather than hypothetical ones.
🧠 What does MITRE ATT&CK contain?
MITRE ATT&CK is built on three core components:
- Tactics – the objective of the attacker (such as gaining access or persistence)
- Techniques – how that objective is achieved (such as credential dumping)
- Procedures – concrete examples of how techniques have been used in practice by specific attackers
🧱 Example of an attack step
| Tactic | Technique | Procedure |
|---|---|---|
| Initial Access | Spear Phishing Attachment | APT29 sent Word documents containing macros |
| Credential Access | Credential Dumping | Mimikatz used to extract passwords from RAM |
| Lateral Movement | Remote Desktop Protocol | Logging into internal systems with stolen credentials |
🧰 Applications of MITRE ATT&CK
- Threat modelling and Red Team planning
- SIEM rule mapping and SOC analysis
- Threat Hunting and behavioural detection
- Gap analysis of detection capabilities
- Reference for XDR, EDR and SOAR integrations
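As an added example (not part of the original page), the "SIEM rule mapping" and "gap analysis" uses above can be shown with a small script: the three attack steps from the table are represented as ATT&CK techniques, a constructed set of detection rules is tagged with the technique IDs they cover, and the script reports which techniques (grouped by tactic) have no detection. The technique and tactic names and IDs are as I recall them from the ATT&CK knowledge base and should be verified against attack.mitre.org; the rule names are constructed.

```python
# Added example: detection-coverage gap analysis over ATT&CK technique IDs.
# IDs below are quoted from memory of the ATT&CK knowledge base (verify on
# attack.mitre.org); the detection rules are constructed for illustration.
from collections import defaultdict

# technique id -> (technique name, tactic), using the three steps from the table.
TECHNIQUES = {
    "T1566.001": ("Spearphishing Attachment", "Initial Access"),
    "T1003": ("OS Credential Dumping", "Credential Access"),
    "T1021.001": ("Remote Desktop Protocol", "Lateral Movement"),
}

# Constructed SIEM/EDR rules, each tagged with the technique(s) it detects.
RULES = [
    {"name": "Office app spawns script host", "techniques": ["T1566.001"]},
    {"name": "Macro-enabled attachment at mail gateway", "techniques": ["T1566.001"]},
    {"name": "LSASS memory read by unsigned process", "techniques": ["T1003"]},
    {"name": "Legacy rule with unknown tag", "techniques": ["T9999"]},  # not in matrix
]

def coverage(techniques, rules):
    """Return {technique_id: [rule names]} for every technique in the matrix."""
    covered = defaultdict(list)
    for rule in rules:
        for tid in rule["techniques"]:
            if tid in techniques:          # ignore tags the matrix does not know
                covered[tid].append(rule["name"])
    return {tid: covered.get(tid, []) for tid in techniques}

def gaps_by_tactic(techniques, rules):
    """Return {tactic: [technique ids with no detection rule]}."""
    cov = coverage(techniques, rules)
    gaps = defaultdict(list)
    for tid, (_, tactic) in techniques.items():
        if not cov[tid]:
            gaps[tactic].append(tid)
    return dict(gaps)

def coverage_ratio(techniques, rules):
    """Fraction of matrix techniques that have at least one rule."""
    cov = coverage(techniques, rules)
    return sum(1 for names in cov.values() if names) / len(techniques)

if __name__ == "__main__":
    for tid, names in coverage(TECHNIQUES, RULES).items():
        name, tactic = TECHNIQUES[tid]
        print(f"{tid:10} {tactic:18} {name:26} {len(names)} rule(s)")
    print("gaps:", gaps_by_tactic(TECHNIQUES, RULES))
    print(f"coverage: {coverage_ratio(TECHNIQUES, RULES):.0%}")
```

With the constructed rules, Lateral Movement via RDP is the reported gap; in practice the matrix would be loaded from MITRE's published STIX data and the rules from the SIEM's tagged content.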
🗂 Different ATT&CK matrices
MITRE maintains separate matrices for:
- Enterprise: Windows, Linux, macOS, cloud
- Mobile: Android and iOS
- ICS: Specifically for industrial systems (e.g. PLC, SCADA)
- PRE-ATT&CK (deprecated): For pre-compromise activity, before the attacker has gained access
🧭 Example tactics (Enterprise)
| Tactic | Description |
|---|---|
| Initial Access | How the attacker gets in |
| Execution | How code is run |
| Persistence | How access is maintained |
| Privilege Escalation | Elevating privileges |
| Defense Evasion | Avoiding detection |
| Credential Access | Stealing passwords and tokens |
| Discovery | Exploring the compromised systems and network from the inside |
| Lateral Movement | Spreading within the network |
| Command and Control (C2) | Establishing external communication |
| Exfiltration | Moving stolen data out of the environment |
| Impact | Causing disruption, e.g. via ransomware |
✅ Benefits
- Based on real threat intelligence
- Helps identify detection gaps
- Broadly applicable across EDR, SIEM, SOC and Threat Hunting
- Many tools (such as Splunk, Sentinel, MISP) support ATT&CK integration
- Supports Risk Management and maturity assessments
📌 In summary
MITRE ATT&CK is a globally recognised framework for understanding, detecting and preventing attacker techniques. It provides a common language and structure for security teams, auditors and management.