MITRE ATT&CK is a globally accessible knowledge base of adversary tactics, techniques, and procedures based on real-world observations, used for threat detection, assessment, and defense improvement.
MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a comprehensive knowledge base cataloging real-world adversary behaviors observed in cyberattacks. It organizes techniques into tactical categories like initial access, execution, persistence, and exfiltration, providing a common language for describing and analyzing threat actor behavior.
The ATT&CK matrix is organized into tactics (the adversary's goals, shown as columns) and techniques (how the adversary achieves those goals, listed beneath the tactic they serve). A technique can appear under more than one tactic when it serves more than one goal; Scheduled Task/Job (T1053), for example, is listed under Execution, Persistence, and Privilege Escalation, so a detection mapped to it covers all three. The Enterprise matrix covers 14 tactics from Reconnaissance through Impact, with hundreds of techniques and sub-techniques. Separate matrices exist for Mobile and ICS environments.
Security teams use ATT&CK for detection engineering (mapping each rule to the techniques it detects), threat intelligence analysis (describing and attributing adversary behavior in a shared vocabulary), red team planning (selecting realistic attack chains), gap analysis (identifying techniques with no detection), security tool evaluation, incident response classification, and security maturity measurement.
Penetration testers and red teams use ATT&CK to plan realistic attack chains that mirror actual threat actors. It ensures testing covers techniques relevant to the organization's threat landscape. Post-engagement, findings mapped to ATT&CK enable defenders to prioritize detection improvements for specific adversary techniques.
Tactics represent the adversary's objective, the 'why' of an attack step (e.g., Credential Access, TA0006). Techniques describe 'how' adversaries achieve that objective (e.g., Steal or Forge Kerberos Tickets, T1558, under Credential Access). Sub-techniques narrow a technique to a specific implementation (e.g., Kerberoasting, T1558.003). Technique and sub-technique IDs are the identifiers that detections, reports, and tooling should carry, since names change between ATT&CK versions and IDs do not.
Map each SIEM rule, EDR detection, and monitoring capability to the ATT&CK techniques it can detect; rule formats such as Sigma carry this mapping as tags (for example, attack.t1059.001). Visualize coverage using the ATT&CK Navigator tool to identify gaps, and treat a mapping as evidence of partial coverage rather than proof that the technique is detected: one rule typically matches one procedure, and an adversary can often reach the same technique another way. Prioritize gap closure based on threat intelligence showing which techniques relevant threat actors commonly use against your industry.
ATT&CK Groups are tracked threat actor profiles with documented techniques, targeted industries, and attribution details. Software entries catalog tools (both malicious and dual-use) with their associated techniques. Together, they enable threat-informed defense by revealing which techniques specific adversaries and their tools actually employ.
ATT&CK complements NIST CSF by providing granular technique coverage under the Detect and Respond functions. Published mappings relate NIST SP 800-53 controls to the techniques they mitigate, CTEM validation activities can be scoped by technique, and D3FEND maps its defensive techniques to the ATT&CK offensive techniques they counter. ATT&CK itself is distributed as STIX 2.1 objects (groups as intrusion-set, techniques as attack-pattern, software as tool or malware, joined by "uses" relationships) and served over TAXII, so threat intelligence platforms can consume and share it automatically.
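The gap analysis described in the detection-coverage paragraph and the STIX structure described in the Groups and Software paragraphs above, combined in one added example. This is not MITRE's code or tooling; it walks a STIX bundle in the same shape as the enterprise-attack data (intrusion-set and tool objects linked to attack-pattern objects by "uses" relationships, ATT&CK IDs in external_references), inverts Sigma-style technique tags on detection rules, and emits an ATT&CK Navigator layer in which the score is the number of rules per technique and 0 marks a technique the group uses that nothing detects. The bundle, group, tool and rules are constructed for illustration (the group ID G0000, software ID S0000 and technique T0000 are placeholders; T1558.003, T1059.001, T1053.005 and T1105 are real ATT&CK IDs), inheriting a group's techniques through the software it uses is a design choice of this example, and the Navigator version numbers in the layer are assumptions to adjust to your deployment.

```python
"""Threat-informed coverage gaps from a STIX bundle and rule tags (added example)."""
import json
import re
from collections import defaultdict

# Constructed STIX 2.1-style fragment in the layout of the ATT&CK enterprise data.
# Objects and descriptions are made up; only the T-IDs named below are real.
STIX_BUNDLE = {
    "type": "bundle", "id": "bundle--example",
    "objects": [
        {"type": "intrusion-set", "id": "intrusion-set--g1", "name": "Example Group",
         "external_references": [{"source_name": "mitre-attack", "external_id": "G0000"}]},
        {"type": "tool", "id": "tool--s1", "name": "Example Tool",
         "external_references": [{"source_name": "mitre-attack", "external_id": "S0000"}]},
        {"type": "attack-pattern", "id": "attack-pattern--t1", "name": "Kerberoasting",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1558.003"}]},
        {"type": "attack-pattern", "id": "attack-pattern--t2", "name": "PowerShell",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1059.001"}]},
        {"type": "attack-pattern", "id": "attack-pattern--t3", "name": "Scheduled Task",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1053.005"}]},
        # Revoked placeholder: the real data carries revoked / x_mitre_deprecated flags.
        {"type": "attack-pattern", "id": "attack-pattern--t4", "name": "Retired", "revoked": True,
         "external_references": [{"source_name": "mitre-attack", "external_id": "T0000"}]},
        {"type": "relationship", "id": "relationship--r1", "relationship_type": "uses",
         "source_ref": "intrusion-set--g1", "target_ref": "attack-pattern--t1"},
        {"type": "relationship", "id": "relationship--r2", "relationship_type": "uses",
         "source_ref": "intrusion-set--g1", "target_ref": "tool--s1"},
        {"type": "relationship", "id": "relationship--r3", "relationship_type": "uses",
         "source_ref": "tool--s1", "target_ref": "attack-pattern--t2"},
        {"type": "relationship", "id": "relationship--r4", "relationship_type": "uses",
         "source_ref": "intrusion-set--g1", "target_ref": "attack-pattern--t4"},
        {"type": "relationship", "id": "relationship--r5", "relationship_type": "uses",
         "source_ref": "intrusion-set--g1", "target_ref": "attack-pattern--t3"},
    ],
}

# Constructed detection rules with Sigma-style ATT&CK tags (titles are made up).
DETECTION_RULES = [
    {"title": "Kerberos TGS request with RC4 encryption", "tags": ["attack.credential_access", "attack.t1558.003"]},
    {"title": "Encoded PowerShell command line", "tags": ["attack.execution", "attack.t1059.001"]},
    {"title": "PowerShell download cradle", "tags": ["attack.t1059.001", "attack.t1105"]},
]

TECHNIQUE_TAG = re.compile(r"^attack\.(t\d{4}(?:\.\d{3})?)$", re.IGNORECASE)


def attack_id(obj):
    """ATT&CK ID (T…, G…, S…) from a STIX object's external references, or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def techniques_used_by(bundle, group_name):
    """Map technique ID -> name for everything a group uses directly or through its
    software. Revoked or deprecated objects are skipped so retired IDs do not leak in."""
    live = {o["id"]: o for o in bundle["objects"]
            if not o.get("revoked") and not o.get("x_mitre_deprecated")}
    uses = defaultdict(set)
    for o in live.values():
        if o["type"] == "relationship" and o.get("relationship_type") == "uses":
            uses[o["source_ref"]].add(o["target_ref"])
    groups = [o for o in live.values() if o["type"] == "intrusion-set" and o["name"] == group_name]
    if not groups:
        raise KeyError(f"no live intrusion-set named {group_name!r}")
    result, seen, stack = {}, set(), [groups[0]["id"]]
    while stack:                       # group -> technique, group -> software -> technique
        src = stack.pop()
        if src in seen:
            continue
        seen.add(src)
        for tgt in uses.get(src, ()):
            obj = live.get(tgt)        # None if the target itself is revoked
            if obj is None:
                continue
            if obj["type"] == "attack-pattern":
                result[attack_id(obj)] = obj["name"]
            elif obj["type"] in ("tool", "malware"):
                stack.append(tgt)
    return result


def detections_by_technique(rules):
    """Invert rule tags: technique ID -> list of rule titles that claim to detect it."""
    cov = defaultdict(list)
    for rule in rules:
        for tag in rule.get("tags", []):
            m = TECHNIQUE_TAG.match(tag)
            if m:
                cov[m.group(1).upper()].append(rule["title"])
    return dict(cov)


def gap_report(bundle, group_name, rules):
    """Split the group's techniques into those with at least one rule and those with none."""
    used = techniques_used_by(bundle, group_name)
    cov = detections_by_technique(rules)
    return {"group": group_name,
            "covered": {t: cov[t] for t in used if t in cov},
            "gaps": {t: used[t] for t in used if t not in cov}}


def navigator_layer(report):
    """ATT&CK Navigator layer: score = rule count, 0 = undetected technique the group uses.
    Version strings are assumptions; match them to your Navigator and ATT&CK release."""
    techniques = [{"techniqueID": t, "score": len(r), "comment": "; ".join(r)}
                  for t, r in sorted(report["covered"].items())]
    techniques += [{"techniqueID": t, "score": 0, "comment": f"GAP: {n} used by {report['group']}"}
                   for t, n in sorted(report["gaps"].items())]
    return {"name": f"Coverage vs {report['group']}",
            "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
            "domain": "enterprise-attack",
            "description": "Rules per technique; score 0 marks an undetected technique the group uses",
            "techniques": techniques,
            "gradient": {"colors": ["#ff6666", "#ffe766", "#8ec843"], "minValue": 0, "maxValue": 3},
            "layout": {"layout": "side", "showID": True, "showName": True}}


if __name__ == "__main__":
    report = gap_report(STIX_BUNDLE, "Example Group", DETECTION_RULES)
    print(json.dumps(navigator_layer(report), indent=2))  # paste into Navigator as a layer
```

Run against the real data by replacing STIX_BUNDLE with the parsed enterprise-attack.json and DETECTION_RULES with your exported rule metadata; the revoked/deprecated filter matters there, because the real bundle keeps retired techniques and relationships for history.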