MITRE ATT&CK® Framework
Global knowledge base of adversary tactics and techniques based on real-world observations
What is MITRE ATT&CK?
MITRE ATT&CK (Adversarial Tactics, Techniques & Common Knowledge) is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations.
The ATT&CK matrix is used as the foundation for developing threat models and methodologies specific to the private sector, government, and the cybersecurity products and services community.
The 14 ATT&CK Tactics
Tactics represent the "why" of a technique or sub-technique. It is the tactical objective of the adversary.
1. Reconnaissance
Gathering information to plan future operations
Examples of techniques:
2. Resource development
Establishment of resources to support operations
Examples of techniques:
3. Initial access
Entry point into the target network
Examples of techniques:
4. Execution
Execution of malicious code on the system
Examples of techniques:
5. Persistence
Maintenance of access to compromised systems
Examples of techniques:
6. Privilege escalation
Obtaining higher-level permissions
Examples of techniques:
7. Defense evasion
Avoiding detection during an operation
Examples of techniques:
8. Credential access
Theft of account names and passwords
Examples of techniques:
9. Discovery
Exploration of the compromised environment
Examples of techniques:
10. Lateral movement
Movement through the environment
Examples of techniques:
11. Collection
Gathering information of interest
Examples of techniques:
12. Command and control
Communication with compromised systems
Examples of techniques:
13. Exfiltration
Theft of data from the compromised environment
Examples of techniques:
14. Impact
Manipulation, interruption or destruction of systems
Examples of techniques:
ATT&CK Use Cases
The ATT&CK framework serves as the basis for many cybersecurity use cases
Threat Intelligence
Structure and communicate intelligence about threats
Benefits:
- Mapping of adversary behaviors
- Identification of attack trends
- Threat prioritization
- Standardized CTI sharing
Detection & Analytics
Develop and test detection capabilities
Benefits:
- Identification of coverage gaps
- Creation of detection rules
- Effectiveness testing
- Continuous improvement
Adversary Emulation
Simulate the behaviors of real attackers
Benefits:
- Red Team operations
- Purple Team exercises
- Validation of defenses
- Team training
Assessment & Engineering
Evaluate and improve security posture
Benefits:
- Security gap analysis
- Defense roadmap
- Secure architecture
- Solution selection
Best Practices for Use
Tips to get the most out of the MITRE ATT&CK framework
Start gradually
Do not attempt to cover all techniques at once
- →Identify the most relevant techniques for your sector
- →Focus on current threats
- →Gradually expand your coverage
Contextualize ATT&CK
Adapt the framework to your specific environment
- →Document techniques observed in your environment
- →Create custom annotations
- →Share knowledge internally
Integrate into processes
Make ATT&CK a daily tool
- →Use ATT&CK in incident response
- →Reference techniques in alerts
- →Base Red Team exercises on ATT&CK
Keep up to date
The framework evolves regularly
- →Follow MITRE updates
- →Review your mappings periodically
- →Participate in the community
MITRE Official Resources
Ready to master MITRE ATT&CK?
Put your knowledge into practice with our practical cases based on real scenarios
Explore Practical Cases