MITRE ATT&CK serves as a comprehensive framework for understanding and defending against cyber threats by cataloging adversary tactics, techniques, and procedures (TTPs). Developed by MITRE, it provides a structured model that security professionals use to map real-world attacks and improve defenses.
Framework Overview
The framework organizes adversary behavior into matrices with 14 tactics for the Enterprise matrix, such as Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact, Reconnaissance, and Resource Development.
Each tactic breaks down into specific techniques (over 200) and sub-techniques, with examples tied to known threat actors like APT groups.
Separate matrices exist for Mobile (Android/iOS) and ICS/OT environments to address platform-specific behaviors.
Key Components
Tactics: High-level "why" of adversary objectives, representing stages in the attack
Techniques: "How" adversaries achieve tactics, with mitigations, detections, and real-world examples.
Procedures: Specific implementations by threat groups, enabling emulation and hunting.
Practical Applications
Security operations centers (SOCs) map logs and alerts to techniques for gap analysis using tools like ATT&CK Navigator.
Red and blue teams leverage it for adversary emulation, purple teaming, threat hunting, and prioritizing detections based on prevalence.
It standardizes communication across teams, vendors, and intelligence sharing by providing a common vocabulary.
Implementation Steps
Assess Coverage: Map existing controls to techniques and identify blind spots.
Build Detections: Create SIEM rules and analytics aligned to high-impact techniques.
Hunt and Emulate: Proactively search for TTPs and test responses against real actors



