Have you looked into the ATT&CK Framework?

If you are working in cybersecurity or even adjacent to cybersecurity, you no doubt, have heard of the MITRE ATT&CK Framework. Likely you’ve been asked by your CISO to investigate adding the framework as part of your defensive strategy. Let’s look at it and see how implementing the framework can strengthen your defensive posture and make your business community safer to boot.

What is the MITRE ATT&CK Framework?

The MITRE ATT&CK (Adversarial Tactics, Techniques and Common Knowledge) Framework is a knowledge base of cyber adversary behavior focused on three primary matrices: Enterprise, Mobile, and Industrial Control Systems (ICS). I’ll note that most references to the framework are talking about Enterprise. It provides a model that your organization can use to understand the tactics, techniques, and procedures (TTPs) that are used by adversaries. The framework includes many different adversarial groups and software (in this case malware) already in use but the power of the MITRE ATT&CK Framework is that it can be used on any attack regardless of how new or old it is.

By creating a comprehensive knowledge base of cyber adversary behavior and tactics, the ATT&CK framework enables organizations to gain a better understanding of how attackers operate, to identify potential vulnerabilities in their own systems, and to develop more effective security controls and response strategies. The framework also provides a way for organizations to share information about cyber threats and collaborate on threat intelligence and response efforts.  

What are tactics?

In the MITRE ATT&CK Framework, a tactic is the high-level goal of the attacker. In short, it’s what the adversary hopes to achieve. There are currently 14 tactics that range from reconnaissance to the exfiltration of stolen information, and all stops in-between. An attack flows from left to right as it progresses through the system. It is important to note that an attack may not necessarily enter in the matrix at the beginning nor flow all the way to the end. It varies depending on the individual attack.

What are techniques?

In the MITRE ATT&CK Framework, a technique is the method in which the adversary intends to accomplish the goal of the attack. With tactics being the what, a technique serves as the how. There are currently 193 techniques and 401 sub-techniques in the Enterprise Framework.

What are procedures?

A procedure is the specific implementation of a technique, for instance an adversary uses PowerShell to silently create an administrator account.

How to use the framework?

There are multiple ways the MITRE ATT&CK framework can be implemented to improve an organization’s defensive posture. Here are 5 steps an organization can take to use the framework effectively:

  1. Familiarize –  Begin by understanding the layout of the Enterprise Matrix, specifically the Tactics and Techniques. Explore the ATT&CK website to learn more about the components that make up the framework.
  2. Identify Threats – Use recent attacks or utilize threat intelligence to create a list of threats to your organization or industry, and map those to the framework to identify the TTPs that apply.
  3. Assess Security Posture – Once you have mapped the threats facing your organization you can use the framework to identify gaps in your defenses.
  4. Strategy – Once you have identified the likely threats and any gaps in your defensive posture, develop a strategy for new or improved security controls that will resolve these issues.
  5. Share – Use the framework, including the customizable ATTACK Navigator to communicate both within your security team and within your industry to share threat intelligence.


As you can see, the Mitre ATT&CK framework is a comprehensive model that when implemented can improve your organization’s defenses and allow you to share that information within your industry. When coupled with additional cybersecurity training, the framework helps organizations to identify and understand the various stages of an attack and to develop effective strategies for preventing, detecting, and responding to attacks. The framework is continuously updated to reflect the latest techniques and tactics used by attackers. By leveraging the Mitre ATT&CK framework, organizations can better protect their assets and reduce the risk of cyberattacks.