Data Insider

What is the MITRE ATT&CK Framework?

The MITRE ATT&CK framework is a repository of cyberattack behaviors, based on real-world observations of adversaries, that are categorized by tactics and techniques.

Created in 2013 by the MITRE Corporation, a not-for-profit organization that works with government agencies, industry and academic institutions, the framework is a globally accessible knowledge base that provides a comprehensive representation of attack behaviors.

ATT&CK, which stands for Adversarial Tactics, Techniques and Common Knowledge, documents common tactics, techniques and procedures (TTPs) that cyber criminals employ when attacking networks and it outlines adversarial behaviors specific to Windows, Linux, Mac, cloud-based and mobile environments. Organizations regularly rely on its knowledge base to devise offensive and defensive measures to strengthen their overall security posture.

The ATT&CK framework can help threat hunters and other cyber defenders better classify attacks, understand adversary behavior and assess an organization's risk. Security teams can also use the framework to gain insight into how adversaries might operate in various scenarios so they can create informed strategies on how to detect — and ultimately prevent — those behaviors from affecting the security of their organization.

The ATT&CK framework’s unique ability to provide insights into adversaries’ behaviors, as well as its ability to provide a standardized, easily accessible global language, has led to its growing popularity for organizations looking to share threat intelligence and bolster their security posture.

This article will examine the MITRE organization’s approach to security, explore various components of the ATT&CK framework and discuss how you can start applying ATT&CK in real-world situations.

What is MITRE security?

MITRE security is a core capability of the MITRE Corporation, incorporating both cyber threat intelligence and an array of cybersecurity resources. MITRE advocates for a well-rounded security posture that combines traditional cyber defense approaches along with an increased reliance on cyber threat intelligence — all of which enable organizations to respond and adapt quickly to evolving threats. These resources provide a foundation for creating and building out a cybersecurity program, including:

  • Awareness and training: This incorporates employee awareness programs, technical training and student learning opportunities.
  • Standards: A framework of cybersecurity standards provides a common foundation for identifying, analyzing and sharing threat information.
  • Tools: MITRE provides a range of open source tools that help organizations analyze, detect and respond to threats.

To significantly improve organizations’ cybersecurity posture, the framework adopts a threat-based defense strategy that uses knowledge from various attacks and related events to reduce the likelihood of successful attacks in the future.

According to MITRE, a comprehensive, threat-based defense is contingent upon three elements:

  • Cyber threat intelligence analysis: This analysis provides practical information and threat detection signatures, which specialists can use to strengthen cyber defense and improve ways to anticipate, prevent, detect and respond to cyberattacks.
  • Defensive threat engagement: During the early stages of the attack lifecycle, organizations have an opportunity to detect and mitigate threats before cyber criminals cause extensive damage, making this a critical window for preventing and detecting future attacks. In later stages, however, techniques like incident response are applied reactively to an existing threat.
  • Focused sharing and collaboration: MITRE works with sponsors and industry partners to promote cyber threat information sharing, adopt new concepts and apply solutions to bolster cybersecurity postures and awareness.

Is MITRE a government agency?

MITRE is a not-for-profit corporation that works across federal, state and local governments and throughout various industries and academia. While not a government organization, MITRE operates federally funded research and development centers (FFRDCs), unique organizations that support the U.S. government with scientific research and analysis; development and acquisition; and systems engineering and integration.

MITRE specializes in shepherding innovative ideas into areas such as artificial intelligence, intuitive data science, quantum information science, health informatics, space security, policy and economic expertise, cyber threat sharing and cyber resilience.

It also has an independent research program that explores new and expanded uses of technologies to address clients’ specific problems, in particular bringing its own technical prowess to assist various federal agencies. Some of its core capabilities include systems engineering, signal processing and acquisition, as well as cybersecurity, mobile technology and social software.

What is the purpose of threat modeling?

Cyber threat modeling is the process of developing and applying a representation of attack threat scenarios in a cyber environment. These threats can target a device, an application, a system, a network, an organization or a business-critical mission. Threat modeling can determine how these various platforms and environments respond to attacks in real-world situations, and can help identify vulnerabilities and other weaknesses.

The cyber threat modeling process is used in numerous aspects of cybersecurity and resilience strategy, including:

  • Threat intelligence sharing
  • Risk management
  • Technology profiling and foraging
  • Systems security engineering
  • Security operations and analysis

What is the cyberattack lifecycle?

The cyberattack lifecycle, first articulated by Lockheed Martin as the “Cyber Kill Chain,” illustrates the various phases in a cyberattack. MITRE’s own Cyber Attack Lifecycle is a critical component of its threat-based defense (mentioned above), providing organizations an enhanced opportunity to discover and respond to attacks at earlier stages.

The MITRE phases include:

  • Reconnaissance: Adversary develops a strategy against the target
  • Weaponization: Develops the cyber weapon and determines the best method to deliver it successfully
  • Delivery: Delivers the cyber weapon to the predetermined target system
  • Exploitation: Exploits a vulnerability to install and activate malware on the target system
  • Control: Manages the initial target and performs internal reconnaissance
  • Execution: Executes the plan to achieve objectives (e.g. data exfiltration)
  • Maintain: Ensures long-term presence on target systems or networks (e.g. erases any indications of presence)

Organizations that map their own defensive tools and capabilities across the entirety of the MITRE cyber attack lifecycle will be better able to determine gaps in their security architecture and make the appropriate investments to strengthen their security defenses.

What are cybersecurity frameworks?

A cybersecurity framework is a series of documented standards and protocols that define best security practices to manage risk, reduce exposure to vulnerabilities and keep data protected from potential threats. Because organizations of all sizes and across all industries struggle to keep critical systems and data secure, many rely on cybersecurity frameworks for guidance. A cybersecurity framework provides a comprehensive, standardized plan that anticipates many of the challenges while alleviating much of the guesswork around how critical data and infrastructure needs to be protected. In many cases, organizations can tailor an existing cybersecurity framework to meet their own specific needs or compliance requirements.

How is the MITRE ATT&CK framework used?

The ATT&CK framework can be used by security teams in everyday defense activities — particularly those that address threat actors and their attack methods. ATT&CK is used in a myriad of ways by both red and blue teams, providing both offensive and defensive security professionals a common language and frame of reference around adversarial behaviors.

Red teams (pen testers and offensive security professionals who regularly test and break into cyber defenses) can follow MITRE's ATT&CK framework to test their networks’ security defenses by modeling ATT&CK’s documented adversary behavior. Using ATT&CK as an enhancement to existing methodology for predictive campaigns can make it easier for red teams to anticipate threats, detect patterns, and assess the effectiveness of defense tools in their environment.

Blue teams (defensive security professionals who oversee internal network security protections and defend against cyber threats) can leverage the ATT&CK framework to better understand what adversaries are doing, as well as prioritize the most severe threats and ensure the appropriate security mechanisms are in place and effectively working.

Below are various ways in which ATT&CK’s taxonomy can be applied:

  • Mapping defense controls: Security teams can have a clear understanding of defense tools, systems and strategies when they’re referenced against the ATT&CK tactics and techniques and their associated threats.
  • Threat hunting: Security teams can map defenses to ATT&CK to identify critical gaps in security infrastructure, which can help them detect previously overlooked threat activity.
  • Investigating: Incident response and blue teams can refer to ATT&CK techniques and tactics to understand the strengths and weaknesses in their security infrastructure, validating effective measures while also giving them the ability to detect misconfigurations and other operational flaws.
  • Identifying actors and groups: Security teams can align specific malicious actors and groups with associated documented behaviors.
  • Integrating solutions: Organizations that have a wide range of disparate tools and solutions can categorize and standardize their solutions according to the ATT&CK framework, hardening their overall defense strategy.

How does the MITRE ATT&CK framework compare to modern cybersecurity standards?

Although the ATT&CK framework has been in existence for years, it has recently become a popular way for organizations, government agencies and individuals to share threat intelligence, providing a common standardized language that’s easily accessible and universally understood. Its ability to provide detailed classifications about how attackers interact with systems across all environments has been one of the frequently cited factors in its growing adoption.

Other security frameworks cater to specific industries and users, with recommendations that vary depending on their specific needs and compliance requirements. Some of the most common cybersecurity frameworks include:

  • NIST Cybersecurity Framework: The National Institute of Standards and Technology’s general-use security framework for any organization looking to strengthen its cybersecurity posture. Both cost-effective and flexible, the framework entails a five-step process for addressing cybersecurity risks and maintaining security infrastructure, which covers ways to identify, protect, detect, respond to and recover from attack.
  • NIST SP 800-53: The National Institute of Standards and Technology also created NIST SP 800-53, which outlines security requirements for most federal information systems, including all entities that use or support these systems. This framework protects classified or critical data housed by government networks with clear measures that improve the security posture of federal agencies and their contractors.
  • HITRUST: Created for healthcare organizations, the Health Information Trust Alliance’s Common Security Framework covers any information system that houses protected health data, both in transit and at rest. The framework offers concrete guidance for protecting healthcare information and staying in compliance with regulatory mandates such as HIPAA.
  • ISO 27000 Series: The International Organization for Standardization and the International Electrotechnical Commission created this standard for information security management systems with the aim of enabling managers to stay on top of cybersecurity measures and controls. The framework has several publications available, and covers everything from security controls to guidelines on how to effectively manage IT operations.
  • NERC 1300: The North American Electric Reliability Corporation created a set of security standards, which, among other things, incorporates patch management best practices, proper network security mechanisms and system continuity. This framework protects critical systems, providing measures that reduce the risk of widespread power outages and system failure.
  • ANSI/ISA 62443: The International Society for Automation and the American National Standards Institute developed this security framework for Industrial Automation and Control Systems, which has become increasingly relevant as IoT has continued its rapid growth in both consumer and manufacturing spaces. The framework consists of four categories — general, component, system, and policies and procedures — while also offering certification for IoT equipment and consumer products.

How does the MITRE ATT&CK framework compare to the Cyber Kill Chain framework?

The most significant difference between these two frameworks is that the Cyber Kill Chain provides a high-level overview of the unified security strategy, while the MITRE ATT&CK framework provides a comprehensive list of tactics and techniques without indicating a specific attack pattern or order of operation.

Both frameworks follow the same general pattern that illustrates adversaries’ entry into the network, how they evade detection, and finally how they abscond with assets. However, an ATT&CK scenario could start with an Initial Access technique, for example, then jump to Credential Access via various methods, use techniques around Defense Evasion to cover their tracks, and then go back to the Execution phase.

The Cyber Kill Chain, on the other hand, articulates a specific sequence of events, in which the adversaries move from reconnaissance to intrusion and the subsequent phases in a prescribed order. The Cyber Kill Chain is slightly shorter than ATT&CK:

How do I get started using the MITRE ATT&CK framework?

ATT&CK can be useful for any organization that wants to elevate threat knowledge and build a more informed defense posture, regardless of how big or sophisticated the security team is. While MITRE provides its materials at no cost for use, organizations can employ a myriad of MITRE consultants or other vendors who could help apply the framework to meet the specific needs of the organization.

If you’re an organization with a small security team and want to expand your threat intelligence capabilities, you can focus on a relevant group — an organized set of intrusion activity — and look at the related attack behaviors, as defined in ATT&CK, that are relevant to your organization.

If you’re an organization that has a team of dedicated security professionals that regularly analyze threat information, you can get started by mapping intelligence to the ATT&CK framework yourself, as opposed to relying on what others have previously mapped.

If your team is more advanced, you can increasingly map more information to ATT&CK, using it to guide how you build out your cyber defenses. You can map both internal and external information to ATT&CK, including incident response, real-time alerts and your company’s historic data. Once this data is mapped, you can do things like compare groups and prioritize commonly used techniques.
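The two uses described above, mapping defenses to ATT&CK to find coverage gaps and comparing groups to prioritize commonly used techniques, can be worked through on a small mapped data set. The following is an added example, not code from the article or from MITRE: the technique IDs are real ATT&CK IDs, but the group-to-technique mappings and the control inventory are constructed for illustration and are not real attributions.

```python
"""Prioritize ATT&CK techniques across mapped groups and find defensive gaps.

Technique IDs are real ATT&CK IDs (e.g. T1566 Phishing, T1003 OS Credential
Dumping). The group mappings and the control inventory are constructed
for this example and do not describe any real intrusion set.
"""
from collections import Counter
from typing import Dict, List, Set, Tuple

# Constructed: hypothetical intrusion sets and the techniques mapped to them.
GROUP_TECHNIQUES: Dict[str, Set[str]] = {
    "GroupA": {"T1566", "T1059", "T1003", "T1070", "T1021", "T1041"},
    "GroupB": {"T1566", "T1078", "T1059", "T1027", "T1003", "T1105"},
    "GroupC": {"T1078", "T1021", "T1003", "T1547", "T1041"},
}

# Constructed: deployed controls and the techniques each one is mapped to.
CONTROL_COVERAGE: Dict[str, Set[str]] = {
    "email-gateway": {"T1566"},
    "edr": {"T1059", "T1003", "T1027"},
    "mfa": {"T1078"},
}


def technique_frequency(groups: Dict[str, Set[str]]) -> Counter:
    """Count how many mapped groups use each technique."""
    return Counter(t for techs in groups.values() for t in techs)


def prioritize(groups: Dict[str, Set[str]]) -> List[Tuple[str, int]]:
    """Techniques ordered by number of groups using them, then by ID."""
    freq = technique_frequency(groups)
    return sorted(freq.items(), key=lambda kv: (-kv[1], kv[0]))


def compare_groups(groups: Dict[str, Set[str]], a: str, b: str) -> Dict[str, Set[str]]:
    """Shared and group-specific techniques between two intrusion sets."""
    return {"shared": groups[a] & groups[b],
            f"only_{a}": groups[a] - groups[b],
            f"only_{b}": groups[b] - groups[a]}


def coverage_gaps(groups: Dict[str, Set[str]],
                  controls: Dict[str, Set[str]]) -> List[Tuple[str, int]]:
    """Observed techniques that no deployed control covers, most-used first."""
    covered = set().union(*controls.values())
    return [(t, n) for t, n in prioritize(groups) if t not in covered]


if __name__ == "__main__":
    print("priority:", prioritize(GROUP_TECHNIQUES))
    print("A vs B:", compare_groups(GROUP_TECHNIQUES, "GroupA", "GroupB"))
    print("gaps:", coverage_gaps(GROUP_TECHNIQUES, CONTROL_COVERAGE))
```

The gaps list is the ordered backlog for new detections or controls; with the constructed data it starts with T1021 and T1041, each used by two of the three groups but covered by nothing in the inventory.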

The bottom line

Build a more threat-informed security strategy

Many organizations rely on traditional defenses, which include an arsenal of security products, designed to block malware and other threats, and alert you to vulnerabilities that can be exploited by hackers. Although effective in some areas, these approaches are limited — and perhaps most importantly, don’t give you insight into how malicious attackers are executing their cyber assaults once they’re inside your network. Cyber threat intelligence outlined with a comprehensive framework like ATT&CK will give you a window into adversaries’ methods so you can start thinking like an attacker, and make better-informed decisions that prevent destructive, targeted attacks before they ever occur.