
What Is the MITRE ATT&CK Framework?

The MITRE ATT&CK framework is a scientifically based, publicly accessible knowledge model that systematically documents the behaviors and methods of attackers.

 

ATT&CK stands for adversarial tactics, techniques, and common knowledge. The nonprofit MITRE organization developed the framework and first published it in 2013. The framework is based on empirical data from actual cyberattacks and is used to categorize, analyze, and defend against threats in the field of cybersecurity.

 

The MITRE ATT&CK framework consists of multidimensional matrices that structure attack behavior. The best known is the enterprise matrix, which covers operating systems such as Windows, macOS, and Linux, as well as cloud and network environments (see figure below). You can access the enterprise matrix at https://attack.mitre.org/matrices/enterprise/.

 

Enterprise Matrix from MITRE ATT&CK Framework at https://attack.mitre.org/matrices/enterprise/

 

The hierarchical structure of the matrix is explained in this table.

 

  • Level 1, Tactics: The top level describes the attacker’s objectives in the form of tactics (i.e., what an attacker is trying to achieve, such as reconnaissance, initial access, execution, or privilege escalation). The list that follows this table shows the various tactics in the MITRE ATT&CK framework.
  • Level 2, Techniques: The second level specifies how (i.e., with which techniques) the attacker can achieve these goals (e.g., through phishing).
  • Level 3, Subtechniques: The third level describes the subtechniques, which are detailed variants of the techniques (e.g., the spearphishing attachment as a subtechnique of phishing).
  • Level 4, Mitigations and detections: The fourth level specifies possible countermeasures and detection options for each technique.

 

The following tactics are used in the MITRE ATT&CK framework:

  • Reconnaissance: This involves gathering information about the target system or organization (e.g., from publicly available sources [OSINT]) to prepare for later attacks.
  • Resource development: This involves building, acquiring, or preparing resources, such as malware, credentials, or infrastructure, to be used in an attack.
  • Initial access: This involves accessing the target system (e.g., through phishing, exploits, malicious websites, or compromised devices) for the first time.
  • Execution: This involves execution of malicious code on a target system, often via scripting languages, exploits, or user interactions.
  • Persistence: This involves implementing measures to maintain access to a compromised system despite reboots, user logouts, or the use of security software.
  • Privilege escalation: This involves obtaining higher access rights within a system or network (e.g., through dynamic link library [DLL] hijacking).
  • Defense evasion: This involves bypassing or disabling security mechanisms such as antivirus programs, firewalls, and logging to remain undetected.
  • Credential access: This involves stealing authentication information such as passwords, hashes, or tokens (e.g., via keyloggers, credential dumping, or phishing).
  • Discovery: This involves internal exploration of the network or system to identify targets, user accounts, topologies, or security measures.
  • Lateral movement: This involves horizontal movement within a network to compromise additional systems (e.g., via remote access or shared resources).
  • Collection: This includes the collection of data, files, access information, or communication content to be used for data exfiltration or manipulation.
  • Command and control: This involves the establishment and use of a communication channel between the attacker and the compromised system.
  • Exfiltration: This involves the extraction of sensitive data from the target network, often in a way that is disguised or encrypted to help the attacker avoid detection.
  • Impact: This includes the manipulation, destruction, or disruption of systems, data, or services (e.g., through ransomware, data deletion, or sabotage).

The figure below shows the hierarchical arrangement, using the example of the spearphishing attachment subtechnique.

 

Example of Hierarchy in MITRE ATT&CK Framework, Using Spearphishing Attachment Subtechnique, from https://attack.mitre.org/matrices/enterprise/

 

Clicking on the subtechnique opens a detailed page for that subtechnique, which is structured as shown here.

 

Detailed Information on Subtechnique and Its Assignment to Technique, from https://attack.mitre.org/techniques/T1566/001/

 

There, you will find, for example, the assignment of the subtechnique to the corresponding technique. The tactics and techniques are represented by IDs, so, for example, the Spearphishing Attachment subtechnique has an ID of T1566.001. This subtechnique belongs to technique T1566 (Phishing), and if you click on that technique, you will be taken to an overview that lists the various subtechniques for phishing.

 

Example of Technique and Associated Subtechniques from https://attack.mitre.org/techniques/T1566/

 

The countermeasures (a.k.a. mitigations) are described on the page of each individual subtechnique. For T1566.001 (Spearphishing Attachment), for example, the mitigations section looks like this.

 

Example of Countermeasures for Subtechnique T1566.001 from https://attack.mitre.org/techniques/T1566/001/

 

The next figure illustrates specific real-world cases in which certain groups or malware families have used techniques from the MITRE ATT&CK framework.

 

Examples of Use of Specific Techniques from https://attack.mitre.org/techniques/T1566/001/

 

You can find these entries in the Procedure Examples section. Procedures are specific steps, such as the sequence in which the attacker performs certain actions. However, procedures are not synonymous with a complete attack plan or a detailed timeline, such as in a kill chain or incident report. Rather, each procedure is an example of how a specific technique was used in practice by an attacker.

 

The procedure examples consist of several components:

  • ID: This is a unique identifier for the given entry:
    • Cxxxx: This stands for known cyber operations (campaigns).
    • Gxxxx: This stands for known attacker groups.
    • Sxxxx: This stands for malware (software).
  • Name: This is the name of the campaign, group, or malware.
  • Description: This is a brief description of how a technique from the ATT&CK matrix was used in practice. Each description includes references.
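The ID scheme described above (technique IDs with a three-digit subtechnique suffix, and C/G/S prefixes for campaigns, groups, and software) can be turned into a small lookup that walks a subtechnique up to its technique and tactic and lists the procedure examples that reference it. The following Python is an added example, not MITRE code or a MITRE data export; it embeds a constructed subset of the knowledge base inline so that it runs offline. The IDs for Phishing (T1566) and Spearphishing Attachment (T1566.001) come from the text; the Spearphishing Link subtechnique ID and the APT29 group ID are taken from the live site as the author of this example recalls them and should be verified there before reuse.

```python
"""Resolve MITRE ATT&CK identifiers against a constructed subset of the enterprise
knowledge base. Added example, not MITRE code; the real data is published as STIX
bundles, here a handful of objects are embedded inline so the example runs offline."""
import re
from dataclasses import dataclass

# ID shapes as used on attack.mitre.org: T/C/G/S/M plus four digits;
# only techniques may carry a three-digit sub-technique suffix.
ID_PATTERN = re.compile(r"^(?P<kind>[TCGSM])(?P<num>\d{4})(?:\.(?P<sub>\d{3}))?$")
KIND_NAMES = {"T": "technique", "C": "campaign", "G": "group", "S": "software", "M": "mitigation"}


@dataclass
class Entry:
    id: str
    name: str
    tactics: tuple = ()   # set on techniques only; sub-techniques inherit them
    uses: tuple = ()      # procedure examples: (sub)technique IDs an actor used


# Constructed subset. Group ID for APT29 is assumed from the site; verify before reuse.
KB = {e.id: e for e in [
    Entry("T1566", "Phishing", tactics=("Initial Access",)),
    Entry("T1566.001", "Spearphishing Attachment"),
    Entry("T1566.002", "Spearphishing Link"),
    Entry("G0016", "APT29", uses=("T1566.001", "T1566.002")),
]}


def parse_id(attack_id: str) -> dict:
    """Split an ATT&CK ID into its parts; raise ValueError for anything else."""
    m = ID_PATTERN.match(attack_id.strip())
    if not m:
        raise ValueError(f"not an ATT&CK identifier: {attack_id!r}")
    kind, sub = m.group("kind"), m.group("sub")
    if sub and kind != "T":
        raise ValueError(f"only techniques have sub-techniques: {attack_id!r}")
    return {
        "kind": kind,
        "kind_name": KIND_NAMES[kind],
        "is_subtechnique": sub is not None,
        "parent": f"{kind}{m.group('num')}" if sub else None,
    }


def resolve(technique_id: str) -> dict:
    """Walk a (sub)technique up to its parent technique and inherit its tactics."""
    info = parse_id(technique_id)
    if info["kind"] != "T":
        raise ValueError("resolve() expects a technique or sub-technique ID")
    entry = KB.get(technique_id)
    if entry is None:
        raise KeyError(f"{technique_id} not in the knowledge base")
    parent = KB[info["parent"]] if info["is_subtechnique"] else entry
    return {
        "tactics": parent.tactics,
        "technique": f"{parent.id} {parent.name}",
        "subtechnique": f"{entry.id} {entry.name}" if info["is_subtechnique"] else None,
    }


def procedures_for(technique_id: str) -> list:
    """Procedure examples for a technique: every campaign/group/software entry that
    used the technique itself or one of its sub-techniques, as
    (actor ID, actor name, ID actually used)."""
    found = []
    for actor in KB.values():
        if parse_id(actor.id)["kind"] not in ("C", "G", "S"):
            continue
        for used in actor.uses:
            if used == technique_id or parse_id(used)["parent"] == technique_id:
                found.append((actor.id, actor.name, used))
    return found


if __name__ == "__main__":
    print(resolve("T1566.001"))
    for actor_id, actor_name, used in procedures_for("T1566"):
        print(f"{actor_id} {actor_name} -> {used}")
```

The important detail is in `resolve()`: tactics are attached to the technique, so a subtechnique query has to climb to its parent before it can answer "which tactic does this serve", which is exactly the T1566.001 to T1566 to Initial Access path the page walks through.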

The MITRE ATT&CK framework is typically used in the following areas:

  • Threat intelligence: The framework is an important tool for threat intelligence, as it provides behavior-based information on known APT groups. MITRE links techniques to specific groups, such as APT29 or FIN7, and documents which techniques are used by which group.
  • Security operations centers (SOCs): SOCs can use the framework to detect and prioritize attack techniques. This allows SOCs to analyze which techniques appear in logs and whether they indicate known attack patterns.
  • Red teaming and blue teaming: Red teams use the framework to design realistic attack simulations based on known techniques, and blue teams use it to improve detection mechanisms and assess which attack paths are still inadequately monitored (in a process called gap analysis). Learn more about red teams and blue teams here.
  • Security assessment: Organizations can use the framework to analyze how well they are protected against specific attack techniques, by comparing existing security measures with ATT&CK techniques.
  • Threat simulation: Organizations can use tools such as MITRE ATT&CK Navigator, Atomic Red Team, and Caldera to model hypothetical attack paths or perform controlled simulations.

You can also use MITRE ATT&CK Navigator to simulate APT groups and analyze their behavior in detail. You can find the tool here.
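A concrete form of the SOC and blue-team gap analysis mentioned above is a Navigator layer that scores each tracked technique by how well it is detected, so uncovered techniques show up at a glance. The Python below is an added example, not MITRE's or the Navigator project's own code. The technique IDs beyond T1566.001 are taken from the live site as the author of this example recalls them, the detection statuses are constructed, and the layer field names (`techniqueID`, `score`, `color`, `comment`) and the version numbers follow the Navigator layer file format as this example's author understands it; check the generated file against the Navigator version you load it into.

```python
"""Generate an ATT&CK Navigator layer from a detection-coverage inventory and list
the gaps. Added example, not MITRE or Navigator code; IDs other than T1566.001 are
recalled from the site, statuses are constructed, and field names are assumed."""
import json

# Coverage status per technique, mapped to a score and a traffic-light color.
SCORE = {"none": 0, "telemetry": 1, "rule": 2}
COLOR = {0: "#ff6666", 1: "#ffe766", 2: "#8ec843"}  # red / amber / green

# Constructed inventory: techniques the team has decided to track.
TRACKED = {
    "T1566.001": "Spearphishing Attachment",
    "T1566.002": "Spearphishing Link",
    "T1059.001": "PowerShell",
    "T1003": "OS Credential Dumping",
    "T1486": "Data Encrypted for Impact",
}

# Constructed detection state: "rule" = alerting rule in place,
# "telemetry" = logs collected but no rule yet, "none" = nothing.
DETECTIONS = {
    "T1566.001": "rule",
    "T1566.002": "telemetry",
    "T1059.001": "rule",
    "T1003": "none",
    "T1486": "telemetry",
}


def build_layer(tracked: dict, detections: dict, name: str = "Detection coverage") -> dict:
    """Return a Navigator layer dict; unknown statuses are rejected rather than guessed."""
    techniques = []
    for tid, tname in sorted(tracked.items()):
        status = detections.get(tid, "none")   # untracked-by-SOC means no coverage
        if status not in SCORE:
            raise ValueError(f"{tid}: unknown status {status!r}")
        score = SCORE[status]
        techniques.append({
            "techniqueID": tid,
            "score": score,
            "color": COLOR[score],
            "comment": f"{tname}: {status}",
            "enabled": True,
        })
    return {
        "name": name,
        "versions": {"layer": "4.5"},        # assumed layer format version
        "domain": "enterprise-attack",
        "description": "0 = no coverage, 1 = telemetry only, 2 = detection rule",
        "techniques": techniques,
        "gradient": {"colors": [COLOR[0], COLOR[1], COLOR[2]], "minValue": 0, "maxValue": 2},
    }


def gaps(layer: dict, max_score: int = 0) -> list:
    """Technique IDs whose coverage score is at or below max_score."""
    return [t["techniqueID"] for t in layer["techniques"] if t["score"] <= max_score]


def layer_json(layer: dict) -> str:
    """Serialize the layer for upload into Navigator."""
    return json.dumps(layer, indent=2)


if __name__ == "__main__":
    layer = build_layer(TRACKED, DETECTIONS)
    print("no coverage:", gaps(layer))
    print("no alerting rule:", gaps(layer, max_score=1))
    print(layer_json(layer))
```

Running it reports T1003 as the only technique with no coverage at all and adds T1486 and T1566.002 once you ask for everything without an alerting rule; the JSON it prints is what you would open in Navigator to see the same result as a colored matrix.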

 

ATT&CK promotes a common language in the field of cybersecurity, to facilitate communication between companies and authorities, the sharing of incident reports, and the comparability of attacks, among other things. ATT&CK complements frameworks such as the NIST Cybersecurity Framework (CSF), ISO/IEC 27001, and the cyber kill chain.

 

However, the multitude of techniques can be overwhelming, especially for small organizations. New techniques emerge faster than they can be incorporated into the framework, and in addition, ATT&CK is context-free (i.e., it does not assess how likely or dangerous a technique is in a specific environment).

 

Editor’s note: This post has been adapted from a section of the book Ethical Hacking: The Practical Guide for Pentesting and Red Teaming by Florian Dalwigk. Florian is an expert in cybercrime, cyberespionage, and IT security. After studying computer science, he worked for a security agency and has been a volunteer lecturer since 2024, teaching modules on "Ethical Hacking," "IT Forensics," "Cyberespionage," "Cybercrime and Crypto Forensics," and "Post-Quantum Cryptography," among others. As an author of specialist books, he conveys his knowledge in a clear and practical way. He is interested in the interface between technological innovation and security, particularly in the context of state-controlled cyber operations and cryptographic resilience in the post-quantum era.

 

This post was originally published in 5/2026.

by Rheinwerk Computing

Rheinwerk Computing is an imprint of Rheinwerk Publishing and publishes books by leading experts in the fields of programming, administration, security, analytics, and more.