MITRE ATT&CK — Adversarial Tactics, Techniques, and Common Knowledge

Overview

MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics, techniques, and procedures (TTPs) based on real-world cyber attack observations. The framework provides a common taxonomy for describing how adversaries operate, enabling organizations to improve threat detection, prevention, and response capabilities.

Developed and maintained by MITR Corporation, ATT&CK is widely used by security teams, threat intelligence analysts, red teams, and defenders across government, commercial, and academic sectors. It covers tactics and techniques across Enterprise (Windows, macOS, Linux, cloud, network), Mobile, and ICS environments.

Organizations use MITRE ATT&CK for threat intelligence enrichment, security control gap analysis, red team planning, detection engineering, and communicating about adversary behavior in a standardized way. The framework is free and publicly available.

Why it Matters

MITRE ATT&CK provides a comprehensive, empirically-grounded model of adversary behavior enabling organizations to systematically improve their detection and defense capabilities.

Key benefits include:

• Strengthen threat-informed defense

Align security investments with real-world adversary techniques targeting your sector and systems.

• Improve detection engineering

Map detection capabilities to ATT&CK techniques, identifying gaps and prioritizing detection development.

• Enhance threat intelligence

Enrich threat intelligence with structured technique context enabling actionable defensive improvements.

• Support red team and purple team activities

Use ATT&CK as a common language for adversary simulation and collaborative security testing.

• Enable security control assessment

Evaluate security controls against ATT&CK technique coverage to identify defensive gaps.

How it Works

MITRE ATT&CK is organized into matrices covering Enterprise, Mobile, and ICS environments. Each matrix contains tactics (adversary objectives) and techniques (how objectives are achieved). Techniques include sub-techniques, detection guidance, mitigation recommendations, and real-world procedure examples from observed adversary groups and software.

Organizations use ATT&CK by mapping observed threats and intelligence to techniques, assessing control coverage against technique matrices, developing detection rules targeting high-priority techniques, and using ATT&CK Navigator to visualize coverage and gaps.

Within SmartSuite, security teams track ATT&CK technique coverage, manage detection development priorities, link threat intelligence to framework techniques, and maintain evidence supporting security control effectiveness assessments.

Key Elements

• Tactics and Techniques Matrix

Organizes adversary behavior into tactical objectives and specific techniques with real-world examples.

• Threat Actor Profiles

Documents known adversary groups with associated TTPs enabling targeted defensive prioritization.

• Mitigation Guidance

Provides defensive recommendations for each technique supporting control implementation decisions.

• Detection Guidance

Offers data sources and detection approaches for identifying technique execution.

• ATT&CK Navigator

Provides visualization tooling for mapping coverage, priorities, and threat actor overlays.

Framework Scope

MITRE ATT&CK applies to organizations across all sectors using it for threat intelligence, detection engineering, red teaming, and security control assessment. Matrices cover Enterprise IT, cloud, mobile, and industrial control system environments.

Framework Objectives

MITRE ATT&CK provides a comprehensive adversary behavior knowledge base enabling threat-informed defense and security improvement.

• Document real-world adversary techniques enabling systematic defensive improvement
• Provide common language for communicating about threats across security teams
• Enable security control gap analysis against empirical threat behavior
• Support threat intelligence enrichment and sharing with structured context
• Facilitate red team and detection engineering activities

MITRE ATT&CK integrates with CIS Controls, NIST SP 800-53, and D3FEND. Security teams implement it for threat intelligence programs, detection engineering, control assessments, and adversary simulation activities.

Common Framework Mappings

Mapped frameworks include:

CIS Critical Security Controls

D3FEND

IEC 62443

NIST Cybersecurity Framework

NIST SP 800-53

OWASP Top Ten

SOC 2