What is the MITRE ATT&CK framework?
MITRE ATT&CK helps you model adversaries’ tactics and techniques throughout the attack lifecycle so you can learn how to strengthen your organization’s security posture. Specifically, it’s designed to help you:
- understand known and emerging behaviors
- recognize and stop threats
- identify gaps in security defenses
- reduce vulnerabilities
- develop customized threat models
The MITRE ATT&CK framework is provided to the public for free by MITRE, a nonprofit organization. First released in 2015 and originally focused on Windows enterprise system threats, it now covers Linux, macOS, and cloud platforms, as well as mobile and industrial control systems (ICS).
MITRE continuously maintains the knowledge base with input from a global community of cybersecurity professionals and updates it twice a year. For example, in 2024 MITRE released version 15, which includes emerging malicious behaviors such as the use of generative AI.
Where does the data in the MITRE ATT&CK framework come from?
The knowledge base contains publicly available data, threat intelligence, and incident reporting, as well as information on new tactics, techniques, and procedures (TTPs) contributed by threat researchers, analysts, and security teams from the community.
You can access this information using Structured Threat Information Expression (STIX™), a machine-readable format that allows automated workflows to ingest ATT&CK data directly from the knowledge base. For human use, ATT&CK data is also available as Excel spreadsheets.
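To show what ingesting the STIX form of the knowledge base looks like in practice, here is an added example (it is not code from the page or from MITRE). It builds a constructed miniature bundle using the field names of the real ATT&CK STIX layout (`attack-pattern` objects with `kill_chain_phases`, `external_references` carrying the `T` number, `x_mitre_is_subtechnique`, `course-of-action` mitigations linked by `mitigates` relationships) and indexes techniques by tactic, platform and mitigation. The object contents and the `bundle--sample` / `attack-pattern--T…` identifiers are sample values, not the real download; the helper names are the example's own. One point it handles that trips up first ingestion attempts: the real bundle keeps revoked and deprecated objects, so they must be filtered out rather than reported.

```python
import json

def _technique(tid, name, phases, platforms, sub=False, revoked=False):
    """Build one attack-pattern object laid out like the ATT&CK STIX bundle (sample data)."""
    return {
        "type": "attack-pattern",
        "id": f"attack-pattern--{tid}",  # constructed id; the real bundle uses UUIDs here
        "name": name,
        "revoked": revoked,
        "x_mitre_is_subtechnique": sub,
        "x_mitre_platforms": platforms,
        "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": p} for p in phases],
        "external_references": [{
            "source_name": "mitre-attack",
            "external_id": tid,
            "url": "https://attack.mitre.org/techniques/" + tid.replace(".", "/"),
        }],
    }

# Constructed miniature bundle (not the real enterprise-attack.json download): the field
# names follow the real ATT&CK STIX layout, the object set is a hand-picked sample.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--sample",
    "objects": [
        {"type": "x-mitre-tactic", "id": "x-mitre-tactic--persistence",
         "name": "Persistence", "x_mitre_shortname": "persistence"},
        _technique("T1078", "Valid Accounts",
                   ["defense-evasion", "persistence", "privilege-escalation", "initial-access"],
                   ["Windows", "Linux", "macOS", "IaaS", "SaaS"]),
        _technique("T1078.004", "Cloud Accounts",
                   ["defense-evasion", "persistence", "privilege-escalation", "initial-access"],
                   ["IaaS", "SaaS"], sub=True),
        _technique("T1098.001", "Additional Cloud Credentials",
                   ["persistence", "privilege-escalation"], ["IaaS", "SaaS"], sub=True),
        # Constructed retired entry: real bundles keep revoked objects rather than deleting them.
        _technique("T9999", "Retired Example", ["persistence"], ["IaaS"], revoked=True),
        {"type": "course-of-action", "id": "course-of-action--M1032",
         "name": "Multi-factor Authentication",
         "external_references": [{"source_name": "mitre-attack", "external_id": "M1032"}]},
        {"type": "relationship", "id": "relationship--1", "relationship_type": "mitigates",
         "source_ref": "course-of-action--M1032", "target_ref": "attack-pattern--T1078"},
    ],
})

def attack_id(obj):
    """ATT&CK external ID (T1078, M1032, ...) of a STIX object, or None if it has none."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None

def index_attack_bundle(bundle_json):
    """Index techniques by ATT&CK ID with their tactics, platforms and mitigations."""
    techniques, stix_to_tid, mitigations, mitigates = {}, {}, {}, []
    for obj in json.loads(bundle_json)["objects"]:
        # Revoked and deprecated objects stay in the bundle; skip them so reports
        # never cite a retired ID.
        if obj.get("revoked") or obj.get("x_mitre_deprecated"):
            continue
        if obj["type"] == "attack-pattern":
            tid = attack_id(obj)
            stix_to_tid[obj["id"]] = tid
            techniques[tid] = {
                "name": obj["name"],
                "tactics": [p["phase_name"] for p in obj.get("kill_chain_phases", [])
                            if p["kill_chain_name"] == "mitre-attack"],
                "is_subtechnique": obj.get("x_mitre_is_subtechnique", False),
                "platforms": obj.get("x_mitre_platforms", []),
                "mitigations": [],
            }
        elif obj["type"] == "course-of-action":
            mitigations[obj["id"]] = f"{attack_id(obj)} {obj['name']}"
        elif obj["type"] == "relationship" and obj.get("relationship_type") == "mitigates":
            mitigates.append((obj["source_ref"], obj["target_ref"]))
    # Resolve mitigations after the pass so object order in the bundle does not matter;
    # links whose endpoint was skipped as revoked are dropped.
    for src, dst in mitigates:
        if src in mitigations and dst in stix_to_tid:
            techniques[stix_to_tid[dst]]["mitigations"].append(mitigations[src])
    return techniques

def techniques_for_tactic(techniques, tactic, platform=None):
    """Sorted IDs of techniques in a tactic, optionally limited to one platform (e.g. 'IaaS')."""
    return sorted(tid for tid, t in techniques.items()
                  if tactic in t["tactics"] and (platform is None or platform in t["platforms"]))

if __name__ == "__main__":
    index = index_attack_bundle(SAMPLE_BUNDLE)
    for tid in techniques_for_tactic(index, "persistence", platform="IaaS"):
        t = index[tid]
        print(tid, t["name"], "| mitigations:", ", ".join(t["mitigations"]) or "none listed")
```

Against the real bundle the same code runs unchanged after replacing `SAMPLE_BUNDLE` with the file contents; the `platform` filter is what turns the Enterprise data into a cloud-only view.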
What are MITRE ATT&CK tactics and techniques?
Techniques are the methods used by adversaries to carry out their tactics. In the framework, multiple techniques are associated with each tactic. MITRE provides the following information about each technique:
- overview and description
- associated sub-techniques
- examples of related procedures
- mitigations for countering the technique
- detection methods
- metadata related to the technique
What are the MITRE ATT&CK Matrices?
While the MITRE ATT&CK framework is a comprehensive and detailed knowledge base, the matrices are condensed versions of this information, presented in a graphical format for easy reference.
MITRE has expanded the original ATT&CK Matrix into three major matrices:
- Enterprise covers Windows, macOS, Linux, cloud (such as IaaS and SaaS), networks, and containers, and focuses on tactics and techniques used in enterprise-level attacks. This matrix now includes PRE-ATT&CK, a previously separate matrix that provides information on the early stages of a cyberattack, prior to compromise.
- Mobile contains information for the Android and iOS platforms. It presents tactics and techniques commonly used to compromise mobile devices, such as network reconnaissance, privilege escalation, and data exfiltration.
- ICS is specific to tactics and techniques that may be used to attack industrial control system networks, particularly critical infrastructure like power grids and transportation and communications systems.
As we mentioned, each matrix contains a set of relevant tactics and techniques that are summarized in a chart. These charts are color-coded to show how often each technique is used, its severity in an actual attack, and the defensive controls that you can deploy for mitigation.
What is different about the MITRE ATT&CK for Cloud Matrix?
The Cloud Matrix is a subset of the Enterprise Matrix that focuses on cloud-specific threats and adversaries. It can help your organization assess risks related to cloud environments, develop security strategies, and select security tools.
Platforms covered under the Cloud Matrix are Azure Active Directory, Office 365, Google Workspace, SaaS, and IaaS. It is applicable to all major IaaS clouds, including AWS, Azure, and GCP.
Cloud tactics and techniques differ from those of the other platforms in the Enterprise Matrix because cloud adversaries follow a unique playbook. Following is a comparison of the cloud and enterprise tactics listed in the MITRE ATT&CK matrices.
| Cloud | Enterprise |
|---|---|
| Initial Access | Reconnaissance |
| Execution | Resource Development |
| Persistence | Initial Access |
| Privilege Escalation | Execution |
| Defense Evasion | Persistence |
| Credential Access | Privilege Escalation |
| Discovery | Defense Evasion |
| Lateral Movement | Credential Access |
| Collection | Discovery |
| Exfiltration | Lateral Movement |
| Impact | Collection |
| | Command and Control |
| | Exfiltration |
| | Impact |
As shown above, the order and scope of tactics on these lists vary, as do the techniques associated with a given tactic. Here are some examples.
Persistence traditionally involves setting up backdoors and using other ways to maintain network or system access over the long term, following the initial compromise. In the Cloud Matrix, persistence techniques include adding credentials to a cloud account and implanting containers in a PaaS deployment.
For defense evasion in an enterprise environment, adversaries may clear shell history and logs or manipulate tokens. A cloud adversary, in contrast, could abuse cloud administrator capabilities to gain short-term access to privileges. Other techniques include disabling cloud firewalls and manipulating cloud workloads.
Exfiltration of data from the enterprise typically involves encrypting and compressing it and setting up command and control channels and protocols to move it out of the network. To steal data in cloud-based environments, however, adversaries often send it to a different cloud storage location.
MITRE ATT&CK vs. the Cyber Kill Chain. How do they compare?
Both are frameworks for addressing cyberattacks, but they are fundamentally different. The Cyber Kill Chain was developed by Lockheed Martin in 2011, adapting the military's kill chain concept for identifying and stopping enemy activity.
Here are key distinctions:
- Perspective: The Cyber Kill Chain takes a high-level approach to the lifecycle of a cyberattack, while MITRE ATT&CK provides granular detail about malicious behavior via its comprehensive knowledge base.
- Scope: The Cyber Kill Chain focuses narrowly on attack stages from the perspective of adversaries. MITRE ATT&CK casts a broad net, helping users gain a deeper understanding of TTPs for cyber defense and threat hunting.
- Application: The Cyber Kill Chain is often used in the early stages of threat detection and prevention. The ATT&CK framework is used throughout the cyberattack lifecycle.
- Approach: Unlike MITRE ATT&CK, the Cyber Kill Chain takes a linear approach, claiming that all cyberattacks must follow a sequence of eight phases to achieve success. These phases are Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, Actions on Objective, and Monetization. The appeal of this sequential approach has been weakened as today’s adversaries change and refine their techniques and skip or combine steps in the kill chain.
- Relevance: The Cyber Kill Chain is limited in its focus, emphasizing perimeter security and external threats, particularly malware. Broad adoption of cloud services, remote work, and mobility has spotlighted these limitations and led to criticism that the kill chain is outdated. In contrast, MITRE continues to update and expand its framework using a community-driven process for new information and improvements. One major change was MITRE’s creation of the Cloud Matrix and Mobile Matrix.
How do you use the MITRE ATT&CK Matrix?
According to MITRE, these are the four most common use cases for ATT&CK:
- Threat detection and analytics: The matrix helps security teams develop analytics that detect the techniques used by an adversary. They can visit the MITRE Cyber Analytics Repository to access threat detection analytics written by the global cybersecurity community.
- Threat intelligence: MITRE ATT&CK provides a common language to organize, compare, and analyze threat data. Also, security teams can use it to access specific information on the behaviors of known threat groups.
- Attack emulation and Red Teaming: Red Teams can use ATT&CK to plan their vulnerability testing operations for your organization. For instance, they can access Atomic Red Team™, a library of tests mapped to the framework.
- Assessment and engineering: ATT&CK helps your teams evaluate security capabilities and determine which tools you need to implement. They can map existing threat detection capabilities onto the matrix to identify gaps. This exercise can pinpoint high-priority areas for implementing threat detection or mitigation solutions.
Other use cases include countering insider attacks and conducting breach and attack simulations (BAS). For the former, MITRE ATT&CK lists sources of data, such as application authentication logs, which can help you determine whether a threat actor is internal or external. In the case of BAS, your security teams can use MITRE information about threat actors and the types of organizations they target to simulate the attack methods they favor.
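The assessment use case above, mapping existing detection capabilities onto the matrix to find gaps, is easy to automate once detection rules carry technique tags. The following is an added example, not code from the page, MITRE, or any rule project. It assumes rules are tagged the way Sigma rules are (`attack.<tactic>` and `attack.t<id>` tags, which is the real Sigma convention), uses a constructed slice of the matrix rather than the full Enterprise Matrix, and constructed rule titles; the function names are the example's own. It also flags rules that carry no technique tag at all, since those cannot be placed on the matrix and silently inflate a team's sense of coverage.

```python
import re
from collections import defaultdict

# Constructed slice of the matrix, tactic -> technique IDs (a sample, not the full Enterprise Matrix).
MATRIX = {
    "initial-access": ["T1078", "T1190"],
    "persistence": ["T1078", "T1098", "T1136"],
    "defense-evasion": ["T1078", "T1562"],
    "credential-access": ["T1110", "T1552"],
    "exfiltration": ["T1537"],
}

# Constructed detection rules, tagged the way Sigma rules are: 'attack.<tactic>' plus 'attack.t<id>'.
RULES = [
    {"title": "Console sign-in without MFA", "tags": ["attack.initial_access", "attack.t1078.004"]},
    {"title": "Access key created for another principal", "tags": ["attack.persistence", "attack.t1098.001"]},
    {"title": "Cloud audit logging disabled", "tags": ["attack.defense_evasion", "attack.t1562.008"]},
    {"title": "Password spray against identity provider", "tags": ["attack.credential_access", "attack.t1110.003"]},
    {"title": "Legacy rule, tactic only", "tags": ["attack.discovery"]},
]

# Technique tag: T plus four digits, with an optional three-digit sub-technique suffix.
TECH_TAG = re.compile(r"^attack\.(t\d{4}(?:\.\d{3})?)$", re.IGNORECASE)

def techniques_covered(rules):
    """Map technique ID -> rule titles. A sub-technique tag also counts toward its parent technique."""
    covered = defaultdict(set)
    for rule in rules:
        for tag in rule["tags"]:
            match = TECH_TAG.match(tag)
            if match:
                tid = match.group(1).upper()
                covered[tid].add(rule["title"])
                covered[tid.split(".")[0]].add(rule["title"])
    return covered

def rules_without_technique(rules):
    """Rules that carry no technique tag at all; they cannot be placed on the matrix."""
    return [r["title"] for r in rules if not any(TECH_TAG.match(t) for t in r["tags"])]

def coverage_report(matrix, rules):
    """Per tactic: how many listed techniques have at least one rule, and which have none."""
    covered = techniques_covered(rules)
    report = {}
    for tactic, technique_ids in matrix.items():
        gaps = [tid for tid in technique_ids if tid not in covered]
        report[tactic] = {"covered": len(technique_ids) - len(gaps),
                          "total": len(technique_ids), "gaps": gaps}
    return report

def prioritize_gaps(report):
    """Tactics ordered worst-covered first, so the weakest column of the matrix is addressed first."""
    return sorted(report, key=lambda t: (report[t]["covered"] / report[t]["total"], t))

if __name__ == "__main__":
    report = coverage_report(MATRIX, RULES)
    for tactic in prioritize_gaps(report):
        r = report[tactic]
        print(f"{tactic:<18} {r['covered']}/{r['total']} covered, gaps: {', '.join(r['gaps']) or 'none'}")
    print("rules needing a technique tag:", rules_without_technique(RULES))
```

Counting a sub-technique rule toward its parent is a deliberate choice: it keeps a parent from showing as an outright gap when one of its variants is covered, while the per-technique map still lets you see that only that variant is detected. Swap `MATRIX` for the tactic-to-technique index built from the STIX bundle to run this against the full matrix.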