The MITRE ATT&CK framework is a globally accessible, continuously updated knowledge base that catalogs the tactics, techniques, and procedures (TTPs) used by cyber adversaries, based on real-world observations. ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge. Developed by the MITRE Corporation in 2013, its primary purpose is to help organizations model, detect, prevent, and respond to cybersecurity threats by understanding how attackers operate—not just what artifacts they leave behind.
Core Components of MITRE ATT&CK
• Tactics: The why—these are the adversary’s technical objectives or goals during an attack, such as Initial Access, Privilege Escalation, or Command and Control.
• Techniques: The how—specific methods adversaries use to achieve their tactical objectives, such as phishing, credential dumping, or lateral movement.
• Sub-techniques: More granular variants of techniques, providing detailed insight into the specific ways a technique can be carried out (e.g., different forms of password guessing).
• Procedures: Real-world examples of how threat actors have used these techniques in actual attacks.
Key Features and Benefits
• Behavioral Focus: Unlike traditional models that emphasize indicators of compromise (IoCs), ATT&CK focuses on adversary behavior, enabling defenders to detect and mitigate attacks even as attackers change their tools or infrastructure.
• Standardized Vocabulary: ATT&CK provides a common language for describing threats, facilitating collaboration among security teams, vendors, and researchers worldwide.
• Community-Driven and Open: The framework is freely available and continuously updated with contributions from the global cybersecurity community.
• Practical Applications: Organizations use ATT&CK to simulate cyberattacks, test defenses, inform security policies, guide incident response, and enhance the configuration of security technologies like SIEM, XDR, and SOAR platforms.
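One concrete way the tactic → technique → sub-technique hierarchy is put to work in a SIEM is a coverage check: tag each detection rule with the ATT&CK IDs it addresses, roll sub-techniques up to their parent technique, and report which techniques under each tactic no rule covers. The example below is added here and is not part of the original article or of MITRE's tooling; the matrix slice and the detection rules are constructed for illustration (the technique IDs and names are real ATT&CK identifiers, but the slice is deliberately partial).

```python
import re
from collections import defaultdict

# Constructed slice of the Enterprise matrix: tactic -> {technique ID: name}.
# A technique can sit under more than one tactic (Valid Accounts here).
MATRIX = {
    "Initial Access": {"T1566": "Phishing", "T1078": "Valid Accounts"},
    "Persistence": {"T1078": "Valid Accounts", "T1053": "Scheduled Task/Job"},
    "Credential Access": {"T1003": "OS Credential Dumping", "T1110": "Brute Force"},
    "Command and Control": {"T1071": "Application Layer Protocol"},
}

# Constructed SIEM rules, each tagged with the ATT&CK IDs it is meant to detect.
# The last rule is mis-tagged with a tactic ID (TA0011) instead of a technique.
RULES = [
    {"name": "Office macro spawns PowerShell", "attack": ["T1566.001"]},
    {"name": "LSASS memory read by non-system process", "attack": ["T1003.001"]},
    {"name": "Many failed logons then success", "attack": ["T1110.001", "T1078"]},
    {"name": "Beacon-like periodic DNS", "attack": ["TA0011"]},
]

TECH_ID = re.compile(r"^T(\d{4})(?:\.(\d{3}))?$")

def parent_technique(attack_id):
    """Roll a sub-technique (T1110.001) up to its technique (T1110); None if malformed."""
    m = TECH_ID.match(attack_id)
    return f"T{m.group(1)}" if m else None

def coverage_report(matrix, rules):
    """Per tactic: how many techniques at least one rule covers, and which are gaps.
    Also returns (rule name, ID) pairs that map to nothing in the matrix."""
    tech_to_tactics = defaultdict(set)
    for tactic, techs in matrix.items():
        for tid in techs:
            tech_to_tactics[tid].add(tactic)
    covered = {tactic: set() for tactic in matrix}
    unmapped = []
    for rule in rules:
        for aid in rule["attack"]:
            parent = parent_technique(aid)
            if parent not in tech_to_tactics:  # handles None and unknown IDs
                unmapped.append((rule["name"], aid))
                continue
            for tactic in tech_to_tactics[parent]:
                covered[tactic].add(parent)
    report = {
        t: {"covered": len(covered[t]), "total": len(techs), "gaps": sorted(set(techs) - covered[t])}
        for t, techs in matrix.items()
    }
    return report, unmapped
```

Running `coverage_report(MATRIX, RULES)` shows Command and Control with no coverage and surfaces the mis-tagged rule, which is exactly the kind of gap the standardized vocabulary makes visible.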