Module 4 · MITRE ATT&CK in Operations

Manish Garg, Associate of (ISC)² · RingSafe
Apr 22, 2026 · 5 min read

Last updated: April 29, 2026

ATT&CK taxonomy, tactics and sub-techniques, Navigator for coverage mapping, detection-as-technique, D3FEND.

MITRE ATT&CK is the industry’s shared language for describing how adversaries operate. It is a taxonomy of 14 tactics, 200+ techniques, and 500+ sub-techniques, updated continuously. Used well, it structures CTI reports, maps detection coverage, scopes red-team exercises, and communicates across teams. Used as a checklist to pad reports, it produces noise. This module covers operational use of ATT&CK.

Structure of ATT&CK

  • Tactic — the adversary’s goal (Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact, plus Reconnaissance and Resource Development for the pre-compromise phase)
  • Technique — how they achieve it (T1059 Command and Scripting Interpreter)
  • Sub-technique — specific variant (T1059.001 PowerShell, T1059.003 Windows Command Shell)
  • Procedure — exactly how a specific actor used the technique (free-form text, tied to group / software records)

ATT&CK also tracks Groups (named threat actors) and Software (malware and tools), each linked to the techniques they use.

The matrices

ATT&CK has several matrices, each scoped to a platform:

  • Enterprise — Windows, macOS, Linux, IaaS, SaaS, Office 365, Azure AD, Network, Containers
  • Mobile — Android, iOS
  • ICS — industrial control systems

Use the matrix relevant to your environment. Cloud- and SaaS-heavy organisations: focus on the cloud-specific techniques and platforms (IaaS, SaaS, Office 365, Azure AD) within Enterprise.

Operational uses

1. Describe a threat group

Every threat report should include an ATT&CK mapping: “APT29 uses T1566.002 (spearphishing link), T1059.001 (PowerShell), T1078.004 (valid cloud accounts)…” This lets defenders parse the report into detection work: “what techniques do we lack coverage for?”

2. Map detection coverage

The ATT&CK Navigator is a free web tool that lets you color techniques on the matrix based on your own criteria. Standard uses:

  • Coverage map — green for “we detect,” yellow for “we partially detect,” red for “blind.” Quickly surfaces gaps
  • Threat heatmap — color techniques by frequency of use among threats relevant to you
  • Priority map — intersection of coverage gap + threat prevalence — which to build next

3. Scope red team exercises

“Emulate APT29” is specific. Pull their ATT&CK profile, build a red-team plan that exercises each technique. Measure blue team detection technique-by-technique.

4. Communicate across teams

SOC analyst says “saw T1021.001 on server X.” Detection engineer immediately knows: RDP-based lateral movement. Common vocabulary shrinks the translation overhead in incident response.

Writing detections against techniques

A good detection targets a technique, not a specific procedure. Example — detecting T1059.003 (Windows Command Shell):

title: Suspicious cmd.exe child of Office process
id: e8b3a4d1-...
description: Office applications spawning cmd.exe is a common procedure
  for T1059.003 initial execution.
logsource:
  product: windows
  category: process_creation
detection:
  selection:
    ParentImage|endswith:
      - '\WINWORD.EXE'
      - '\EXCEL.EXE'
      - '\POWERPNT.EXE'
      - '\OUTLOOK.EXE'
    Image|endswith: '\cmd.exe'
  condition: selection
tags:
  - attack.execution
  - attack.t1059.003
level: high

This rule covers many campaigns using the technique, not just one. As attackers evolve procedures but keep the technique, detection survives.

Coverage math — how much is enough?

There is no “100% ATT&CK coverage” goal. Realistic targets:

  • 80% coverage of techniques used by the top 10 threat groups targeting your sector
  • 100% coverage of techniques flagged as “High prevalence” in the ATT&CK v15 statistics
  • Coverage on techniques relevant to your environment (no need for Linux Container techniques if you are Windows-only)

Measure coverage over time. Trending up is the signal.
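The coverage map, threat heatmap, priority map and the coverage-math targets above, worked through in an added Python example (not code from the page or from MITRE). Detection statuses and group profiles are constructed sample data; the layer dict's key names (techniqueID, score, color, comment) are my assumption about the Navigator layer format and should be checked against the Navigator version you run.

```python
# Constructed detection status per technique, in the page's Navigator colour scheme:
# green = detected, yellow = partially detected, red = blind. Sample data, not real stats.
COVERAGE = {
    "T1566.002": "green",   # spearphishing link
    "T1059.001": "yellow",  # PowerShell: only a weak keyword match today
    "T1059.003": "green",   # Windows command shell
    "T1078.004": "red",     # valid cloud accounts
    "T1021.001": "red",     # RDP lateral movement
    "T1003.001": "yellow",  # LSASS memory
}

# Constructed threat-group profiles (hypothetical groups, not MITRE's group records).
GROUPS = {
    "GROUP-A": {"T1566.002", "T1059.001", "T1078.004", "T1021.001"},
    "GROUP-B": {"T1059.001", "T1003.001", "T1021.001"},
    "GROUP-C": {"T1059.003", "T1078.004"},
}

def prevalence(groups):
    """Threat heatmap: how many relevant groups use each technique."""
    counts = {}
    for techs in groups.values():
        for t in techs:
            counts[t] = counts.get(t, 0) + 1
    return counts

def group_coverage(group_techs, coverage):
    """Coverage math: fraction of one group's techniques with full (green) detection."""
    return sum(1 for t in group_techs if coverage.get(t) == "green") / len(group_techs)

def priority_list(coverage, groups):
    """Priority map: gaps (yellow or red) ordered by prevalence, ties broken by ID."""
    prev = prevalence(groups)
    gaps = [t for t in prev if coverage.get(t, "red") != "green"]
    return sorted(gaps, key=lambda t: (-prev[t], t))

def navigator_layer(coverage, groups, name="priority map"):
    """Build a Navigator-style layer: gaps scored by prevalence, covered techniques 0.
    Key names are an assumption about the layer JSON format; verify against your Navigator."""
    prev = prevalence(groups)
    colour = {"green": "#2ca02c", "yellow": "#ffbf00", "red": "#d62728"}
    techniques = [{"techniqueID": t,
                   "score": 0 if coverage.get(t) == "green" else prev.get(t, 0),
                   "color": colour[coverage.get(t, "red")],
                   "comment": f"used by {prev.get(t, 0)} tracked group(s)"}
                  for t in sorted(set(coverage) | set(prev))]
    return {"name": name, "domain": "enterprise-attack", "techniques": techniques}
```

Serialise the returned dict with json.dumps to get a file the Navigator can load; priority_list is the "build next" queue for detection engineering.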

Common misuse of ATT&CK

  • Tagging every finding in a pentest with 50 ATT&CK IDs. Dilutes meaning; makes reports unreadable
  • Treating ATT&CK as a checklist. It is a reference taxonomy, not a completeness score
  • Detection by technique-label alone. “We detect T1059.001” can mean a strong rule or a weak keyword match. The label doesn’t guarantee quality
  • Overlooking sub-technique specificity. “T1059” is too broad; “T1059.001 PowerShell” is actionable

ATT&CK and D3FEND

D3FEND is MITRE’s defensive companion — ways to counter each ATT&CK technique. Still maturing (as of 2026, useful as a reference but not as operational as ATT&CK). Worth knowing about; not yet worth depending on.

Integrating ATT&CK into your CTI program

  1. Every intelligence report published includes explicit ATT&CK mapping
  2. Every detection rule in your SIEM tagged with the technique(s) it covers
  3. Monthly coverage dashboard — techniques × severity × prevalence — shown to Engineering leadership
  4. Every red-team exercise scoped and reported in ATT&CK terms
  5. Every IR report concludes with ATT&CK technique list + detection gaps identified

When ATT&CK is the common currency across CTI, SOC, IR, and Red Team, work flows naturally between them. When it isn’t, each team invents its own vocabulary and coordination cost goes up.

Data sources for coverage

MITRE publishes “Data Sources” pointing to what telemetry is needed to detect each technique. Examples:

  • Process creation logs — required for Execution tactic detection
  • Network traffic flow — required for C2 and Exfil detection
  • Authentication logs — required for Valid Accounts detection
  • Windows Registry — required for many Persistence techniques

Map coverage as a function of telemetry: “we cannot detect technique X because we don’t collect data source Y.” Drives log-collection investment decisions.
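The telemetry-gap view above as an added Python example (not from the page): a constructed subset mapping techniques to the ATT&CK data components they need, a constructed set of what the SIEM collects today, and a ranking of missing data components by how many techniques each one blocks. The mapping is illustrative only; take the real one from each technique's Data Sources entry.

```python
from collections import Counter

# Constructed mapping of techniques to the data components needed to detect them.
# The component names are ATT&CK's; the subset and assignments are sample data.
REQUIRED = {
    "T1059.001": {"Command: Command Execution", "Process: Process Creation"},
    "T1059.003": {"Process: Process Creation"},
    "T1021.001": {"Logon Session: Logon Session Creation",
                  "Network Traffic: Network Traffic Flow"},
    "T1078.004": {"Logon Session: Logon Session Creation"},
    "T1547.001": {"Windows Registry: Windows Registry Key Modification"},
    "T1041": {"Network Traffic: Network Traffic Flow"},
}

# Constructed: the telemetry this environment actually ships to the SIEM.
COLLECTED = {"Process: Process Creation", "Logon Session: Logon Session Creation"}

def telemetry_gaps(required, collected):
    """Techniques that cannot be detected with current telemetry, with what is missing."""
    return {t: sorted(needed - collected)
            for t, needed in required.items() if not needed <= collected}

def blockers_by_source(required, collected):
    """Rank missing data components by the number of techniques each one blocks:
    the order in which new log collection pays off."""
    counts = Counter()
    for missing in telemetry_gaps(required, collected).values():
        counts.update(missing)
    return counts.most_common()

def explain(required, collected):
    """Produce the page's sentence: cannot detect X because we don't collect Y."""
    return [f"cannot detect {t} because we don't collect {', '.join(m)}"
            for t, m in sorted(telemetry_gaps(required, collected).items())]
```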

Maintaining currency

ATT&CK updates at least twice a year. New techniques are added; existing ones renamed or restructured. Stale references in your detections become confusing. Maintenance:

  • Subscribe to ATT&CK release notes
  • Quarterly review: do any of our detections reference deprecated technique IDs?
  • Regenerate coverage maps after each release
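An added Python example for the quarterly deprecated-ID review (not part of the page or of any Sigma tooling): it pulls technique IDs out of Sigma rule tags and checks them against a constructed current-ID set and a constructed revoked-ID table. The T1086 to T1059.001 replacement is a real historical one; everything else is sample data.

```python
import re

# Constructed lookup of revoked technique IDs and their replacements. T1086 (the old
# standalone PowerShell technique) really was folded into T1059.001; CURRENT is a
# sample subset of live IDs. Take the real lists from each ATT&CK release's notes.
REVOKED = {"T1086": "T1059.001"}
CURRENT = {"T1059", "T1059.001", "T1059.003", "T1566.002", "T1021.001"}

# Sigma writes technique tags in lower case, e.g. attack.t1059.003.
TAG_RE = re.compile(r"^\s*-\s*attack\.(t\d{4}(?:\.\d{3})?)\s*$",
                    re.IGNORECASE | re.MULTILINE)

def technique_tags(rule_text):
    """Extract technique IDs from a rule's tags block, normalised to upper case."""
    return [m.upper() for m in TAG_RE.findall(rule_text)]

def audit_rule(rule_text, current=CURRENT, revoked=REVOKED):
    """Classify each technique tag as 'ok', 'revoked -> <replacement>' or 'unknown'."""
    verdicts = {}
    for tid in technique_tags(rule_text):
        if tid in current:
            verdicts[tid] = "ok"
        elif tid in revoked:
            verdicts[tid] = f"revoked -> {revoked[tid]}"
        else:
            verdicts[tid] = "unknown"
    return verdicts

def stale_rules(rules, current=CURRENT, revoked=REVOKED):
    """Names of rules carrying at least one revoked or unknown technique tag."""
    return [name for name, text in rules.items()
            if any(v != "ok" for v in audit_rule(text, current, revoked).values())]

# Constructed sample rules: the first mirrors the page's rule, the second carries the
# retired PowerShell ID, the third a typo that matches no technique at all.
RULES = {
    "office-cmd": "tags:\n  - attack.execution\n  - attack.t1059.003\nlevel: high\n",
    "old-powershell": "tags:\n  - attack.execution\n  - attack.t1086\nlevel: medium\n",
    "typo": "tags:\n  - attack.t9999\n",
}
```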

Tools that use ATT&CK natively

  • ATT&CK Navigator — free, the standard visualization
  • DeTT&CT — coverage mapping with data-source awareness
  • Atomic Red Team — test scripts indexed by technique
  • MITRE CALDERA — automated adversary emulation, ATT&CK-aligned
  • Most SIEM detection libraries — Sigma, Elastic detections, Microsoft analytics — now tag techniques explicitly

What the last module covers

Module 5 is the capstone: taking a threat intelligence report, extracting its ATT&CK mapping, turning that into a hunt hypothesis, running the hunt in your SIEM, and documenting what you found. Intel-driven hunting is where the whole track pays off.


Module Quiz · 15 questions

Pass with 80%+ to mark this module complete. Unlimited retries. Each question shows an explanation.
