MITRE ATT&CK is the industry's shared language for describing how adversaries operate. The Enterprise matrix alone is a taxonomy of 14 tactics, roughly 200 techniques and over 400 sub-techniques, published as versioned releases roughly twice a year rather than edited continuously, so every mapping should name the version it was made against. Used well, it structures CTI reports, maps detection coverage, scopes red-team exercises, and gives CTI, detection and red teams a common vocabulary. Used as a checklist to pad reports, it produces noise. This module covers operational use of ATT&CK.
Structure of ATT&CK
- Tactic: the adversary's goal, the "why" of an action (Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact, plus Reconnaissance and Resource Development for the pre-compromise phase)
- Technique: how they achieve it (T1059 Command and Scripting Interpreter)
- Sub-technique: a specific variant (T1059.001 PowerShell, T1059.003 Windows Command Shell)
- Procedure: exactly how a specific actor used the technique (free-form text, tied to group / software records)
ATT&CK also tracks Groups (named threat actors), Software (malware and tools) and Campaigns, each linked to the techniques they use; the procedure text lives on those links, not on the technique itself. Alongside them sit Mitigations (what counters a technique) and Data Sources (what telemetry could surface it), which is what makes the framework usable for coverage work rather than only for description.
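The hierarchy above is exactly what the published ATT&CK STIX 2.1 bundles encode: techniques are `attack-pattern` objects whose tactic is carried in `kill_chain_phases`, sub-techniques are flagged with `x_mitre_is_subtechnique`, groups are `intrusion-set` objects, and the procedure is the `description` on a `uses` relationship between the two. The following is an added example (not part of the module): it walks a hand-constructed bundle fragment shaped like MITRE's data and rebuilds the tactic, technique, sub-technique and procedure view. The object ids, the placeholder "T9999" object and the procedure texts are constructed; the technique ids T1059, T1059.001 and T1078 are real. Note the revoked-object filter: keeping revoked or deprecated ids is the usual cause of stale entries in a coverage map.

```python
"""Walk an ATT&CK-style STIX 2.1 bundle and recover the tactic -> technique ->
sub-technique -> procedure hierarchy.

Object shapes follow MITRE's published bundles (attack-stix-data on GitHub),
but the bundle below is a constructed fragment, not the real enterprise-attack.json.
"""
import json
from collections import defaultdict

# Constructed fragment: a technique, its sub-technique, a multi-tactic technique,
# a revoked object, one group, and the "uses" relationships that carry procedure text.
BUNDLE = json.loads(r'''
{"type": "bundle", "id": "bundle--example", "objects": [
  {"type": "attack-pattern", "id": "attack-pattern--aaaa",
   "name": "Command and Scripting Interpreter", "x_mitre_is_subtechnique": false,
   "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "execution"}],
   "external_references": [{"source_name": "mitre-attack", "external_id": "T1059"}]},
  {"type": "attack-pattern", "id": "attack-pattern--bbbb",
   "name": "PowerShell", "x_mitre_is_subtechnique": true,
   "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "execution"}],
   "external_references": [{"source_name": "mitre-attack", "external_id": "T1059.001"}]},
  {"type": "attack-pattern", "id": "attack-pattern--cccc",
   "name": "Valid Accounts", "x_mitre_is_subtechnique": false,
   "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "initial-access"},
                         {"kill_chain_name": "mitre-attack", "phase_name": "persistence"},
                         {"kill_chain_name": "mitre-attack", "phase_name": "privilege-escalation"},
                         {"kill_chain_name": "mitre-attack", "phase_name": "defense-evasion"}],
   "external_references": [{"source_name": "mitre-attack", "external_id": "T1078"}]},
  {"type": "attack-pattern", "id": "attack-pattern--dddd",
   "name": "Retired Technique (constructed)", "revoked": true, "x_mitre_is_subtechnique": false,
   "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "execution"}],
   "external_references": [{"source_name": "mitre-attack", "external_id": "T9999"}]},
  {"type": "intrusion-set", "id": "intrusion-set--eeee", "name": "APT29",
   "aliases": ["APT29", "Cozy Bear"]},
  {"type": "relationship", "id": "relationship--ffff", "relationship_type": "uses",
   "source_ref": "intrusion-set--eeee", "target_ref": "attack-pattern--bbbb",
   "description": "Constructed procedure: the group ran PowerShell loaders in memory."},
  {"type": "relationship", "id": "relationship--gggg", "relationship_type": "uses",
   "source_ref": "intrusion-set--eeee", "target_ref": "attack-pattern--cccc",
   "description": "Constructed procedure: the group logged in with stolen credentials."}
]}
''')


def attack_id(obj):
    """Return the Txxxx / Txxxx.yyy id from external_references, or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def index_techniques(bundle):
    """Map technique id -> {name, tactics, parent}, skipping revoked/deprecated objects."""
    out = {}
    for obj in bundle["objects"]:
        if obj.get("type") != "attack-pattern":
            continue
        if obj.get("revoked") or obj.get("x_mitre_deprecated"):
            continue
        tid = attack_id(obj)
        if tid is None:
            continue
        tactics = [p["phase_name"] for p in obj.get("kill_chain_phases", [])
                   if p.get("kill_chain_name") == "mitre-attack"]
        parent = tid.split(".")[0] if obj.get("x_mitre_is_subtechnique") else None
        out[tid] = {"name": obj["name"], "tactics": tactics, "parent": parent}
    return out


def procedures_for(bundle, group_name):
    """Return sorted [(technique_id, procedure_text)] for a group, via 'uses' relationships."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    groups = {o["id"] for o in bundle["objects"] if o.get("type") == "intrusion-set"
              and (o.get("name") == group_name or group_name in o.get("aliases", []))}
    procs = []
    for obj in bundle["objects"]:
        if obj.get("type") == "relationship" and obj.get("relationship_type") == "uses" \
                and obj.get("source_ref") in groups:
            target = by_id.get(obj.get("target_ref"))
            if target and target.get("type") == "attack-pattern":
                procs.append((attack_id(target), obj.get("description", "")))
    return sorted(procs)


def by_tactic(techniques):
    """Group technique ids under each tactic; a multi-tactic technique appears under all of them."""
    grouped = defaultdict(list)
    for tid, info in techniques.items():
        for tactic in info["tactics"]:
            grouped[tactic].append(tid)
    return {t: sorted(ids) for t, ids in grouped.items()}


if __name__ == "__main__":
    techs = index_techniques(BUNDLE)
    for tactic, ids in sorted(by_tactic(techs).items()):
        print(f"{tactic:22} {ids}")
    for tid, text in procedures_for(BUNDLE, "Cozy Bear"):
        print(f"{tid:12} {text}")
```

Pointed at the real enterprise-attack.json, the same three functions give you the full matrix and any group's procedure list; the alias lookup matters because reports rarely use MITRE's canonical group name.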
The matrices
ATT&CK has three matrices, each scoped to a technology domain and subdivided by platform:
- Enterprise: Windows, macOS, Linux, IaaS, SaaS, Office 365, Azure AD, Network, Containers (platform names shift between releases; recent versions fold Office 365 and Azure AD into Office Suite and Identity Provider)
- Mobile: Android, iOS
- ICS: industrial control systems
Use the matrix relevant to your environment. Cloud and SaaS-heavy organisations: filter the Enterprise matrix to the cloud platforms (the Cloud view in the ATT&CK site and Navigator). The tactics are the same as on-premises; what changes is the technique set, so there is no separate list of "cloud tactics" to look for.
Operational uses
1. Describe a threat group
Every threat report should carry an ATT&CK mapping, at sub-technique granularity wherever the evidence supports it and tagged with the ATT&CK version used: "APT29 uses T1566.002 (Spearphishing Link), T1059.001 (PowerShell), T1078.004 (Cloud Accounts)..." Defenders can then parse the report into detection work: "which of these techniques do we lack coverage for?" A mapping padded with every technique the group has ever been credited with defeats that purpose; map what the report actually observed.
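The parse-into-detection-work step is mechanical once the report's technique ids and the SIEM's coverage map are both keyed by ATT&CK id. The following is an added example (not from the module) with a constructed report and a constructed coverage map; the rule names and the Navigator version strings are assumptions, the technique ids are real. It handles the caveat that bites most teams: a rule registered against a parent technique (T1059) does not prove coverage of a sub-technique the report names (T1059.001), so those are flagged "parent-only" rather than counted as covered. The output is also emitted as an ATT&CK Navigator layer (format 4.x) so the gaps can be overlaid on the matrix.

```python
"""Turn a threat report's ATT&CK mapping into a detection-gap list and a Navigator layer.

Added example with constructed inputs; technique ids are real ATT&CK ids,
rule names and the coverage map are made up for illustration.
"""
import json

# Constructed: techniques the report attributes to the group.
REPORT = {
    "group": "APT29",
    "attack_version": "14",
    "techniques": ["T1566.002", "T1059.001", "T1078.004", "T1021.006", "T1003.001"],
}

# Constructed coverage map: technique id -> detection rule names.
# A rule at a parent id (T1059) is NOT assumed to fire on every sub-technique.
COVERAGE = {
    "T1566.002": ["email-url-rewrite-click"],
    "T1059": ["generic-scripting-host-spawn"],
    "T1078.004": ["cloud-impossible-travel", "cloud-new-mfa-device"],
    "T1003.001": [],  # declared in the map but no rules behind it: still a gap
}

STATUS_SCORE = {"gap": 0, "parent-only": 1, "covered": 2}


def parent_of(tid):
    """T1059.001 -> T1059; a parent technique maps to itself."""
    return tid.split(".")[0]


def classify(tid, coverage):
    """'covered' if rules exist at this exact id, 'parent-only' if only the
    parent technique has rules, otherwise 'gap'."""
    if coverage.get(tid):
        return "covered"
    if "." in tid and coverage.get(parent_of(tid)):
        return "parent-only"
    return "gap"


def gap_report(report, coverage):
    """Map each reported technique id to its coverage status (duplicates collapsed)."""
    return {tid: classify(tid, coverage) for tid in sorted(set(report["techniques"]))}


def work_items(report, coverage):
    """Technique ids that need detection engineering, gaps first."""
    statuses = gap_report(report, coverage)
    return sorted((t for t, s in statuses.items() if s != "covered"),
                  key=lambda t: (STATUS_SCORE[statuses[t]], t))


def navigator_layer(report, coverage, navigator_version="4.9.1", layer_format="4.5"):
    """Build an ATT&CK Navigator layer colouring each technique by coverage status.
    The version strings are assumptions; adjust to the Navigator build you import into."""
    statuses = gap_report(report, coverage)
    return {
        "name": f"{report['group']} coverage",
        "versions": {"attack": report["attack_version"],
                     "navigator": navigator_version, "layer": layer_format},
        "domain": "enterprise-attack",
        "description": "score 0 = gap, 1 = parent-level rule only, 2 = covered",
        "techniques": [
            {"techniqueID": tid, "score": STATUS_SCORE[status],
             "comment": f"{status}; rules: {', '.join(coverage.get(tid, [])) or 'none'}",
             "enabled": True}
            for tid, status in statuses.items()
        ],
        "gradient": {"colors": ["#ff6666", "#ffe766", "#8ec843"], "minValue": 0, "maxValue": 2},
    }


if __name__ == "__main__":
    for tid, status in gap_report(REPORT, COVERAGE).items():
        print(f"{tid:12} {status}")
    print("work items:", work_items(REPORT, COVERAGE))
    print(json.dumps(navigator_layer(REPORT, COVERAGE), indent=2))
```

Keeping the coverage map as a versioned file next to the detection rules, keyed by the same ids the CTI team uses, is what makes this diff reproducible from one report to the next.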