
MITRE ATT&CK framework


Can AlgoSec be used for continuous compliance monitoring?

Yes, AlgoSec supports continuous compliance monitoring. As organizations adapt their security policies to meet emerging threats and address new vulnerabilities, they must constantly verify these changes against the compliance frameworks they subscribe to.


AlgoSec can generate risk assessment reports and conduct internal audits on demand, allowing compliance officers to monitor compliance performance in real time.


Security professionals can also use AlgoSec to preview and simulate proposed changes to the organization’s security policies. This gives compliance officers lead time before a planned change affects regulatory compliance, and keeps the monitoring continuous rather than point-in-time.

What is the MITRE ATT&CK® framework?

MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a publicly available knowledge base of the tactics and techniques adversaries use today.


It catalogs adversary behavior observed in real-world intrusions and, for each technique, documents mitigations and detection guidance that organizations can use to defend against it.


MITRE ATT&CK helps organizations understand how adversaries operate and guides them towards developing security measures to protect their assets and operations.

Understanding the MITRE ATT&CK layout

MITRE ATT&CK is organized into three matrices, each representing a dedicated technology domain:

  • Enterprise

  • Mobile

  • Industrial control systems (ICS)

Most organizations will use the enterprise matrix, which covers attacks against Windows, macOS, Linux, cloud platforms, network infrastructure, and containers.

Reading the matrix starts with what malicious actors are trying to achieve.


Tactics

The enterprise matrix opens to 14 columns representing adversary tactics, i.e., the high-level goals an adversary pursues, ordered roughly as an intrusion unfolds:

  • Reconnaissance

  • Resource development

  • Initial access

  • Execution

  • Persistence

  • Privilege escalation

  • Defense evasion

  • Credential access

  • Discovery

  • Lateral movement

  • Collection

  • Command and control

  • Exfiltration

  • Impact

Next comes the how.


Techniques and Sub-Techniques

Each tactic column leads to rows containing techniques and sub-techniques, i.e., specific methods for achieving a goal.


As of MITRE ATT&CK v18, each tactic lists between 8 and 47 techniques. For example, Reconnaissance lists 11 techniques, including “Active Scanning” and “Phishing for Information.” Persistence lists techniques such as “Create Account” and “Boot or Logon Autostart Execution.” Note that a technique can appear under several tactics (“Valid Accounts,” for instance, serves initial access, persistence, privilege escalation, and defense evasion), so per-tactic counts add up to more than the number of distinct techniques.


Sub-techniques are nested within techniques to capture specific implementations. For instance, under “Phishing,” you have “Spearphishing Attachment,” “Spearphishing Link,” “Spearphishing via Service,” and “Spearphishing Voice.” This granularity matters, because defending against phishing via email attachments calls for different controls than defending against phishing through third-party messaging services.
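To see this layout programmatically, the following added example (not from the original page and not MITRE's own tooling) counts techniques and sub-techniques per tactic from the enterprise-attack STIX 2.1 bundle that MITRE publishes. The embedded miniature bundle is constructed for illustration and mirrors only the fields the script reads; the file path argument, the helper names and the handling of revoked/deprecated entries are this example's assumptions.

```python
"""Count ATT&CK techniques per tactic from an enterprise-attack STIX bundle.

Added example, not MITRE's tooling. Reads only the STIX fields shown in the
constructed SAMPLE_BUNDLE below; the real bundle carries many more.
"""
import json
import sys
from collections import defaultdict


def _ap(name, tid, phases, sub=False, **extra):
    """Build a constructed attack-pattern object in ATT&CK's STIX shape."""
    obj = {
        "type": "attack-pattern",
        "name": name,
        "x_mitre_is_subtechnique": sub,
        "kill_chain_phases": [
            {"kill_chain_name": "mitre-attack", "phase_name": p} for p in phases
        ],
        "external_references": [
            {"source_name": "mitre-attack", "external_id": tid}
        ],
    }
    obj.update(extra)
    return obj


# Constructed miniature bundle: real IDs, but a tiny slice of the knowledge base.
SAMPLE_BUNDLE = {
    "type": "bundle",
    "objects": [
        _ap("Active Scanning", "T1595", ["reconnaissance"]),
        _ap("Phishing", "T1566", ["initial-access"]),
        _ap("Spearphishing Attachment", "T1566.001", ["initial-access"], sub=True),
        _ap("Valid Accounts", "T1078",
            ["initial-access", "persistence", "privilege-escalation", "defense-evasion"]),
        # Scripting (T1064) was deprecated when sub-techniques arrived; it stays in
        # the bundle flagged as deprecated and must be skipped when counting.
        _ap("Scripting", "T1064", ["defense-evasion", "execution"], x_mitre_deprecated=True),
        {"type": "x-mitre-tactic", "name": "Reconnaissance",
         "x_mitre_shortname": "reconnaissance"},
    ],
}


def attack_id(obj):
    """Return the Txxxx ID from an object's mitre-attack external reference."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def techniques_by_tactic(bundle, include_subtechniques=False):
    """Map tactic shortname -> sorted technique IDs.

    Revoked and deprecated entries remain in the bundle and are skipped.
    A technique listed under several tactics is counted once per tactic.
    """
    by_tactic = defaultdict(set)
    for obj in bundle.get("objects", []):
        if obj.get("type") != "attack-pattern":
            continue
        if obj.get("revoked") or obj.get("x_mitre_deprecated"):
            continue
        if obj.get("x_mitre_is_subtechnique") and not include_subtechniques:
            continue
        tid = attack_id(obj)
        if tid is None:
            continue
        for phase in obj.get("kill_chain_phases", []):
            if phase.get("kill_chain_name") == "mitre-attack":
                by_tactic[phase["phase_name"]].add(tid)
    return {tactic: sorted(ids) for tactic, ids in by_tactic.items()}


def summarize(bundle):
    """Return (tactic, technique count, sub-technique count) rows, widest first."""
    base = techniques_by_tactic(bundle)
    full = techniques_by_tactic(bundle, include_subtechniques=True)
    rows = []
    for tactic in full:
        n_base = len(base.get(tactic, []))
        rows.append((tactic, n_base, len(full[tactic]) - n_base))
    return sorted(rows, key=lambda r: (-r[1], r[0]))


def main(argv):
    if len(argv) > 1:
        # Assumed usage: pass the path of enterprise-attack.json from MITRE's STIX data.
        with open(argv[1], encoding="utf-8") as fh:
            bundle = json.load(fh)
    else:
        bundle = SAMPLE_BUNDLE
    for tactic, n, n_sub in summarize(bundle):
        print(f"{tactic:<22} {n:>3} techniques  {n_sub:>3} sub-techniques")


if __name__ == "__main__":
    main(sys.argv)
```

Run it without arguments to see the constructed sample; point it at the real bundle to reproduce the per-tactic counts for the version you have, including the double counting of cross-listed techniques such as Valid Accounts.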


MITRE ATT&CK Matrix 

The matrix is only the entry point. The knowledge base also cross-references every technique with other object types: adversary groups, software (malware and tools), campaigns, data sources, and mitigations. This allows users to filter their view to the adversaries, tools, and campaigns relevant to their business operations.


MITRE ATT&CK is constantly updated as adversaries and their tactics, techniques, and procedures (TTPs) evolve. Each version has new features based on empirical threat intelligence, incident response findings, and community research. This is especially important in the face of emerging threat trends, such as AI-assisted cyberattacks and the growth of ransomware-as-a-service (RaaS).

Benefits of the MITRE ATT&CK framework

MITRE ATT&CK doesn’t simply offer threat intelligence but also shapes organizations’ security operations for multiple use cases:

  • Threat intelligence gathering: Gain context for indicators of compromise (IOCs); beyond "bad IP address detected," know whether the address is associated with a specific technique adversaries use for command and control.

  • Threat hunting: Use a hypothesis-driven approach to systematically hunt for evidence of specific techniques used, instead of randomly searching logs. 

  • Attack simulation and red team exercises: Leverage real-world, standardized playbooks for testing both offensive capabilities and defensive responses; map your red team's successful tactics against your blue team's detection rates to identify coverage gaps with precision.

  • Gap analysis: Visualize which techniques you can detect, which you can prevent, and most importantly, which represent blind spots in your security architecture.

  • Response validation: Test whether your incident response procedures actually work against the techniques most relevant to your threat profile.


The use cases above are the mechanics; the bottom line is the benefits companies reap from them:

  • Shared understanding of the threat landscape: MITRE ATT&CK offers a common language for discussing adversaries across technical teams, executives, and even board members.

  • Accurate simulation of attacks and validation of defenses: Mapped exercises tell you whether you can detect and respond to techniques adversaries actually use.

  • Informed development and deployment of security policies: Craft policies that specifically address the techniques most relevant to your business risk profile.

  • Intelligent selections of security solutions: Ask vendors which ATT&CK techniques they address and check those claims against your coverage gaps.

Best practices for MITRE ATT&CK mapping

The MITRE ATT&CK framework's value comes from mapping security data to specific ATT&CK techniques. But mapping without context is like having a map without knowing your starting location; it’s technically interesting, but operationally useless.


The CISA guide "Best Practices for MITRE ATT&CK Mapping" identifies two fundamental approaches to ATT&CK mapping:

  • Mapping into finished reports (creating security insights for decision-making) 

  • Mapping into raw data (embedding ATT&CK context into operational security workflows)

Understanding which approach fits your business needs is crucial.


Mapping MITRE ATT&CK into finished reports

This approach starts with collating incident reports, threat intelligence, or post-mortem analyses, extracting behavioral patterns, and then translating them into ATT&CK language. This creates artifacts that inform security strategy, resource allocation, and executive communication.


The process follows six steps:

  1. Find the behavior. Identify the specific actions the adversary took. Look beyond IOCs such as malware names and IP addresses to “how the adversary interacted with specific platforms and applications.”

  2. Research the behavior. Was this a standard administrative task gone rogue or a sophisticated persistence mechanism? Investigate the original source, technical details, timing, and surrounding activity. Consult malware analysis reports from reliable organizations, security reports, or your own forensic data.

  3. Translate the behavior into a tactic. Map the identified behavior to one of the tactics in the MITRE framework.

  4. Identify the technique used for the tactic. For example, within the Execution tactic, scan for the technique that best describes the method. ATT&CK provides detailed descriptions for each technique to help you map to the right one. 

  5. Identify the sub-techniques. Was it a Windows scheduled task? A Linux Cron job? The sub-technique matters because detection and mitigation strategies for each differ significantly.

  6. Compare results to those of other analysts. CISA recommends that analysts treat mapping as a team sport where they work together to identify ATT&CK techniques and ensure quality control. Different analysts examining the same behavior should arrive at the same ATT&CK mapping.


Mapping MITRE ATT&CK into raw data

While finished reports inform strategy, mapping into raw data enables operations. This approach embeds ATT&CK context directly into your detection engineering, threat hunting, and daily security workflows.


Organizations can choose from three viable starting points, each suited to different operational scenarios.

1. Start with a data source

Start from a specific data source, say, authentication logs from your cloud identity provider, and ask which ATT&CK techniques would leave observable activity in those logs.

For authentication logs, you would map to techniques like "Valid Accounts" (T1078) and "Brute Force" (T1110), including its sub-technique "Credential Stuffing" (T1110.004). You would then write the detection logic, i.e., the specific log patterns that indicate these techniques in action. (In ATT&CK terms, the adversary's concrete implementation is the procedure; your log pattern is the analytic that catches it.)

This approach is ideal when deploying new data sources or optimizing existing ones.
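As an added example of that detection logic (not code from the original page or from AlgoSec), the script below runs three ATT&CK-tagged analytics over a constructed sample of identity-provider sign-in events: repeated failures against one account from one source (T1110), failures spread across many accounts from one source (T1110.004), and a subsequent success from a source already flagged for guessing (T1078). The JSON log format, the field names, the ten-minute window and the thresholds are all assumptions to be tuned to your own IdP and baseline.

```python
"""Map identity-provider sign-in events to ATT&CK techniques.

Added example, not from the original page or from AlgoSec. The log format
and thresholds are assumptions; tune both to your IdP and your baseline.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)      # sliding window per source address
BRUTE_FORCE_FAILURES = 5            # T1110: same source, same account
STUFFING_ACCOUNTS = 5               # T1110.004: same source, distinct accounts

TECHNIQUES = {
    "T1110": "Brute Force",
    "T1110.004": "Brute Force: Credential Stuffing",
    "T1078": "Valid Accounts",
}


def _ev(ts, user, src_ip, result):
    return json.dumps({"ts": ts, "user": user, "src_ip": src_ip, "result": result})


# Constructed sample log, one JSON object per line (a hypothetical IdP format).
SAMPLE_LOG = "\n".join([
    # six failures against one account from one source, then a success
    *[_ev(f"2024-05-01T09:00:{s:02d}", "alice", "10.0.0.5", "failure")
      for s in range(0, 60, 10)],
    _ev("2024-05-01T09:01:00", "alice", "10.0.0.5", "success"),
    # one failure each against five accounts from one source (credential stuffing)
    *[_ev(f"2024-05-01T09:05:{i:02d}", u, "203.0.113.9", "failure")
      for i, u in enumerate(["bob", "carol", "dave", "erin", "frank"])],
    # benign success with no prior failures from that source
    _ev("2024-05-01T09:10:00", "alice", "192.0.2.1", "success"),
    # two stale failures, outside the window of the earlier burst
    _ev("2024-05-01T10:00:00", "alice", "10.0.0.5", "failure"),
    _ev("2024-05-01T10:00:05", "alice", "10.0.0.5", "failure"),
])


def parse_events(text):
    """Parse JSON lines into events sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    events.sort(key=lambda e: e["ts"])
    return events


def detect(events):
    """Return ATT&CK-tagged findings in time order."""
    findings = []
    failures = defaultdict(list)   # src_ip -> [(ts, user)] kept within WINDOW
    flagged_at = {}                # src_ip -> ts of the last T1110 finding

    def raise_finding(tid, e):
        findings.append({"technique": tid, "name": TECHNIQUES[tid],
                         "ts": e["ts"].isoformat(), "src_ip": e["src_ip"],
                         "user": e["user"]})

    for e in events:
        src, user, ts = e["src_ip"], e["user"], e["ts"]
        if e["result"] == "failure":
            recent = [(t, u) for t, u in failures[src] if ts - t <= WINDOW]
            recent.append((ts, user))
            failures[src] = recent
            # each threshold fires exactly once, on the event that crosses it
            if sum(1 for _, u in recent if u == user) == BRUTE_FORCE_FAILURES:
                raise_finding("T1110", e)
                flagged_at[src] = ts
            if len({u for _, u in recent}) == STUFFING_ACCOUNTS:
                raise_finding("T1110.004", e)
                flagged_at[src] = ts
        elif e["result"] == "success":
            # a success from a source that was just guessing is the adversary
            # logging in with a credential it obtained: Valid Accounts
            last = flagged_at.get(src)
            if last is not None and ts - last <= WINDOW:
                raise_finding("T1078", e)
    return findings


def run_sample():
    return detect(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['ts']}  {f['technique']:<10} {f['name']:<34} "
              f"src={f['src_ip']} user={f['user']}")
```

The thresholds fire on the event that crosses them rather than on every later event, so one burst yields one finding per technique; the stale failures an hour later fall outside the window and raise nothing, which is the behaviour you want before these analytics go into a SIEM rule.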


2. Start with specific tools or attributes

If threat intelligence indicates adversaries targeting your industry are using a specific software, malware family, or penetration testing tool, you can start mapping from there. After identifying techniques that the tool enables, you can then look up the groups and campaigns that have implemented these techniques.


Cobalt Strike (S0154), for example, maps to dozens of techniques across multiple tactics. By understanding this breadth, you can develop ways of identifying not just the tool itself but the behaviors it facilitates.


3. Start with analytics

Just as adversaries use software to target businesses, analysts can use security tooling to track adversary behavior.


Platforms such as AlgoSec Cloud Enterprise (ACE) ship with detection rules that collect, log, and correlate events from endpoints, cloud services, and identity providers. These events originate as raw telemetry, which is then mapped to specific MITRE ATT&CK techniques. Mapping through the detection analytics of such tools is increasingly the most practical approach for organizations with mature security tooling.


Note: Mapping into raw data shouldn't exist in isolation. Operational mappings should ultimately feed into finished reports. Your day-to-day detection analytics reveal what you're actually seeing in your environment. These observations, aggregated and analyzed over time, become the foundation for strategic reporting.
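As an added example of turning operational mappings into a finished artifact (not code from the original page, AlgoSec, or MITRE), the script below compares a constructed threat profile against a constructed coverage inventory, lists the blind spots, and emits an ATT&CK Navigator layer so the gaps can be visualized on the matrix. The technique IDs are real; the profile, the inventory, the status colors and the layer field names (which follow the Navigator layer format as assumed here, version 4.5) should be checked against the Navigator release you use.

```python
"""Turn technique-level coverage into a gap report and a Navigator layer.

Added example, not from the original page, AlgoSec or MITRE. The threat
profile and coverage inventory are constructed; the layer keys follow the
ATT&CK Navigator layer format (assumed v4.5).
"""
import json

# Constructed threat profile: techniques CTI associates with your sector.
RELEVANT = {
    "T1566.001": "Phishing: Spearphishing Attachment",
    "T1059.001": "Command and Scripting Interpreter: PowerShell",
    "T1053.005": "Scheduled Task/Job: Scheduled Task",
    "T1110.004": "Brute Force: Credential Stuffing",
    "T1078": "Valid Accounts",
    "T1021.001": "Remote Services: Remote Desktop Protocol",
    "T1041": "Exfiltration Over C2 Channel",
}

# Constructed coverage inventory from your detection analytics and controls.
# A technique missing here has never been assessed, which is its own gap.
COVERAGE = {
    "T1566.001": {"detect": True, "prevent": True},
    "T1059.001": {"detect": True, "prevent": False},
    "T1053.005": {"detect": True, "prevent": False},
    "T1110.004": {"detect": True, "prevent": False},
    "T1078": {"detect": False, "prevent": False},
}

STATUS_COLOR = {"prevent": "#2e7d32", "detect": "#f9a825",
                "unassessed": "#9e9e9e", "blind": "#c62828"}
STATUS_SCORE = {"prevent": 3, "detect": 2, "unassessed": 1, "blind": 0}


def status_of(tid, coverage):
    """Classify one technique: prevent > detect > blind; absent means unassessed."""
    entry = coverage.get(tid)
    if entry is None:
        return "unassessed"
    if entry.get("prevent"):
        return "prevent"
    if entry.get("detect"):
        return "detect"
    return "blind"


def gap_report(relevant, coverage):
    """Group relevant technique IDs by status; 'blind' and 'unassessed' are the gaps."""
    report = {status: [] for status in STATUS_SCORE}
    for tid in sorted(relevant):
        report[status_of(tid, coverage)].append(tid)
    return report


def navigator_layer(relevant, coverage, name="Coverage vs. threat profile"):
    """Build a Navigator layer dict that colors each relevant technique by status."""
    techniques = []
    for tid, tname in sorted(relevant.items()):
        status = status_of(tid, coverage)
        techniques.append({
            "techniqueID": tid,
            "score": STATUS_SCORE[status],
            "color": STATUS_COLOR[status],
            "comment": f"{tname}: {status}",
            "enabled": True,
        })
    return {
        "name": name,
        "versions": {"attack": "18", "navigator": "5.1.0", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": "Generated from a coverage inventory; red = blind spot, grey = unassessed.",
        "techniques": techniques,
        "legendItems": [{"label": s, "color": c} for s, c in STATUS_COLOR.items()],
        "hideDisabled": False,
    }


def main():
    for status, ids in gap_report(RELEVANT, COVERAGE).items():
        print(f"{status:<11} {', '.join(ids) or '-'}")
    # Assumed output path; load the file with Navigator's "Open Existing Layer".
    with open("coverage_layer.json", "w", encoding="utf-8") as fh:
        json.dump(navigator_layer(RELEVANT, COVERAGE), fh, indent=2)


if __name__ == "__main__":
    main()
```

Keeping "unassessed" separate from "blind" is deliberate: a technique nobody has looked at is a process gap, while a technique that was assessed and found uncovered is an engineering gap, and the two go to different owners.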

How to ACE your operations with the MITRE ATT&CK framework

Enterprises generate millions of security events daily across cloud infrastructure, endpoints, network boundaries, and SaaS applications. With this deluge, it is unreasonable to expect analysts to hand-map behaviors.


Enter AlgoSec Cloud Enterprise (ACE), a platform that offers full visibility into your operations by collecting log data, aggregating and contextualizing it, and then mapping it automatically to MITRE ATT&CK techniques.


This transforms raw telemetry streams into structured threat intelligence aligned with the MITRE ATT&CK framework.


ACE’s finished reports provide a clear, risk-oriented view of your adversary exposure, using language that every analyst and decision-maker can understand.


See why more than 2,200 companies trust AlgoSec. Schedule a demo today.
