How to implement and use the MITRE ATT&CK framework

How to implement and use the MITRE ATT&CK framework

Mitigating security vulnerabilities is difficult. Attackers need to exploit just one vulnerability to breach your network, but defenders have to secure everything. That’s why security programs have been shifting resources toward detection and response: detecting when the bad guys are in your network and then responding to their actions efficiently to gather evidence and mitigate the risk.

How can you build a program around detection and response? MITRE’s ATT&CK framework is one answer. ATT&CK can serve as a unifying taxonomy for different groups within an organization to share information, work together and build the necessary detection and response procedures.

’s ATT&CK has been gaining steady adoption from the security community because it organizes the steps attackers take to infiltrate your network, compromise hosts, escalate privileges, move laterally without detection, and exfiltrate data. Using a common taxonomy of attacker behavior in MITRE ATT&CK will help security teams — cyber incident response teams (CIRT), security operations centers (SOC), red and blue teams, threat hunters, IT — better test, develop, and prioritize their detection and response mechanisms to be relevant to their companies’ business, industry and intellectual property.

MITRE ATT&CK’s taxonomy is daunting and a bit overwhelming. There is so much information that it is easy to get stuck in analysis paralysis. These tips and guidance will help you quickly get your ATT&CK program up and running.


How to understand the MITRE ATT&CK content

The tactics, techniques and procedures are documented in a tabular format as the MITRE ATT&CK Enterprise Matrix. The ATT&CK Navigator on GitHub provides more options for exploring the matrix.

  • “Tactics” are the column header names and are generalized categories for why attackers use specific techniques.
  • “Techniques” appear in each box under the tactics column headers and show what attackers do to accomplish a tactic. The ATT&CK matrix assigns a number to each technique such as T1500 or T1191.
  • “Procedures” are accessible via links in the techniques boxes. They show how attackers execute a technique. Procedures provide more detailed instructions on how a specific technique has been implemented by attackers (even by attacking group) in the wild.

What makes MITRE ATT&CK great is that all the tactics, techniques and procedures (TTP) are based on what has been observed by actual attacking groups in the real world. Many of these groups use the same techniques. It is almost as if the hacking groups have their own playbook when attacking systems and they use this playbook to get new members productive quickly.


Leave a Reply