MITRE ATT&CK® is an open framework for implementing cybersecurity detection and response programs. The ATT&CK framework is available free of charge and includes a global knowledge base of adversarial tactics, techniques, and procedures (TTPs) based on real-world observations. ATT&CK mimics the behavior of real-life attackers, helping IT, security, and compliance organizations efficiently identify security gaps, evaluate risks, and eliminate vulnerabilities.
ATT&CK provides a common taxonomy that lets various constituents (SecOps teams, red and blue teams, penetration testers, security solution providers, threat intelligence vendors, etc.) communicate using the same language. ATT&CK also includes a Groups database that tracks the activities of threat actors and cybercriminal syndicates around the world.
MITRE ATT&CK Background and Scope
In 2013, researchers at the MITRE Corporation began documenting the various methods threat actors use to penetrate networks and carry out attacks. Since then, MITRE has identified hundreds of different techniques adversaries use to execute cyberattacks. ATT&CK organizes these techniques into a collection of tactics to help security practitioners efficiently detect, isolate, and remediate threats. The tactics describe what the adversary is trying to do (e.g., steal credentials) and the techniques describe the actions the adversary takes to achieve their goals (e.g., brute force methods).
MITRE publishes a series of ATT&CK matrices describing common cybersecurity tactics, techniques, sub-techniques, and mitigations for various operating environments including:
- ATT&CK for Enterprise Matrix for Windows, macOS, Linux, cloud, containers, and network systems
- ATT&CK for Mobile Matrix for Apple iOS and Android devices
- ATT&CK for Industrial Control Systems Matrix for Supervisory Control and Data Acquisition (SCADA) systems and other industrial control systems
ATT&CK for Enterprise Matrix Overview
The ATT&CK for Enterprise Matrix details the tactics and techniques threat actors use to penetrate a network, compromise IT systems, escalate privileges, and move laterally without detection. Early versions of the matrix focused on enterprise networks and on-premises IT infrastructure. Over time MITRE expanded the scope of ATT&CK for Enterprise to include IaaS, PaaS, and SaaS environments.
ATT&CK for Enterprise Matrix (v9) covers a variety of desktop and server operating systems (Windows, macOS, Linux), cloud platforms (AWS, Microsoft Azure, Google Cloud Platform), SaaS solutions (Azure AD, Microsoft 365, Google Workspace) and network resources. It captures the various tactics threat actors commonly employ before and during an attack, as summarized in the table below.
| Tactic | The Adversary is Trying to: |
| Reconnaissance | Gather information they can use to plan future operations |
| Resource Development | Establish resources they can use to support operations |
| Initial Access | Get into your network |
| Execution | Run malicious code |
| Persistence | Maintain their foothold |
| Privilege Escalation | Gain higher-level permissions |
| Defense Evasion | Avoid being detected |
| Credential Access | Steal account names and passwords |
| Discovery | Figure out your environment |
| Lateral Movement | Move through your environment |
| Collection | Gather data of interest to their goal |
| Command and Control | Communicate with compromised systems to control them |
| Exfiltration | Steal data |
| Impact | Manipulate, interrupt, or destroy your systems and data |
The MITRE ATT&CK Matrix is exhaustive. V9 includes 14 distinct tactics made up of 185 techniques and 367 sub-techniques. Most enterprises take a phased approach to ATT&CK, aligning security investments with perceived risks.
