Frameworks and Standards

MITRE ATT&CK

A knowledge base of adversary tactics and techniques based on real world observations, used to model and defend against attacker behavior.

Where you will see it: Primarily in security operations and detection engineering, threat intelligence reporting, incident response, and red and purple team planning; also in risk and control-mapping work, where coverage of techniques is used to justify roadmaps and report to leadership.

What it is

A curated knowledge base that catalogs how attackers behave, giving defenders a shared model to plan detection and testing against real techniques.

Key points
  • Tactics describe an adversary goal (for example credential access), and techniques describe how the goal is achieved; techniques are often broken into sub-techniques, and procedures record the specific implementations seen in the wild.
  • Used for threat modeling, detection engineering, threat hunting, and red team and purple team planning.
  • Helps teams map defensive coverage and gaps across the attack lifecycle.
  • Supports structured use of data sources and telemetry for detection and investigation.

How it works in broad strokes

  1. Choose the domain that matches your environment (ATT&CK publishes Enterprise, Mobile, and ICS matrices), then identify the tactics and techniques relevant to your threats.
  2. Map existing controls, detections, and response playbooks to techniques to see coverage and gaps.
  3. Prioritize a small set of high risk techniques and build detections based on relevant data sources and analytics.
  4. Validate with controlled testing, such as atomic tests or purple team exercises, then tune based on results.
  5. Track progress as coverage improves and update mapping as ATT&CK evolves and your environment changes.
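The five steps above amount to a coverage model: which techniques you care about, which telemetry can reveal each one, which detections consume that telemetry, and which detections have actually fired in a controlled test. The following script is an added example (not part of the original page and not MITRE's own tooling) that encodes that model for a handful of techniques. The technique IDs and names are real ATT&CK Enterprise identifiers, but the telemetry inventory, the detection rules and the test results are constructed for the example, and the output dict follows what is assumed to be the minimal shape of an ATT&CK Navigator layer file (name, domain, and a techniques list with techniqueID, score and comment).

```python
"""Technique coverage tracker: telemetry -> detection -> validation.

Added example. Technique IDs/names are real ATT&CK Enterprise IDs; the
telemetry inventory, rules and validation results are constructed.
"""
from dataclasses import dataclass
import json


@dataclass(frozen=True)
class Technique:
    tid: str
    name: str
    tactic: str
    data_sources: frozenset   # telemetry that can reveal the behaviour


@dataclass(frozen=True)
class Detection:
    name: str
    technique: str            # technique ID the rule is mapped to
    requires: frozenset       # data sources the rule actually consumes
    validated: bool           # fired during an atomic test / purple team run


# Constructed sample: data-source wording follows ATT&CK's "Source: Component" style.
TECHNIQUES = [
    Technique("T1003.001", "OS Credential Dumping: LSASS Memory", "credential-access",
              frozenset({"Process: OS API Execution", "Process: Process Access"})),
    Technique("T1021.002", "Remote Services: SMB/Windows Admin Shares", "lateral-movement",
              frozenset({"Logon Session: Logon Session Creation", "Network Share: Network Share Access"})),
    Technique("T1053.005", "Scheduled Task/Job: Scheduled Task", "persistence",
              frozenset({"Process: Process Creation", "Scheduled Job: Scheduled Job Creation"})),
    Technique("T1048", "Exfiltration Over Alternative Protocol", "exfiltration",
              frozenset({"Network Traffic: Network Traffic Flow"})),
]

# Constructed: telemetry the environment collects today.
AVAILABLE_TELEMETRY = frozenset({
    "Process: Process Creation",
    "Process: Process Access",
    "Scheduled Job: Scheduled Job Creation",
    "Logon Session: Logon Session Creation",
})

# Constructed: rules as deployed. The SMB rule is mapped to a technique but
# consumes a data source that is not collected, so it must not count.
DETECTIONS = [
    Detection("lsass-handle-open", "T1003.001", frozenset({"Process: Process Access"}), validated=True),
    Detection("schtasks-create", "T1053.005", frozenset({"Process: Process Creation"}), validated=False),
    Detection("smb-admin-share", "T1021.002", frozenset({"Network Share: Network Share Access"}), validated=False),
]

SCORES = {"no-telemetry": 0, "no-detection": 25, "unvalidated": 50, "validated": 100}


def coverage_state(tech, detections=DETECTIONS, telemetry=AVAILABLE_TELEMETRY):
    """Classify one technique. A rule only counts if every data source it
    needs is collected, and only reaches 'validated' if a controlled test fired it."""
    if not tech.data_sources & telemetry:
        return "no-telemetry"
    live_rules = [d for d in detections
                  if d.technique == tech.tid and d.requires <= telemetry]
    if not live_rules:
        return "no-detection"
    return "validated" if any(d.validated for d in live_rules) else "unvalidated"


def coverage_report(techniques=TECHNIQUES, detections=DETECTIONS, telemetry=AVAILABLE_TELEMETRY):
    return {t.tid: coverage_state(t, detections, telemetry) for t in techniques}


def telemetry_gaps(techniques=TECHNIQUES, detections=DETECTIONS, telemetry=AVAILABLE_TELEMETRY):
    """Uncollected data sources for every technique that is not yet validated."""
    return {t.tid: sorted(t.data_sources - telemetry) for t in techniques
            if coverage_state(t, detections, telemetry) != "validated"
            and t.data_sources - telemetry}


def navigator_layer(techniques=TECHNIQUES, detections=DETECTIONS, telemetry=AVAILABLE_TELEMETRY):
    """Dict in the assumed minimal ATT&CK Navigator layer shape; score is
    evidence-based, so an untested rule never colours a cell fully green."""
    cells = []
    for t in techniques:
        state = coverage_state(t, detections, telemetry)
        cells.append({"techniqueID": t.tid, "tactic": t.tactic,
                      "score": SCORES[state], "comment": state})
    return {"name": "coverage (validated only scores 100)",
            "domain": "enterprise-attack", "techniques": cells}


if __name__ == "__main__":
    for tid, state in coverage_report().items():
        print(tid, state)
    print("gaps:", telemetry_gaps())
    print(json.dumps(navigator_layer(), indent=2))
```

Running it shows T1003.001 as validated, T1053.005 as unvalidated (a rule exists but has not been exercised), T1021.002 as no-detection (the rule consumes telemetry that is not collected) and T1048 as no-telemetry; the gaps list names the data sources that would have to be collected before the next step is worth attempting.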

Concrete example

A SOC maps a short list of techniques, such as OS credential dumping and the remote service techniques used for lateral movement, to the telemetry each one requires. It discovers gaps in endpoint logging and identity auditing, improves data collection and detection, and validates the result through purple team exercises.

Why it matters

If you only defend against tools, you will fall behind. ATT&CK focuses on behaviors, which are more stable and help you build durable detection and response capability.

Security angle

  • ATT&CK is especially powerful for detection engineering: it forces you to tie telemetry to specific adversary behaviors.
  • Use it to make threat hunting repeatable by turning techniques into hypotheses and hunt playbooks.
  • Use ATT&CK Navigator style layers (colored matrices) to communicate coverage to leadership and to plan testing.

Common pitfalls

  • Coloring matrices green without evidence of detection quality, response speed, and false positive handling.
  • Trying to cover every technique instead of focusing on your top threats and critical assets.
  • Ignoring data quality: detections fail when logs are incomplete, unactionable, or not retained long enough.
  • Assuming ATT&CK replaces risk assessment. It complements risk work, it does not define priorities alone.

DEEP DIVE

Behavior model, not a threat list

MITRE ATT&CK is a knowledge base of adversary behavior based on real world observations. It describes what attackers do during operations, which makes it useful for defenders who need to prioritize detections, mitigations, and testing.

ATT&CK is not a list of vulnerabilities and it is not a compliance framework. Its power is in giving teams a consistent way to talk about attacker behavior across threat intelligence, incident response, and security engineering.

If you treat it as a behavior map, it becomes a bridge between what you are seeing in logs and what adversaries are likely trying to achieve.

Tactics, techniques, and procedures: how to read it

ATT&CK organizes behavior by tactics, the attacker's goal, and techniques, the methods used to reach that goal; many techniques are further split into sub-techniques. Procedures are the specific ways a technique shows up in the wild, often tied to a particular group, campaign, or tool.

The model is intentionally broad. Not every technique applies to every environment, so the right mindset is selection and prioritization, not completion.

A practical way to read the matrix is to start with the tactics that matter most to you, then identify the few techniques that are common in your technology stack and your threat profile.

Using ATT&CK for detection and engineering

ATT&CK is most valuable when you connect techniques to telemetry. For each technique you care about, decide what data sources can reveal it, what detection logic is realistic, and what response action should follow.

This approach improves detection quality because it forces precision. A detection that does not specify what behavior it catches and how it will be validated is usually noise.

Teams often combine ATT&CK with purple teaming. They emulate selected techniques, observe what is detected, fix logging gaps, and iterate until coverage is reliable.
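What "connecting a technique to telemetry" looks like in practice, as an added example that is not from the original page: a single detection for T1003.001 (OS Credential Dumping: LSASS Memory) written against Sysmon ProcessAccess events (Event ID 10), with the hypothesis, data source and response action recorded next to the logic. The log lines are constructed in a key=value form that a log shipper might emit; the allowlisted EDR sensor path and the user paths are made up. The access-right check relies on the Windows PROCESS_VM_READ right (0x0010), which any process that reads LSASS memory must hold, so query-only handles such as 0x1000 are ignored rather than generating noise.

```python
"""Detection for T1003.001 over constructed Sysmon Event ID 10 records.

Added example. Sample events, allowlist and paths are constructed.
"""
import re

PROCESS_VM_READ = 0x0010   # Windows access right required to read LSASS memory

# Constructed: processes expected to open LSASS with broad rights (e.g. an EDR sensor).
ALLOWLIST = {r"C:\EDR\sensor.exe"}

# The detection is documented alongside its logic, so validation has a target.
RULE = {
    "name": "lsass-handle-open",
    "technique": "T1003.001",   # OS Credential Dumping: LSASS Memory
    "hypothesis": "A process outside the allowlist opens lsass.exe with PROCESS_VM_READ",
    "data_source": "Process: Process Access (Sysmon Event ID 10)",
    "response": "Isolate host, capture the source process tree, reset credentials exposed on it",
}

# Constructed sample log: one routine query-only handle, one EDR sensor, two suspicious readers,
# and an unrelated process-creation event that the rule must skip.
SAMPLE_LOG = """\
EventID=10 SourceImage=C:\\Windows\\System32\\svchost.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1000
EventID=10 SourceImage=C:\\Users\\bob\\Downloads\\tool.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1010
EventID=10 SourceImage=C:\\EDR\\sensor.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1FFFFF
EventID=1 Image=C:\\Windows\\System32\\cmd.exe CommandLine=cmd.exe /c whoami
EventID=10 SourceImage=C:\\Windows\\System32\\rundll32.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1410
"""

# key=value pairs; values may contain spaces, so stop only before the next "key=" token.
KV = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line):
    return dict(KV.findall(line))


def evaluate(events, allowlist=ALLOWLIST):
    """Return (alerts, suppressed_count). Suppressed events are counted so
    allowlist size stays visible when reviewing false-positive handling."""
    alerts, suppressed = [], 0
    for ev in events:
        if ev.get("EventID") != "10":
            continue
        if not ev.get("TargetImage", "").lower().endswith("\\lsass.exe"):
            continue
        access = int(ev.get("GrantedAccess", "0x0"), 16)
        if not access & PROCESS_VM_READ:
            continue                      # query-only handle: routine, not a memory read
        if ev.get("SourceImage") in allowlist:
            suppressed += 1
            continue
        alerts.append({
            "rule": RULE["name"],
            "technique": RULE["technique"],
            "source": ev["SourceImage"],
            "granted_access": hex(access),
            "response": RULE["response"],
        })
    return alerts, suppressed


def run(log_text=SAMPLE_LOG):
    events = [parse_event(line) for line in log_text.splitlines() if line.strip()]
    return evaluate(events)


if __name__ == "__main__":
    found, skipped = run()
    print(f"{len(found)} alert(s), {skipped} allowlisted event(s) suppressed")
    for alert in found:
        print(alert)
```

Two alerts come out (tool.exe and rundll32.exe), the svchost query-only handle is ignored, and the EDR sensor is suppressed but counted. The rule, its data source and its response action are one unit: if a purple team run of an LSASS read produces no alert, you know whether to look at Event ID 10 collection, at the access-mask logic, or at the allowlist.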

Misunderstandings that lead to false confidence

The most common misunderstanding is coloring boxes green without validation. A single detection for a technique rarely covers all ways the technique can be executed, so coverage must be measured with tests and realistic scenarios.

Another pitfall is mapping techniques to tools instead of to evidence. A product feature does not equal detection unless it is configured, tuned, and monitored by people who will act on it.

Finally, some teams treat ATT&CK as a replacement for risk management. It complements risk decisions, but you still need to decide which threats matter most and why.

How to start: prioritize and validate

Pick a small set of techniques that align with your biggest risks, such as credential abuse, persistence, lateral movement, and data exfiltration patterns relevant to your environment. Validate that you have the right telemetry before you write detections.

Build detections that are tied to clear hypotheses and response playbooks. Then test them through controlled emulation and incident simulations so you can measure signal quality and response readiness.

Expand gradually. The goal is dependable coverage for a focused set of behaviors, not an impressive looking matrix that cannot be defended when a real incident happens.