What is MITRE ATT&CK?

8 minute read
Intermediate

MITRE ATT&CK is the global standard for documenting how attackers operate. Learn the framework structure, how security teams use it to evaluate coverage, and what ATT&CK-based assessment reveals.

The MITRE ATT&CK Framework Structure

ATT&CK organizes adversary behavior into a matrix of Tactics (the high-level objectives adversaries pursue) and Techniques (the specific methods used to achieve those objectives, many of them broken down further into Sub-techniques). The Enterprise matrix, which covers attacks against Windows, Linux, macOS, network devices, containers, and cloud and SaaS environments, contains 14 tactics ranging from Reconnaissance through Impact, and over 600 techniques and sub-techniques. Each entry is documented with procedure examples drawn from publicly reported intrusions, the threat groups and software known to use it, and the data sources, detection ideas, and mitigations relevant to it.

Tactics: The Attack Lifecycle

Reconnaissance — gathering information before attacking.
Resource Development — establishing infrastructure and capabilities.
Initial Access — gaining the first foothold in the target environment.
Execution — running malicious code.
Persistence — maintaining access through reboots and credential changes.
Privilege Escalation — gaining higher permissions.
Defense Evasion — avoiding detection.
Credential Access — stealing credentials.
Discovery — learning about the environment.
Lateral Movement — moving through the network.
Collection — gathering target data.
Command and Control — communicating with compromised systems.
Exfiltration — stealing data.
Impact — disrupting, degrading, or destroying systems.

How Organizations Use ATT&CK

Detection Gap Analysis

Security teams map their existing detection rules, log sources, and monitoring capabilities to ATT&CK techniques to identify coverage gaps: techniques for which they have no detection capability at all, and techniques where a rule exists but the telemetry it depends on is not collected from the hosts that matter. MITRE's visualization tool, ATT&CK Navigator, lets teams overlay that mapping on the matrix as a color-coded layer, making gaps visually apparent and driving prioritized investment in detection content. One caveat a practitioner should keep in mind: a rule mapped to a technique is a claim of coverage, not proof of it. The mapping only becomes meaningful once the technique has actually been executed in the environment and the rule has been observed to fire.

Threat Intelligence

ATT&CK provides a common language for describing threat actor behaviors. When threat intelligence reports a campaign using T1566.001 (Spearphishing Attachment) for initial access, T1078 (Valid Accounts) for persistence and privilege escalation, and T1021 (Remote Services) for lateral movement, a security team can immediately compare those technique IDs against its detection coverage and identify whether it would detect that specific attack pattern, rather than trying to translate a narrative report into rule logic by hand.
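The following Python script is an added example, not code from the original article or from Cloudskope, that turns the gap-analysis and threat-intelligence workflows described in the two preceding sections into something runnable. It takes an inventory of detection rules mapped to technique IDs (the rule names and mappings are constructed for illustration), compares it against the technique list from a hypothetical intelligence report, distinguishes full coverage, parent-technique-only coverage, and outright gaps, and emits an ATT&CK Navigator layer that colors the matrix accordingly. The Navigator layer schema version numbers in the output are an assumption and should be set to match the Navigator build you use.

```python
"""Detection gap analysis against a reported ATT&CK technique list (constructed data)."""
import json
from collections import defaultdict

# Constructed detection-rule inventory. Rule names are hypothetical; the
# technique IDs are real ATT&CK Enterprise IDs.
DETECTION_RULES = [
    {"name": "Office application spawns script interpreter",
     "techniques": ["T1566.001", "T1059.001"]},
    {"name": "Successful logon from previously unseen geolocation",
     "techniques": ["T1078"]},
    {"name": "Interactive logon over a remote service from a workstation",
     "techniques": ["T1021"]},
    {"name": "DNS query with long, high-entropy leftmost label",
     "techniques": ["T1071.004"]},
]

# Constructed technique list for a hypothetical campaign described in a
# threat-intelligence report (the kind of list the section above describes).
REPORTED_TECHNIQUES = [
    "T1566.001", "T1078", "T1021.001", "T1027", "T1071.004", "T1195.002",
]


def rules_by_technique(rules):
    """Index rule names by every technique ID they claim to cover."""
    index = defaultdict(list)
    for rule in rules:
        for tid in rule["techniques"]:
            index[tid].append(rule["name"])
    return index


def parent_technique(tid):
    """'T1021.001' -> 'T1021'; a parent ID is returned unchanged."""
    return tid.split(".")[0]


def coverage_report(rules, techniques):
    """Classify each reported technique as covered, partial (a rule exists only
    for the parent technique, so it may or may not fire on this sub-technique),
    or a gap (no rule at all)."""
    index = rules_by_technique(rules)
    covered, partial, gaps = {}, {}, []
    for tid in techniques:
        if tid in index:
            covered[tid] = index[tid]
        elif "." in tid and parent_technique(tid) in index:
            partial[tid] = index[parent_technique(tid)]
        else:
            gaps.append(tid)
    return {"covered": covered, "partial": partial, "gaps": gaps}


def navigator_layer(report, name="Coverage vs. reported campaign"):
    """Build an ATT&CK Navigator layer: score 2 = covered, 1 = partial, 0 = gap.
    Version strings below are an assumption; match them to your Navigator."""
    techniques = []
    for tid, rules in report["covered"].items():
        techniques.append({"techniqueID": tid, "score": 2,
                           "comment": "covered by: " + "; ".join(rules)})
    for tid, rules in report["partial"].items():
        techniques.append({"techniqueID": tid, "score": 1,
                           "comment": "parent technique only: " + "; ".join(rules)})
    for tid in report["gaps"]:
        techniques.append({"techniqueID": tid, "score": 0,
                           "comment": "no detection mapped"})
    return {
        "name": name,
        "domain": "enterprise-attack",
        "versions": {"attack": "14", "navigator": "4.9", "layer": "4.5"},  # assumption
        "gradient": {"colors": ["#ff6666", "#ffe766", "#8ec843"],
                     "minValue": 0, "maxValue": 2},
        "techniques": techniques,
    }


if __name__ == "__main__":
    report = coverage_report(DETECTION_RULES, REPORTED_TECHNIQUES)
    print("gaps:", report["gaps"])
    print("partial:", list(report["partial"]))
    # Paste the JSON into Navigator (Open Existing Layer > Upload from local).
    print(json.dumps(navigator_layer(report), indent=2))
```

The "partial" bucket is the one worth arguing about in a review: a rule written against the parent T1021 (Remote Services) may have been tuned on SSH and never exercised against RDP (T1021.001), so it should be treated as a validation task, not as coverage. The exported layer is what a purple team then works through technique by technique.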

Red Team and Purple Team Operations

Red teams use ATT&CK as a planning framework for realistic adversary simulation, ensuring their testing covers the techniques relevant to the threats the organization faces. Purple team operations — collaborative exercises between red and blue teams — use ATT&CK as a shared reference to systematically test detection coverage for specific techniques and improve defenses based on the results.

ATT&CK for Executives and PE Sponsors

ATT&CK is a technical framework, but its implications are strategic. An organization that can demonstrate validated ATT&CK coverage across the techniques used by the threat actors most relevant to its industry is demonstrating security maturity in a verifiable, quantifiable way. Conversely, an organization whose security controls cannot detect the handful of techniques that appear most frequently in published incident reporting year after year (credential abuse via Valid Accounts, command and scripting interpreters, phishing) is demonstrating that its defenses are built for compliance rather than threat reality.

For M&A due diligence, ATT&CK-based assessment provides a standardized framework for evaluating detection coverage that goes beyond compliance checklists. Asking a target company's security team to map their detection capabilities against ATT&CK and then validating that mapping through adversary simulation reveals the actual capability behind the claimed security posture.

Real-World Example: Using ATT&CK to Detect SolarWinds

After the SolarWinds campaign was disclosed, MITRE ATT&CK provided the common language for describing how the intrusion operated across the Enterprise matrix: T1195.002 (Compromise Software Supply Chain) for the trojanized Orion update, T1027 (Obfuscated Files or Information) for the backdoor's concealment, T1071.004 (DNS Application Layer Protocol) for its initial command-and-control channel, and T1078 (Valid Accounts) for the use of stolen and forged credentials once inside. Security teams worldwide used this mapping to evaluate whether their detection coverage would have identified the same behaviors in their own environments. Organizations with validated detections for those techniques could answer that question with evidence; those without had a short, concrete list of remediation priorities rather than a vague sense of exposure.
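As an added example (not code from the original article, and not a description of any vendor's actual SolarWinds detection), the script below shows what a behavior-level detection for T1071.004 can look like when run over DNS query logs. It flags clients that resolve several distinct long, high-entropy, alphanumeric leftmost labels under the same parent domain, the pattern a DNS-based C2 channel produces when it encodes data into subdomains. The log lines and every domain in them are constructed for this illustration; the thresholds and the simplification that the registered domain is the last two labels (no public-suffix handling) are assumptions to tune for your environment.

```python
"""Heuristic detection for T1071.004 (DNS application-layer C2) over constructed query logs."""
import math
from collections import Counter, defaultdict

# Constructed DNS query log: "<timestamp> <client_ip> <queried_name>".
# Every name here is hypothetical; example-c2.test plays the attacker domain.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 10.0.0.5 www.example.com
2024-03-01T10:00:02Z 10.0.0.5 k7x2pq9mz4bwl8nt3rc5.example-c2.test
2024-03-01T10:00:03Z 10.0.0.5 static-content-delivery.example.com
2024-03-01T10:00:09Z 10.0.0.5 a4d8f1h6j9l2n5q7s0u3.example-c2.test
2024-03-01T10:00:15Z 10.0.0.7 b9c8d7e6f5g4h3j2k1m0.cdn.legit.test
2024-03-01T10:00:21Z 10.0.0.5 mail.example.com
2024-03-01T10:00:27Z 10.0.0.5 z1y2x3w4v5u6t7s8r9q0.example-c2.test
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character over the label's own symbol distribution."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def looks_encoded(label: str, min_len: int = 16, min_entropy: float = 3.5) -> bool:
    """True for labels that look machine-generated: long, high-entropy, and
    mixing letters with digits. Requiring digits keeps long but readable
    hostnames such as 'static-content-delivery' out of the count."""
    return (len(label) >= min_len
            and shannon_entropy(label) >= min_entropy
            and any(ch.isdigit() for ch in label)
            and any(ch.isalpha() for ch in label))


def parent_domain(qname: str) -> str:
    """Assumption: registered domain == last two labels (no public-suffix list)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_log(text: str):
    """Yield (timestamp, client_ip, lower-cased query name) per log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname = line.split()
        yield ts, client, qname.lower()


def detect_dns_c2(log_text: str, min_unique: int = 3):
    """Alert on (client, parent domain) pairs that resolved at least min_unique
    distinct encoded-looking subdomains. Counting unique labels rather than
    raw queries is what separates a C2 channel from a CDN with one long host."""
    seen = defaultdict(set)
    for _ts, client, qname in parse_log(log_text):
        labels = qname.split(".")
        if len(labels) < 3:          # no subdomain below the registered domain
            continue
        if looks_encoded(labels[0]):
            seen[(client, parent_domain(qname))].add(labels[0])
    return [{"client": client, "domain": domain, "unique_labels": len(labels)}
            for (client, domain), labels in sorted(seen.items())
            if len(labels) >= min_unique]


if __name__ == "__main__":
    for alert in detect_dns_c2(SAMPLE_LOG):
        print(f"T1071.004 candidate: {alert['client']} -> {alert['domain']} "
              f"({alert['unique_labels']} unique encoded subdomains)")
```

The single encoded label under legit.test from 10.0.0.7 is deliberately not alerted: one odd-looking hostname is routine, a stream of distinct ones under the same domain from the same client is not. In production you would add an allowlist for known CDN and telemetry domains, a time window, and a public-suffix-aware parent-domain function, and you would still expect to tune the thresholds against your own baseline before calling the technique "covered".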

14 tactical objectives are organized in the MITRE ATT&CK Enterprise matrix, with over 600 documented techniques and sub-techniques, each mapped to real-world threat actor campaigns and carrying the detection and mitigation guidance that turns threat intelligence into security control improvement.

How Cloudskope Can Help

Cloudskope uses MITRE ATT&CK as the planning framework for penetration tests, red team operations, and purple team exercises. Our assessments map detection coverage against ATT&CK and validate coverage through adversary simulation using techniques relevant to the client's industry and threat profile.