HackCert
Advanced 8 min read May 25, 2026

Attack Framework: Using MITRE ATT&CK to Deconstruct Cyber Attack Types

Master the MITRE ATT&CK framework to systematically analyze threat actor behaviors, understand complex cyber attacks, and build proactive defensive strategies.

Abdullah Al Mamun
Threat Intelligence Analyst
Overview

For decades, the cybersecurity industry operated on a reactive paradigm. Defenders focused primarily on Indicators of Compromise (IoCs) such as specific IP addresses, domain names, or file hashes to detect malicious activity. These are useful, but they are also the cheapest things for an adversary to change: a new IP address or a single altered byte in a binary yields a new hash in seconds, instantly rendering the defender's hard-earned IoCs useless. David Bianco's Pyramid of Pain makes the point explicitly: the higher up the pyramid a defender operates (from hashes, through network artifacts and tools, up to tactics, techniques and procedures), the more it costs the attacker to adapt. To effectively counter modern threats, the focus must shift from what the attackers use to how they behave.

This paradigm shift is anchored by the MITRE ATT&CK® (Adversarial Tactics, Techniques, and Common Knowledge) framework. Created and maintained by the MITRE Corporation, ATT&CK has become the de facto common language for describing adversary behavior: a curated knowledge base of the tactics and techniques observed in real intrusions, organized into a matrix. This article provides an advanced technical exploration of the framework, explaining how security analysts use it to categorize attack types, map threat actor campaigns, and engineer robust detection and response strategies.

Deconstructing the ATT&CK Matrix

The MITRE ATT&CK framework is not a compliance checklist or a high-level theoretical model like the Cyber Kill Chain. It is a highly granular, empirical knowledge base derived from real-world observations of cyberattacks: each technique entry cites the public reporting in which the behavior was seen, so the framework documents what has been observed rather than everything that is possible. The framework is structured into a matrix that cross-references the Tactics (the attacker's goals) with the Techniques (how they achieve those goals).

1. Tactics: The Adversary's Strategic Objectives

The columns of the ATT&CK matrix represent Tactics. These define the "Why" of an action: the short-term objective an attacker is trying to achieve with it. There are currently 14 Tactics in the Enterprise matrix, spanning the lifecycle of an intrusion from reconnaissance to the final exfiltration or destruction of data. They are not a strictly linear sequence: an intrusion may revisit a tactic several times, and a single technique can serve more than one tactic (Pass the Hash, for instance, appears under both Defense Evasion and Lateral Movement).

Key Tactics include:

  • Reconnaissance (TA0043): Gathering information to plan future operations (e.g., scanning networks, harvesting employee emails via OSINT).
  • Initial Access (TA0001): The methods used to gain the initial foothold in a network (e.g., Spearphishing, exploiting public-facing applications).
  • Execution (TA0002): Running malicious code on a local or remote system.
  • Persistence (TA0003): Maintaining access to the system across restarts, changed credentials, or other interruptions.
  • Privilege Escalation (TA0004): Gaining higher-level permissions (e.g., SYSTEM or Domain Admin rights).
  • Defense Evasion (TA0005): Techniques used to avoid detection by security tools (e.g., disabling antivirus, obfuscating code).
  • Credential Access (TA0006): Stealing credentials (passwords, hashes, Kerberos tickets, tokens), typically as the prerequisite for lateral movement.
  • Lateral Movement (TA0008): Traversing the network to access other systems and find the ultimate target.

The remaining six are Resource Development (TA0042), Discovery (TA0007), Collection (TA0009), Command and Control (TA0011), Exfiltration (TA0010), and Impact (TA0040).

2. Techniques and Sub-Techniques: The Technical Execution

The rows beneath each Tactic are the Techniques. They describe the "How": the specific technical method used to achieve the Tactic. Because adversaries are constantly innovating, techniques are frequently updated and often broken down further into Sub-Techniques for greater granularity. A sub-technique carries its parent's ID with a three-digit suffix (T1003.001 is a sub-technique of T1003), which is what makes the hierarchy usable in rule tags and reports.

For example, under the Tactic of Credential Access, an attacker might use the Technique OS Credential Dumping (T1003). Because there are many ways to dump credentials, this technique is divided into Sub-Techniques such as:

  • T1003.001: LSASS Memory (Reading credential material out of the Local Security Authority Subsystem Service process, whether with Mimikatz, Sysinternals ProcDump, or the MiniDump export of comsvcs.dll).
  • T1003.002: Security Account Manager (Extracting hashes from the local SAM database on a Windows machine, together with the SYSTEM hive's boot key that is needed to decrypt them).
  • T1003.003: NTDS (Extracting NTDS.dit, the Active Directory database, from a Domain Controller, for example via a Volume Shadow Copy or ntdsutil's "ifm" media creation).

This hierarchical structure allows analysts to precisely categorize exactly what an attacker did, regardless of the specific malware variant they used to do it.
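The following is an added example (not code from the HackCert article) showing how a detection engineer turns the three sub-techniques above into classification logic: three different tools, three different telemetry shapes, one parent technique. The events are constructed to resemble Sysmon Event ID 1 (ProcessCreate) and Event ID 10 (ProcessAccess) records; field names follow Sysmon's schema, every value is made up, and the predicates are illustrative rather than production-tuned.

```python
"""Classify constructed Windows telemetry into ATT&CK sub-techniques of T1003.

Added example, not code from the HackCert article. Events are constructed in the
shape of Sysmon Event ID 1 (ProcessCreate) and Event ID 10 (ProcessAccess) records;
field names follow Sysmon's schema, every value is made up.
"""
import re

# Constructed sample telemetry: three different tools, three sub-techniques, and two
# events that must not fire (svchost only asks for QueryLimitedInformation; cmd is benign).
EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Users\bob\AppData\Local\Temp\mk.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg save HKLM\SAM C:\Temp\sam.hiv"},
    {"EventID": 1, "Image": r"C:\Windows\System32\ntdsutil.exe",
     "CommandLine": r'ntdsutil "ac i ntds" "ifm" "create full C:\Temp\ifm" q q'},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c dir C:\Temp"},
]

PROCESS_VM_READ = 0x0010  # access right a memory dumper needs on lsass.exe


def lsass_memory(e):
    """T1003.001: a handle to lsass.exe that includes PROCESS_VM_READ. Tools differ
    (Mimikatz, ProcDump, comsvcs MiniDump) but all need this right; in production
    this rule needs an allowlist for AV engines and other legitimate readers."""
    return (e["EventID"] == 10
            and e["TargetImage"].lower().endswith("\\lsass.exe")
            and bool(int(e["GrantedAccess"], 16) & PROCESS_VM_READ))


def sam_hive(e):
    """T1003.002: saving the SAM hive (the SYSTEM hive is needed too, for the boot key)."""
    return (e["EventID"] == 1
            and re.search(r"\breg(\.exe)?\s+save\s+hklm\\(sam|system|security)\b",
                          e["CommandLine"], re.I) is not None)


def ntds_extract(e):
    """T1003.003: ntdsutil 'ifm' media creation or any direct reference to ntds.dit."""
    return (e["EventID"] == 1
            and re.search(r"ntdsutil.*\bifm\b|ntds\.dit", e["CommandLine"], re.I) is not None)


# (technique ID, ATT&CK name, tactic, predicate); the ID is what the SIEM alert carries.
RULES = [
    ("T1003.001", "OS Credential Dumping: LSASS Memory", "credential-access", lsass_memory),
    ("T1003.002", "OS Credential Dumping: Security Account Manager", "credential-access", sam_hive),
    ("T1003.003", "OS Credential Dumping: NTDS", "credential-access", ntds_extract),
]


def classify(event):
    """All (technique ID, name, tactic) triples the event maps to; [] when benign."""
    return [(tid, name, tactic) for tid, name, tactic, pred in RULES if pred(event)]


def triage(events):
    """Technique ID -> list of matching event indexes: what the attacker did,
    independent of which tool did it."""
    hits = {}
    for i, event in enumerate(events):
        for tid, _name, _tactic in classify(event):
            hits.setdefault(tid, []).append(i)
    return hits


if __name__ == "__main__":
    for tid, idx in triage(EVENTS).items():
        print(tid, "<-", [EVENTS[i].get("Image", EVENTS[i].get("SourceImage")) for i in idx])
```

The point of keying alerts on the sub-technique ID rather than the tool name is visible in the output: a renamed Mimikatz binary, a ProcDump invocation and a comsvcs MiniDump all land in the same T1003.001 bucket, which is the behavior-level record the rest of this article builds on.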

3. Procedures: The Specific Implementation

The framework also records Procedures: the specific, observed way a particular threat group or piece of software carried out a technique.

For instance, the sub-technique is Spearphishing Attachment (T1566.001). A procedure entry might describe how APT29 delivered a malicious ISO image that, when mounted by the victim, ran a hidden PowerShell script to establish a Command and Control (C2) beacon. Procedure examples on each technique and group page cite the public reporting they were drawn from, so a threat hunter can go back to the source for the exact artifacts (file names, command lines, registry paths) worth searching for in their own logs.

Operationalizing the ATT&CK Framework

Understanding the matrix is only the first step. The true power of MITRE ATT&CK lies in its operational application within a Security Operations Center (SOC).

Threat Intelligence and Actor Profiling

ATT&CK provides a common language for the cybersecurity community to share Threat Intelligence. Instead of sharing a bare list of IP addresses, analysts share an ATT&CK Navigator layer (a JSON file that scores or colours cells of the matrix) detailing the specific TTPs associated with a threat group. The underlying knowledge base is also published in machine-readable STIX 2.1 form, so the same mapping can be pulled and compared programmatically rather than by hand.

If a financial institution learns that a group targeting its sector (e.g., FIN7, a financially motivated group tracked as G0046) is active, it can look up FIN7's profile in the ATT&CK database. The profile shows that FIN7 relies heavily on Defense Evasion via Obfuscated Files or Information (T1027) and Execution via Command and Scripting Interpreter (T1059). Armed with this behavioral profile, the SOC can proactively tune its defenses to look for these specific techniques, regardless of the unique malware hash FIN7 might use in its next attack. Two caveats apply: the profile reflects publicly reported activity only, so a technique missing from it means unreported, not unused; and it is a snapshot that should be refreshed as new ATT&CK versions are released.

Detection Engineering and Gap Analysis

ATT&CK is the foundational tool for Detection Engineering. Security teams map their existing detection capabilities (e.g., SIEM rules, EDR alerts, IDS signatures) to the ATT&CK matrix to identify gaps in their coverage.

By visualizing their defenses overlaid on the matrix, a team might realize they have excellent coverage for Initial Access techniques but zero visibility into Lateral Movement techniques like Pass the Hash (T1550.002). This gap analysis allows the security engineering team to prioritize their efforts, focusing on developing new SIEM rules or deploying new monitoring tools specifically designed to detect the missing techniques. One caution when scoring coverage: a rule tagged with a technique rarely detects every procedure of that technique, so a single matching rule should be recorded as partial coverage until adversary emulation has shown what it actually catches.
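The following is an added example (not code from the HackCert article or from MITRE) that joins the actor-profiling step above with this gap analysis: it reads a group's "uses" relationships out of a STIX bundle, compares the resulting technique set against a detection rule inventory, and writes an ATT&CK Navigator layer. BUNDLE is constructed in the shape of ATT&CK's STIX 2.1 export (attack-pattern, intrusion-set and relationship objects) with made-up UUIDs and an illustrative subset of relationships, not FIN7's real profile; RULES is a constructed rule inventory using Sigma-style attack.tNNNN tags; the layer fields assume the Navigator 4.x layer format.

```python
"""Group TTP profile -> detection coverage gaps -> ATT&CK Navigator layer.

Added example, not code from the HackCert article or from MITRE. BUNDLE is
constructed in the shape of ATT&CK's STIX 2.1 export (attack-pattern, intrusion-set
and "uses" relationship objects); its UUIDs are made up and its relationships are an
illustrative subset, not FIN7's real profile. RULES is a constructed rule inventory
with Sigma-style attack.tNNNN tags.
"""
import json
import re


def _technique(n, tid, name, tactics):
    # Minimal attack-pattern object; only the fields the parser below reads.
    return {"type": "attack-pattern",
            "id": f"attack-pattern--00000000-0000-4000-8000-{n:012d}", "name": name,
            "external_references": [{"source_name": "mitre-attack", "external_id": tid}],
            "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": t}
                                  for t in tactics]}


GROUP = "intrusion-set--00000000-0000-4000-8000-000000000046"
USED = (1027, 1059, 1566001, 1550002, 1003001, 9999)
BUNDLE = {"type": "bundle", "objects": [
    _technique(1027, "T1027", "Obfuscated Files or Information", ["defense-evasion"]),
    _technique(1059, "T1059", "Command and Scripting Interpreter", ["execution"]),
    _technique(1566001, "T1566.001", "Spearphishing Attachment", ["initial-access"]),
    _technique(1550002, "T1550.002", "Pass the Hash", ["defense-evasion", "lateral-movement"]),
    _technique(1003001, "T1003.001", "LSASS Memory", ["credential-access"]),
    # Real bundles keep revoked/deprecated objects; a parser must skip them.
    dict(_technique(9999, "T9999", "Retired technique", ["execution"]), revoked=True),
    {"type": "intrusion-set", "id": GROUP, "name": "FIN7",
     "external_references": [{"source_name": "mitre-attack", "external_id": "G0046"}]},
] + [{"type": "relationship", "relationship_type": "uses", "source_ref": GROUP,
      "target_ref": f"attack-pattern--00000000-0000-4000-8000-{n:012d}"} for n in USED]}

RULES = [  # constructed; tags follow the Sigma convention attack.<tactic>, attack.t<id>
    {"title": "PowerShell with -EncodedCommand", "tags": ["attack.execution", "attack.t1059.001"]},
    {"title": "Office app spawning a script host", "tags": ["attack.initial_access", "attack.t1566.001"]},
    {"title": "LSASS handle with PROCESS_VM_READ", "tags": ["attack.credential_access", "attack.t1003.001"]},
]
TAG_RE = re.compile(r"^attack\.(t\d{4}(?:\.\d{3})?)$", re.I)


def _ext_id(obj):
    return next((r["external_id"] for r in obj.get("external_references", [])
                 if r.get("source_name") == "mitre-attack"), None)


def group_techniques(bundle, group_ext_id):
    """Technique ID -> {name, tactics} for everything the group 'uses', skipping
    revoked or deprecated objects."""
    objs = bundle["objects"]
    group = next(o for o in objs if o["type"] == "intrusion-set" and _ext_id(o) == group_ext_id)
    live = {o["id"]: o for o in objs if o["type"] == "attack-pattern"
            and not o.get("revoked") and not o.get("x_mitre_deprecated")}
    profile = {}
    for rel in objs:
        if (rel["type"] == "relationship" and rel["relationship_type"] == "uses"
                and rel["source_ref"] == group["id"] and rel["target_ref"] in live):
            ap = live[rel["target_ref"]]
            profile[_ext_id(ap)] = {"name": ap["name"], "tactics": [
                p["phase_name"] for p in ap["kill_chain_phases"] if p["kill_chain_name"] == "mitre-attack"]}
    return profile


def tagged_techniques(rules):
    """Upper-cased technique IDs referenced by the rules' attack.tNNNN tags."""
    return {m.group(1).upper() for rule in rules for tag in rule["tags"]
            if (m := TAG_RE.match(tag))}


def coverage(profile, tagged):
    """2 = a rule is tagged with the technique, 1 = only one of its sub-techniques is
    tagged (partial), 0 = gap. A rule maps to a technique, not to every procedure of it,
    so even a 2 means 'some detection', not 'fully covered'."""
    return {tid: 2 if tid in tagged else 1 if any(t.startswith(tid + ".") for t in tagged) else 0
            for tid in profile}


def gaps(profile, tagged):
    return sorted(tid for tid, s in coverage(profile, tagged).items() if s == 0)


def navigator_layer(name, profile, tagged):
    """Navigator layer dict. Assumes the 4.x layer format: one entry per (technique,
    tactic) so a multi-tactic technique such as T1550.002 is scored in both columns."""
    scores = coverage(profile, tagged)
    label = {0: "GAP", 1: "partial (sub-technique only)", 2: "covered"}
    return {"name": name, "domain": "enterprise-attack", "versions": {"layer": "4.5"},
            "gradient": {"colors": ["#ff6666", "#ffe766", "#8ec843"], "minValue": 0, "maxValue": 2},
            "techniques": [{"techniqueID": tid, "tactic": tac, "score": scores[tid], "comment": label[scores[tid]]}
                           for tid, info in sorted(profile.items()) for tac in info["tactics"]]}


if __name__ == "__main__":
    profile, tagged = group_techniques(BUNDLE, "G0046"), tagged_techniques(RULES)
    print("gaps:", gaps(profile, tagged))
    print(json.dumps(navigator_layer("FIN7 vs. current rules", profile, tagged), indent=1))
```

Against the real export, BUNDLE would be replaced by the enterprise-attack.json file from MITRE's attack-stix-data repository and RULES by the tag lists parsed out of the team's Sigma or EDR rules; the parsing logic stays the same. The three-level score is deliberate: a PowerShell rule tagged T1059.001 is real evidence about T1059, but it says nothing about the Bash, VBScript or JavaScript sub-techniques, so it is scored 1 rather than treated as covering the parent.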

Incident Response and Root Cause Analysis

During an active incident, incident responders use ATT&CK to categorize their findings and anticipate the attacker's next move. If an analyst detects an attacker attempting Process Injection (T1055), a technique listed under both Defense Evasion and Privilege Escalation, they can refer to the matrix to understand what the attacker is likely trying to achieve next, perhaps seeking Credential Access or establishing Persistence.

Post-incident, mapping the entire attack lifecycle to the ATT&CK framework is crucial for root cause analysis. It allows the organization to understand precisely how the attacker bypassed their defenses at every stage and implement structural changes to prevent the specific techniques from being successful in the future.

Purple Teaming and Adversary Emulation

ATT&CK is instrumental in bridging the gap between offensive security (Red Teams) and defensive security (Blue Teams), a concept known as Purple Teaming.

Instead of a Red Team simply trying to breach the network using any means necessary, they conduct Adversary Emulation. Using the ATT&CK framework, the Red Team executes a specific sequence of techniques known to be used by a real-world threat actor. The Blue Team then analyzes their logs to see whether their tools detected each technique, and the result feeds directly back into the coverage map described above. Public emulation material exists for this purpose: the Center for Threat-Informed Defense's Adversary Emulation Library and Red Canary's Atomic Red Team both index their plans and tests by ATT&CK technique ID. This collaborative, framework-driven approach ensures that defensive controls are rigorously tested against realistic, documented adversary behaviors.

Advanced Concepts: ATT&CK for Cloud and Mobile

As enterprise architecture evolves, so does the ATT&CK framework. MITRE maintains three knowledge bases (Enterprise, Mobile, and ICS), and within Enterprise the matrix can be filtered by platform.

  • ATT&CK for Cloud: A platform view of the Enterprise matrix covering IaaS providers (AWS, Azure, Google Cloud), SaaS, office suites and identity providers. It includes techniques such as Valid Accounts: Cloud Accounts (T1078.004) and Exfiltration Over Web Service: Exfiltration to Cloud Storage (T1567.002).
  • ATT&CK for Mobile: As smartphones increasingly access corporate data, this matrix details techniques targeting iOS and Android devices, such as modifying OS components on a rooted or jailbroken device or exploiting baseband vulnerabilities.
  • ATT&CK for ICS: This specialized matrix addresses the unique threats facing Industrial Control Systems and Operational Technology (OT), detailing techniques like Manipulation of Control (T0831) and the Impact technique Loss of Productivity and Revenue (T0828).

Key Takeaways

The MITRE ATT&CK framework has revolutionized the cybersecurity industry by shifting the focus from ephemeral indicators to enduring adversary behaviors. It provides the essential taxonomy for understanding, categorizing, and communicating the complex methodologies used in modern cyberattacks.

For advanced security practitioners, mastering ATT&CK is non-negotiable. It is the engine that drives proactive threat hunting, robust detection engineering, and effective incident response. By continuously mapping defensive capabilities against the known behaviors of real-world adversaries, organizations can evolve from a state of reactive panic to a posture of structured, intelligence-driven resilience, ensuring they are prepared not just for the malware of today, but for the attack strategies of tomorrow.

