Understanding the MITRE ATT&CK Framework

Updated Feb 13, 2026

MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations.

Unlike the linear Cyber Kill Chain, which describes the stages of an attack, MITRE ATT&CK is a matrix that describes the actions an attacker may take at any point during an intrusion.

Structure of the Matrix

The framework is organized into specific components:

  1. Tactics (Columns): The adversary's tactical goal. It answers "What are they trying to achieve?"
    • Example: Initial Access, Persistence, Privilege Escalation, Exfiltration.
  2. Techniques (Cells): The specific method used to achieve the goal. It answers "How are they doing it?"
    • Example: Phishing (T1566), Scheduled Task/Job (T1053).
  3. Procedures: The specific implementation details used by a threat actor.
    • Example: APT29 using a specific PowerShell command to create a Scheduled Task.

Use Cases for CTI Analysts

1. Adversary Attribution

By mapping observed indicators to the ATT&CK matrix, analysts can identify patterns. If an attack involves Spearphishing Attachment (T1566.001) followed by PowerShell (T1059.001), it may match the known profile of a specific threat group.

2. Gap Analysis

Security teams can overlay their current defensive capabilities onto the matrix. This highlights "blind spots." For instance, a SOC may realize they have excellent detection for Malware, but very little visibility into Lateral Movement techniques.

3. Threat Intelligence Mapping

When writing reports, CTI analysts should always tag their findings with MITRE Technique IDs. This allows for standardized data sharing via STIX/TAXII and helps integrate intelligence into defensive tools.
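The three use cases above (attribution by technique overlap, gap analysis by overlaying detections on the matrix, and tagging report findings with technique IDs) can be tried on a toy scale. The script below is an added example, not part of the original entry or of MITRE's own tooling. The matrix is a constructed slice of a few real ATT&CK technique IDs, the group profiles are hypothetical (they do not describe any real threat group), the detection inventory and finding text are constructed, and the Jaccard-style overlap score is a simple illustration rather than an established attribution method.

```python
"""Toy ATT&CK-style workflow: attribution, gap analysis and report tagging."""
import re

# Constructed mini-matrix keyed by tactic (column) -> {technique ID: name} (cells).
# Real ATT&CK has 14 enterprise tactics and hundreds of (sub-)techniques; a
# technique such as Scheduled Task legitimately appears under several tactics.
MATRIX = {
    "Initial Access": {"T1566.001": "Spearphishing Attachment",
                       "T1190": "Exploit Public-Facing Application"},
    "Execution": {"T1059.001": "PowerShell", "T1053.005": "Scheduled Task"},
    "Persistence": {"T1053.005": "Scheduled Task",
                    "T1547.001": "Registry Run Keys / Startup Folder"},
    "Lateral Movement": {"T1021.001": "Remote Desktop Protocol",
                         "T1021.002": "SMB/Windows Admin Shares"},
    "Exfiltration": {"T1041": "Exfiltration Over C2 Channel"},
}

# Hypothetical group profiles (the "procedures" a CTI team has previously
# observed for each actor), expressed as sets of technique IDs. Not real groups.
GROUP_PROFILES = {
    "HYPOTHETICAL-GROUP-A": {"T1566.001", "T1059.001", "T1053.005", "T1041"},
    "HYPOTHETICAL-GROUP-B": {"T1190", "T1021.002", "T1547.001"},
}

# ATT&CK technique IDs look like T1234 or T1234.001.
TECHNIQUE_ID = re.compile(r"\bT\d{4}(?:\.\d{3})?\b")


def all_techniques():
    """Flatten the matrix into {technique ID: name}, ignoring tactic."""
    return {tid: name for techs in MATRIX.values() for tid, name in techs.items()}


def score_groups(observed):
    """Use case 1: rank group profiles by Jaccard overlap with observed techniques."""
    observed = set(observed)
    scores = {}
    for group, profile in GROUP_PROFILES.items():
        inter = len(observed & profile)
        union = len(observed | profile)
        scores[group] = round(inter / union, 3) if union else 0.0
    return dict(sorted(scores.items(), key=lambda kv: kv[1], reverse=True))


def coverage_gaps(detections):
    """Use case 2: per tactic, which techniques have a detection and which do not."""
    detections = set(detections)
    report = {}
    for tactic, techs in MATRIX.items():
        covered = sorted(t for t in techs if t in detections)
        missing = sorted(t for t in techs if t not in detections)
        report[tactic] = {"covered": covered, "missing": missing,
                          "pct": round(100 * len(covered) / len(techs))}
    return report


def tag_finding(text):
    """Use case 3: pull technique IDs out of a free-text finding and check them.

    IDs not present in the matrix are flagged so a typo does not silently
    enter a shared report.
    """
    known = all_techniques()
    ids = sorted(set(TECHNIQUE_ID.findall(text)))
    return {"known": [(i, known[i]) for i in ids if i in known],
            "unknown": [i for i in ids if i not in known]}


if __name__ == "__main__":
    # Constructed inputs: what an analyst saw, what the SOC can detect, and a draft finding.
    observed = {"T1566.001", "T1059.001"}
    detections = {"T1566.001", "T1059.001", "T1053.005", "T1547.001"}
    draft = "Initial access via T1566.001, followed by T1059.001 and T9999 (typo)."

    print("Attribution scores:", score_groups(observed))
    for tactic, row in coverage_gaps(detections).items():
        print(f"{tactic:17s} {row['pct']:3d}%  missing={row['missing']}")
    print("Tagged finding:", tag_finding(draft))
```

Running it shows the pattern the entry describes: the spearphishing-then-PowerShell sequence overlaps most with GROUP-A, the coverage table exposes Lateral Movement and Exfiltration as blind spots with 0% coverage despite good Execution and Persistence detection, and the malformed ID T9999 is flagged before the report is shared.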

Related Concept: For a model that focuses on the relationship between the adversary and their infrastructure, see the Diamond Model of Intrusion Analysis.