This chapter covers the MITRE ATT&CK framework, a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. For the CS0-003 exam, understanding ATT&CK is critical because it appears in approximately 10-15% of Security Operations questions, often requiring you to map an observed behavior to a specific technique or tactic. Mastery of this framework will help you analyze attack patterns, improve detection, and communicate effectively within a SOC environment.
Imagine a city police department that has a detailed, publicly available playbook documenting every known method criminals use to break into buildings, steal assets, or disrupt operations. Each technique is given a unique ID (like T1190 for 'Exploit Public-Facing Application') and described step-by-step: what tools the criminals use, what signs to look for (e.g., broken window, alarm logs), and typical objectives. The police use this playbook to train officers, plan patrols, and quickly identify which criminal play is in progress when a call comes in. They can also track which criminal groups prefer which plays, allowing them to anticipate moves. This is exactly what MITRE ATT&CK does for cybersecurity. It provides a standardized taxonomy of adversary behaviors, from initial access to exfiltration, with IDs, descriptions, and detection suggestions. SOC analysts use it to map alerts to techniques, prioritize responses, and communicate with other teams using a common language. Just as police can say 'This is a classic B&E via fire escape (technique T1234),' a SOC analyst can say 'This is a spearphishing link (T1566.002).' The framework also links techniques to groups (e.g., APT29 uses T1059.003 for command and scripting), enabling threat intelligence-driven defense.
What is MITRE ATT&CK and Why Does It Exist?
MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a curated knowledge base that models the behavior of cyber adversaries. It was developed by MITRE Corporation starting in 2013 to address the need for a standardized taxonomy of attacker actions. Before ATT&CK, organizations used disparate frameworks (Lockheed Martin's Cyber Kill Chain, Diamond Model) that lacked the granularity needed for modern threat hunting and detection engineering. ATT&CK fills this gap by providing a matrix of tactics (the 'why' behind an action) and techniques (the 'how'). The framework is vendor-neutral and community-driven, with contributions from security researchers worldwide. It is regularly updated to reflect new attack patterns, making it the de facto standard for threat intelligence sharing.
How the Framework is Structured
ATT&CK is organized into a matrix where columns represent tactics (e.g., Initial Access, Execution, Persistence) and rows represent techniques. Each technique is assigned a unique ID (e.g., T1566 for Phishing) and may have sub-techniques (e.g., T1566.001 for Spearphishing Attachment). The matrix is available for multiple platforms: Enterprise (Windows, macOS, Linux, Cloud, Network), Mobile (iOS, Android), and ICS (Industrial Control Systems). The CS0-003 exam focuses on the Enterprise matrix.
Key components:
- Tactics: The adversary's goal or reason for performing an action. There are 14 tactics in the Enterprise matrix: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, and Impact.
- Techniques: The specific method used to achieve a tactic. For example, under Persistence, one technique is 'Create Account' (T1136).
- Sub-techniques: More specific variations of a technique. For example, 'Create Account: Local Account' (T1136.001) vs. 'Domain Account' (T1136.002).
- Procedures: The exact implementation of a technique by a specific threat actor group. For example, APT29 uses PowerShell to create local accounts.
- Mitigations: Recommendations to prevent or detect the technique (e.g., M1032 for Multi-factor Authentication).
- Detections: Specific data sources and analytics to identify the technique (e.g., Windows Event ID 4720 for account creation).
How to Navigate the ATT&CK Matrix
The matrix is available online at attack.mitre.org. For exam purposes, you should understand how to read a technique page. Each technique page includes:
- ID: e.g., T1059
- Name: e.g., Command and Scripting Interpreter
- Description: Detailed explanation of the technique.
- Tactics: The tactic(s) the technique can be used for (e.g., Execution).
- Platforms: e.g., Windows, Linux, macOS.
- Permissions Required: e.g., User, Administrator.
- Data Sources: e.g., Process creation logs, PowerShell logs.
- Mitigations: e.g., Restrict PowerShell execution policy.
- Detection: e.g., Monitor for suspicious PowerShell commands.
- Examples: Real-world use by threat groups.
Using ATT&CK in a SOC
SOC analysts use ATT&CK for several purposes:
1. Alert Triage: When an alert fires, map it to a technique to understand the adversary's intent. For example, a suspicious outbound connection on port 443 might be Command and Control (T1071.001).
2. Detection Engineering: Create rules based on ATT&CK techniques. For example, a Sigma rule for 'PowerShell Download Cradles' maps to T1059.001.
3. Threat Intelligence: When a new threat group is identified, look up their techniques in ATT&CK to understand their capabilities and prioritize defenses.
4. Gap Analysis: Assess which techniques your current detection coverage lacks and build new detections.
5. Incident Response: Use ATT&CK to map the attack chain and ensure all stages are addressed.
Key Techniques for CS0-003
While the exam does not require memorizing all techniques, you should be familiar with common ones:
- Initial Access: T1566 (Phishing), T1190 (Exploit Public-Facing Application), T1078 (Valid Accounts)
- Execution: T1059 (Command and Scripting Interpreter), T1204 (User Execution), T1047 (Windows Management Instrumentation)
- Persistence: T1136 (Create Account), T1053 (Scheduled Task/Job), T1098 (Account Manipulation)
- Privilege Escalation: T1548 (Abuse Elevation Control Mechanism), T1068 (Exploitation for Privilege Escalation)
- Defense Evasion: T1562 (Impair Defenses), T1070 (Indicator Removal on Host), T1055 (Process Injection)
- Credential Access: T1003 (OS Credential Dumping), T1555 (Credentials from Password Stores), T1110 (Brute Force)
- Discovery: T1087 (Account Discovery), T1069 (Permission Groups Discovery), T1518 (Software Discovery)
- Lateral Movement: T1021 (Remote Services), T1550 (Use Alternate Authentication Material), T1570 (Lateral Tool Transfer)
- Collection: T1005 (Data from Local System), T1119 (Automated Collection), T1560 (Archive Collected Data)
- Command and Control: T1071 (Application Layer Protocol), T1573 (Encrypted Channel), T1095 (Non-Application Layer Protocol)
- Exfiltration: T1048 (Exfiltration Over Alternative Protocol), T1567 (Exfiltration Over Web Service), T1020 (Automated Exfiltration)
- Impact: T1485 (Data Destruction), T1496 (Resource Hijacking), T1499 (Endpoint Denial of Service)
How ATT&CK Interacts with Other Frameworks
ATT&CK complements the Cyber Kill Chain by providing more granular detail within each phase. The Diamond Model focuses on the relationships between adversary, capability, infrastructure, and victim; ATT&CK techniques can be used to describe the capability. Additionally, ATT&CK is often used alongside the NIST Cybersecurity Framework to map technical controls to functions like Detect and Respond.
Practical Example: Mapping a Real Attack
Consider a ransomware attack:
1. Initial Access: Spearphishing email with malicious attachment (T1566.001).
2. Execution: User opens the attachment, which runs a macro (T1204.002).
3. Persistence: The macro creates a scheduled task that runs daily (T1053.005).
4. Defense Evasion: The script disables Windows Defender (T1562.001).
5. Credential Access: The ransomware dumps credentials using Mimikatz (T1003.001).
6. Lateral Movement: Uses RDP with stolen credentials (T1021.001).
7. Impact: Encrypts files on all accessible systems (T1486).
Each step corresponds to an ATT&CK technique, allowing defenders to build detections for each stage.
ATT&CK Navigator
The ATT&CK Navigator is a web-based tool for visualizing and analyzing coverage. It allows you to create layers that highlight techniques you have detections for, techniques used by specific threat groups, or techniques you want to prioritize. You can export layers as JSON or share them with your team. The exam may ask about the purpose of the Navigator.
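The gap analysis and detection engineering uses listed above, and the Navigator's JSON layer export, can be combined in a short script. This is an added example, not code from the chapter or from MITRE: the detection rules, the wanted-technique list and the layer version strings are constructed or assumed, and the versions should be set to match the Navigator instance you import into.

```python
"""Build an ATT&CK Navigator layer from detection-rule tags and list coverage gaps.
Added example; rules, wanted techniques and 'versions' values are constructed/assumed."""
import json
import re

# Constructed: detection rules carrying Sigma-style ATT&CK tags (attack.tXXXX.YYY).
RULES = [
    {"title": "PowerShell Download Cradle", "tags": ["attack.execution", "attack.t1059.001"]},
    {"title": "Scheduled Task Created via schtasks", "tags": ["attack.persistence", "attack.t1053.005"]},
    {"title": "LSASS Memory Access", "tags": ["attack.credential_access", "attack.t1003.001"]},
    {"title": "Spearphishing Link Click", "tags": ["attack.t1566.002"]},
]

# Base techniques the team wants covered (a subset of the chapter's key-technique list).
WANTED = ["T1566", "T1059", "T1053", "T1003", "T1021", "T1486"]

# Matches attack.t1059 or attack.t1059.001; tactic tags such as attack.execution do not match.
TAG_RE = re.compile(r"^attack\.(t\d{4}(?:\.\d{3})?)$", re.IGNORECASE)


def techniques_from_rules(rules):
    """Return {technique_id: [rule titles]} for every ATT&CK technique tag found."""
    covered = {}
    for rule in rules:
        for tag in rule["tags"]:
            m = TAG_RE.match(tag)
            if m:
                covered.setdefault(m.group(1).upper(), []).append(rule["title"])
    return covered


def build_layer(name, covered):
    """Emit a Navigator layer dict: one entry per technique, score = number of rules."""
    return {
        "name": name,
        "domain": "enterprise-attack",
        # Assumed version strings; adjust to your Navigator deployment.
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
        "techniques": [
            {"techniqueID": tid, "score": len(titles), "comment": "; ".join(titles)}
            for tid, titles in sorted(covered.items())
        ],
        "gradient": {"colors": ["#ff6666", "#66ff66"], "minValue": 0, "maxValue": 3},
    }


def coverage_gaps(wanted, covered):
    """Wanted base techniques with no rule mapped to them or to any of their sub-techniques."""
    bases = {tid.split(".")[0] for tid in covered}
    return [t for t in wanted if t not in bases]


if __name__ == "__main__":
    cov = techniques_from_rules(RULES)
    print(json.dumps(build_layer("Detection coverage", cov), indent=2))
    print("Gaps:", coverage_gaps(WANTED, cov))
```

Save the printed JSON to a file and open it in the Navigator with "Open Existing Layer" to see covered techniques shaded and the gaps left blank.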
Common Pitfalls on the Exam
Confusing tactics with techniques: Remember, tactics are goals (e.g., Persistence), techniques are methods (e.g., Scheduled Task).
Assuming all techniques are unique to one tactic: Some techniques span multiple tactics (e.g., Valid Accounts can be used for Initial Access, Persistence, and Privilege Escalation).
Forgetting sub-techniques: The exam may ask for the correct sub-technique ID (e.g., T1566.002 vs T1566.001).
Overlooking platform specificity: Some techniques only apply to certain platforms (e.g., T1059.005 for Visual Basic on Windows).
Command and Configuration Example
While ATT&CK is not a tool you configure, you might use it to generate detection rules. For example, to detect 'Scheduled Task' (T1053.005), you could create a Sysmon rule:
    <Sysmon schemaversion="4.50">
      <EventFiltering>
        <RuleGroup name="" groupRelation="or">
          <ProcessCreate onmatch="include">
            <Rule name="Scheduled Task Creation" groupRelation="and">
              <Image condition="end with">schtasks.exe</Image>
              <CommandLine condition="contains">/create</CommandLine>
            </Rule>
          </ProcessCreate>
        </RuleGroup>
      </EventFiltering>
    </Sysmon>
Both conditions in the rule must match (groupRelation="and"); with "or", any process whose command line contains /create would be logged. Or a Windows Event Log query:
    Event ID 4698 (Scheduled Task Created)
Event ID 4698 is only written when the 'Audit Other Object Access Events' subcategory is enabled.
Conclusion
MITRE ATT&CK is the foundational framework for modern cyber defense. By understanding its structure and how to apply it, you can improve detection, response, and communication. On the CS0-003 exam, expect scenario-based questions where you must identify the technique or tactic from a description of an attack.
Identify the Observed Behavior
Begin by collecting raw data from logs, alerts, or threat intelligence. For example, you see a process creation event: cmd.exe /c powershell -enc <base64>. This is a behavior that needs to be categorized. Document the observable: command line, parent process, network connections, etc. Do not jump to conclusions; note all artifacts.
Map Behavior to Tactic
Determine the adversary's goal. Is the behavior trying to gain initial access, execute code, maintain persistence, etc.? In the example, executing a PowerShell command likely falls under Execution (TA0002). Consider the context: if the command is run by a user opening an email attachment, Initial Access may also be relevant. Tactics are high-level and may overlap.
Map Behavior to Technique
Using the ATT&CK matrix, find the technique that matches the specific behavior. For the PowerShell command, the technique is 'Command and Scripting Interpreter' (T1059) with sub-technique 'PowerShell' (T1059.001). Look for details like whether the command is encoded (defense evasion). Use the ATT&CK website or local copy to verify.
Identify Sub-Technique
If the technique has sub-techniques, select the most specific one. For T1059, sub-techniques include T1059.001 (PowerShell), T1059.003 (Windows Command Shell), T1059.005 (Visual Basic). The example uses powershell.exe, so T1059.001 is correct. Sub-techniques provide granularity for detection and mitigation.
Document and Communicate
Record the mapping for incident reporting or threat intelligence. Use the technique ID (e.g., T1059.001) in communications. This standardizes language across teams. For example, in a SOC ticket: 'Detected T1059.001 - PowerShell execution from suspicious parent process.' This helps other analysts understand the threat quickly.
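The five steps above, carried through for the chapter's observable cmd.exe /c powershell -enc <base64>. This is an added example, not code from the chapter: the event is constructed (its encoded payload is built in the script so it decodes to a harmless command), and the interpreter-to-sub-technique table is an assumption limited to the T1059 sub-techniques the chapter names.

```python
"""Map a process-creation observable to tactic, technique and sub-technique,
decode the -enc argument, and produce the standardized ticket line.
Added example; the event and the interpreter table are constructed/assumed."""
import base64
import re

# Step 1 artifacts: constructed event. The payload is encoded here so the example
# is self-contained; it decodes to a harmless Write-Output.
ENC = base64.b64encode("Write-Output 'hello'".encode("utf-16le")).decode()
EVENT = {
    "parent_image": r"C:\Windows\System32\cmd.exe",
    "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "command_line": f"cmd.exe /c powershell -enc {ENC}",
}

# Interpreter image -> T1059 sub-technique (assumed table covering the IDs the chapter lists).
INTERPRETERS = {
    "powershell.exe": ("T1059.001", "PowerShell"),
    "pwsh.exe": ("T1059.001", "PowerShell"),
    "cmd.exe": ("T1059.003", "Windows Command Shell"),
    "bash.exe": ("T1059.004", "Unix Shell"),
    "sh.exe": ("T1059.004", "Unix Shell"),
}


def decode_encoded_command(cmdline):
    """Return the plaintext of a PowerShell -enc / -EncodedCommand argument, else None.
    PowerShell expects the argument to be UTF-16LE text, base64-encoded."""
    m = re.search(r"-(?:enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.IGNORECASE)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def map_observable(event):
    """Steps 2-4: tactic (Execution), technique, most specific sub-technique, analyst notes."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    sub_id, sub_name = INTERPRETERS.get(image, ("T1059", "Command and Scripting Interpreter"))
    notes = []
    decoded = decode_encoded_command(event["command_line"])
    if decoded is not None:
        notes.append("encoded command (defense-evasion indicator), decodes to: " + decoded)
    parent = event["parent_image"].rsplit("\\", 1)[-1].lower()
    if parent in INTERPRETERS and parent != image:
        notes.append(f"spawned by another interpreter ({parent})")
    return {"tactic": "TA0002", "technique": "T1059", "sub_technique": sub_id,
            "name": sub_name, "notes": notes}


def ticket_line(mapping):
    """Step 5: the standardized line for the SOC ticket."""
    return (f"Detected {mapping['sub_technique']} - {mapping['name']} execution "
            "from suspicious parent process.")


if __name__ == "__main__":
    m = map_observable(EVENT)
    print(ticket_line(m))
    for note in m["notes"]:
        print(" *", note)
```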
Scenario 1: SOC Triage for Phishing Campaign
A large enterprise receives alerts for multiple users clicking links in phishing emails. The SOC analyst uses ATT&CK to map the initial click to T1566.002 (Spearphishing Link). Further investigation reveals that the links download a JavaScript file, which maps to T1059.007 (JavaScript). The analyst then checks for post-execution behavior: the JavaScript creates a scheduled task for persistence (T1053.005). By mapping each step, the SOC can prioritize detection for the entire chain. In this environment, the SIEM is configured with ATT&CK tags on alerts, allowing automated triage. Common misconfiguration: tagging only the initial technique and missing lateral movement, leading to incomplete incident response.
Scenario 2: Threat Hunting for Credential Access
A threat hunter proactively searches for credential dumping techniques. They create a hypothesis: 'Attackers may use T1003.001 (LSASS Memory) to dump credentials.' They query Windows Event Logs for Event ID 4688 with ProcessName = 'procdump.exe' or 'mimikatz.exe'. They also look for suspicious access to lsass.exe (Event ID 10 from Sysmon). By focusing on ATT&CK techniques, the hunt is guided and efficient. In production, they use the ATT&CK Navigator to visualize coverage gaps. A common issue: false positives from legitimate administration tools; analysts must tune detections by excluding known good processes (e.g., legitimate Procdump from Microsoft).
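The hunt in this scenario, run over constructed Sysmon Event ID 10 (ProcessAccess) and Security Event ID 4688 records with an allow-list for the tuning step. This is an added example, not code from the chapter; the records, file paths and allow-list entries are constructed for illustration.

```python
"""Hunt for T1003.001 (LSASS Memory) in Sysmon Event 10 and Windows Event 4688 records,
with allow-list tuning for known-good tooling. Added example; all records are constructed."""

# PROCESS_VM_READ: the access right a process needs to read LSASS memory.
PROCESS_VM_READ = 0x0010

# Constructed records; field names follow the Sysmon/Windows event fields, values are invented.
EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Users\bob\Downloads\procdump64.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Temp\svc.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 4688, "NewProcessName": r"C:\Tools\mimikatz.exe", "SubjectUserName": "bob"},
    {"EventID": 4688, "NewProcessName": r"C:\Program Files\Sysinternals\procdump64.exe",
     "SubjectUserName": "svc_backup"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\notepad.exe", "SubjectUserName": "alice"},
]

# Tuning (constructed): known-good LSASS readers by full lowercase path. In production,
# build this from your own baseline and key on path plus signer, never on file name alone.
ALLOWED_LSASS_READERS = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wbem\wmiprvse.exe",
}
# Constructed: the admin team's approved Procdump location.
ALLOWED_DUMP_TOOL_PATHS = {r"c:\program files\sysinternals\procdump64.exe"}
HUNT_TOOL_NAMES = {"procdump.exe", "procdump64.exe", "mimikatz.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def hunt_lsass_access(events, allowed=ALLOWED_LSASS_READERS):
    """Sysmon Event 10: a process opened lsass.exe with memory-read access and is not allow-listed."""
    hits = []
    for e in events:
        if e.get("EventID") != 10 or basename(e["TargetImage"]) != "lsass.exe":
            continue
        if int(e["GrantedAccess"], 16) & PROCESS_VM_READ == 0:
            continue  # this access mask cannot read memory
        if e["SourceImage"].lower() in allowed:
            continue  # tuned out as known good
        hits.append(e["SourceImage"])
    return hits


def hunt_dump_tools(events, allowed=ALLOWED_DUMP_TOOL_PATHS):
    """Event 4688: known dumping-tool names launched from anywhere but the approved path."""
    hits = []
    for e in events:
        if e.get("EventID") != 4688:
            continue
        path = e["NewProcessName"]
        if basename(path) in HUNT_TOOL_NAMES and path.lower() not in allowed:
            hits.append((e["SubjectUserName"], path))
    return hits


if __name__ == "__main__":
    print("T1003.001 candidates (Sysmon 10):", hunt_lsass_access(EVENTS))
    print("T1003.001 candidates (4688):", hunt_dump_tools(EVENTS))
```

The approved Procdump copy is excluded by its full path rather than by name, so a renamed or relocated copy still surfaces.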
Scenario 3: Incident Response for Ransomware
During a ransomware incident, responders map the attack using ATT&CK. They identify initial access via RDP brute-force (T1110.001), then privilege escalation via exploitation of a local vulnerability (T1068), and finally impact via data encryption (T1486). This mapping helps them contain the attack by blocking RDP (mitigation for T1110) and applying patches (mitigation for T1068). They also discover that the ransomware used a custom tool to disable Windows Defender (T1562.001). Performance consideration: during active incident, mapping should be done quickly; pre-built playbooks based on ATT&CK can save time. Misconfiguration: failing to map the entire chain can leave backdoors undetected.
What CS0-003 Tests on This Topic
Objective 1.1: 'Given a scenario, apply the appropriate threat intelligence and threat modeling methodologies.' This includes using MITRE ATT&CK to categorize threats. Expect questions that describe an attack step and ask you to identify the correct technique ID or tactic. Also, questions about the purpose of ATT&CK Navigator and how ATT&CK relates to other frameworks like Cyber Kill Chain.
Common Wrong Answers and Why Candidates Choose Them
Confusing Tactic and Technique: A question describes 'an attacker creates a scheduled task to maintain access.' Some candidates answer 'Execution' (tactic) instead of 'Scheduled Task' (technique). They choose the tactic because they see 'task' and think 'execute,' but persistence is the goal.
Picking the Wrong Sub-Technique: For 'phishing with a malicious link,' candidates might choose T1566.001 (Spearphishing Attachment) instead of T1566.002 (Spearphishing Link). They confuse attachment vs. link.
Selecting a Technique from Wrong Tactic: A scenario involves 'using PowerShell to download a payload.' Candidates might pick T1059.001 (Execution) but also consider T1105 (Ingress Tool Transfer) from Command and Control. The key is that the download is part of execution, not C2.
Ignoring Platform Context: A technique that only applies to Windows is applied to a Linux scenario. For example, T1059.001 (PowerShell) is Windows-focused; on Linux, the correct technique might be T1059.004 (Unix Shell).
Specific Numbers and Terms That Appear Verbatim
Technique IDs: T1566 (Phishing), T1059 (Command and Scripting Interpreter), T1003 (OS Credential Dumping), T1486 (Data Encrypted for Impact).
Tactic IDs: TA0001 (Initial Access), TA0002 (Execution), TA0003 (Persistence), TA0004 (Privilege Escalation), TA0005 (Defense Evasion), TA0006 (Credential Access), TA0007 (Discovery), TA0008 (Lateral Movement), TA0009 (Collection), TA0011 (Command and Control), TA0010 (Exfiltration), TA0040 (Impact).
The number of tactics in Enterprise matrix: 14.
The number of techniques: over 190 (updated regularly).
Edge Cases and Exceptions
Techniques that span multiple tactics: e.g., T1078 (Valid Accounts) can be used for Initial Access, Persistence, Privilege Escalation, and Defense Evasion. The exam may ask which tactic is NOT associated with a technique.
Sub-techniques may be platform-specific: e.g., T1059.005 (Visual Basic) only on Windows.
Some techniques are deprecated; always use the latest version (e.g., T1105 used to be 'Remote File Copy' but now is 'Ingress Tool Transfer').
How to Eliminate Wrong Answers
Read the scenario carefully: Identify the goal (tactic) first. Then match the method (technique).
Eliminate answers that are tactics when the question asks for technique, and vice versa.
Check for platform keywords: Windows, Linux, macOS, cloud.
If multiple techniques seem plausible, choose the most specific one (sub-technique over base technique).
Remember that some techniques are used for multiple tactics; the question's context determines the correct tactic.
MITRE ATT&CK is a knowledge base of adversary tactics and techniques based on real-world observations.
The Enterprise matrix has 14 tactics and over 190 techniques, each with a unique ID (e.g., T1566).
Tactics represent the adversary's goal (e.g., Persistence), while techniques are the methods (e.g., Scheduled Task).
Sub-techniques provide granular detail; for example, T1566.001 (Spearphishing Attachment) vs T1566.002 (Spearphishing Link).
ATT&CK is used for alert triage, detection engineering, threat intelligence, and gap analysis.
The ATT&CK Navigator is a tool to visualize coverage and create layers for analysis.
On the CS0-003 exam, be prepared to map a described behavior to the correct technique ID or tactic.
Common mistakes include confusing tactics with techniques and selecting the wrong sub-technique.
These come up on the exam all the time. Here's how to tell them apart.
MITRE ATT&CK
Non-linear matrix of tactics and techniques
Granular detail with over 190 techniques
Includes sub-techniques for specificity
Vendor-neutral and community-driven
Covers multiple platforms (Windows, Linux, cloud)
Cyber Kill Chain
Linear seven-phase model
High-level phases (e.g., Delivery, Exploitation)
No sub-phases or granularity
Developed by Lockheed Martin
Originally focused on network-centric attacks
Mistake
MITRE ATT&CK is only for threat intelligence analysts.
Correct
ATT&CK is used by SOC analysts, detection engineers, incident responders, and red teams. It is a universal language for describing adversary behavior across all security roles.
Mistake
Each technique belongs to exactly one tactic.
Correct
Many techniques can be used for multiple tactics. For example, 'Valid Accounts' (T1078) can serve Initial Access, Persistence, Privilege Escalation, and Defense Evasion. The tactic depends on the context of the attack.
Mistake
ATT&CK techniques are only for Windows environments.
Correct
The Enterprise matrix covers Windows, macOS, Linux, cloud (AWS, Azure, GCP), and network devices. There are also matrices for Mobile and ICS. Always check the platform column.
Mistake
Sub-techniques are optional and not important.
Correct
Sub-techniques provide granularity necessary for precise detection and mitigation. The exam tests your ability to select the correct sub-technique ID. For example, distinguishing T1566.001 (attachment) from T1566.002 (link) is crucial.
Mistake
ATT&CK replaces the Cyber Kill Chain.
Correct
ATT&CK complements the Cyber Kill Chain by providing detailed techniques within each phase. The Kill Chain is linear, while ATT&CK is a matrix that allows for non-linear attack paths. Both are used together.
A tactic is the adversary's goal or reason for performing an action, such as 'Persistence' (TA0003). A technique is the specific method used to achieve that goal, such as 'Scheduled Task' (T1053). Tactics are the 'why,' techniques are the 'how.' On the exam, if a question asks for the goal, the answer is a tactic; if it asks for the method, it is a technique.
There are 14 tactics in the Enterprise matrix: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, and Impact. Memorize these for the exam.
Yes. For example, 'Valid Accounts' (T1078) can be used for Initial Access, Persistence, Privilege Escalation, and Defense Evasion. The context of the attack determines which tactic applies. The exam may test this by asking which tactic is NOT associated with a given technique.
The ATT&CK Navigator is a web-based tool for visualizing and analyzing coverage of ATT&CK techniques. It allows you to create layers that highlight techniques you have detections for, techniques used by specific threat groups, or techniques you want to prioritize. It helps identify gaps in detection coverage.
ATT&CK complements the Cyber Kill Chain by providing detailed techniques within each phase. The Cyber Kill Chain is a linear model of attack phases, while ATT&CK is a non-linear matrix. Together, they provide a comprehensive view of adversary behavior. Many organizations use both.
A sub-technique is a more specific variant of a technique. For example, the technique 'Phishing' (T1566) has sub-techniques 'Spearphishing Attachment' (T1566.001) and 'Spearphishing Link' (T1566.002). Sub-techniques provide granularity for detection and mitigation. The exam expects you to identify the correct sub-technique ID.
SOC analysts use ATT&CK to categorize alerts (e.g., 'This is T1059.001 - PowerShell'), build detection rules (e.g., Sigma rules mapped to techniques), and prioritize responses. It also aids in threat intelligence by linking techniques to threat groups. During incident response, mapping the attack chain using ATT&CK helps ensure complete containment.