# MITRE ATT&CK

> Source: Courseiva IT Certification Glossary — https://courseiva.com/glossary/mitre-att-and-ck

## Quick definition

MITRE ATT&CK is a detailed library that shows how hackers attack computer systems. It lists the steps attackers take, from initial break-in to stealing data. Security teams use this library to plan their defenses and test their systems. Think of it as a playbook that explains the moves cybercriminals make.

## Simple meaning

Imagine you are a security guard at a large office building. Your job is to stop burglars from getting in and stealing valuable items. To do your job well, you would want to know all the tricks burglars use. Do they pick locks? Do they climb through windows? Do they sneak in during a busy lunch hour? MITRE ATT&CK is like a huge, well-organized book that lists every known trick a cyber burglar might use. It does not just say 'they break in.' It breaks down the entire process into steps. It names the first step (like 'Initial Access' – how they first get in), the next step (like 'Execution' – how they run their malicious software), and all the way to the final step (like 'Exfiltration' – how they steal your data). For each step, it gives specific techniques, such as 'Phishing' or 'Using a stolen password.' This knowledge base is built from watching real cyberattacks in the real world, so it is based on what attackers actually do, not just theory. Security teams use this book to check if their defenses can stop each trick. They can run tests to see if their antivirus software catches a phishing email or if their firewall blocks a certain type of connection. It helps them find weaknesses before a real attacker does. In short, MITRE ATT&CK is a common language and a practical guide that helps defenders think like attackers, so they can build better shields.

## Technical definition

MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a curated, globally accessible knowledge base developed by MITRE Corporation. It catalogs adversary behaviors observed in real-world cyber operations, structured hierarchically into tactics, techniques, sub-techniques, procedures, and mitigations. The framework is organized into matrices that cover different operational environments: Enterprise (covering Windows, macOS, Linux, cloud, network, and container platforms), Mobile (covering iOS and Android), and ICS (Industrial Control Systems). Each tactic represents a strategic objective of an attacker, such as 'Persistence,' 'Privilege Escalation,' 'Defense Evasion,' 'Credential Access,' 'Discovery,' 'Lateral Movement,' 'Collection,' 'Command and Control,' and 'Exfiltration.' Under each tactic, techniques describe how an attacker achieves that objective. For example, under 'Persistence,' the technique 'Create Account' describes how an attacker can add a new user account to maintain access. Each technique has a unique ID (e.g., T1098 for 'Create Account'), a description, detection methods, and data sources (e.g., Process command-line parameters, Windows event logs). Sub-techniques provide more granular detail, such as T1098.001 for 'Cloud Account.' The framework is widely used for threat modeling, red teaming, blue team defensive gap analysis, and security product evaluation. It is not a compliance standard but an industry reference model. Many security vendors map their detections to ATT&CK techniques, enabling organizations to standardize their security posture assessments. The MITRE ATT&CK Navigator is a free tool that allows analysts to visualize defensive coverage. The knowledge base is continuously updated through contributions from security researchers and analysis of real-world incidents. Its practical implementation involves integrating ATT&CK with SIEMs (Security Information and Event Management systems) to correlate logs and alerts to specific techniques. Security Operations Centers (SOCs) often use ATT&CK to structure incident response playbooks and threat hunting hypotheses. For example, a SOC might look for indicators of 'PowerShell execution' (T1059.001) or 'Pass the Hash' (T1550.002) because they are common techniques used by ransomware groups. Understanding ATT&CK is essential for IT professionals working in security operations, incident response, and threat intelligence roles, especially those pursuing certifications like Security+, CySA+, or CISSP.

## Real-life example

Think about how a pickpocket works in a busy train station. They do not just walk up and grab a wallet. They have a series of steps. First, they need to get into the station (Initial Access – maybe by buying a ticket or slipping through a gate). Then, they need to blend in (Defense Evasion – wearing a regular coat, not a mask). They need to spot a target (Discovery – looking for someone with a phone sticking out of a pocket). They need to get close (Lateral Movement – moving through the crowd). Then they actually lift the wallet (Collection). Finally, they slip away to a quiet corner to look at what they stole (Exfiltration). Security guards in the station can think about all these steps. They might put extra cameras near the ticket gates. They might train themselves to watch for people who stand too close to others. If the guards only thought about stopping the actual 'hand in the pocket' moment, they would miss all the other ways a thief could be stopped earlier. MITRE ATT&CK is exactly this kind of thinking, but for computers. It forces defenders to look at the full chain of an attack, not just the final, obvious action. It helps you understand that stopping an attacker early, like blocking a phishing email before anyone clicks it, is much better than trying to stop data from leaving your network. Just as a train station can improve security by analyzing the pickpocket's full journey, an IT team can use ATT&CK to prepare for all the stages of a cyberattack, not just the ones that make the news.

## Why it matters

In the world of IT, especially security operations, knowing about MITRE ATT&CK is like a mechanic knowing the parts of an engine. Without it, you are just guessing. Cyberattacks are not random; they follow patterns. ATT&CK captures those patterns. For a security professional, using ATT&CK allows you to move from reactive (waiting for an alarm) to proactive (looking for specific attacker behaviors). You can run simulated attacks (red teaming) using ATT&CK techniques and see if your defenses detect them. This is called 'assumed breach' testing. You stop asking 'Can they break in?' and start asking 'If they break in this specific way, will we catch them?' This matters because most modern breaches use common techniques that are well-documented in ATT&CK. For example, many ransomware attacks use 'Phishing' (T1566), 'PowerShell' (T1059.001), and 'Service Stop' (T1489). Knowing these IDs helps teams quickly research detection methods and they can write SIEM rules to alert on those behaviors. Vendors often claim their products can detect 'APT-level threats.' By using ATT&CK, you can test those claims yourself. You can check if your antivirus detects the specific techniques used by known groups. It provides a common language. Instead of saying 'We have good endpoint security,' you can say 'We have high detection coverage for Persistence techniques on Windows 10.' This precision improves communication between technical teams, management, and auditors. For IT professionals, being fluent in ATT&CK demonstrates a mature understanding of cybersecurity operations and is increasingly expected in SOC roles.

## Why it matters in exams

For IT certification exams, MITRE ATT&CK is not always a major core subject, but it is increasingly appearing as a supporting concept in security-related objectives. In CompTIA Security+ (SY0-601 and SY0-701), you will see ATT&CK referenced in the context of threat intelligence and security frameworks. Domain 1.6 (Explain the importance of threat intelligence) mentions using frameworks like MITRE ATT&CK to analyze threats. Questions may ask you to identify which ATT&CK tactic best describes a given attacker action – for example, is credential dumping considered 'Collection' or 'Credential Access'? In CompTIA CySA+ (CS0-002/003), ATT&CK is more important. The exam explicitly tests your ability to use threat intelligence sources, including ATT&CK, to inform detection strategies. You might see a scenario where a security analyst finds evidence of 'Pass the Hash' and you need to identify the technique ID or the corresponding tactic. The exam also expects you to understand how the framework helps in developing detection rules and performing threat hunting. For CISSP, it is considered light supporting knowledge. You should know it as a reference model for adversary behaviors but not necessarily memorize technique IDs. The exam is more conceptual. For CEH, it is also light supporting, often mentioned as a threat modeling resource. In exams like the ISC2 CC, it is not directly tested but knowing it shows broader awareness. The key for exams is to understand the purpose (standardized knowledge base of adversary behavior), the structure (tactics are goals, techniques are methods), and how it differs from other frameworks like the Cyber Kill Chain (which is more linear, while ATT&CK is more detailed and matrix-based). Questions are usually scenario-based: 'An analyst sees an attacker using a phishing email to get initial access. Which MITRE ATT&CK tactic does this fall under?' The answer would be 'Initial Access'.

## How it appears in exam questions

Exam questions about MITRE ATT&CK are often scenario-based and designed to test your ability to map a described attacker action to the correct framework component. A typical question pattern might describe a log entry: 'An event log shows that a user account named 'service_admin' was created on a domain controller at 2:00 AM by an unknown process. Which MITRE ATT&CK tactic is most likely being achieved?' The options would be 'Persistence,' 'Privilege Escalation,' 'Initial Access,' or 'Defense Evasion.' The correct answer is 'Persistence' because creating an account is a common way to maintain access. Another pattern asks about detection: 'A security team wants to detect the use of PowerShell to download malicious payloads. According to MITRE ATT&CK, which technique ID should they focus their detection efforts on?' Options might be T1059.001 (Command and Scripting Interpreter: PowerShell) or T1566 (Phishing). The correct one is T1059.001. Questions can also ask about the framework's purpose: 'Which of the following best describes the primary purpose of the MITRE ATT&CK framework?' with options like 'Compliance framework for PCI DSS' or 'Standardized list of adversary tactics and techniques.' They can also test your ability to differentiate between Tactics and Techniques. For example: 'What is the relationship between a tactic and a technique in the MITRE ATT&CK framework?' The answer: 'A tactic is the strategic goal, and a technique is the method used to achieve it.' Config-type questions might ask: 'An organization conducts a purple team exercise where the red team simulates the 'Golden Ticket' technique (T1558.001). Which security controls should the blue team check for detection?' The answer would involve auditing Kerberos authentication logs and event ID 4769. Some questions present a table of attacker actions and ask you to identify the technique. For example, 'Phishing' is a technique under 'Initial Access.' In short, questions test your ability to categorize actions and understand the framework's structure, not to memorize hundreds of IDs.

## Example scenario

You are the only IT person at a small law firm. One morning, an employee receives an email that looks like it is from the managing partner. The email says, 'Urgent: Please download the attached invoice and pay it immediately.' The employee downloads the file, which is a PDF, but when they open it, nothing seems to happen. A week later, the firm's file server starts acting strangely. Files are renamed with a '.locked' extension, and a ransom note appears. You need to explain to your boss what happened using the MITRE ATT&CK framework to show you understand the attack chain. You start with what the attacker did first. The email was a phishing message – that is T1566, a technique under the 'Initial Access' tactic. The employee opening the PDF triggered the malicious code – that falls under 'Execution' (T1204: User Execution). The attacker then needed to stay hidden – that is 'Defense Evasion' (T1036: Masquerading, perhaps naming the malware 'invoice.pdf.exe'). To spread, they used remote desktop protocol to move to the server – 'Lateral Movement' (T1021.001: Remote Desktop Protocol). Once on the server, they stopped the backup service – 'Impact' (T1489: Service Stop) to make recovery harder. Finally, they encrypted files – 'Impact' (T1486: Data Encrypted for Impact). By mapping these steps to ATT&CK, you can clearly show the sequence of events and identify which controls failed. You can then propose specific, targeted fixes. For example, to stop that phishing email, you could implement email filtering rules. To prevent easy RDP access, you could disable RDP from the internet or enforce MFA. Using ATT&CK turns a scary event into a structured lesson, improving the firm's defenses for next time.

## Common mistakes

- **Mistake:** Thinking MITRE ATT&CK is a compliance standard like PCI DSS or HIPAA.
  - Why it is wrong: ATT&CK is a knowledge base of adversary behaviors, not a set of rules or requirements. You do not 'pass' an ATT&CK audit; you use it to measure your detection capability.
  - Fix: Understand that ATT&CK is a tool for improving security posture, not a regulation checklist.
- **Mistake:** Confusing a tactic with a technique. For example, calling 'Phishing' a tactic.
  - Why it is wrong: In ATT&CK, tactics are the 'why' (the goal, like Initial Access), while techniques are the 'how' (the method, like Phishing). Using them interchangeably causes confusion.
  - Fix: Remember: Tactics are verbs describing the attacker's objective. Techniques are the specific actions that achieve that objective.
- **Mistake:** Believing that ATT&CK covers all possible attack types or is always up to date.
  - Why it is wrong: ATT&CK is based on observed real-world attacks, but new techniques emerge every day. It is constantly updated, but it will never be 100% complete.
  - Fix: Use ATT&CK as a baseline framework. Supplement it with threat intelligence feeds and original research for emerging threats.
- **Mistake:** Assuming ATT&CK is only for red teams (offensive security).
  - Why it is wrong: ATT&CK is equally important for blue teams (defenders), SOC analysts, threat hunters, and security architects. It helps them design better detection rules and understand gaps.
  - Fix: Think of ATT&CK as a common reference for both attackers and defenders to communicate effectively.
- **Mistake:** Trying to memorize all technique IDs for an exam.
  - Why it is wrong: Most exams test your understanding of the framework's structure and concepts, not specific IDs. Memorizing Txxxx values is inefficient and rarely tested.
  - Fix: Focus on the major tactics (Initial Access, Execution, Persistence, etc.) and their definitions. Learn a few common techniques as examples.

## Exam trap

{"trap":"The exam asks: 'Which component of MITRE ATT&CK describes the adversary's overall goal?' and the options include 'Technique' and 'Tactic.'","why_learners_choose_it":"Learners often confuse the two because they are closely related, or they guess 'Technique' because it sounds more specific to an action.","how_to_avoid_it":"Remember the simple mnemonic: Tactics are the Top-level goals; Techniques are the Toolset. The Tactic is the 'what' the attacker wants to achieve (e.g., get in, stay in, steal). The Technique is 'how' they do it (e.g., phishing, creating accounts)."}

## Commonly confused with

- **MITRE ATT&CK vs Cyber Kill Chain:** The Cyber Kill Chain (by Lockheed Martin) is a linear, high-level model of an attack's phases (Reconnaissance, Weaponization, Delivery, Exploitation, Installation, C2, Actions on Objectives). MITRE ATT&CK is much more granular, offering multiple techniques per tactic and covering many more attacker behaviors, including those not captured in the Kill Chain. The Kill Chain is simpler, while ATT&CK is more comprehensive for modern attacks. (Example: A Kill Chain would say 'Delivery' happened. ATT&CK would specify the delivery technique as 'Phishing Attachment' (T1566.001) or 'Spearphishing Link' (T1566.002).)
- **MITRE ATT&CK vs NIST Cybersecurity Framework (CSF):** NIST CSF is a high-level policy and risk management framework with five functions: Identify, Protect, Detect, Respond, Recover. It does not list specific attack techniques. MITRE ATT&CK is a detailed operational framework for technical cybersecurity teams to understand and detect real attacker behaviors. CSF tells you WHAT to do (e.g., manage risk), while ATT&CK tells you HOW to detect specific threats. (Example: An organization using NIST CSF's 'Detect' function would then use ATT&CK to define specific detection rules for techniques like 'PowerShell' or 'RDP.')
- **MITRE ATT&CK vs Diamond Model of Intrusion Analysis:** The Diamond Model is a framework for analyzing a single intrusion event, focusing on four core features: Adversary, Capability, Infrastructure, and Victim. It helps analysts understand the relationships in a specific incident. ATT&CK is a broader taxonomy of known adversary behaviors used for general knowledge, not for analyzing a single event in depth. The Diamond Model answers 'who, what, where, when' while ATT&CK answers 'how.' (Example: For a phishing attack, the Diamond Model would identify the specific phishing kit (Capability) and the email server (Infrastructure). ATT&CK would just classify the technique as 'Phishing' under 'Initial Access.')

## Step-by-step breakdown

1. **Purpose Identification** — First, understand that MITRE ATT&CK exists to provide a common language for describing cyber adversary behaviors. Its primary goal is to improve detection and response, not compliance. Organizations adopt it to standardize how they talk about threats.
2. **Understanding the Matrix Structure** — ATT&CK is organized into matrices (e.g., Enterprise, Mobile, ICS). For IT professionals, the Enterprise matrix is the most relevant. It lists tactics across the top and techniques vertically. Tactics represent the 'why' (the attacker's goal), and techniques represent the 'how' (the specific method).
3. **Exploring a Tactic** — Pick a tactic like 'Defense Evasion.' This tactic groups all the techniques an attacker uses to avoid detection. Examples include disabling security software, using obfuscated scripts, or masquerading malicious files as legitimate ones. Understanding this helps defenders focus on detection controls that look for these behaviors.
4. **Examining a Technique** — Within a tactic, click on a technique like 'Indicator Removal on Host' (T1070). This technique describes how attackers delete or modify logs to cover their tracks. The page lists sub-techniques (e.g., Clear Windows Event Logs), detection advice (monitor event ID 1102), and mitigation steps (limit permissions to clear logs).
5. **Applying to Detection Engineering** — A security engineer uses this information to write a SIEM rule. For example, they create an alert that triggers when event ID 1102 (Security log cleared) appears outside of scheduled maintenance windows. This is a practical, direct use of the framework to harden an IT environment.
6. **Using for Threat Intelligence** — ATT&CK can be used to map threat actor groups. For instance, the Conti ransomware group is known to use techniques like 'RDP' (T1021.001), 'PowerShell' (T1059.001), and 'Service Stop' (T1489). If a SOC sees these techniques in a new alert, they can quickly infer the possible threat group and respond with appropriate countermeasures.
7. **Performing Gap Analysis** — An organization can create a heatmap using the ATT&CK Navigator, showing which techniques they can currently detect (green) and which they cannot (red). This visual representation helps leadership allocate resources to close gaps in detection coverage, for example, by purchasing a new security tool or configuring existing ones better.

## Practical mini-lesson

MITRE ATT&CK is not just a list to read on a Sunday afternoon. It is a working tool that should be integrated into your daily security operations. For IT professionals, the most practical way to start using ATT&CK is to select a few critical techniques that are relevant to your environment. For example, if you manage a Windows network, techniques like 'Pass the Hash' (T1550.002) and 'Kerberoasting' (T1558.003) are highly relevant. You do not need to cover all techniques at once. Start small. Begin by mapping your existing alerts to ATT&CK techniques. Most SIEMs and EDR (Endpoint Detection and Response) solutions already include ATT&CK mappings. Review your top ten alerts and see which techniques they correspond to. This exercise alone will reveal gaps. If you have many alerts mapped to 'Execution' but very few mapped to 'Privilege Escalation,' you might be missing an attack vector. Next, use the framework for incident response. When a security incident occurs, document which ATT&CK techniques were used. This structured documentation helps you build a timeline and communicate the attack's complexity. It also makes your incident report more professional. Over time, you can build a threat profile for your organization based on the techniques that appear most often. For example, if you see repeated use of 'Phishing' (T1566), you might invest in better email security training or advanced email filtering. If you see many 'Lateral Movement' events using RDP, you might enforce network segmentation or restrict RDP access. What can go wrong? Some organizations try to map every single alert to ATT&CK and drown in complexity. Do not do that. Instead, prioritize the techniques that represent the highest risk to your business processes. Also, avoid treating ATT&CK as a perfect truth. It is a model; it simplifies reality. There will be techniques that do not exactly match your logs, and that is okay. The important thing is to use it as a guide, not a straitjacket. In practice, professionals often use the MITRE ATT&CK Navigator spreadsheet to color-code their detection coverage. They share these heatmaps at team meetings to show progress and highlight areas needing improvement. This tool turns abstract cybersecurity concepts into a tangible, actionable plan for making your organization safer.

## Memory tip

Think of MITRE ATT&CK as a dictionary for cyberattacks. Tactics are the chapter titles (goals) and techniques are the words inside (methods).

## FAQ

**Is MITRE ATT&CK free to use?**

Yes, MITRE ATT&CK is completely free and open for anyone to use. You can access the knowledge base online, download it, or integrate it into your tools. There is no cost to use the framework.

**Do I need to memorize all the technique IDs for an exam?**

No. For most IT certification exams, you need to understand the structure (tactics vs techniques) and be able to map a described attacker action to the correct tactic. Specific technique IDs are rarely tested.

**How is MITRE ATT&CK different from a vulnerability database like CVE?**

A CVE describes a specific vulnerability (a hole in software). MITRE ATT&CK describes attacker behaviors (how they exploit or use systems). They are complementary: CVE tells you what to patch, ATT&CK tells you what attacker behaviors to watch for.

**What is the difference between a tactic and a technique?**

A tactic is the goal of an attacker at a particular stage (e.g., 'Persistence' – staying inside the system). A technique is the method used to achieve that goal (e.g., 'Create Account' – making a new user to stay inside).

**Can small businesses use MITRE ATT&CK?**

Yes, but it can be overwhelming. Small businesses can start by focusing on the most common techniques relevant to them, like phishing and ransomware. ATT&CK can help them decide which security controls to prioritize.

**Is MITRE ATT&CK updated regularly?**

Yes, MITRE updates ATT&CK multiple times a year based on new research and real-world attack observations. It stays current with evolving threats.

## Summary

MITRE ATT&CK is a foundational knowledge base for anyone serious about cybersecurity operations. It provides a structured, common language to describe the behaviors of cyber adversaries, from the initial breach to the final objective. For IT professionals, understanding ATT&CK moves you from generic threat awareness to specific, actionable detection and response strategies. It is not a compliance checklist but a practical tool for improving your organization's security posture. In certification exams, expect scenario-based questions that test your ability to classify an attacker's action into the correct tactic or technique, not to memorize IDs. Knowing the difference between a tactic (the goal) and a technique (the method) is critical. The real value of ATT&CK lies in its application: mapping your security controls, performing gap analyses, and writing better detection rules. As cyber threats become more sophisticated, using a standardized framework like MITRE ATT&CK is essential for effective team communication and continuous improvement. It is a must-know concept for Security+, CySA+, and CISSP candidates, and a valuable career asset for any IT security professional.

---

Practice questions and the full interactive page: https://courseiva.com/glossary/mitre-att-and-ck
