Press "Enter" to skip to content


Clear all

The MITRE ATT&CK Framework  

Posts: 63
Joined: 4 months ago

MITRE developed ATT&CK as a model to document and track various techniques attackers use throughout the different stages of a cyberattack to infiltrate your network and exfiltrate data.

ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge. The framework is a matrix of different cyberattack techniques sorted by different tactics. There are different matrices for Windows, Linux, Mac, and mobile systems.

ATT&CK is a matrix of hacking techniques by tactics. There are several different matrices:

  • PRE-ATT&CK Matrix includes techniques used for reconnaissance, target identification, and attack planning.
  • Windows includes techniques used to hack all flavors of Windows.
  • Linux includes techniques used to hack all flavors of Linux.
  • MacOS includes techniques used to hack MacOS.
  • Mobile ATT&CK matrix includes techniques used to attack mobile devices.

The Enterprise ATT&CK matrix is a superset of the Windows, MacOS, and Linux matrices. At the time of this writing, there are 245 techniques in the Enterprise model. MITRE regularly updates ATT&CK with the latest and greatest hacking techniques that hackers and security researchers discover in the wild.

The Differences Between PRE-ATT&CK and ATT&CK Enterprise

PRE-ATT&CK and ATT&CK Enterprise combine to form the full list of tactics that happen to roughly align with the Cyber Kill Chain. PRE-ATT&CK mostly aligns with the first three phases of the kill chain: reconnaissance, weaponization, and delivery. ATT&CK Enterprise aligns well with the final four phases of the kill chain: exploitation, installation, command & control, and actions on objectives.

Cyber Kill Chain

PRE-ATT&CK Tactics ATT&CK Enterprise Tactics
  • Priority Definition
  • Target Selection
  • Information Gathering
  • Weakness Identification
  • Adversary OpSec
  • Establish & Maintain Infrastructure
  • Persona Development
  • Build Capabilities
  • Test Capabilities
  • Stage Capabilities
  • Initial Access
  • Execution
  • Persistence
  • Privilege Escalation
  • Defense Evasion
  • Credential Access
  • Discovery
  • Lateral Movement
  • Collection
  • Exfiltration
  • Command and Control

MITRE and other third-party developers use ATT&CK to help the Red and Blue Teams implement their pentesting and defensive efforts:

  • Caldera is MITRE’s automated attach technique emulation tool
  • Cascade is MITRE’s Blue Team automation toolset
  • Attack Navigator is a web application you can use to make notes and track your ATT&CK status
  • Oilrig is Palo Alto’s Adversary Playbook built on the ATT&CK model.
  • MITRE’s Cyber Analytics Repository is a separate project from ATT&CK that tracks detailed information about how to detect techniques.
  • Varonis detects several ATT&CK techniques and cyberattacks in your network – including Pass the HashPass the Ticket, and Brute Force.  Varonis threat models use the same language as ATT&CK so you can easily reference both resources when you need to research cyberattacks.

ATT&CK Enterprise Matrix


Topic Tags
%d bloggers like this: