Mitre Att&ck Framework: Everything you need to know by Peter Buttler


According to a statistics report, security breaches have increased in numbers by about 67% over the past five years. What can one use to prevent security breaches or be able to look through an attackers’ perspective? Here’s where the Mitre Att&ck Framework comes in handy. Here’s the overall agenda of what you’ll be learning through this read:

  • What is mitre att&ck framework?
  • When did it come into existence?
  • What tactics does the framework provide?
  • What are the techniques provided in the framework?
  • How does the framework works?
  • Uses of the mitre att&ck framework
  • Matrices of mitre att&ck framework

What is MITRE ATT&CK Framework?

The att&ck framework is a comprehensive matrix of strategies and techniques that are used by attackers throughout the different stages of a cyberattack. It was developed by MITRE to give defenders, red teamers a perspective of an attacker with ill intent so that they’re already aware of the mindset behind the attack.

ATT&CK is an abbreviation for  Adversarial Tactics, Techniques, and Common Knowledge. The framework is a collection of different cybersecurity techniques sorted by the scenarios they are used in. The collections of techniques will be different depending on the operating systems. All techniques are classified based on the operating systems they can be executed on, such as Linux, Windows, Mac, Mobile.

Enterprises and organizations can use the att&ck framework to enhance post-breach security by documenting the actions the attacker might have taken. Organizations can utilize the framework to identify vulnerabilities in defenses and those vulnerabilities can be taken care of by prioritizing the risk factor. 

Threat intelligence and ATT&CK framework are closely knit together and are most often times than not, are used together to prevent cyber intrusions and to prepare for one.

What are the tactics provided in the ATT&CK Framework?

The att&ck framework developed by MITRE comes in packaging with 11 tactics. Each of these tactics has subset techniques that can be used to detect a cybersecurity intrusion. 

  • Initial Access
  • Execution
  • Persistence
  • Privilege Escalation
  • Defense Evasion
  • Credential Access
  • Discovery
  • Lateral Movement
  • Collection
  • Exfiltration 
  • Command & Control

What are the techniques of the ATT&CK Framework?

Each tactic provided in the ATT&CK framework contains a collection of techniques that have been observed, being used by perpetrators to gain access to private information. Tactics can be described as the thought of determining the “HOW” part of the attack. 

How is the hacker getting access to sensitive information? How is he able to exploit that vulnerability? The answer to these questions is provided by the MITRE ATT&CK framework.

Each technique has contextual information that is relevant to a tactic provided in the framework. Like what applications are needed to execute the attack? Or how to detect commands and processes that the tactic is used in?

MITRE ATT&CK Framework VS Cyber Kill Chain

In simple terms, both frameworks follow the same pattern. Infiltrate, snoop & steal, exfiltrate. The main difference between the two frameworks is that the framework by MITRE is more like a list of techniques sorted by the tactics and doesn’t require you to work in any sequence or order. If you want to detect intrusions, you can utilize the contextual help given with the tactic.

However, when it comes to the Cyber Kill Chain, It can be defined as a sequence of events. As it is a sequence, you can’t change the order of the techniques to be executed. For example, a red-team will start first at reconnaissance then move forward to intrusion and so-on in that order. 

Here’s what the Cyber Kill Chain has to offer in terms of tactics.

  • Reconnaissance
  • Intrusion
  • Exploitation
  • Privilege Escalation
  • Lateral Movement
  • Obfuscation/Anti-Forensics
  • Denial of Service
  • Exfiltration


As mentioned above, ATT&CK is an array of hacking techniques sorted by tactics. It depends on what you want to learn about using the framework. 

For instance, if you wanna learn how a red-team stays in the shadows while infiltration you might want to look into the defense evasion category. It’s not that you should start from that category, you may choose whatever technique you want to learn about.

There are several different matrices available for MITRE ATT&CK framework.

  • PRE-ATT&CK Matrix includes techniques that are used for gaining intel, in other words, reconnaissance, target identification and planning of attacks.
  • Windows Matrix includes techniques that can be used to exploit the different vulnerabilities in different releases of Windows.
  • Similar to Windows Matrix, the Linux one carries techniques to hack different releases of Linux operating system.
  • MacOS Matrix includes techniques required to hack a MacOS.
  • Mobile Att&ck matrix includes techniques that can be used to execute attacks on mobile devices.

Uses of MITRE ATT&CK Framework

Att&ck framework can be used for a number of things. Here are the numerous things that you can utilize this framework for, to improve your understanding as well as enhance the cyber presence of your organization. Here are the five use cases which can be executed in any number of orders.

Red Team

The ATT&CK framework has standardized the terminology that can be used by red teams to communicate with each other with ease, even if its a big organization. 

The framework allows the experts in red teams to execute real-world attack scenarios using ATT&CK as a guide, making not only training and operations more effective than they would previously be.

Blue Team

If you are not aware, there are two teams. Red and Blue. The red team is assigned the job of penetration-testing whereas the Blue team is assigned the task of defense. 

For the defense side of the coin, the ATT&CK framework provides guidance in a concise and comprehensive way. This way, blue teamers get to deeply understand what sort of mitigations are required to be placed on a network in different scenarios.

Vendor Battles

Before the release of the ATT&CK framework, there was no given way that could test out security products. With the framework, organizations can put all the cybersecurity products to the test in a structured and methodical way and whether or not the security product is fulfilling its duty or not.

Another thing to note is that after the release of the framework every new cybersecurity product is aligned with the principles of the framework. This makes the organizations’ job easier to determine the products that have the same basic functionality but a huge difference in price points. 

This essentially breaks the problem into two simple questions, which one implements the security successfully? And which one does it better?

Breach & Attack Simulation

Even though BAS is considered as a new set of tools for cybersecurity. The ATT&CK framework has validated that the toolset is an essential requirement in modern cybersecurity. Similar to vendor-battles the ATT&CK framework helps organizations to determine what BAS toolset is better to implement.

Filling the gaps in security

As you’ve read above, the framework allows the experts on the defensive end to deep-dive in the attackers’ mindset. This makes the process of defending the network a little bit easier. Why? You have the techniques and methods that the attacker will possibly use in the execution, also you have the comprehensive explanation on how to mitigate its effects.

Another thing to note is that testing the cybersecurity of your organization on a daily basis with the guidelines provided by the att&ck framework can essentially serve to fill in the gaps in security when previously they weren’t even that close to filling them.

Best practices for MITRE ATT&CK Framework

Before you consider the usage of MITRE ATT&CK framework in your organization. Here are some key points to note.

  • Use real-world software scenarios mentioned from the Group list. The group list is a repository which holds information about known threats and how to counter them in real-life situations. The scenario is pretty simple, if you are unable to defend the known threats, there’s no way you’ll be able to defend against unknown threats.
  • Regularly testing and implementing methods to fill the holes in your security is recommended using the framework. You may never know when you’re vulnerable and how costly it can be if you’re exploited.
  • Never ever assume that you are safe from a technique that you have countered once. If that same technique is implemented and executed with a slight variation, your security might crumble down to pieces.

Challenges you’ll face while using ATT&CK

The fact that ATT&CK framework has given you the complete guide book to execute cybersecurity attacks on the internet doesn’t mean that you will never be frustrated or stuck at some point in your digital-security strategy. You’ll face challenges which may seem easy from a distance but won’t be when you take a closer look.

Among one of those challenges is file-deletion. Not every action is taken that matches an ATT&CK technique can be considered malicious. For instance, the process of file-deletion is a listed technique under Defense Evasion. 

Now, here comes the challenging part, how will you determine the difference between a hacker deleting a file versus a consumer deleting the file. That’s just one of the examples.

While keeping that in mind, some ATT&CK techniques are already too difficult to detect. An example of this may be the exfiltration of data through an encrypted DNS tunnel. 

Now in this scenario, even if you tried to find out where the data is being leaked you won’t be able to. It is possible to still find out what’s the cause behind the ruckus, but that is the endgame strategy, to be able to detect and mitigate the effects of difficult cybersecurity techniques.


A cybersecurity framework is important. Mitre ATT&CK framework is the most comprehensive framework for cybersecurity. Every organization should implement it to further enhance their presence on the cloud. You may never know when your organization might be the next one on the radar of cybercriminals. It’s better to be safe than sorry.

On The Web

About the Author:

Peter Buttler is a Cybersecurity Journalist and Tech Reporter, who contributes to a number of online publications, including Infosecurity-magazine, SC Magazine UK, Tripwire, Globalsign, and CSO Australia, among others. He covers different topics related to Online Security, Big data, IoT and Artificial Intelligence. With more than seven years of IT experience, he also holds a Master’s degree in cybersecurity and technology. @peter_buttlr





May 12, 2020


Hakin9 TEAM
Hakin9 is a monthly magazine dedicated to hacking and cybersecurity. In every edition, we try to focus on different approaches to show various techniques - defensive and offensive. This knowledge will help you understand how most popular attacks are performed and how to protect your data from them. Our tutorials, case studies and online courses will prepare you for the upcoming, potential threats in the cyber security world. We collaborate with many individuals and universities and public institutions, but also with companies such as Xento Systems, CATO Networks, EY, CIPHER Intelligence LAB, redBorder, TSG, and others.
Notify of

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Inline Feedbacks
View all comments
© HAKIN9 MEDIA SP. Z O.O. SP. K. 2023