Home Topics Mitre attack MITRE ATT&CK framework
Explore IBM's MITRE ATT&CK solution Sign up for security topic updates
Illustration showing collage of cloud, fingerprint and mobile phone pictograms
What is the MITRE ATT&CK framework?

The MITRE ATT&CK framework (MITRE ATT&CK) is a universally accessible, continuously updated knowledge base for modeling, detecting, preventing and fighting cybersecurity threats based on cybercriminals’ known adversarial behaviors.

The ATT&CK in MITRE ATT&CK stands for Adversarial Tactics, Techniques & Common Knowledge.

MITRE ATT&CK catalogs cybercriminal tactics, techniques and procedures (TTPs) through each phase of the cyberattack lifecycle—from an attacker's initial information gathering and planning behaviors, through to the ultimate execution of the attack. The information in MITRE ATT&CK can help security teams

  • accurately simulate cyberattacks to test cyber defenses;
     

  • create more effective security policies, security controls and incident response plans; and
     

  • choose and configure security technologies to better detect, prevent and mitigate cyberthreats.

In addition, the MITRE ATT&CK taxonomy of adversary tactics, techniques and subtechniques (see below) establishes a common language that security professionals can use to share information about cyberthreats and collaborate on threat prevention.

MITRE ATT&CK isn’t software per se. But many enterprise security software solutions—such as user and entity behavior analytics (UEBA), extended detection and response (XDR), security orchestration, automation and response (SOAR) and security information and event management (SIEM)—can integrate MITRE ATT&CK’s threat information to update and enhance their threat detection and response capabilities.

MITRE ATT&CK was developed by MITRE Corporation, a non-profit, and is maintained by MITRE with input from a global community of cybersecurity professionals.

Visit the MITRE ATT&CK web site
Threat management workshop

Work with IBM Threat Management consultants to modernize your threat management program, close technology and skills gaps and make more informed, risk-based decisions.

Related content

Register for the Cost of a Data Breach report

MITRE ATT&CK matrices

MITRE ATT&CK organizes adversary tactics and techniques (and subtechniques) into matrices. Each matrix includes tactics and techniques corresponding to attacks on specific domains:

Enterprise Matrix

The Enterprise Matrix includes all adversary techniques used in attacks against enterprise infrastructure. This matrix includes submatrices for the Windows, MacOS and Linux platforms, as well as network infrastructure, cloud platforms and container technologies. It also includes a PRE matrix of preparatory techniques used in advance of an attack.

Mobile Matrix

The Mobile Matrix includes techniques used in direct attacks on mobile devices, and in network-based mobile attacks that don’t require access to a mobile device. This matrix includes submatrices for the iOS and Android mobile platforms.

ICS Matrix

The ICX Matrix includes techniques used in attacks on industrial control systems—specifically the machinery, devices, sensors and networks used to control or automate operations for factories, utilities, transportation systems and other critical service providers.

MITRE ATT&CK tactics

Each MITRE ATT&CK tactic represents a specific adversarial goal—something the attacker wants to accomplish at a given time. ATT&CK tactics correspond closely to stages or phases of a cyberattack. For example, ATT&CK tactics covered by the Enterprise Matrix include:

  • Reconnaissance: Gathering information for planning an attack.
     

  • Resource development: Establishing resources to support attack operations.
     

  • Initial access: Penetrating the target system or network.
     

  • Execution: Running malware or malicious code on the compromised system.
     

  • Persistence: Maintaining access to the compromised system (in the event of shutdown or redonfigurations).
     

  • Privilege escalation: Gaining higher-level access or permissions (e.g., moving from user to administrator access).
     

  • Defense evasion: Avoiding detection once inside a system.
     

  • Credential access: Stealing usernames, passwords and other logon credentials.
     

  • Discovery: Researching the target environment to learn what resources can be accessed or controlled to support a planned attack.
     

  • Lateral movement: Gaining access to additional resources within the system.
     

  • Collection: Gathering data related to the attack goal (e.g., data to encrypt and/or exfiltrate as part of a ransomware attack).
     

  • Command and control: Establishing covert/undetectable communications that enable the attacker to control the system.
     

  • Exfiltration: Stealing data from the system.
     

  • Impact: Interrupting, corrupting, disabling or destroying data or business processes.

Again, tactics and techniques vary from matrix to matrix (and submatrix). For example, the Mobile Matrix does not include Reconnaissance and Resource Development tactics, but includes other tactics—Network Effects and Remote Service Effects—not found in the Enterprise Matrix.

MITRE ATT&CK techniques

If MITRE ATT&CK tactics represent what attackers want to accomplish, MITRE ATT&CK techniques represent how they try to accomplish it. For example, drive-by compromise and spear phishing are types of initial access techniques; using fileless storage is an example of a defense evasion technique.

The knowledge base provides the following information for each technique:

  • A description and overview of the technique.
     

  • Any known subtechniques associated with the technique. For example, subtechniques for phishing include spear phishing attachment, spear phishing link and spear phishing via service. At this writing, MITRE ATT&CK documents 196 individual techniques and 411 subtechniques.
     

  • Examples of related procedures. These can include ways that attack groups use the technique, or types of malicious software used to execute the technique.
     

  • Mitigations—security practices (e.g., user training) or software (e.g. antivirus software, intrusion prevention systems) that can block or address the technique.
     

  • Detection methods. Typically these are log data or system data sources that security teams or security software can monitor for evidence of the technique.

Additional MITRE ATT&CK resources

MITRE ATT&CK offers several other ways to view and work with the knowledge base. Instead of researching specific tactics and techniques via the matrices, users can research based on the following:

  • Data Sources—an index of all the log data or system data sources and data components that security teams or security software can monitor for evidence of attempted attack techniques.
     

  • Mitigations—an index of all mitigations referenced in the knowledge base. Users can drill down to learn which techniques a particular mitigation addresses.
     

  • Groups—an index of adversary groups and the attack tactics and techniques they employ. At this writing, MITRE ATT&CK documented 138 groups.
     

  • Software—an index of the malicious software or services (740 at this writing) that attackers may use to execute particular techniques.
     

  • Campaigns—essentially a database of cyberattack or cyberespionage campaigns, including information about groups who launched them and any techniques and software employed.

MITRE ATT&CK Navigator

MITRE ATT&CK Navigator is an open-source tool for searching, filtering, annotating and presenting data from the knowledge base. Security teams can use MITRE ATT&CK Navigator to quickly identify and compare tactics and techniques used by particular threat groups, identify software used to execute a specific technique, match mitigations to specific techniques and more.

ATT&CK Navigator can export results in JSON, Excel or SVG graphics format (for presentations). Security teams can use it online (hosted on GitHub) or download it to a local computer.

MITRE ATT&CK use cases

MITRE ATT&CK supports a number of activities and technologies that organizations use to optimize their security operations and improve their overall security posture.

Alert triage, threat detection and response. The information in MITRE ATT&CK is extremely valuable for sifting through and prioritizing the deluge of security-related alerts generated by software and devices on a typical enterprise network. In fact, many enterprise security solutions—including SIEM (security information and event management), UEBA (user and entity behavior analytics), EDR (endpoint detection and response) and XDR (extended detection and response)—can ingest information from MITRE ATT&CK and use it to triage alerts, enrich cyber threat intelligence from other sources and trigger incident response playbooks or automated threat responses.

Threat hunting. Threat hunting is a proactive security exercise in which security analysts search their network for threats that have slipped past existing cybersecurity measures. MITRE ATT&CK information on adversary tactics, techniques and procedures provide literally hundreds of points for starting or continuing threat hunts.

Red teaming/adversary emulation. Security teams can use the information in MITRE ATT&CK to simulate real-world cyberattacks. These simulations can test the effectiveness of the security policies, practices and solutions they have in place, and help identify vulnerabilities that need to be addressed.

Security gap analysis and security operations center (SOC) maturity assessments. Security gap analysis compares an organization’s existing cybersecurity practices and technologies against current industry standard. An SOC maturity assessment evaluates the maturity of an organization’s SOC based on its ability to consistently block or mitigate cyberthreats or cyberattacks with minimal or no manual intervention. In each case, MITRE ATT&CK data can help organizations conduct these assessments using the latest data on cyberthreat tactics, techniques and mitigations.

MITRE ATT&CK versus Cyber Kill Chain

Like MITRE ATT&CK, Lockheed Martin’s Cyber Kill Chain models cyberattacks as a series of adversarial tactics. Some of the tactics even have the same names. But that’s where the similarity ends.

Cyber Kill Chain is more of a descriptive framework than a knowledge base. It’s much less detailed than MITRE ATT&CK. It covers just seven (7) tactics—Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, Actions on Objectives—compared with MITRE ATT&CK’s 18 (including Mobile- and ICS-only tactics). It doesn’t provide discrete models for attacks on Mobile or ICS platforms. And it doesn’t catalog anything approximating the level of detailed information on tactics, techniques and procedures in MITRE ATT&CK.

Another important distinction: Cyber Kill Chain is based on the assumption that any cyberattack must accomplish adversarial tactics in sequence to succeed, and that blocking any one of the tactics will ‘break the kill chain’ and thwart the adversary from achieving it’s ultimate goal. MITRE ATT&CK does not take this approach; it focuses on helping security professionals identify and block or mitigate individual adversarial tactics and techniques in whatever context they are encountered.

Related solutions
IBM security solutions

IBM works with you to help protect your business with an advanced and integrated portfolio of enterprise cybersecurity solutions and services infused with AI. 

Explore IBM security solutions
IBM X-Force® Red adversary simulation services

Simulate attacks to test, measure and improve risk detection and incident response.

Explore X-Force adversary simulation services
IBM X-Force® Threat Intelligence Services  

Leverage a team of world-class intelligence analysts to understand how the threat landscape is changing and the latest techniques threat actors are using.

Explore X-Force Threat Intelligence Services
Resources What is a cyberattack?

Cyberattacks are unwelcome attempts to steal, expose, alter, disable or destroy information through unauthorized access to computer systems.

What is SIEM?

Security information and event management (SIEM) offers real-time monitoring and analysis of events as well as tracking and logging of security data for compliance or auditing purposes.

What is threat hunting?

Threat hunting is a proactive approach to identifying unknown or ongoing non-remediated threats within an organization's network.

Take the next step

IBM cybersecurity services deliver advisory, integration and managed security services and offensive and defensive capabilities. We combine a global team of experts with proprietary and partner technology to co-create tailored security programs that manage risk.

Explore cybersecurity services Subscribe to the Think Newsletter