CyberArk Glossary >

What is MITRE ATT&CK Framework?

MITRE ATT&CK® is an open framework for implementing cybersecurity detection and response programs. The ATT&CK framework is available free of charge and includes a global knowledge base of adversarial tactics, techniques, and procedures (TTPs) based on real-world observations. ATT&CK mimics the behavior of real-life attackers, helping IT, security, and compliance organizations efficiently identify security gaps, evaluate risks, and eliminate vulnerabilities.

ATT&CK provides a common taxonomy that lets various constituents (SecOps teams, red and blue teams, penetration testers, security solution providers, threat intelligence vendors, etc.) communicate using the same language. ATT&CK also includes a Groups database that tracks the activities of threat actors and cybercriminal syndicates around the world.

MITRE ATT&CK Background and Scope

In 2013, researchers at the MITRE Corporation began documenting the various methods threat actors use to penetrate networks and carry out attacks. Since then, MITRE has identified hundreds of different techniques adversaries use to execute cyberattacks. ATT&CK organizes these techniques into a collection of tactics to help security practitioners efficiently detect, isolate, and remediate threats. The tactics describe what the adversary is trying to do (e.g., steal credentials) and the techniques describe the actions the adversary takes to achieve their goals (e.g., brute force methods).

MITRE publishes a series of ATT&CK matrices describing common cybersecurity tactics, techniques, sub-techniques, and mitigations for various operating environments including:

ATT&CK for Enterprise Matrix Overview

The ATT&CK for Enterprise Matrix details the tactics and techniques threat actors use to penetrate a network, compromise IT systems, escalate privileges, and move laterally without detection. Early versions of the matrix focused on enterprise networks and on-premises IT infrastructure. Over time MITRE expanded the scope of ATT&CK for Enterprise to include IaaS, PaaS, and SaaS environments.

ATT&CK for Enterprise Matrix (v9) covers a variety of desktop and server operating systems (Windows, macOS, Linux), cloud platforms (AWS, Microsoft Azure, Google Cloud Platform), SaaS solutions (Azure AD, Microsoft 365, Google Workspace) and network resources. It captures the various tactics threat actors commonly employ before and during an attack, as summarized in the table below.

Tactic The Adversary is Trying to:
Reconnaissance Gather information they can use to plan future operations
Resource Development Establish resources they can use to support operations
Initial Access Get into your network
Execution Run malicious code
Persistence Maintain their foothold
Privilege Escalation Gain higher-level permissions
Defense Evasion Avoid being detected
Credential Access Steal account names and passwords
Discovery Figure out your environment
Lateral Movement Move through your environment
Collection Gather data of interest to their goal
Command and Control Communicate with compromised systems to control them
Exfiltration Steal data
Impact Manipulate, interrupt, or destroy your systems and data

The MITRE ATT&CK Matrix is exhaustive. V9 includes 14 distinct tactics made up of 185 techniques and 367 sub-techniques. Most enterprises take a phased approach to ATT&CK, aligning security investments with perceived risks.

Learn More About the MITRE ATT&CK Framework