Overview
Direct Answer
MITRE ATT&CK is a comprehensive, publicly accessible knowledge base that documents adversary tactics, techniques, and procedures (TTPs) derived from analysis of real-world cyber attacks and threat intelligence. It serves as a foundational framework for understanding how attackers operate across various platforms and environments.
How It Works
The framework organises adversary behaviour into a hierarchical structure: tactics represent the high-level objectives attackers pursue (e.g. initial access, persistence, exfiltration), whilst techniques describe the specific methods used to achieve those objectives. Each technique entry includes documented examples, mitigation strategies, and detection approaches sourced from security research, incident response data, and threat reports contributed by the security community.
Why It Matters
Organisations use the framework to align defensive strategies with observed attacker behaviour, prioritising risk on the basis of documented adversary activity rather than speculation. Security teams reference it for threat modelling, red team exercises, and defensive architecture design, whilst compliance and audit functions use it to benchmark detection and response capabilities against industry-recognised adversary patterns.
Common Applications
Security operations centres employ it to structure incident response procedures and threat hunting activities. Penetration testers and red teams reference technique documentation to simulate realistic attack scenarios. Vendors integrate its taxonomy into endpoint detection platforms and security information and event management solutions to categorise alerts and threats.
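As an added example (not part of the original entry), the Python below models the tactic-to-technique hierarchy described above for a small slice of the public ATT&CK Enterprise matrix and reports, per tactic, which techniques a set of detection rules covers, which is how a SOC or audit team turns the taxonomy into a coverage-gap check. The tactic and technique IDs are real ATT&CK identifiers; the rule names and the mistyped ID `T9999` are constructed sample data.

```python
from dataclasses import dataclass

# Minimal model of the ATT&CK hierarchy: a tactic is an adversary objective,
# a technique is a method that can serve one or more tactics.
@dataclass(frozen=True)
class Technique:
    tid: str
    name: str
    tactics: tuple  # IDs of the tactics this technique serves (within this slice)

# Deliberately tiny slice of the public ATT&CK Enterprise matrix (real IDs and
# names); tactic lists are trimmed to the three tactics modelled here.
TACTICS = {
    "TA0001": "Initial Access",
    "TA0003": "Persistence",
    "TA0010": "Exfiltration",
}
TECHNIQUES = [
    Technique("T1566", "Phishing", ("TA0001",)),
    Technique("T1078", "Valid Accounts", ("TA0001", "TA0003")),
    Technique("T1053", "Scheduled Task/Job", ("TA0003",)),
    Technique("T1041", "Exfiltration Over C2 Channel", ("TA0010",)),
]

# Constructed detection rules, each tagged with the technique IDs it detects.
# "T9999" is a constructed typo to show why tags must be validated.
DETECTION_RULES = {
    "rule-phish-attachment": ["T1566"],
    "rule-new-schtask": ["T1053"],
    "rule-schtask-from-office": ["T1053", "T9999"],
}

def unknown_technique_ids(rules, techniques=TECHNIQUES):
    """Technique tags in the rule set that do not exist in the matrix slice."""
    known = {t.tid for t in techniques}
    return sorted({tid for tags in rules.values() for tid in tags} - known)

def coverage_by_tactic(rules, techniques=TECHNIQUES, tactics=TACTICS):
    """Per tactic: how many techniques have at least one rule, and which have none."""
    covered = {tid for tags in rules.values() for tid in tags}
    report = {}
    for tac_id, tac_name in tactics.items():
        in_tactic = [t for t in techniques if tac_id in t.tactics]
        gaps = [t.tid for t in in_tactic if t.tid not in covered]
        report[tac_id] = {"tactic": tac_name, "covered": len(in_tactic) - len(gaps),
                          "total": len(in_tactic), "gaps": gaps}
    return report

if __name__ == "__main__":
    print("unknown tags:", unknown_technique_ids(DETECTION_RULES))
    for tac_id, row in coverage_by_tactic(DETECTION_RULES).items():
        print(f"{tac_id} {row['tactic']}: {row['covered']}/{row['total']} gaps={row['gaps']}")
```

Two rules covering the same technique (T1053) still count as one covered technique, so the report measures breadth of coverage, not rule count.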
Key Considerations
The framework represents observed behaviour but cannot capture all adversary innovations, and not all documented techniques are equally prevalent or impactful across all organisations. Regular updates are necessary to maintain alignment with evolving threat landscapes.