Skip to content

MITRE ATT&CK

MITRE ATT&CK

Adversarial Tactics, Techniques & Common Knowledge

1. Overview: A Knowledge Base That Systematically Classifies Attacker TTPs to Measure and Improve Defensive Capability

    flowchart LR
    A["Hard to grasp attacker TTPs<br/>Detection coverage unclear<br/>Cannot identify defense gaps"] --"Systematize TTPs<br/>from real attack cases"--> B["Common knowledge base of<br/>tactics, techniques, procedures"] --"Map to detection rules<br/>threat intelligence"--> C["Measure defense coverage<br/>continuous security improvement"]

    style A fill:#FFEBEE,stroke:#D32F2F,color:#000
    style B fill:#E3F2FD,stroke:#1976D2,color:#000
    style C fill:#E8F5E9,stroke:#388E3C,color:#000
  

Definition: A public knowledge base built by the MITRE Corporation that systematically classifies attacker Tactics, Techniques, and Procedures (TTPs) based on real cyberattack cases. It is a global cybersecurity standard framework that defenders use to understand attacker behavior, map detection rules, identify defense gaps, and leverage threat intelligence.

Characteristics: (Evidence-based) Contains roughly 130 tactics and techniques extracted from real APT group attack cases (Enterprise matrix). (Matrix structure) Visualizes the attack surface as a matrix of 14 tactics (columns) by many techniques (rows). (Granular analysis) Provides analysis at a more granular tactic/technique level than the Cyber Kill Chain — directly usable for writing detection rules.


2. Core Structure of MITRE ATT&CK

A. The TTP Hierarchy — Tactics, Techniques, Procedures

    flowchart TD
    subgraph TTP["ATT&CK Hierarchy"]
        direction TB
        TAC["Tactics<br/>The attacker's goal/intent<br/>'Why' they attack<br/>e.g. Initial Access, Persistence"]
        TEC["Techniques<br/>The means of achieving the tactic<br/>'How' it is carried out<br/>e.g. T1566 Phishing"]
        SUB["Sub-techniques<br/>Detailed variants of a technique<br/>e.g. T1566.001 Spearphishing Attachment"]
        PRO["Procedures<br/>A specific group's real-world implementation<br/>Concrete cases like APT29, Lazarus"]
        TAC --> TEC --> SUB --> PRO
    end

    style TAC fill:#1E3A5F,stroke:#1E3A5F,color:#fff
    style TEC fill:#E3F2FD,stroke:#1976D2,color:#000
    style SUB fill:#F3E5F5,stroke:#7B1FA2,color:#000
    style PRO fill:#E8F5E9,stroke:#388E3C,color:#000
  

The 14 ATT&CK Enterprise Tactics

    flowchart LR
    T1["Initial Access"]
    T2["Execution"]
    T3["Persistence"]
    T4["Privilege Escalation"]
    T5["Defense Evasion"]
    T6["Credential Access"]
    T7["Discovery"]

    T1 --> T2 --> T3 --> T4 --> T5 --> T6 --> T7

    style T1 fill:#E8F5E9,stroke:#388E3C,color:#000
    style T2 fill:#E3F2FD,stroke:#1976D2,color:#000
    style T3 fill:#FFF3E0,stroke:#F57C00,color:#000
    style T4 fill:#F3E5F5,stroke:#7B1FA2,color:#000
    style T5 fill:#FFEBEE,stroke:#D32F2F,color:#000
    style T6 fill:#E0F2F1,stroke:#00796B,color:#000
    style T7 fill:#E8EAF6,stroke:#3949AB,color:#000
  
    flowchart LR
    T8["Lateral Movement"]
    T9["Collection"]
    T10["Command and Control"]
    T11["Exfiltration"]
    T12["Impact"]
    T13["Resource Development"]
    T14["Reconnaissance"]

    T8 --> T9 --> T10 --> T11 --> T12
    T13 --- T14

    style T8  fill:#FCE4EC,stroke:#C2185B,color:#000
    style T9  fill:#FFF9C4,stroke:#F9A825,color:#000
    style T10 fill:#B71C1C,stroke:#B71C1C,color:#fff
    style T11 fill:#1E3A5F,stroke:#1E3A5F,color:#fff
    style T12 fill:#4A148C,stroke:#4A148C,color:#fff
    style T13 fill:#f5f5f5,stroke:#ccc,color:#333
    style T14 fill:#f5f5f5,stroke:#ccc,color:#333
  

B. Detection Rule Mapping and Threat Intelligence Use

    flowchart TD
    subgraph R1[" "]
        direction LR
        U1["Measure detection coverage<br/>Map SIEM detection rules<br/>to ATT&CK technique IDs<br/>Visualize defense gaps"]
        U2["Threat intelligence<br/>Identify TTPs per APT group<br/>Targeted-attack scenarios<br/>Build proactive defense strategy"]
    end
    subgraph R2[" "]
        direction LR
        U3["Red team integration<br/>ATT&CK-technique-based<br/>penetration test scenarios<br/>Realistic defense training"]
        U4["SOC operational efficiency<br/>Detection rule prioritization<br/>Incident classification<br/>Automated response playbooks"]
    end

    style U1 fill:#E3F2FD,stroke:#1976D2,color:#000
    style U2 fill:#F3E5F5,stroke:#7B1FA2,color:#000
    style U3 fill:#FFF3E0,stroke:#F57C00,color:#000
    style U4 fill:#E8F5E9,stroke:#388E3C,color:#000
    style R1 fill:none,stroke:none
    style R2 fill:none,stroke:none
  

Key Tools and Methodologies

Area of UseTool/MethodDescription
Detection mappingATT&CK NavigatorVisualizes coverage by color-coding existing detection rules on the matrix
Threat intelMITRE ATT&CK GroupsProvides TTPs for roughly 200 attack groups, including APT29, Lazarus, Kimsuky
SIEM integrationSigma rules / Elastic SIEMManages detection coverage by tagging detection rules with ATT&CK technique IDs
Red teamAtomic Red Team / CalderaValidates detection gaps via automated attack simulation per ATT&CK technique
Threat huntingHunting playbookBuilds hunting hypotheses per ATT&CK tactic and proactively detects via IOAs

Cyber Kill Chain vs. MITRE ATT&CK Comparison

Comparison ItemCyber Kill ChainMITRE ATT&CK
StructureLinear 7-stage attack flowMatrix of 14 tactics × many techniques
GranularityAttack-stage level (macro)Tactic/technique/sub-technique level (fine-grained)
Focus of useBuilding a defense strategy per attack stageWriting detection rules, threat intelligence, SOC operations
Update cycleStatic (fixed 7 stages)Continuously updated (reflects real attack cases)
Complementary useCan be used together by mapping Kill Chain stages to ATT&CK tactics

3. Expected Benefits and Practical Application of Applying MITRE ATT&CK

CategoryKey Expected BenefitApplication & Practical Use
Identify defense gapsVisualize detection coverage to find weak tactic/technique areasMap current SIEM detection rules with ATT&CK Navigator, then prioritize undetected techniques
Threat intelligenceProactively prepare for targeted attacks by understanding group-specific TTPsAnalyze TTPs of APT groups targeting Korea, such as Kimsuky and Lazarus, then set defense priorities
SOC efficiencyStandardize incident classification/response with a common languageAutomatically tag detection alerts with ATT&CK technique IDs for systematic classification and escalation
Regulatory responseLink ATT&CK with ISMS-P/NIST CSF risk managementUse ATT&CK coverage metrics in annual security assessments to measure security maturity