MITRE ATT&CK
MITRE ATT&CK
Adversarial Tactics, Techniques & Common Knowledge
1. Overview: A Knowledge Base That Systematically Classifies Attacker TTPs to Measure and Improve Defensive Capability
flowchart LR
A["Hard to grasp attacker TTPs<br/>Detection coverage unclear<br/>Cannot identify defense gaps"] --"Systematize TTPs<br/>from real attack cases"--> B["Common knowledge base of<br/>tactics, techniques, procedures"] --"Map to detection rules<br/>threat intelligence"--> C["Measure defense coverage<br/>continuous security improvement"]
style A fill:#FFEBEE,stroke:#D32F2F,color:#000
style B fill:#E3F2FD,stroke:#1976D2,color:#000
style C fill:#E8F5E9,stroke:#388E3C,color:#000
Definition: A public knowledge base built by the MITRE Corporation that systematically classifies attacker Tactics, Techniques, and Procedures (TTPs) based on real cyberattack cases. It is a global cybersecurity standard framework that defenders use to understand attacker behavior, map detection rules, identify defense gaps, and leverage threat intelligence.
Characteristics: (Evidence-based) Contains roughly 130 tactics and techniques extracted from real APT group attack cases (Enterprise matrix). (Matrix structure) Visualizes the attack surface as a matrix of 14 tactics (columns) by many techniques (rows). (Granular analysis) Provides analysis at a more granular tactic/technique level than the Cyber Kill Chain — directly usable for writing detection rules.
2. Core Structure of MITRE ATT&CK
A. The TTP Hierarchy — Tactics, Techniques, Procedures
flowchart TD
subgraph TTP["ATT&CK Hierarchy"]
direction TB
TAC["Tactics<br/>The attacker's goal/intent<br/>'Why' they attack<br/>e.g. Initial Access, Persistence"]
TEC["Techniques<br/>The means of achieving the tactic<br/>'How' it is carried out<br/>e.g. T1566 Phishing"]
SUB["Sub-techniques<br/>Detailed variants of a technique<br/>e.g. T1566.001 Spearphishing Attachment"]
PRO["Procedures<br/>A specific group's real-world implementation<br/>Concrete cases like APT29, Lazarus"]
TAC --> TEC --> SUB --> PRO
end
style TAC fill:#1E3A5F,stroke:#1E3A5F,color:#fff
style TEC fill:#E3F2FD,stroke:#1976D2,color:#000
style SUB fill:#F3E5F5,stroke:#7B1FA2,color:#000
style PRO fill:#E8F5E9,stroke:#388E3C,color:#000
The 14 ATT&CK Enterprise Tactics
flowchart LR
T1["Initial Access"]
T2["Execution"]
T3["Persistence"]
T4["Privilege Escalation"]
T5["Defense Evasion"]
T6["Credential Access"]
T7["Discovery"]
T1 --> T2 --> T3 --> T4 --> T5 --> T6 --> T7
style T1 fill:#E8F5E9,stroke:#388E3C,color:#000
style T2 fill:#E3F2FD,stroke:#1976D2,color:#000
style T3 fill:#FFF3E0,stroke:#F57C00,color:#000
style T4 fill:#F3E5F5,stroke:#7B1FA2,color:#000
style T5 fill:#FFEBEE,stroke:#D32F2F,color:#000
style T6 fill:#E0F2F1,stroke:#00796B,color:#000
style T7 fill:#E8EAF6,stroke:#3949AB,color:#000
flowchart LR
T8["Lateral Movement"]
T9["Collection"]
T10["Command and Control"]
T11["Exfiltration"]
T12["Impact"]
T13["Resource Development"]
T14["Reconnaissance"]
T8 --> T9 --> T10 --> T11 --> T12
T13 --- T14
style T8 fill:#FCE4EC,stroke:#C2185B,color:#000
style T9 fill:#FFF9C4,stroke:#F9A825,color:#000
style T10 fill:#B71C1C,stroke:#B71C1C,color:#fff
style T11 fill:#1E3A5F,stroke:#1E3A5F,color:#fff
style T12 fill:#4A148C,stroke:#4A148C,color:#fff
style T13 fill:#f5f5f5,stroke:#ccc,color:#333
style T14 fill:#f5f5f5,stroke:#ccc,color:#333
B. Detection Rule Mapping and Threat Intelligence Use
flowchart TD
subgraph R1[" "]
direction LR
U1["Measure detection coverage<br/>Map SIEM detection rules<br/>to ATT&CK technique IDs<br/>Visualize defense gaps"]
U2["Threat intelligence<br/>Identify TTPs per APT group<br/>Targeted-attack scenarios<br/>Build proactive defense strategy"]
end
subgraph R2[" "]
direction LR
U3["Red team integration<br/>ATT&CK-technique-based<br/>penetration test scenarios<br/>Realistic defense training"]
U4["SOC operational efficiency<br/>Detection rule prioritization<br/>Incident classification<br/>Automated response playbooks"]
end
style U1 fill:#E3F2FD,stroke:#1976D2,color:#000
style U2 fill:#F3E5F5,stroke:#7B1FA2,color:#000
style U3 fill:#FFF3E0,stroke:#F57C00,color:#000
style U4 fill:#E8F5E9,stroke:#388E3C,color:#000
style R1 fill:none,stroke:none
style R2 fill:none,stroke:none
Key Tools and Methodologies
| Area of Use | Tool/Method | Description |
|---|---|---|
| Detection mapping | ATT&CK Navigator | Visualizes coverage by color-coding existing detection rules on the matrix |
| Threat intel | MITRE ATT&CK Groups | Provides TTPs for roughly 200 attack groups, including APT29, Lazarus, Kimsuky |
| SIEM integration | Sigma rules / Elastic SIEM | Manages detection coverage by tagging detection rules with ATT&CK technique IDs |
| Red team | Atomic Red Team / Caldera | Validates detection gaps via automated attack simulation per ATT&CK technique |
| Threat hunting | Hunting playbook | Builds hunting hypotheses per ATT&CK tactic and proactively detects via IOAs |
Cyber Kill Chain vs. MITRE ATT&CK Comparison
| Comparison Item | Cyber Kill Chain | MITRE ATT&CK |
|---|---|---|
| Structure | Linear 7-stage attack flow | Matrix of 14 tactics × many techniques |
| Granularity | Attack-stage level (macro) | Tactic/technique/sub-technique level (fine-grained) |
| Focus of use | Building a defense strategy per attack stage | Writing detection rules, threat intelligence, SOC operations |
| Update cycle | Static (fixed 7 stages) | Continuously updated (reflects real attack cases) |
| Complementary use | Can be used together by mapping Kill Chain stages to ATT&CK tactics |
3. Expected Benefits and Practical Application of Applying MITRE ATT&CK
| Category | Key Expected Benefit | Application & Practical Use |
|---|---|---|
| Identify defense gaps | Visualize detection coverage to find weak tactic/technique areas | Map current SIEM detection rules with ATT&CK Navigator, then prioritize undetected techniques |
| Threat intelligence | Proactively prepare for targeted attacks by understanding group-specific TTPs | Analyze TTPs of APT groups targeting Korea, such as Kimsuky and Lazarus, then set defense priorities |
| SOC efficiency | Standardize incident classification/response with a common language | Automatically tag detection alerts with ATT&CK technique IDs for systematic classification and escalation |
| Regulatory response | Link ATT&CK with ISMS-P/NIST CSF risk management | Use ATT&CK coverage metrics in annual security assessments to measure security maturity |