MITRE ATT&CK is a continuously updated cybersecurity database of threat actor behaviour. ATT&CK details attacker tactics, techniques, and procedures (TTPs) across the entire cyber-attack life cycle—hence the name.


The MITRE ATT&CK framework provides the cybersecurity community with information on more than 100 threat actor groups and the platforms they target.

The data within the framework comes from publicly available cyber threat intelligence and reports and security teams and threat researchers. ATT&CK is available for free to anyone who wants to use it. 

Rather than just a repository of information, the framework is also used by private and public sector organisations to improve their security posture, produce threat models and methodologies, and speed up detections. 

Detection, investigation, and response platforms like SenseOn that map detection signals to the ATT&CK framework can help analysts better and more quickly identify adversary behaviour and mitigation steps. This can significantly improve threat detection and response times. 

History of the MITRE ATT&CK Framework

The ATT&CK (short for Adversarial Tactics, Techniques, and Common Knowledge) framework was created by the MITRE Corporation, a non-profit organisation that provides research and development, systems engineering, and information support to the federal government. 

Developed in 2013 for an internal research project, FMX, the framework, which takes an attacker’s point of view, was made available to the public in 2015. However, the knowledge base has undergone several changes since then. For instance, in the 2021 April release, 13 new techniques and 20 new sub-techniques were added to the Enterprise matrix. 

Benefits of the MITRE ATT&CK Framework for Organisations

There are many advantages to using the MITRE ATT&CK framework. Here are some of the more popular use cases: 

ATT&CK Matrices

Because attackers tailor their tactics and techniques to their target’s environment, ATT&CK is broken down into three different matrices or “technology domains.” 


The Enterprise matrix focuses on threat actors’ behaviour in Windows, macOS, Linux, SaaS, IaaS, Azure AD, PRE, Google Workspace, Office 365, Network, and Containers.


The Mobile matrix focuses on threat actors’ behaviour on mobile devices (Android and iOS). 

Industrial Control Systems (ICS)

The ICS matrix focuses on threat actors’ behaviour within an ICS network.


Siloed security tools and out-of-context alerts are significant problems for most modern security operations centres (SOC). A security team working at an organisation with 1,000+ employees is likely to see at least 1,000 alerts per day — many of them false positives. Unsurprisingly, many security professionals report experiencing “alert fatigue.”

Each false-positive alert takes 32 minutes to resolve. Most organisations never address all alerts on the day they are issued and rarely get to the root cause of threats. As a result, both productivity and security suffer.  

When security professionals are stuck chasing false positives, they have less time to spend on critical tasks like endpoint hardening, proactive security, or threat investigation. Overwhelmed security professionals have also admitted to ignoring alerts when an alert queue is full. Predictably, the time it takes to identify and contain a breach is increasing. It now takes an organisation an average of 326 days to identify and stop a ransomware breach. In contrast, it only takes cybercriminals around two days to penetrate a business’ internal network.   

Each ATT&CK matrix visually lays out tactics and techniques used by adversaries.

Attack tactics are displayed at the top, with individual techniques listed underneath. Each technique also has additional information, including mitigation and detection tips.  

Here, we look at the MITRE ATT&CK enterprise matrix specifically.

1. Tactics

The top-level category of ATT&CK, tactics describe threat actors’ objectives, i.e., the “what” they are attempting to achieve. 

Currently, the enterprise matrix outlines 14 tactics:

It’s important to note that a threat actor won’t necessarily always move through the different tactics linearly (i.e., from left to right). For instance, after Initial Access, a cybercriminal may move on straight to Exfiltration and only then carry out techniques that let them maintain a foothold on systems (Persistence). 

Adversaries also don’t need to use all the ATT&CK tactics to accomplish their goals. If threat actors can achieve their objective in fewer steps, they will do so. The reason why is that doing so improves efficiency and reduces the likelihood of discovery by the target. 

2. Techniques

Techniques refers to the methods cybercriminals use to achieve their objectives.

Each tactic has a number of techniques. Different threat actors will use different techniques to reach their goals. Their chosen technique can depend on several factors, including the target’s environment, skills level, etc. 

For example, to steal credentials (i.e., Credential Access), cybercriminals might use techniques like Brute Force, Network Sniffing, etc.

Adversaries can use one technique to accomplish several objectives. As such, a single technique can be classed under several tactics. Abuse Elevation Control Mechanism appears under both Privilege Escalation and Defence Evasion

At the moment, there are 191 identified techniques. Each technique includes:

2.1 Sub-techniques

Sub-techniques are specific techniques. Whereas a technique shows the general action an adversary might take, sub-techniques are more detailed. 

For example, there are four sub-techniques under the Brute Force technique: Password Guessing, Password Cracking, Password Spraying, and Credential Stuffing.  

Adversaries can use several techniques for one tactic. In a phishing campaign, cybercriminals may use both a Spearphishing Attachment and a Spearphishing Link to increase their chance of success. 

2.2 Metadata

The metadata part of each technique/sub-technique includes things like:

2.3 Description

The description part of each technique/sub-technique describes how the technique is commonly used by threat actors.

For example, under Phishing, we are told that cybercriminals use phishing to access victims’ systems and that they may use targeted (spearphishing) and non-targeted phishing. It also warns that phishing can be conducted through third-party services like social media platforms.

2.4 Procedure examples

Procedures describe how a particular technique or sub-technique has been used in the wild. 

For example, under Password Guessing, you can see that the malware variant Emotet has been noted to brute force user accounts by using a hardcoded list of passwords. On the other hand, the malware family Xbash brute forces user accounts with a list of weak credentials from a C2 server.

2.5 Mitigations

Mitigations outline how to defend against threat actors’ tactics and techniques. A single mitigation can address multiple tactics and techniques. 

For example, creating a Data Backup addresses data encryption, data destruction, etc. 

2.6 Detections

For every technique, MITRE provides several detection methods.

For example, under Brute Force, MITRE suggests that organisations monitor for the following to detect an in-progress brute force attack:

3. Groups

Groups are attacker groups, activity groups, threat actors, intrusion sets, and campaigns. 

Each group entry contains information on the group, associated group descriptions, and the techniques and software used. 

For example, Wizard Spider, the Russian-based threat group, is linked to 37 enterprise techniques and 16 types of software, including Ryuk and Emotet. The group is also known as UNC1878, TEMP.MixMaster, and Grim Spider.

The ATT&CK Navigator visualises how a group uses various techniques based on its tactics. 

4. Software

Software refers to open-source software, commercial and custom code, operating system utilities, and other tools used to carry out behaviours described by the framework. ATT&CK divides software into two groups:

5. Data sources

Data sources refers to the raw logs or events by systems like endpoints and network devices. 

In each technique, under “Detection,” organisations can see the types of data they need to collect to detect that specific technique. 

How Does the MITRE ATT&CK Compare to the Cyber Kill Chain?

Both the MITRE ATT&CK and the Cyber Kill Chain are cybersecurity frameworks used by organisations to assist in threat hunting and detection. 

The Cyber Kill Chain was developed by the global security and aerospace company Lockheed Martin. Based on the US military’s cyber kill chain, it is a popular framework that describes the sequence of events in an attack on an organisation’s environment.  

The Cyber Kill Chain consists of the following steps:

Whereas the ATT&CK is a “mid-level adversary model” (i.e., it looks at each attack stage in great detail through its techniques and sub-techniques), the Cyber Kill Chain is a high-level model (i.e., it notes attacker goals but doesn’t describe how they’re achieved in detail).

Also, while the Cyber Kill Chain is sequential (i.e., it begins with reconnaissance and ends with actions and objectives), the ATT&CK framework is not chronological. It expects threat actors to change their tactics and techniques during an attack. 

MITRE ATT&CK in Detection and Response

Effective threat detection and response necessitates a deep understanding of adversary techniques and mitigation actions. 

By providing context, the MITRE ATT&CK framework allows analysts to figure out quickly:

Increasing the speed with which analysts can triage and investigate incidents means that organisations can get through more alerts more quickly. 

Because a high percentage of all alerts are false positives, this is an important capability. Recent research shows SOCs waste about 10,000 hours and $500,000 (around £406,000) every year to verify unreliable and incorrect alerts.

Unfortunately, analysts frequently suffer from “alert fatigue,” a phenomenon where an overwhelming number of alerts numb analysts tasked with responding to them and can lead to missed attacks.

Challenges with MITRE ATT&CK

The MITRE ATT&CK framework is not without its challenges. Some of the more important drawbacks of ATT&CK include:

The MITRE ATT&CK Framework and SenseOn

To help organisations detect and understand threats as early as possible, SenseOn has integrated the MITRE ATT&CK framework directly into its automated threat detection, investigation, and response solution. 

For every security observation that SenseOn makes, it maps it to the MITRE ATT&CK framework in real time. 

Only behaviours that are actually malicious are flagged. To do this, SenseOn models behaviour on individuals, groups of users, and entire organisations to build a baseline of normal activity. When a behaviour different from the baseline is noted, SenseOn logs it as an “Observation.” However, it doesn’t immediately flag it (although analysts can view these Observations at any point via the SenseOn dashboard).

Instead, SenseOn uses a new technology, known as a “Universal Sensor,” to collect and correlate data across the various layers of an organisation’s IT infrastructure (endpoint devices, cloud infrastructure, the network, and investigator microservices). When other behaviour related to the Observation is discovered, SenseOn creates a threat “Case.”

Cases are mapped visually. The sequence of events is laid out in chronological order, the relationship between affected devices is displayed clearly, and each technique corresponds to a technique in the ATT&CK framework. We also include a link to the correlating ATT&CK technique on the MITRE ATT&CK framework website for analysts’ convenience. 

Analysts can, therefore, immediately know what type of attack is in progress, who is likely targeting them, and what they should do to stop the attack. 

Through automation of threat detection, investigation, and response, SenseOn helps defenders prevent, detect, and respond to attacks quickly and before substantial damage is done.

Try a demo of SenseOn today.

What our customers have to say

Learn why hundreds of organisations choose SenseOn.

Loved by teams and companies you know.

We do security differently.

SenseOn was founded on the belief that the cybersecurity industry is broken. Designed by security professionals who have felt the pain of traditional tools, SenseOn’s vision is to remove the burden of mundane, repetitive work so security and IT professionals can enjoy more fulfilling careers by enabling an autonomous, intelligent and secure digital world.

Read more

See what SenseOn can do for you

Find out how you can protect your entire organization at the click of a button with our rapidly deployed, lightweight software solution.

Arrange a demo