Your Guide to MITRE ATT&CK Framework

By Daniella Balaban
image August 17, 2022 image 5 MIN READ

Your Guide to MITRE ATT&CK Framework

Cybersecurity has become a routine activity for the majority of companies. Cyberattacks no longer generate the shock and horror they once did. They’re now just par for the course. Despite this natural development, the volume and severity continue to expand, bringing requirements for further cyber protection.

But cyberattacks don’t just target businesses. 60% of American households have experienced at least one cyberattack. 75% of small businesses have fallen foul of nefarious cyber criminals. In 2020, the global cybersecurity market was valued at $156.24 billion. In 2021, it was valued at $217.87 billion. Company managers are increasingly concerned with cyber vulnerabilities linked to their employees’ activity. 

The following article describes the MITRE ATT&CK framework, which has become one of the most successful defense against cybercrime today.

What is the MITRE ATT&CK framework?

In 2015, the MITRE Corporation, a US-government-funded research organization based in Bedford, MA, and McLean, VA, launched a framework to enhance internet cybersecurity. The company was initially established by the Massachusetts Institute of Technology (MIT) in 1958. It participated in various business projects for several organizations, including developing the AWACS airborne radar system. However, MITRE is not actually an acronym, and it has nothing to do with MIT. The name was created by James McCormack, an early board member of the organization, who thought the name provided a certain gravitas.

The framework was catchily-termed the MITRE ATT&CK, and its name is formed from the initial letters of Adversarial Tactics, Techniques, and Common Knowledge. Its objective was to identify, describe, and categorize the growing list of cyberattacks and enterprise network intrusions. It is a cybersecurity knowledge base of cyberattack tactics and techniques, all taken from events worldwide. Its purpose is to establish a common cybersecurity terminology while fortifying defenses again future cyber assaults.

The “CK” in ATT&CK means Common Knowledge. This refers to the recorded list of tactics and techniques employed by cybercriminals. CK refers to the list of procedures deployed by the framework. A similar cybersecurity term is “Tactics, Techniques, and Procedures,” or TTP. However, the use of CK to complete the acronym was selected for obvious reasons.

Company managers are increasingly aware of the requirement to train their staff on the potential risks of cyberattacks



ATT&CK covers a range of computer platforms and technologies from Windows and macOS, as well as on-premise and cloud networks that include Infrastructure as a Service (IaaS) and Software as a Service (SaaS). The framework also contains references to Office 365, Azure’s Active Directory, Google Workspace, and mobile devices operating on the Android and iOS platforms.

MITRE ATT&CK Techniques, Sub-techniques, and Procedures

The MITRE ATT&CK framework comprises a series of cyberattack matrices including:

Beyond these initial stages, ATT&CK then breaks its analysis into Tactics, Techniques, and Procedures.

How do you use the MITRE ATT&CK matrix?

The MITRE ATT&CK matrix is an array of procedures used by cybercriminals to access and compromise enterprise computer networks. Each procedure is defined as a specific “tactic” in the matrix. 

The pathways are aligned from the point of reconnaissance through identification and final exfiltration. A sample section of the matrix looks like this:

Figure 2. MITRE ATT&CK Matrix – Section

The MITRE ATT&CK Matrix enables an enterprise to fortify its cybersecurity efforts in several ways. These include:

The Enterprise ATT&CK matrix currently contains 191 techniques and 385 sub-techniques. Each technique is provided with a 4-digit code—for example, “T002” refers to “Bypass User Account Control.”

These techniques illustrate how cybercriminals behave, such as the data they target and the hacking software they use. The framework also identifies which technologies cyber intruders deploy and the type of activities they regularly engage in.

The MITRE ATT&CK matrix can also be deployed for cloud networks in its ATT&CK for Cloud Matrix. The matrix includes elements of the broader enterprise matrix. Each matrix manages its own environment as on-premise networks are qualitatively different to networks hosted in the cloud. Standard local cyberattacks attack software and infrastructure maintained on the target organization’s premises. Cloud attacks will be focused on servers hosted by cloud service companies such as Amazon’s AWS, Google’s Cloud, and Microsoft’s Azure and Office 365.


Figure 3. MITRE Matrix for Cloud

How does MITRE ATT&CK compare to Lockheed Martin’s Cyber Kill Chain?

Lockheed Martin’s Cyber Kill Chain is a competitive system to the MITRE ATT&CK platform. While they may look similar in structure, Cyber Kill Chain operates on a seven-step procedure involving the following steps:

While the Enterprise ATT&CK matrix contains the following 14 tactics:

While each system is focused on the same overall process, the MITRE ATT&CK framework breaks its identified tactics down into greater detail. ATT&CK also specifies the techniques used in each tactic, while the Lockheed platform does not.

Increase awareness of cybersecurity threats and attack vectors with effective cyber awareness training

With each new cyberattack that hits the headlines, it may seem that cybercriminals have the upper hand. Recent technologies simply provide them with challenges that they will inevitably circumvent. 

However, the real picture is that there is change underway. Even home computer users are now aware of the risks of clicking on unusual links or responding to strange emails. With the dramatic rise of cybercrime, there has been an equivalent rise in awareness among individuals and enterprises. The battle against cybercrime is underway, and criminals can be beaten.

The MITRE ATT&CK framework provides a robust defense against future cybercrime. Along with the rapid pace of employee anti-cybercrime training, the criminals are running scared. Traditional pathways that they have used in the past no longer provide the rewards they once did.

CybeReady is devoted to raising company employee knowledge of cybercrime. Our mission is to make cybersecurity awareness easy, accessible, and effective for your enterprise. Using modern teaching methods combined with data science and automation, we can enable your organization to stay safe and embrace success.