MITRE ATT&CK in Cyber Threat Intelligence

The ATT&CK Matrix

  • Tactics: Adversary’s technical goals, such as Reconnaissance or Credential Access.
  • Techniques: Adversary’s methods to achieve tactics. For example, to achieve the tactic of Reconnaissance, an adversary can use the techniques Phishing for Information and/or Search Open Websites/Domains.
  • Sub-techniques: More specific, lower-level methods fitting under their parent technique. For example, the Phishing for Information technique has the sub-techniques Spearphishing Service, Spearphishing Attachment, and Spearphishing Link.
  • Procedures: Adversary’s specific implementations of techniques. For example, the technique Phishing for Information has the procedure example “APT28 has used spearphishing to compromise credentials.”
MITRE ATT&CK Matrix for Enterprise

Each technique entry in the matrix includes:

  • Sub-techniques (if any)
  • Procedure Examples (if any): specific examples of how adversaries have used the technique
  • Mitigations: how to defend against the technique
  • Detection: how to detect the technique
  • References: additional info about the technique

ATT&CK Tactics

  • Reconnaissance: gathering info to plan future operations
  • Resource Development: establishing resources to support operations
  • Initial Access: getting into the network
  • Execution: running malicious code
  • Persistence: maintaining access to systems
  • Privilege Escalation: gaining higher-level permissions
  • Defense Evasion: avoiding detection
  • Credential Access: stealing usernames and passwords
  • Discovery: gaining knowledge of the network
  • Lateral Movement: moving through the network
  • Collection: gathering data of interest
  • Command and Control: communicating with compromised systems to control them
  • Exfiltration: stealing data from the network
  • Impact: manipulating, interrupting, or destroying systems and data

Using ATT&CK for CTI

Common language, improved reporting

Understand adversaries

Map intel to ATT&CK

  1. Understand ATT&CK
  2. Find the behavior
  3. Research the behavior
  4. Translate the behavior into a tactic
  5. Figure out what technique applies to the behavior
  6. Compare your results to other analysts
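The hierarchy described above (tactic, technique, sub-technique) and step 6 of the mapping process, as an added example that is not part of the original article: a small Python model of a slice of the Enterprise matrix plus a helper that compares two analysts’ mappings of the same report and says at which level they agree. The technique and tactic IDs are the real public ATT&CK IDs for the techniques named in the text; the report sentences and both analysts’ mappings are constructed for illustration.

```python
# Added example: model the ATT&CK hierarchy and compare two analysts' mappings.
# IDs are the public ATT&CK IDs for the techniques the text names; the
# behaviours and mappings below are constructed, not from a real report.
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class Technique:
    tid: str        # "T1598" for a technique, "T1598.002" for a sub-technique
    name: str
    tactics: tuple  # tactic IDs this technique can serve (ATT&CK allows several)


TACTICS: Dict[str, str] = {
    "TA0043": "Reconnaissance",
    "TA0006": "Credential Access",
}

# Constructed slice of the Enterprise matrix: the techniques the text mentions,
# plus one Credential Access technique so tactic-level disagreement can show up.
TECHNIQUES: Dict[str, Technique] = {
    "T1598":     Technique("T1598", "Phishing for Information", ("TA0043",)),
    "T1598.001": Technique("T1598.001", "Spearphishing Service", ("TA0043",)),
    "T1598.002": Technique("T1598.002", "Spearphishing Attachment", ("TA0043",)),
    "T1598.003": Technique("T1598.003", "Spearphishing Link", ("TA0043",)),
    "T1593":     Technique("T1593", "Search Open Websites/Domains", ("TA0043",)),
    "T1110":     Technique("T1110", "Brute Force", ("TA0006",)),
}


def parent_of(tid: str) -> str:
    """'T1598.002' -> 'T1598'; a parent technique maps to itself."""
    return tid.split(".", 1)[0]


def lineage(tid: str) -> str:
    """Render 'tactic > technique > sub-technique' for a (sub-)technique ID."""
    parent = TECHNIQUES[parent_of(tid)]
    path = [TACTICS[parent.tactics[0]], parent.name]
    if tid != parent.tid:
        path.append(TECHNIQUES[tid].name)
    return " > ".join(path)


def agreement(a: str, b: str) -> str:
    """Classify how two analysts' choices for one behaviour relate."""
    if a == b:
        return "exact"
    if parent_of(a) == parent_of(b):
        return "same technique, different sub-technique"
    tactics_a = set(TECHNIQUES[parent_of(a)].tactics)
    tactics_b = set(TECHNIQUES[parent_of(b)].tactics)
    if tactics_a & tactics_b:
        return "same tactic, different technique"
    return "different tactic"


def compare_mappings(mine: Dict[str, str], theirs: Dict[str, str]) -> Dict[str, str]:
    """Step 6: compare two {behaviour: technique_id} mappings of one report."""
    verdicts = {}
    for behaviour in sorted(set(mine) | set(theirs)):
        if behaviour not in mine or behaviour not in theirs:
            verdicts[behaviour] = "only one analyst mapped it"
        else:
            verdicts[behaviour] = agreement(mine[behaviour], theirs[behaviour])
    return verdicts


# Constructed sample: behaviours lifted from a hypothetical report, mapped twice.
ANALYST_A = {
    "sent a link to a fake login page to harvest credentials": "T1598.003",
    "searched the company website for employee names": "T1593",
    "tried many passwords against the VPN portal": "T1110",
}
ANALYST_B = {
    "sent a link to a fake login page to harvest credentials": "T1598.002",
    "searched the company website for employee names": "T1593",
    "tried many passwords against the VPN portal": "T1598",
}

if __name__ == "__main__":
    print(lineage("T1598.003"))
    for behaviour, verdict in compare_mappings(ANALYST_A, ANALYST_B).items():
        print(f"{verdict:45} {behaviour}")
```

Grading disagreements by level matters in practice: two analysts choosing different sub-techniques of the same parent usually reflects a detail the report leaves ambiguous, whereas landing in different tactics (the third behaviour above) means one of them has misread the adversary’s goal and the mapping needs another look.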

Provide intel to defenders

Prioritize defenses

Additional Resources



Chad Warner

Cyber threat intelligence (CTI), OSINT, & cybersecurity enthusiast. Seeking a CTI job. Bookworm. Fan of Tolkien & LEGO.