MITRE ATT&CK Framework

What It Is

A globally accessible knowledge base of adversary tactics and techniques based on real-world observations. Used for threat detection, red/blue teaming, and security gap analysis.

14 Tactics (Enterprise)

#	Tactic	Description
TA0043	Reconnaissance	Gather info before attacking
TA0042	Resource Development	Set up infrastructure/accounts
TA0001	Initial Access	Get into the network
TA0002	Execution	Run malicious code
TA0003	Persistence	Maintain foothold
TA0004	Privilege Escalation	Gain higher permissions
TA0005	Defense Evasion	Avoid detection
TA0006	Credential Access	Steal credentials
TA0007	Discovery	Explore the environment
TA0008	Lateral Movement	Move through the network
TA0009	Collection	Gather data of interest
TA0010	Exfiltration	Steal data out
TA0011	Command & Control	Communicate with compromised systems
TA0040	Impact	Disrupt, destroy, or manipulate

Key Concepts

Tactics — The why (adversary goal)
Techniques — The how (method used to achieve goal)
Sub-techniques — More specific implementations
Procedures — Specific real-world usage by threat actors

Common Use Cases

Threat Detection     → Map detections to ATT&CK techniques
Red Teaming          → Use TTPs of known threat groups
Gap Analysis         → Identify coverage blind spots
Incident Response    → Classify attacker behavior
Threat Intelligence  → Enrich IOCs with context

ATT&CK Navigator

Web tool to visualize coverage: attack.mitre.org/navigator

Color-code techniques by detection coverage
Layer and compare threat group profiles
Export as JSON or SVG

Threat Group Example

APT29 (Cozy Bear) commonly uses:

T1566.001 — Spearphishing Attachment (Initial Access)
T1059.001 — PowerShell (Execution)
T1027 — Obfuscated Files or Information (Defense Evasion)
T1078 — Valid Accounts (Persistence)

Quick Reference Links

Full matrix: https://attack.mitre.org/
Groups: https://attack.mitre.org/groups/
Software: https://attack.mitre.org/software/