What is the MITRE ATT&CK Framework?

May 12, 2020 | 2 minute read

MITRE’s Adversarial Tactics, Techniques, and Common Knowledge (MITRE ATT&CK) is a model and knowledge base of adversary behavior. It catalogs the attack lifecycle of different adversaries and the platforms they choose to target, all based on real-world observations. ATT&CK is not a static framework, and is updated quarterly with new adversaries, tactics, techniques, and other information supplied by security vendors and organizations around the world.

Since its public release, MITRE ATT&CK has become a staple of the endpoint security space. As of this writing, ATT&CK has built a community for sharing techniques, a yearly conference called ATT&CKCon, adversary emulation plans, evaluations for security vendors, and various tools to interface with ATT&CK.

In our paper on Five Steps to Enhance SecOps with MITRE ATT&CK, we explain how to use two of MITRE ATT&CK’s most important components to develop a continuously improving defense. 

What are Tactics, Techniques, and Procedures?

Long before their use in cybersecurity, tactics, techniques, and procedures (TTPs) were used to describe military operations within the United States Department of Defense. Like much military terminology, TTPs are aptly used in cybersecurity, as they describe the processes and profile of a specific adversary.


Figure 1: A representation of how techniques, tactics, and procedures can be represented as part of the attack lifecycle.

Procedure: A procedure is the specific details of how an adversary carries out a technique to achieve a tactic. For example, MITRE ATT&CK lists how APT19 (G0073) uses a watering hole attack to perform a drive-by compromise (T1189) and gain initial access (TA0001) of forbes.com in 2014.


Figure 2: A representation of how techniques, tactics, and procedures for APT19’s attack on forbes.com can be represented.

TTPs give vendors, analysts, and everyone in between a common vocabulary around which to consistently communicate methods of an attack. 

Diving Deeper into MITRE ATT&CK

Choosing the Right Targets

MITRE ATT&CK has threat intelligence on almost eighty different adversaries,  from the techniques they use to the industries they target. To get the most out of your AEP, prioritize simulating adversaries you are most likely to face in real life.

For example, a healthcare organization may model an adversary like Deep Panda (MITRE ATT&CK ID G0009), since they are well-known for targeting healthcare companies like Anthem. This same thinking can be applied to all the adversary groups across industries. 

Adversary Group

Industry Target

APT 19


Deep Panda




APT 19 



Oil and Gas


Higher Education



Dragonfly 2.0

Critical Infrastructure

Table 1: Example adversaries and the industries they target.

To make things easier, you can search for an industry within the MITRE ATT&CK website and immediately see which adversaries are known to target it.


Figure 3: Searching the MITRE ATT&CK website for adversary groups known to target healthcare companies.

To learn more about how to use MITRE ATT&CK, download the white paper, Five Clear Steps to Enhance SecOps with MITRE ATT&CK.

Read the Whitepaper