What is MITRE ATT&CK?
MITRE ATT&CK® is a knowledge base of adversary tactics and techniques built on real-world observations. MITRE developed it in 2013 to categorize adversary behavior systematically during structured emulation exercises, and it has since become a global reference used by private-sector organizations, governments, and cybersecurity vendors alike.
In practice, MITRE ATT&CK provides a common taxonomy for both offense and defense. Security teams use it to share threat intelligence, run red team exercises, and improve network and system defenses against intrusions.
What are the different MITRE ATT&CK domains?
MITRE ATT&CK® organizes adversary behavior into three technology domains. Each domain reflects a distinct operational environment with its own constraints and attack surfaces.
- Enterprise: covers attacks against traditional IT networks and cloud environments
- Mobile: focuses on threats targeting mobile communication devices
- ICS: describes adversary behavior against Industrial Control Systems, typically at Purdue architecture levels 0 to 2
How are tactics, techniques, and sub-techniques structured in MITRE ATT&CK?
MITRE ATT&CK uses a three-level hierarchy to describe adversary behavior. This structure is what makes it actionable for both threat intelligence and defensive gap analysis, because each level answers a different question about how an attack unfolds.
- Tactics: the adversary’s goal behind an action, such as gaining initial access, persisting on a system, or exfiltrating data (the “why”)
- Techniques: the specific actions an adversary takes to achieve a tactical objective, such as Spearphishing Attachment or Valid Accounts (the “how”)
- Sub-techniques: a more granular breakdown of techniques, outlining the specific methods used within each technique
How can organizations use MITRE ATT&CK?
Organizations across many sectors use MITRE ATT&CK as a practical security tool. It supports a wide range of use cases, from daily SOC operations to long-term security program improvement, and its common language makes it easier for technical and non-technical stakeholders to align on priorities.
Common use cases include:
- Threat modeling and analysis: understanding potential threats and how adversaries pursue their objectives
- Adversary emulation: replicating real-world adversary behaviors to test defenses against realistic scenarios
- Red teaming: simulating attacks to identify vulnerabilities before attackers do
- Defensive gap assessment: finding and prioritizing missing or weak security controls
- SOC maturity assessment: evaluating and improving Security Operations Center effectiveness
- Cyber threat intelligence enrichment: adding structured context to raw threat data
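As an added example (not part of the original page), the tactic/technique/sub-technique hierarchy described above and the defensive gap assessment use case combined: a small Python script that rolls observed techniques and sub-techniques up into their tactics and reports which tactics lack detection coverage. The catalogue, the observed-technique list and the detection set are constructed for illustration; the technique IDs, names and tactic assignments are real ATT&CK Enterprise entries.

```python
import re
from collections import defaultdict

# Constructed, minimal ATT&CK-style catalogue for this example.
# IDs, names and tactic assignments follow the published Enterprise matrix;
# note that one technique can sit under several tactics (e.g. Valid Accounts).
TECHNIQUES = {
    "T1566":     ("Phishing",                     ["Initial Access"]),
    "T1566.001": ("Spearphishing Attachment",     ["Initial Access"]),
    "T1078":     ("Valid Accounts",               ["Initial Access", "Persistence",
                                                   "Privilege Escalation", "Defense Evasion"]),
    "T1053":     ("Scheduled Task/Job",           ["Execution", "Persistence", "Privilege Escalation"]),
    "T1053.005": ("Scheduled Task",               ["Execution", "Persistence", "Privilege Escalation"]),
    "T1041":     ("Exfiltration Over C2 Channel", ["Exfiltration"]),
}

# Constructed inputs: techniques reported in threat intel for a priority
# adversary, and the techniques the SOC currently has detections for.
OBSERVED = ["T1566.001", "T1078", "T1053.005", "T1041"]
DETECTED = {"T1566.001", "T1053"}

_ID = re.compile(r"^T\d{4}(\.\d{3})?$")

def parent_technique(tid: str) -> str:
    """Strip the sub-technique suffix: 'T1566.001' -> 'T1566'."""
    if not _ID.match(tid):
        raise ValueError(f"not an ATT&CK technique id: {tid}")
    return tid.split(".")[0]

def is_covered(tid: str, detected: set) -> bool:
    """A sub-technique counts as covered if it or its parent technique is detected."""
    return tid in detected or parent_technique(tid) in detected

def gap_assessment(observed, detected, catalogue=TECHNIQUES):
    """Return {tactic: sorted uncovered technique ids}, rolling every uncovered
    technique up into each tactic it is assigned to in the catalogue."""
    gaps = defaultdict(set)
    for tid in observed:
        if is_covered(tid, detected):
            continue
        _, tactics = catalogue[tid]
        for tactic in tactics:
            gaps[tactic].add(tid)
    return {t: sorted(ids) for t, ids in sorted(gaps.items())}

if __name__ == "__main__":
    for tactic, ids in gap_assessment(OBSERVED, DETECTED).items():
        names = ", ".join(f"{i} ({TECHNIQUES[i][0]})" for i in ids)
        print(f"{tactic}: {names}")
```

The roll-up is what turns a flat list of uncovered technique IDs into a per-tactic view, which is the level at which detection engineering priorities are usually set.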
How is MITRE ATT&CK for ICS different from MITRE ATT&CK for Enterprise?
MITRE ATT&CK for ICS and MITRE ATT&CK for Enterprise share the same structure and methodology. However, they address fundamentally different environments and therefore differ in focus, scope, and technique specificity. In practice, understanding the differences helps organizations decide which knowledge base to apply to each part of their environment.
Specifically, three differences stand out:
- Focus: Enterprise targets IT networks and cloud environments, while ICS targets industrial control systems at Purdue levels 0 to 2
- Unique tactics: ICS introduces two tactics absent from Enterprise, specifically Inhibit Response Function (blocking safety mechanisms) and Impair Process Control (disrupting or manipulating industrial processes)
- Impact emphasis: ICS techniques describe actions that directly affect safety, availability, control, and automation of physical processes, whereas Enterprise techniques focus primarily on data confidentiality and IT system integrity