The MITRE ATT&CK framework has quietly become the lingua franca of cyber defense. It is the thing analysts point at in incident reports, the thing red teams cite in their write-ups, and the thing that finally lets a SOC manager and a CISO talk about adversary behavior without speaking past each other. This guide walks through what MITRE ATT&CK actually is, how its tactics, techniques, and procedures fit together, and how defenders can use it without drowning in the model.
Key Takeaways
- The MITRE ATT&CK framework is a knowledge base of adversary behavior, organized into tactics (the goal), techniques (the method), and procedures (the specific implementation).
- ATT&CK is split into three domains: Enterprise, Mobile, and ICS. Most defenders spend their time in Enterprise ATT&CK.
- Sub-techniques extend techniques with more specific variants, so T1566.001 (Spearphishing Attachment) narrows down the broader T1566 (Phishing) technique.
- Group profiles map known threat actors to the techniques they have actually used in the wild, which is what makes the framework useful for threat-informed defense rather than just taxonomy.
- The real win of MITRE ATT&CK is a shared vocabulary that lines up detection rules, threat intel, red team operations, and risk reporting against the same coordinates.
Environment
- MITRE ATT&CK Enterprise matrix (current public version on attack.mitre.org).
- ATT&CK STIX 2.1 dataset published by MITRE for programmatic access.
- MITRE ATT&CK Navigator for visualizing coverage and overlays.
- Optional: the mitreattack-python library for fetching and querying technique, group, and software objects.
The Problem: Why a Common Vocabulary for Attacker Behavior
Before ATT&CK, descriptions of cyber attacks tended to be either too abstract ("the attacker used phishing") or too narrow ("they sent a malicious DOCX with a macro that pulled a payload from a Cloudflare-fronted domain"). Neither framing helped a defender decide what to do next. Abstract descriptions did not translate into detection rules. Hyper-specific descriptions did not translate into anything reusable.
MITRE built ATT&CK to sit in the middle: behaviors precise enough to detect, generic enough to reuse across campaigns. Each behavior has an ID, a definition, a list of platforms it applies to, real-world examples, suggested detections, and links to mitigations. That structure is what makes it possible to map a Splunk rule, a Sigma rule, a purple team exercise, and a threat intel report against the same reference grid.
The Solution: How the ATT&CK Framework Is Organized
Step 1. Pick the Right ATT&CK Domain (Enterprise, Mobile, or ICS)
MITRE ATT&CK actually covers three distinct domains, each focused on a different type of environment:
- Enterprise ATT&CK covers techniques against traditional IT systems: Windows, macOS, Linux, network devices, identity providers, and the major cloud platforms (AWS, Azure, GCP, Microsoft 365, Google Workspace). This is the matrix most defenders will spend their time in, and it is the one we focus on here.
- Mobile ATT&CK covers iOS and Android, including both device-resident and network-side techniques. If you run an MDM and worry about jailbroken devices or rogue apps, this is the relevant matrix.
- ICS ATT&CK covers industrial control systems and operational technology. Techniques here target SCADA, PLCs, and the engineering workstations that talk to them. Different threat model, different controls, different mitigations.
The three domains share concepts but not contents. Do not assume an Enterprise technique exists in Mobile just because the verb sounds similar; check the matrix.
Step 2. Understand Tactics, Techniques, and Procedures (TTPs)
The framework is built around three core concepts. They are easier to remember as a sentence: a tactic is why, a technique is how, and a procedure is exactly what.
Figure: Overview of an example MITRE ATT&CK technique page (Command and Scripting Interpreter: PowerShell).
Tactics are the adversary's technical goals: what they are trying to achieve at a given stage of an attack. The Enterprise matrix currently lists 14 tactics, from Reconnaissance through Impact.
Figure: Tactics in Enterprise ATT&CK (the MITRE ATT&CK Enterprise tactics).
The circular diagram above shows all the major tactics, but a real intrusion does not march through them in order. A common progression looks more like this:
- Reconnaissance, then Initial Access, then Execution.
- Then, depending on the operator's goal, some combination of Persistence (to maintain access), Privilege Escalation (to gain more rights), Defense Evasion (to avoid detection), Discovery (to map the environment), Lateral Movement (to reach other systems), Collection and Exfiltration (to take the data), and finally Impact (to do whatever they came to do).
Tactics often flow in this rough sequence, but each one is its own bucket of techniques. That modular structure is what lets defenders study, detect, and defend against a single tactic in isolation, which is useful when a control or telemetry source only covers part of the kill chain.
Step 3. Drill from Techniques to Sub-Techniques
Techniques are the specific methods adversaries use to achieve their tactical goals. Each tactic has multiple associated techniques. Under Initial Access, for example, you will find techniques such as T1566 Phishing, the running example for the rest of this guide.
Every technique gets a unique identifier (like T1566), a list of supported platforms, suggested detections and mitigations, and a roster of real-world examples. That last part is what gives the framework its teeth: every technique page is effectively a citation index of which groups have used it and how.
Sub-techniques drill down a level. Under T1566 Phishing, for instance, MITRE defines sub-techniques such as T1566.001 (Spearphishing Attachment).
The hierarchical structure matters in practice. A detection rule that fires on "any T1566 activity" looks great on a coverage map and tells you nothing useful in an incident. A rule that fires on T1566.001 specifically (attachment-based delivery) tells you where to look first.
Step 4. Use Procedures to Anchor Detections in Reality
Procedures are the detailed implementations of techniques: the actual tools, malware, and steps used in an attack observed in the wild. Procedures are what distinguish APT28's version of phishing from FIN7's.
Worked example for T1566 Phishing:
- Tactic: Initial Access
- Technique: T1566 Phishing
- Procedure examples:
- APT28 delivering specially crafted PDF files containing malicious JavaScript.
- FIN7 deploying malware via phishing emails with macro-enabled Word documents.
- Other groups using LinkedIn messages with malicious links rather than attachments.
Same technique, three different procedures. When you are writing a detection, the procedure is what tells you which artifacts to look for: file hashes, parent-process chains, network signatures, document macros.
Step 5. Use Threat Groups to Make ATT&CK Threat-Informed
MITRE maintains profiles of known threat groups: APTs, financially motivated crews, and other named clusters. Each group profile lists known aliases, observed techniques, targeted industries and regions, and attribution information where MITRE is willing to commit to it.
Figure: Overview of an example MITRE ATT&CK group profile (APT28).
For example, APT28 (also tracked as Fancy Bear) is associated with Russian state-sponsored operations, known for targeting government and military organizations, and consistently uses techniques like T1566.001 (Spearphishing Attachment) and T1059.003 (Windows Command Shell). Knowing that lets a defender prioritize: if your threat model includes APT28, you probably care more about email attachment analysis and command-line process telemetry than about, say, BIOS-level rootkits.
Group profiles give defenders three concrete benefits:
- Predicting likely attack patterns based on historical group behavior.
- Prioritizing defenses against the threat actors most relevant to the organization's industry or geography.
- Recognizing the technique combinations that suggest a specific group is behind an incident.
The group-to-technique mapping is also the foundation for "threat-informed defense": picking controls and detections based on what the threats targeting you actually do, not on what would theoretically be nice to have. If you want to work with this data programmatically, our post on mapping relationships in MITRE ATT&CK walks through the Python side.
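To make the tactic / technique / sub-technique / procedure hierarchy from Steps 2 to 5 concrete, here is an added example in plain Python (not code from this guide's series or from the mitreattack-python library). It operates on a small bundle that is constructed here to mirror the object shapes of MITRE's public ATT&CK STIX 2.1 dataset (attack-pattern, intrusion-set and relationship objects); the STIX ids in it are made up, the procedure text for APT28's command-shell use is a labelled placeholder, and only the T-numbers and the procedures quoted from the text above are real. The same functions work on the real dataset once it is loaded as a dict.

```python
"""Walk the ATT&CK hierarchy (tactic > technique > sub-technique > procedure)
from STIX 2.1-shaped objects, as MITRE publishes them.

CONSTRUCTED SAMPLE: the bundle below copies the object shapes of the public
ATT&CK STIX dataset (attack-pattern, intrusion-set, relationship) but holds
only a few entries. The STIX ids are made up; only the T-numbers are real.
"""


def _technique(stix_id, attack_id, name, tactic, sub=False):
    """Build an attack-pattern object in the shape used by the ATT&CK dataset."""
    return {
        "type": "attack-pattern", "id": stix_id, "name": name,
        "x_mitre_is_subtechnique": sub,
        "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": tactic}],
        "external_references": [{"source_name": "mitre-attack", "external_id": attack_id}],
    }


def _rel(kind, source, target, description=""):
    """Relationship object; for 'uses', the description is the procedure text."""
    return {"type": "relationship", "relationship_type": kind,
            "source_ref": source, "target_ref": target, "description": description}


BUNDLE = {"type": "bundle", "objects": [
    _technique("attack-pattern--t1566", "T1566", "Phishing", "initial-access"),
    _technique("attack-pattern--t1566-001", "T1566.001", "Spearphishing Attachment",
               "initial-access", sub=True),
    _technique("attack-pattern--t1059", "T1059", "Command and Scripting Interpreter", "execution"),
    _technique("attack-pattern--t1059-003", "T1059.003", "Windows Command Shell",
               "execution", sub=True),
    {"type": "intrusion-set", "id": "intrusion-set--apt28", "name": "APT28",
     "aliases": ["APT28", "Fancy Bear"]},
    {"type": "intrusion-set", "id": "intrusion-set--fin7", "name": "FIN7", "aliases": ["FIN7"]},
    _rel("subtechnique-of", "attack-pattern--t1566-001", "attack-pattern--t1566"),
    _rel("subtechnique-of", "attack-pattern--t1059-003", "attack-pattern--t1059"),
    # group -> technique "uses" edges; the descriptions are the procedures from the text
    _rel("uses", "intrusion-set--apt28", "attack-pattern--t1566-001",
         "APT28 delivered specially crafted PDF files containing malicious JavaScript."),
    _rel("uses", "intrusion-set--apt28", "attack-pattern--t1059-003",
         "Constructed placeholder: APT28 use of the Windows command shell."),
    _rel("uses", "intrusion-set--fin7", "attack-pattern--t1566-001",
         "FIN7 deployed malware via phishing emails with macro-enabled Word documents."),
]}


def attack_id(obj):
    """The ATT&CK ID of an object, read from its mitre-attack external reference."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref["external_id"]
    return None


def _split(bundle):
    objs = {o["id"]: o for o in bundle["objects"] if o["type"] != "relationship"}
    rels = [o for o in bundle["objects"] if o["type"] == "relationship"]
    return objs, rels


def techniques_for_tactic(bundle, tactic):
    """All technique and sub-technique IDs whose kill-chain phase is `tactic`."""
    objs, _ = _split(bundle)
    return sorted(attack_id(o) for o in objs.values() if o["type"] == "attack-pattern"
                  and any(p["phase_name"] == tactic for p in o["kill_chain_phases"]))


def parent_technique(bundle, sub_id):
    """Resolve a sub-technique to its parent via the subtechnique-of relationship."""
    objs, rels = _split(bundle)
    for r in rels:
        if r["relationship_type"] == "subtechnique-of" and attack_id(objs[r["source_ref"]]) == sub_id:
            return attack_id(objs[r["target_ref"]])
    return None


def ttp_chains(bundle, group_name):
    """Tactic / technique / sub-technique / procedure rows for a group (name or alias)."""
    objs, rels = _split(bundle)
    group = next(o for o in objs.values()
                 if o["type"] == "intrusion-set" and group_name in o.get("aliases", [o["name"]]))
    rows = []
    for r in rels:
        if r["relationship_type"] != "uses" or r["source_ref"] != group["id"]:
            continue
        tech = objs[r["target_ref"]]
        tid = attack_id(tech)
        sub = tech.get("x_mitre_is_subtechnique", False)
        rows.append({
            "tactic": tech["kill_chain_phases"][0]["phase_name"],
            "technique": parent_technique(bundle, tid) if sub else tid,
            "sub_technique": tid if sub else None,
            "procedure": r["description"],
        })
    return sorted(rows, key=lambda row: (row["tactic"], row["technique"], row["sub_technique"] or ""))


def groups_using(bundle, technique_id):
    """Groups whose 'uses' edges hit the technique or any of its sub-techniques.
    Querying the parent T1566 lumps every phishing variant together, which is
    the coverage-map trap described in Step 3."""
    objs, rels = _split(bundle)
    hits = set()
    for r in rels:
        if r["relationship_type"] != "uses":
            continue
        tid = attack_id(objs[r["target_ref"]])
        if tid == technique_id or parent_technique(bundle, tid) == technique_id:
            hits.add(objs[r["source_ref"]]["name"])
    return sorted(hits)
```

Calling ttp_chains(BUNDLE, "Fancy Bear") resolves the alias to APT28 and returns one row per procedure, each carrying the tactic (why), the parent technique (how), the sub-technique, and the procedure text (exactly what); groups_using(BUNDLE, "T1566") returns both APT28 and FIN7 because both of their procedures sit under the T1566.001 sub-technique.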
Step 6. Apply the Framework Without Over-Engineering It
A few practical notes from using ATT&CK in anger:
- Focus on relevance. Start with the tactics and techniques most relevant to your environment and industry. Trying to cover all of Enterprise ATT&CK in one sprint is a good way to deliver nothing.
- Track currency. The framework is updated regularly. Pin a known version when you produce a coverage report, then re-baseline once a year.
- Use it as a planning tool, not a scoreboard. ATT&CK coverage heatmaps make great slides and middling priorities. A technique you "cover" with a low-fidelity alert is not the same as one you can actually detect.
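The three notes above (start from relevant techniques, pin a version, and do not let a low-fidelity alert count as coverage) can be encoded in a few lines. The following is an added example, not code from this guide's series or from the ATT&CK Navigator project: it reads ATT&CK technique IDs from Sigma-style rule tags, ranks each technique by the best rule that covers it, lists the priority techniques that still lack a high-fidelity rule, and emits a Navigator layer pinned to a matrix version. The rules are constructed for the example, the fidelity field is an assumption of this example rather than a Sigma field, and the version strings and gradient in the layer are example values (the layer key names follow public Navigator layer files).

```python
"""Turn detection-rule ATT&CK tags into a version-pinned, fidelity-aware
Navigator layer, so a "covered" technique with a noisy rule is not scored
like one with a validated detection.

CONSTRUCTED SAMPLE: the rules below mimic the `tags` list of Sigma rules
(attack.<tactic>, attack.t<id>). The `fidelity` field is an assumption of
this example, not a Sigma field: "high" means tuned and validated against
the behaviour, "low" means a broad or noisy alert.
"""
import json
import re

# Pin the matrix version the report was produced against (example value).
ATTACK_VERSION = "14"

# Techniques to prioritise, here taken from the APT28 profile discussed above.
PRIORITY = {"T1566.001", "T1059.003"}

RULES = [
    {"title": "Office application spawning a command shell",
     "tags": ["attack.initial_access", "attack.t1566.001"], "fidelity": "high"},
    {"title": "Any inbound mail carrying an attachment",
     "tags": ["attack.t1566"], "fidelity": "low"},
    {"title": "cmd.exe launched with unusual arguments",
     "tags": ["attack.execution", "attack.t1059.003"], "fidelity": "low"},
]

_TECH_TAG = re.compile(r"attack\.(t\d{4}(?:\.\d{3})?)")
_RANK = {"low": 1, "high": 2}


def technique_ids(rule):
    """ATT&CK technique IDs from Sigma-style tags: attack.t1566.001 -> T1566.001."""
    ids = []
    for tag in rule.get("tags", []):
        m = _TECH_TAG.fullmatch(tag.lower())
        if m:
            ids.append(m.group(1).upper())
    return ids


def coverage(rules):
    """Best-fidelity rule per technique ID. A rule tagged T1566 does not credit
    T1566.001 and vice versa; the IDs are treated as distinct coordinates."""
    best = {}
    for rule in rules:
        for tid in technique_ids(rule):
            current = best.get(tid)
            if current is None or _RANK[rule["fidelity"]] > _RANK[current["fidelity"]]:
                best[tid] = {"fidelity": rule["fidelity"], "rule": rule["title"]}
    return best


def gaps(rules, priority):
    """Priority techniques lacking a high-fidelity rule: the work queue, not the slide."""
    cov = coverage(rules)
    return sorted(t for t in priority if cov.get(t, {}).get("fidelity") != "high")


def navigator_layer(rules, priority, name="detection coverage"):
    """Build an ATT&CK Navigator layer (key names follow public layer files):
    score 2 = high-fidelity rule, 1 = low-fidelity rule, 0 = priority gap."""
    cov = coverage(rules)
    techniques = [{"techniqueID": tid, "score": _RANK[info["fidelity"]], "comment": info["rule"]}
                  for tid, info in sorted(cov.items())]
    techniques += [{"techniqueID": tid, "score": 0, "comment": "priority technique, no rule"}
                   for tid in sorted(set(priority) - set(cov))]
    return {
        "name": name,
        "domain": "enterprise-attack",
        "versions": {"attack": ATTACK_VERSION, "navigator": "4.9", "layer": "4.5"},
        "gradient": {"colors": ["#ff6666", "#ffe766", "#8ec843"], "minValue": 0, "maxValue": 2},
        "techniques": techniques,
    }


if __name__ == "__main__":
    print("gaps:", gaps(RULES, PRIORITY))
    print(json.dumps(navigator_layer(RULES, PRIORITY), indent=2))
```

With the sample rules, gaps(RULES, PRIORITY) returns T1059.003: it has a rule, so a naive heatmap would paint it green, but the rule is low fidelity, so it stays on the work queue. The broad T1566 rule appears in the layer with a score of 1 and does not credit T1566.001, which is the distinction Step 3 makes between a coverage-map entry and a detection you can act on.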
Frequently Asked Questions
What is the MITRE ATT&CK framework in plain English?
MITRE ATT&CK is a public catalog of adversary behavior: what attackers try to achieve (tactics), how they try to achieve it (techniques and sub-techniques), and exactly how known groups have done it before (procedures). Each behavior gets an ID, a definition, suggested detections, and real-world examples.
What is the difference between a tactic, a technique, and a procedure?
A tactic is the attacker's goal at a stage of the attack (for example, Initial Access). A technique is the method used to reach that goal (for example, T1566 Phishing). A procedure is the specific way an actor implemented that technique in an actual intrusion (for example, FIN7 using macro-enabled Word documents).
Do I need to use all of MITRE ATT&CK to get value out of it?
No, and trying to is a common failure mode. Pick the tactics that matter most for your environment (typically Initial Access, Execution, Persistence, Credential Access, and Lateral Movement for most enterprise environments) and build detection and response from there.
How does MITRE ATT&CK compare to the Cyber Kill Chain?
The Lockheed Martin Cyber Kill Chain is a linear seven-stage model of an intrusion. MITRE ATT&CK is more granular and non-linear: it documents behaviors and how they map to tactics, without assuming that intrusions follow a strict order. The two are complementary rather than competing.
Is MITRE ATT&CK only for Windows environments?
No. Enterprise ATT&CK covers Windows, macOS, Linux, network devices, containers, and the major cloud and SaaS platforms. Mobile ATT&CK covers iOS and Android, and ICS ATT&CK covers operational technology.
Conclusion
MITRE ATT&CK is not a silver bullet, and it is not a replacement for understanding your own environment. What it is, is the cleanest shared vocabulary the industry has for talking about adversary behavior, and a structured way to line up detection engineering, threat intelligence, and red team activity against the same reference points.
The framework can look intimidating when you first open the Enterprise matrix and see hundreds of techniques staring back. The trick is to remember that nobody uses all of it at once. Most teams that get value out of ATT&CK start with a small slice (the tactics and techniques most relevant to their threat model), build detections and mitigations against that slice, then expand. Used that way, ATT&CK pays for the learning curve very quickly.
Related Posts
- Getting Started with MITRE ATT&CK: Fetching and Processing Data. Part 1 of our Python series on querying ATT&CK programmatically.
- Mapping with MITRE ATT&CK. Part 2, on mapping techniques to groups and mitigations.
- Visualizing with MITRE ATT&CK Navigator. Part 3, on turning mapped data into Navigator overlays.
