Level the Security Operations Playing Field With MITRE ATT&CK

Playing defense is always more difficult than being on the attack, because defense is always reactive on some level. This concept is especially true in cybersecurity, where adversaries can take as many shots as they want at an organization, while the poor security team has to be perfect every time to prevent a successful attack. 

Because of this natural disadvantage, security teams should always be on the lookout for ways to become more proactive by predicting and anticipating their adversaries’ next moves. Using a kill chain framework helps security teams get inside the heads of their adversaries and understand their intent. The variation of this concept that I have found to be the most valuable is the MITRE ATT&CK matrix, because of its rich database of real-world cyber attack data.

The Kill Chain

The kill chain originated as a military concept to describe the stages of an attack and was adapted into the intrusion kill chain (or “cyber kill chain”) by Lockheed Martin in 2011 to describe attacks against computer networks. In its original form, the cyber kill chain has seven phases that outline an attack:

1. Reconnaissance
2. Weaponization
3. Delivery
4. Exploitation
5. Installation
6. Command and Control
7. Actions on Objective

These phases serve as a generic playbook for adversaries, which security teams can use to anticipate and contextualize attacks. Many organizations now use a kill chain framework in some way. It is valuable as a high-level concept, but it says nothing about exactly how attackers achieve the goal of each phase, which leaves security researchers plenty of room to elaborate on its basic structure.

What Makes ATT&CK Different

Between 2013 and 2015, the not-for-profit MITRE Corporation developed its own version of a cyber kill chain, called ATT&CK (Adversarial Tactics, Techniques & Common Knowledge). As originally published, ATT&CK focused on post-compromise behavior, whereas the cyber kill chain begins with the adversary conducting reconnaissance on the target. That gap has since narrowed: MITRE later folded pre-compromise activity into the Enterprise matrix as the Reconnaissance and Resource Development tactics.

Instead of phases, ATT&CK breaks down incidents into "tactics" (what the adversary is trying to achieve), twelve of them in the Enterprise matrix at the time of writing and fourteen today, each accompanied by numerous "techniques" (how the adversary achieves it). Tactics include Execution, Defense Evasion and Lateral Movement. Techniques are more specific, such as PowerShell, Modify Registry and Remote Desktop Protocol, and each carries a stable identifier (Modify Registry is T1112). MITRE has since split many techniques into sub-techniques, so PowerShell is now T1059.001 under Command and Scripting Interpreter and Remote Desktop Protocol is T1021.001 under Remote Services. The result is a large matrix of adversary behavior, compiled from MITRE's study of publicly reported real-world intrusions.

The Value of Using the ATT&CK Matrix in Security Operations

Successful cyber attacks take time to unfold, yet organizations generally take a long time to detect one and recognize what is happening. The good news is that disrupting the attack at any phase defeats it, even after the network has been compromised, because each phase only matters as a step toward the adversary's final objective. For example, an adversary escalates privileges not as an end in itself but in order to use those privileges to reach and exfiltrate data; stop the lateral movement or the exfiltration, and the earlier escalation has gained them nothing.

Using the ATT&CK framework in your analysis of incidents lets you connect individual observations across tactics and techniques. That helps the security team spot an attack in progress before it completes, see what the adversary has already done, and anticipate what they are likely to do next.

ATT&CK is particularly valuable for detection because it is a behavior-based model rather than a signature-based one. Detections built on ATT&CK look for what the adversary does (a script interpreter launched with an encoded command, a new Run key, a dump of LSASS memory) rather than for a hash or a known-bad string, so they are not defeated by a zero-day exploit, by indicators of compromise that the adversary has trivially modified, or by the other weaknesses of signature-based systems. The caveat is that ATT&CK itself is a knowledge base, not a detector: it tells you which behaviors to look for, and the coverage you actually get depends on the telemetry you collect and the analytics you write against it.

ATT&CK's "techniques" also differ from conventional IOCs in that a technique is often a legitimate action performed for malicious purposes. In other words, once an adversary has compromised a system and gained privileges, they may never again need to do anything that would trip the alarms of conventional security tools; an RDP session or a PowerShell command is exactly what an administrator does too. ATT&CK techniques describe the actions the adversary is likely to take next, even though in isolation each one looks like normal activity, which is why the useful signal is usually the combination of techniques seen on one host or account rather than any single one.
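As an added example, not part of the original column: the Python script below tags a handful of constructed Windows process-creation events with ATT&CK tactics and techniques by what each process does rather than by a hash or known-bad string, then alerts on a host only when its tagged techniques span several tactics inside a time window. A lone RDP session or PowerShell command, which an administrator produces all day, is deliberately not an alert on its own. The tactic and technique identifiers are from the public ATT&CK Enterprise matrix; the event format, hostnames, command lines, detection predicates and thresholds are assumptions made for this illustration.

```python
"""Behaviour-based ATT&CK tagging and cross-tactic correlation over constructed
Windows process-creation events (illustrative, not a production detector)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Enterprise matrix tactics in kill-chain order (left to right on the matrix).
TACTIC_ORDER = [
    "Reconnaissance", "Resource Development", "Initial Access", "Execution",
    "Persistence", "Privilege Escalation", "Defense Evasion", "Credential Access",
    "Discovery", "Lateral Movement", "Collection", "Command and Control",
    "Exfiltration", "Impact",
]


def _image_is(event, exe):
    """True when the process image path ends in the given executable name."""
    return event["image"].lower().endswith("\\" + exe)


# (tactic, technique ID, technique name, predicate). IDs and names are ATT&CK's;
# the predicates are assumed, simplified behaviour checks written for this example.
RULES = [
    ("Execution", "T1059.001", "PowerShell",
     lambda e: _image_is(e, "powershell.exe")
     and re.search(r"-enc(odedcommand)?\b", e["cmdline"], re.I) is not None),
    ("Persistence", "T1547.001", "Registry Run Keys / Startup Folder",
     lambda e: _image_is(e, "reg.exe")
     and re.search(r"\badd\b.*\\CurrentVersion\\Run\b", e["cmdline"], re.I) is not None),
    ("Credential Access", "T1003.001", "LSASS Memory",
     lambda e: _image_is(e, "procdump.exe") and "lsass" in e["cmdline"].lower()),
    ("Lateral Movement", "T1021.001", "Remote Desktop Protocol",
     lambda e: _image_is(e, "mstsc.exe") and "/v:" in e["cmdline"].lower()),
]

# Constructed sample telemetry: ws-01 shows a chained intrusion, ws-02 an admin
# who merely opened an RDP session. Hostnames, users and paths are made up.
CONSTRUCTED_EVENTS = [
    {"ts": "2024-03-01T09:00:00", "host": "ws-01", "user": "alice",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -EncodedCommand SQBFAFgAIAAoAE4A"},
    {"ts": "2024-03-01T09:04:00", "host": "ws-01", "user": "alice",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d C:\Users\alice\AppData\up.exe"},
    {"ts": "2024-03-01T09:10:00", "host": "ws-01", "user": "alice",
     "image": r"C:\Tools\procdump.exe",
     "cmdline": r"procdump.exe -ma lsass.exe C:\Users\alice\l.dmp"},
    {"ts": "2024-03-01T09:15:00", "host": "ws-01", "user": "alice",
     "image": r"C:\Windows\System32\mstsc.exe",
     "cmdline": "mstsc.exe /v:fileserver01"},
    {"ts": "2024-03-01T09:20:00", "host": "ws-02", "user": "bob",
     "image": r"C:\Windows\System32\mstsc.exe",
     "cmdline": "mstsc.exe /v:fileserver01"},
]


def tag_event(event):
    """Every (tactic, technique_id, technique_name) whose behaviour predicate matches."""
    return [(tactic, tid, name) for tactic, tid, name, pred in RULES if pred(event)]


def correlate(events, window=timedelta(minutes=30), min_tactics=3):
    """Per host, alert once the tagged techniques inside any `window` span at
    least `min_tactics` distinct tactics. Returns {host: alert_dict}."""
    hits = defaultdict(list)  # host -> [(timestamp, tactic, technique_id, name)]
    for e in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        for tactic, tid, name in tag_event(e):
            hits[e["host"]].append((ts, tactic, tid, name))

    alerts = {}
    for host, seq in hits.items():
        for i in range(len(seq)):
            start = seq[i][0]
            in_window = [h for h in seq[i:] if h[0] - start <= window]
            tactics = sorted({h[1] for h in in_window}, key=TACTIC_ORDER.index)
            if len(tactics) >= min_tactics:
                furthest = tactics[-1]
                alerts[host] = {
                    "start": start.isoformat(),
                    "tactics": tactics,
                    "techniques": [h[2] for h in in_window],
                    # Tactics to the right of the furthest one observed: what a
                    # responder should be watching for, and blocking, next.
                    "watch_next": TACTIC_ORDER[TACTIC_ORDER.index(furthest) + 1:],
                }
                break  # one alert per host is enough for this example
    return alerts


if __name__ == "__main__":
    for host, alert in correlate(CONSTRUCTED_EVENTS).items():
        print(host, alert["tactics"], alert["techniques"])
        print("  watch next:", ", ".join(alert["watch_next"]))
```

Run as-is it reports ws-01 with four techniques across Execution, Persistence, Credential Access and Lateral Movement and lists Collection onward as the tactics to watch; ws-02 produces a tagged RDP technique but no alert. The threshold and window are the knobs a real deployment would tune, and the predicates would be replaced by properly tested analytics over real telemetry, but the shape is the point: tag by behavior, then correlate across tactics.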

MITRE's extension of the cyber kill chain concept takes the value of breaking incidents into phases and combines it with behavior-based research that rivals the best threat intelligence sources. Whether it is built in to your detection and response tools, or simply the vocabulary your security team uses to talk about advanced persistent threats, the MITRE ATT&CK matrix deserves a place in your security operations.
