MITRE ATT&CK
Definition
MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. It is used to understand threats, test security measures, and write detection rules.
MITRE ATT&CK (Adversarial Tactics, Techniques & Common Knowledge) is a globally accessible knowledge base of adversary tactics and techniques based on real-world cyberattack observations. The framework contains over 200 techniques across 14 tactics and is the de facto standard for describing, analysing and detecting cyber threats.
How does MITRE ATT&CK work?
The framework is a matrix describing the full attack lifecycle from the attacker's perspective. The 14 tactics describe strategic goals: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration and Impact. Each tactic contains multiple techniques with sub-techniques and documentation of which threat groups use which techniques.
Applications of MITRE ATT&CK
Security teams use ATT&CK to measure detection coverage: which techniques can they detect? Red teams simulate attacks based on ATT&CK techniques. Purple teaming validates detection per technique. Threat intelligence is structured using ATT&CK taxonomy.
Impact on organisations
MITRE ATT&CK provides a common language for describing cyber threats used across the entire security industry. Without ATT&CK as reference, organisations lack a structured way to measure and improve their security coverage.
Protection
Map SIEM and EDR detection rules to ATT&CK techniques. Identify coverage blind spots. Prioritise detection investments based on relevant threat actors and their techniques.
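A worked example of the coverage measurement described under "Applications" and "Protection": a small Python script, added here and not DEFION's tooling, that maps a rule set to ATT&CK techniques, rolls sub-techniques up to their parents, reports coverage per tactic, and lists the blind spots that matter for one threat actor profile. The rule set and the actor profile are constructed sample data; the technique IDs are public ATT&CK identifiers and the tactic each is placed under follows the public matrix as recalled here (an assumption; verify against the current matrix before relying on it). One caveat the script makes explicit: a rule that is mapped but disabled is not coverage, but it is the cheapest gap to close.

```python
"""Detection coverage gap analysis against MITRE ATT&CK (added example).

Not DEFION's code. RULES and ACTOR_PROFILE are constructed sample data;
TECHNIQUES is a hand-picked subset of the public catalogue with tactic
placement as recalled by the author (assumption).
"""

# The 14 tactics in matrix order, as listed on the page.
TACTICS = [
    "Reconnaissance", "Resource Development", "Initial Access", "Execution",
    "Persistence", "Privilege Escalation", "Defense Evasion",
    "Credential Access", "Discovery", "Lateral Movement", "Collection",
    "Command and Control", "Exfiltration", "Impact",
]

# Subset of the technique catalogue: ID -> (name, tactics it appears under).
# A technique can sit under several tactics (e.g. Valid Accounts).
TECHNIQUES = {
    "T1566": ("Phishing", ("Initial Access",)),
    "T1078": ("Valid Accounts", ("Initial Access", "Persistence",
                                 "Privilege Escalation", "Defense Evasion")),
    "T1059": ("Command and Scripting Interpreter", ("Execution",)),
    "T1053": ("Scheduled Task/Job", ("Execution", "Persistence",
                                     "Privilege Escalation")),
    "T1003": ("OS Credential Dumping", ("Credential Access",)),
    "T1087": ("Account Discovery", ("Discovery",)),
    "T1021": ("Remote Services", ("Lateral Movement",)),
    "T1071": ("Application Layer Protocol", ("Command and Control",)),
    "T1041": ("Exfiltration Over C2 Channel", ("Exfiltration",)),
    "T1486": ("Data Encrypted for Impact", ("Impact",)),
}

# Constructed SIEM/EDR rule inventory: each rule is tagged with the
# (sub-)techniques it detects and whether it is actually enabled.
RULES = [
    {"name": "Encoded PowerShell command line", "techniques": ["T1059.001"], "enabled": True},
    {"name": "Office application spawning a shell", "techniques": ["T1566.001", "T1059"], "enabled": True},
    {"name": "Handle opened on LSASS memory", "techniques": ["T1003.001"], "enabled": False},
    {"name": "New scheduled task registered", "techniques": ["T1053.005"], "enabled": True},
    {"name": "Periodic beacon to rare domain", "techniques": ["T1071.001"], "enabled": True},
]

# Constructed actor profile: techniques threat intelligence attributes to
# the actor this organisation cares about most.
ACTOR_PROFILE = {"T1566", "T1078", "T1059", "T1003", "T1021", "T1071", "T1486"}


def parent_technique(tid: str) -> str:
    """Roll a sub-technique ID such as T1059.001 up to its parent T1059."""
    return tid.split(".")[0]


def covered_techniques(rules) -> set:
    """Parent techniques that have at least one ENABLED rule mapped to them."""
    return {parent_technique(t) for r in rules if r["enabled"] for t in r["techniques"]}


def disabled_only_techniques(rules) -> set:
    """Techniques with mapped rules, none of which are enabled (quick wins)."""
    mapped = {parent_technique(t) for r in rules for t in r["techniques"]}
    return mapped - covered_techniques(rules)


def coverage_by_tactic(covered: set, catalogue=TECHNIQUES) -> dict:
    """tactic -> (covered techniques, total techniques) for every tactic."""
    result = {}
    for tactic in TACTICS:
        in_tactic = {tid for tid, (_, tactics) in catalogue.items() if tactic in tactics}
        result[tactic] = (len(in_tactic & covered), len(in_tactic))
    return result


def prioritised_blind_spots(rules, actor_profile: set, catalogue=TECHNIQUES) -> list:
    """Actor techniques with no enabled detection, quick wins first, then by
    how early the technique sits in the matrix."""
    covered = covered_techniques(rules)
    quick_wins = disabled_only_techniques(rules)
    gaps = []
    for tid in actor_profile - covered:
        name, tactics = catalogue[tid]
        gaps.append({"technique": tid, "name": name, "tactics": tactics,
                     "quick_win": tid in quick_wins})
    gaps.sort(key=lambda g: (not g["quick_win"],
                             min(TACTICS.index(t) for t in g["tactics"])))
    return gaps


if __name__ == "__main__":
    covered = covered_techniques(RULES)
    for tactic, (hit, total) in coverage_by_tactic(covered).items():
        print(f"{tactic:22s} {hit}/{total}")
    print("\nBlind spots for the actor profile:")
    for gap in prioritised_blind_spots(RULES, ACTOR_PROFILE):
        flag = " (rule exists but is disabled)" if gap["quick_win"] else ""
        print(f"  {gap['technique']} {gap['name']}{flag}")
```

Running it prints coverage per tactic and then the prioritised gaps: the disabled LSASS rule surfaces first as a quick win, followed by Valid Accounts, Remote Services and Data Encrypted for Impact, which have no rule at all. Tactics with 0/0 are simply not represented in the catalogue subset, not "fully covered"; a real run uses the full technique catalogue.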
How DEFION helps
DEFION uses MITRE ATT&CK as reference in Red Teaming, Purple Teaming and Managed Threat Hunting.