Understanding MITRE ATT&CK


When I first started studying for my GIAC certifications, particularly during the SEC 504 course Hackers, Tools, and Incident Handling, I was intrigued and overwhelmed by the depth and constant evolution of adversary behaviors. We focused heavily on TTPs (Tactics, Techniques, and Procedures) and how they map to real-world cyberattacks. The MITRE ATT&CK framework, vast and ever-evolving, initially seemed like a lot to absorb. However, with ongoing study and practice, I began to understand how these concepts are applied in defending against cyber threats.
MITRE ATT&CK can be just as daunting for beginners. It's a framework that organizes vast amounts of information about how attackers operate, which can feel overwhelming if you're just starting out. But trust me, once you break it down, it becomes an incredibly valuable tool for understanding and defending against cyber threats. In this guide, I'll help you make sense of the ATT&CK framework, how it's structured, and how you can use it to improve your cybersecurity practices. Whether you're a beginner or someone working to sharpen your skills, let's dive in and make MITRE ATT&CK less intimidating!
What Is MITRE ATT&CK?
MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a publicly accessible knowledge base that catalogs real-world adversary behaviors. Think of it as a "playbook" of how attackers operate, organized into tactics (goals) and techniques (methods). Unlike traditional threat lists, ATT&CK focuses on how attacks happen, not just what they look like. Please note that while this guide focuses on the Enterprise Matrix, MITRE also offers matrices for Mobile and Industrial Control Systems (ICS).
Why It Matters
Common Language: Security teams use ATT&CK to communicate threats clearly.
Detection & Response: Helps organizations spot attacker behaviors, not just malware signatures.
Proactive Defense: By anticipating attacker workflows, teams can prioritize patching vulnerabilities or monitoring high-risk techniques.
Key Concepts: Tactics, Techniques, and Sub-Techniques
Tactics: The "Why" Behind Attacks
Tactics represent the "why" behind an attacker's actions: the adversary's goals at various stages of the attack. All tactic IDs start with TA followed by a four-digit number (ex. Reconnaissance: TA0043).
Here are the main tactics and their goals:
TA0043: Reconnaissance – Collect data to plan future malicious activities.
TA0042: Resource Development – Identify resources to support malicious operations.
TA0001: Initial Access – Gain first access to your network.
TA0002: Execution – Execute malicious code.
TA0003: Persistence – Maintain their foothold.
TA0004: Privilege Escalation – Get access to higher-level permissions.
TA0005: Defense Evasion – Evade defenses to avoid being detected.
TA0006: Credential Access – Acquire account names and passwords.
TA0007: Discovery – Investigate your environment.
TA0008: Lateral Movement – Move through your environment.
TA0009: Collection – Collect data relevant to their goal.
TA0011: Command and Control – Control compromised systems and communicate with them.
TA0010: Exfiltration – Steal collected data.
TA0040: Impact – Alter, corrupt, or destroy your systems and data.
As seen in the matrix image above, each tactic column lists several techniques.
Techniques: The "How"
Techniques are specific actions attackers use to achieve their goals. All technique IDs start with T followed by a four-digit number (ex. Phishing: T1566). For example:
Phishing (T1566): Sending deceptive emails to trick users into sharing sensitive information.
Use Alternate Authentication Material (T1550): Using alternative credentials or methods for authentication, such as password hashes or Kerberos tickets.
Some techniques like Use Alternate Authentication Material have sub-techniques. Let’s explore that.
Sub-Techniques: Granular Details
Sub-techniques refine techniques into more specific actions. Not all techniques have sub-techniques; those that do show a gray sidebar next to the technique name in the matrix, and clicking that gray area expands the list of sub-techniques. Sub-technique IDs append a three-digit sub-ID to the technique ID (ex. T1550.002).
For instance, under Use Alternate Authentication Material (T1550) there are currently four sub-techniques, two of which are:
T1550.002: Pass the Hash – Bypassing authentication by using NTLM hash values instead of a password (NTLM is a Windows authentication protocol).
T1550.004: Web Session Cookie – Stealing and using session cookies to impersonate a user without needing their password.
Another example, OS Credential Dumping (T1003), has 8 sub-techniques so far, two of which are:
T1003.001: LSASS Memory – Extracting passwords from the memory of the LSASS process.
T1003.002: Security Account Manager (SAM) – Extracting passwords from registry keys.
The Pyramid of Pain: Why Behavior Matters
The Pyramid of Pain, created by David Bianco, helps us understand why focusing on TTPs is more effective in defending against adversaries than relying on traditional indicators of compromise (IOCs). Unlike IOCs, such as file hashes or IP addresses, which attackers can easily change, behaviors (TTPs) are harder to adapt quickly and provide a much more lasting challenge for threat actors.
Before MITRE ATT&CK, defenses typically focused on low-level indicators like IP addresses or file hashes. However, these indicators are easily changed or masked by attackers, making them less effective at deterring threats. The Pyramid of Pain illustrates how defenses become more effective when they target behaviors (TTPs—Tactics, Techniques, and Procedures) rather than just indicators.
Lower Levels: Indicators of Compromise (IOCs) like IP addresses, file hashes, or domain names are easy for attackers to change and, therefore, cause minimal “pain” for them. For example, attackers can quickly change a file hash or switch to a new IP address, making this level of defense only a minor hurdle for skilled adversaries. While IOCs can help detect attacks, they don’t provide much resistance.
Middle Levels: Tactics and Techniques are harder for attackers to change, but they can still adjust their methods. For example, if a defender blocks one phishing technique, attackers might adapt by using a different method. This is where MITRE ATT&CK shines: it provides a detailed catalog of how attackers achieve their objectives, allowing defenders to identify and block common attack strategies that are more difficult to change.
Higher Levels: Tactics, Techniques, and Procedures (TTPs) represent the strategic approaches attackers use. These are the most challenging aspects for attackers to change because they are part of their overall attack methodology. For example, an attacker’s method for lateral movement or credential dumping will rely on a consistent set of behaviors, even if they use different tools. When defenses are focused on detecting and blocking TTPs, they become much more difficult for attackers to bypass, forcing them to rethink their strategy.
By focusing on TTPs, MITRE ATT&CK helps defenders "raise the pain" for attackers—making it more challenging for them to succeed and forcing them to evolve their methods.
Tracking Threat Actors by Groups and Software
MITRE ATT&CK profiles:
Groups: Named threat actors (ex. APT29, Lazarus Group, Dragonfly) and their TTPs. Group IDs start with G (ex. Dragonfly: G0035).
Software: Tools/malware they use. Software IDs start with S (ex. Mimikatz, used for credential dumping: S0002).
In MITRE ATT&CK, groups refer to specific threat actor teams or campaigns that engage in cyberattacks. These groups are often associated with certain tactics, techniques, and procedures (TTPs) that MITRE tracks, which help us understand their methods and behaviors. However, threat actors sometimes operate under multiple names or aliases, which can create confusion when reviewing reports or intelligence.
For example, Dragonfly (ID: G0035) is a well-known cyber espionage group attributed to Russia, targeting critical infrastructure. Within the Dragonfly umbrella, one of the notable subgroups is Berserk Bear, which has been particularly active in attacking energy sectors. Although the name "Berserk Bear" is frequently mentioned in some threat intelligence reports, it is ultimately part of the Dragonfly group, and understanding this connection is key. In MITRE ATT&CK, you'll find the complete list of aliases associated with a group, which helps clarify any potential confusion about its identity.
It's important to remember that groups like Dragonfly and its subgroups may not only use multiple aliases but can also adapt or change their tactics over time. This makes tracking these threat actors a dynamic challenge. For example, Dragonfly uses sub-techniques like PowerShell (T1059.001) and tools like Mimikatz (S0002), which remain part of the group's ongoing operations despite potential shifts in their campaigns.
How to Use MITRE ATT&CK
Threat Intelligence: Map detected activities to known adversary behaviors.
Detection Engineering: Build alerts for techniques like lateral movement (ex. suspicious RDP logins).
Red Team Exercises: Simulate attacks to test defenses.
Incident Response: Investigate breaches by aligning evidence with TTPs.
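As an added example (not code from the original post or from MITRE), here is the ID scheme described above put to work for the threat-intelligence and incident-response uses just listed: it validates ATT&CK IDs, rolls sub-technique hits up to their parent technique, and emits a minimal Navigator-style layer. The catalogue is constructed only from the IDs on this page, and the layer field names are assumed from the ATT&CK Navigator layer JSON format.

```python
import re
from collections import Counter

# Tiny catalogue built only from IDs mentioned in this guide (constructed; not the full ATT&CK data set).
CATALOGUE = {
    "TA0001": "Initial Access", "TA0006": "Credential Access", "TA0043": "Reconnaissance",
    "T1566": "Phishing", "T1550": "Use Alternate Authentication Material",
    "T1550.002": "Pass the Hash", "T1550.004": "Web Session Cookie",
    "T1003": "OS Credential Dumping", "T1003.001": "LSASS Memory",
    "T1003.002": "Security Account Manager", "T1059.001": "PowerShell",
    "G0035": "Dragonfly", "S0002": "Mimikatz",
}

# TA = tactic, T = technique (optionally .NNN sub-technique), G = group, S = software.
ID_PATTERN = re.compile(r"^(?P<prefix>TA|T|G|S)(?P<num>\d{4})(?:\.(?P<sub>\d{3}))?$")
KIND = {"TA": "tactic", "T": "technique", "G": "group", "S": "software"}


def parse_attack_id(raw):
    """Return (kind, normalized_id, parent_technique_id or None); raise ValueError on bad input."""
    attack_id = raw.strip().upper()
    m = ID_PATTERN.match(attack_id)
    if not m:
        raise ValueError(f"not an ATT&CK ID: {raw!r}")
    prefix, num, sub = m.group("prefix", "num", "sub")
    if sub is None:
        return KIND[prefix], attack_id, None
    if prefix != "T":
        raise ValueError(f"only techniques have sub-techniques: {raw!r}")
    return "sub-technique", attack_id, f"T{num}"


def technique_counts(findings):
    """Count findings per technique; sub-technique hits roll up into their parent technique."""
    counts = Counter()
    for raw in findings:
        kind, attack_id, parent = parse_attack_id(raw)
        if kind == "technique":
            counts[attack_id] += 1
        elif kind == "sub-technique":
            counts[parent] += 1  # group and software IDs are skipped: they are not techniques
    return counts


def navigator_layer(findings, name="incident review"):
    """Build a minimal Navigator layer dict (field names assumed from the layer JSON format)."""
    return {
        "name": name,
        "domain": "enterprise-attack",
        "techniques": [{"techniqueID": tid, "score": n, "comment": CATALOGUE.get(tid, "")}
                       for tid, n in sorted(technique_counts(findings).items())],
    }
```

Feeding the layer dict to json.dump gives a file you can load into the Navigator to see which techniques an investigation touched most.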
Getting Started
Explore the Matrix: Visit MITRE’s ATT&CK Website.
Use Free Tools: Try the ATT&CK Navigator for visual mapping.
Focus on Relevance: Prioritize techniques common to your industry (ex. ransomware for healthcare).
Join the Community: Contribute insights or use case studies from MITRE’s updates.
Key Takeaways
MITRE ATT&CK is about behavior, not just indicators.
Use it to align defenses with real-world attack patterns.
Start small: focus on high-impact techniques first (ex. phishing).
MITRE ATT&CK is a living framework, updated regularly with community contributions.
By understanding MITRE ATT&CK, you’ll shift from reactive to proactive cybersecurity—catching attackers by their habits, not just their tools.
If you're eager to get hands-on with MITRE ATT&CK, I highly recommend checking out the ATT&CK Navigator or diving into a Capture the Flag (CTF) challenge to start mapping real-world attacks to tactics and techniques.
Written by Yarelys Rivera
Welcome to CyberYara! I created this space to share insights on cybersecurity, programming, and the latest in tech. With a background in cybersecurity, leadership, and technology, I enjoy breaking down complex topics and making them accessible to a wider audience. My journey into cybersecurity began when I witnessed firsthand how frequent phishing attacks disrupted an organization I worked for. That experience led me to dive deep into security practices, earning certifications like GFACT, GSEC, and GCIH after intensive training at SANS Cyber Academy. I also completed the Google Cybersecurity Certificate and hold a Scrum Master Certification (PSM I). Beyond cybersecurity, I enjoy learning and sharpening my technical skills in Python, SQL, HTML & CSS, and AI. I also have extensive experience in operations and leadership, having managed diverse teams and ensured compliance across multiple projects. My background in journalism and psychology gives me a unique perspective on tech—how we communicate it, how we secure it, and how it impacts people. On this blog, you’ll find practical cybersecurity tips, programming tutorials, discussions on tech trends, and more. Whether you’re a beginner or a seasoned professional, I hope CyberYara sparks curiosity, learning, and meaningful conversations. Thanks for stopping by!