Decoding the MITRE ATT&CK Framework
What is MITRE ATT&CK?
The MITRE ATT&CK® framework is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. It provides a common language for both offensive and defensive security professionals.
ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge.
Tactics vs Techniques
| Term | Definition | Example |
|---|---|---|
| Tactic | The “Why” - the adversary’s tactical goal. | Initial Access (TA0001) |
| Technique | The “How” - the method used to achieve the goal. | Phishing (T1566) |
| Procedure | The exact execution of a technique. | Sending an email with an Excel macro. |
Why Purple Teams Love It
For Purple Teaming, MITRE ATT&CK is the gold standard. It allows Red Teams to emulate specific threat actors (like APT29) by chaining techniques together, while Blue Teams can map their SIEM detections directly to the framework to identify coverage gaps.
Learn more on the official MITRE ATT&CK website (https://attack.mitre.org/).
If your SOC is tracking alerts without mapping them to ATT&CK, you are missing the chance to see the broader kill chain each alert belongs to!
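As an added example (not code from the original post), here is a small Python script that does the Blue Team side of the mapping described above: it reads Sigma-style ATT&CK tags off SIEM detection rules, compares them with the technique chain in a Red Team emulation plan, and reports the techniques that have no detection, grouped by tactic. The ATT&CK subset, the rules and the plan are all constructed for the demo; the only IDs taken from the post are T1566 and TA0001.

```python
import re
from collections import defaultdict

# Constructed ATT&CK subset (technique ID -> tactic ID); T1566/TA0001 are the post's IDs.
TECHNIQUE_TACTIC = {
    "T1566": "TA0001",  # Phishing -> Initial Access
    "T1059": "TA0002",  # Command and Scripting Interpreter -> Execution
    "T1053": "TA0003",  # Scheduled Task/Job -> Persistence
    "T1027": "TA0005",  # Obfuscated Files or Information -> Defense Evasion
    "T1003": "TA0006",  # OS Credential Dumping -> Credential Access
    "T1071": "TA0011",  # Application Layer Protocol -> Command and Control
}

# Constructed SIEM rules with Sigma-style tags ("attack.t1566", "attack.t1566.001");
# tactic tags such as "attack.initial_access" carry no technique and are ignored.
DETECTION_RULES = [
    {"title": "Office app spawns script interpreter",
     "tags": ["attack.initial_access", "attack.t1566.001", "attack.t1059"]},
    {"title": "LSASS handle opened by non-system process", "tags": ["attack.t1003"]},
    {"title": "Encoded PowerShell command line", "tags": ["attack.t1027", "attack.t1059.001"]},
]

# Constructed emulation plan: the technique chain the Red Team ran in one exercise.
EMULATION_PLAN = ["T1566", "T1059", "T1053", "T1003", "T1071"]
TECH_TAG = re.compile(r"^attack\.(t\d{4})(?:\.\d{3})?$", re.IGNORECASE)


def covered_techniques(rules):
    """Technique IDs claimed by at least one rule. A sub-technique tag counts
    toward its parent technique (assumption: parent-level coverage is enough)."""
    covered = set()
    for rule in rules:
        for tag in rule["tags"]:
            match = TECH_TAG.match(tag)
            if match:
                covered.add(match.group(1).upper())
    return covered


def coverage_gaps(plan, rules):
    """Map tactic ID -> sorted plan techniques that no rule covers; techniques
    missing from the matrix subset are reported under 'unmapped'."""
    covered = covered_techniques(rules)
    gaps = defaultdict(list)
    for technique in plan:
        if technique not in covered:
            gaps[TECHNIQUE_TACTIC.get(technique, "unmapped")].append(technique)
    return {tactic: sorted(ids) for tactic, ids in sorted(gaps.items())}


if __name__ == "__main__":
    print(coverage_gaps(EMULATION_PLAN, DETECTION_RULES))  # {'TA0003': ['T1053'], 'TA0011': ['T1071']}
```

With the constructed inputs, Persistence (TA0003) and Command and Control (TA0011) come back as the tactics with no detection, which is exactly the coverage gap a purple team exercise is meant to surface.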
This post is licensed under CC BY 4.0 by the author.
