MITRE ATT&CK: The Blue Team Analyst's Framework
The shared vocabulary for describing attacker behavior, detection engineering, and defense gaps
If you've spent any time in a SOC or reading threat intel reports, you've seen MITRE ATT&CK. It's the shared vocabulary blue teamers use to describe what attackers do. This post covers what ATT&CK is, how to use it for detection engineering, and the complementary projects that extend it.
What is ATT&CK?
MITRE ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge. It's a globally accessible knowledge base of adversary behaviors derived from real-world observations.
- Started in 2013 from MITRE's Fort Meade Experiment (FMX)
- Security professionals emulated APT TTPs against a live network and documented the behaviors they observed
- Initially Windows-focused, now covers macOS, Linux, cloud, mobile, and ICS
- As of v18: 14 tactics, 216 techniques, and 475 sub-techniques (numbers grow with each release)
Tactics, Techniques, Procedures (TTPs)
ATT&CK is built around three layers:
- Tactics — the adversary's goal ("why")
- Techniques — the method used to achieve that goal ("how")
- Procedures — specific implementations by threat groups ("what exactly")
Example:
- Tactic: Credential Access
- Technique: OS Credential Dumping (T1003)
- Sub-technique: LSASS Memory (T1003.001)
- Procedure: APT28 uses Mimikatz to dump LSASS
The Enterprise Matrix — 14 Tactics
The order roughly follows an attack lifecycle:
1. Reconnaissance
2. Resource Development
3. Initial Access
4. Execution
5. Persistence
6. Privilege Escalation
7. Defense Evasion
8. Credential Access
9. Discovery
10. Lateral Movement
11. Collection
12. Command and Control
13. Exfiltration
14. Impact
Each tactic column contains dozens of techniques. Click any technique in the matrix for:
- Description
- Procedure examples (which groups have used it)
- Data sources for detection
- Detection guidance
- Mitigations
ATT&CK Navigator
The ATT&CK Navigator is a visual tool for exploring and annotating the matrix.
Use Cases
- Compare threat groups — overlay APT28 and APT29 layers to see overlapping TTPs
- Map defensive coverage — highlight techniques your detections cover vs. gaps
- Plan red/blue team exercises — scope which techniques to test
- Visualize incident frequency — color techniques by how often you see them
The Navigator generates JSON layers that can be exported, shared, and versioned.
ATT&CK vs Cyber Kill Chain
People often ask which to use. They solve different problems.
| Aspect | ATT&CK | Cyber Kill Chain |
|---|---|---|
| Structure | Matrix of techniques per tactic | Seven sequential stages |
| Granularity | Specific techniques case-by-case | Generic attack phases |
| Updates | Continuously updated | No updates since 2011 |
| Focus | Detailed behavioral analysis | High-level attack progression |
| Best for | Detection engineering, TTP mapping | Executive reports, strategic view |
Many SOC teams use a hybrid approach. The Unified Kill Chain (UKC) combines both into 18 phases.
Complementary MITRE Projects
ATT&CK doesn't exist alone. MITRE has several related projects that extend it.
CAR (Cyber Analytics Repository)
Pre-built detection analytics mapped to ATT&CK techniques.
- Pseudocode and tool-specific implementations (Splunk, EQL, Sigma)
- Validated analytics with operating theory and rationale
- An ATT&CK Navigator layer showing analytic coverage
Use it when: you need a starting point for writing detections — CAR gives you reference logic.
MITRE Engage
A framework for adversary engagement — active defense through denial and deception.
- Cyber Denial — preventing adversary operations
- Cyber Deception — misleading adversaries with intentional artifacts (honey tokens, decoy files)
- Five categories: Prepare, Expose, Affect, Elicit, Understand
D3FEND
Detection, Denial, and Disruption Framework Empowering Network Defense.
- Knowledge graph of defensive countermeasures (originally NSA-funded)
- 267 defensive techniques across 7 tactics (Model, Harden, Detect, Isolate, Deceive, Evict, Restore)
- 680+ digital artifacts mapped to ATT&CK techniques
- Complements ATT&CK by mapping defenses to offensive techniques
Think of it as "ATT&CK for defenders" — defensive techniques are directly mapped to the offensive techniques they counter.
Adversary Emulation Plans
Published by MITRE Engenuity's Center for Threat-Informed Defense (CTID).
- Step-by-step plans to emulate specific threat groups (APT3, APT29, FIN6)
- Let organizations test defenses against real-world adversary behaviors
- Open-source on GitHub
Practical Use in a SOC
Here's how a blue team analyst actually uses ATT&CK day-to-day:
1. Threat Intelligence → Detection
- Read a threat intel report about a new APT campaign
- Extract the TTPs mentioned (e.g., "uses PowerShell for execution, LSASS dumping for credential access")
- Map them to ATT&CK techniques (T1059.001, T1003.001)
- Check which of these you detect today — fill the gaps
2. Incident Investigation
- During an investigation, classify every adversary action by ATT&CK technique
- Build a timeline showing the technique progression
- Share findings using technique IDs — every analyst immediately understands
3. Detection Engineering Workflow
Identify target technique → Research detection data sources
→ Write rule (Sigma, Splunk SPL, Elastic EQL) → Test with emulation
→ Deploy to production → Monitor false positive rate
4. Coverage Assessment
- Export your current detection rules
- Map each rule to ATT&CK techniques
- Load into Navigator
- Visualize coverage — find critical gaps
- Prioritize new rules based on threat intel + asset criticality
5. Red/Blue Team Exercises
- Red team picks a threat group (e.g., APT29)
- Uses CTID's emulation plan to replicate their TTPs
- Blue team practices detection and reviews the resulting alerts
- Map detected vs missed techniques on Navigator
- Post-exercise: build detections for the misses
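The detection engineering workflow above (write rule → test with emulation → monitor false positive rate) carried through in code, as an added example that is not from the post, from CAR, or from any published Sigma rule: a simplified analytic for LSASS Memory (T1003.001) run over Sysmon Event ID 10 (ProcessAccess) records. The events, the allowlist and the ground-truth labels are constructed for the example; PROCESS_VM_READ and PROCESS_QUERY_INFORMATION are the documented Windows process access-right bits.

```python
import re

# Windows process access-right bits that matter for reading another process's
# memory (documented Win32 process security constants).
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400

# Constructed Sysmon Event ID 10 (ProcessAccess) records, flattened to the
# fields the rule needs. Not real telemetry. "label" is ground truth kept
# alongside the event only so the rule can be measured; a SIEM would not have it.
EVENTS = [
    {"SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff", "label": "benign"},
    {"SourceImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1400", "label": "benign"},
    {"SourceImage": r"C:\Users\jdoe\AppData\Local\Temp\update.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010", "label": "malicious"},
    {"SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe", "GrantedAccess": "0x1010", "label": "benign"},
    {"SourceImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1410", "label": "benign"},
]

# Tuning allowlist (constructed): source images that legitimately read LSASS
# memory on this estate. Every entry is a blind spot, so keep it short and
# review it when the false positive rate is assessed.
ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}


def matches_t1003_001(event):
    """Return True when the record looks like an LSASS memory read:
    the target is lsass.exe, the granted access mask includes
    PROCESS_VM_READ, and the source image is not allowlisted."""
    if not event["TargetImage"].lower().endswith(r"\lsass.exe"):
        return False
    # Sysmon logs GrantedAccess as a hex string such as "0x1010".
    access = int(event["GrantedAccess"], 16)
    if not access & PROCESS_VM_READ:
        return False
    return event["SourceImage"].lower() not in ALLOWLIST


def run_rule(events):
    """Apply the analytic to a batch of events and return the alerts."""
    return [e for e in events if matches_t1003_001(e)]


def false_positive_rate(alerts):
    """Share of alerts whose ground-truth label is benign (0.0 when there
    are no alerts). This is the number to watch after deployment."""
    if not alerts:
        return 0.0
    return sum(1 for a in alerts if a["label"] == "benign") / len(alerts)


if __name__ == "__main__":
    alerts = run_rule(EVENTS)
    for a in alerts:
        print(f"ALERT T1003.001: {a['SourceImage']} -> {a['TargetImage']} ({a['GrantedAccess']})")
    print(f"false positive rate: {false_positive_rate(alerts):.2f}")
```

On the constructed sample the rule fires twice: once on the unsigned binary in a user's Temp directory (a true positive) and once on WmiPrvSE.exe (a false positive), so the measured rate is 0.50. That is exactly the signal the "monitor false positive rate" step is meant to surface; the fix is to tune the allowlist or add a second condition such as the CallTrace field, not to drop the rule.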
Example Analyst Workflow
Scenario: threat intel report says APT33 is targeting your industry.
- Open attack.mitre.org/groups/G0064 — the APT33 group page
- Note their techniques: spearphishing (T1566), PowerShell (T1059.001), credential dumping (T1003)
- Open ATT&CK Navigator, create an "APT33" layer
- Overlay your existing detection coverage layer
- Identify gaps where APT33 has techniques you don't detect
- Check CAR for reference analytics on those techniques
- Write Sigma rules or Splunk queries for your SIEM
- Test with Atomic Red Team or a custom emulation
- Deploy and monitor
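The coverage assessment (item 4 above) and the APT33 walkthrough as an added Python example; this is not code from the post, from MITRE, or from the Navigator project. It reads technique IDs out of Sigma-style attack.tNNNN rule tags, classifies each of the group's techniques as covered, partial or gap (a rule on T1003.001 only partially covers a group that is attributed the parent T1003, and vice versa), and emits a Navigator layer dict that can be saved and loaded in the Navigator. The three APT33 techniques are the ones the post names; T1078 in the group list and the whole rule inventory are constructed; the version strings in the layer are assumptions to adjust to your Navigator instance.

```python
import json
import re

# Techniques attributed to the group in the scenario. T1566, T1059.001 and
# T1003 are the ones the post names for APT33; T1078 is a constructed addition
# used to exercise the gap case, not an attribution claim.
GROUP_TECHNIQUES = ["T1566", "T1059.001", "T1003", "T1078"]

# Constructed detection rule inventory, tagged the way Sigma rules are tagged.
DETECTION_RULES = [
    {"title": "PowerShell EncodedCommand", "tags": ["attack.execution", "attack.t1059.001"]},
    {"title": "LSASS memory access", "tags": ["attack.credential_access", "attack.t1003.001"]},
    {"title": "Office spawns child process", "tags": ["attack.execution", "attack.t1204.002"]},
]

# Sigma technique tags look like attack.t1059 or attack.t1059.001.
TAG_RE = re.compile(r"^attack\.(t\d{4}(?:\.\d{3})?)$")

SCORE = {"covered": 2, "partial": 1, "gap": 0}


def rule_techniques(rules):
    """Collect the technique IDs (upper-cased) that the rule inventory claims."""
    techs = set()
    for rule in rules:
        for tag in rule["tags"]:
            m = TAG_RE.match(tag)
            if m:
                techs.add(m.group(1).upper())
    return techs


def assess_coverage(group_techniques, rules):
    """Classify each group technique.

    covered: a rule is tagged with that exact ID.
    partial: the group lists a parent and we detect only a sub-technique,
             or the group lists a sub-technique and we only have a parent rule.
    gap:     nothing maps.
    """
    detected = rule_techniques(rules)
    result = {"covered": [], "partial": [], "gap": []}
    for tech in group_techniques:
        parent = tech.split(".")[0]
        if tech in detected:
            result["covered"].append(tech)
        elif any(d == parent or d.split(".")[0] == tech for d in detected):
            result["partial"].append(tech)
        else:
            result["gap"].append(tech)
    return result


def build_layer(assessment, name="APT33 vs detection coverage"):
    """Build an ATT&CK Navigator layer: score 2 covered, 1 partial, 0 gap.
    The version strings are assumptions; match them to your Navigator."""
    techniques = []
    for status, ids in assessment.items():
        for tech in ids:
            techniques.append({
                "techniqueID": tech,
                "score": SCORE[status],
                "comment": status,
                "enabled": True,
                # Expand the parent so the sub-technique that is covered is visible.
                "showSubtechniques": status == "partial",
            })
    return {
        "name": name,
        "versions": {"attack": "18", "navigator": "5.1.0", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": "Scores: 2 covered, 1 partial, 0 gap",
        "techniques": techniques,
        "gradient": {"colors": ["#ff6666", "#ffe766", "#8ec843"], "minValue": 0, "maxValue": 2},
    }


def layer_json(assessment):
    """Serialise the layer for saving to a .json file and loading in Navigator."""
    return json.dumps(build_layer(assessment), indent=2)


if __name__ == "__main__":
    result = assess_coverage(GROUP_TECHNIQUES, DETECTION_RULES)
    print("gaps to prioritise:", result["gap"])
    print(layer_json(result))
```

On the constructed inventory the output is one covered technique (T1059.001), one partial (T1003, because only the LSASS sub-technique has a rule) and two gaps (T1566 and T1078); those two are the techniques to take to CAR for reference analytics in the next step of the walkthrough.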
Key Takeaways
- ATT&CK is the shared language for describing attacker behavior
- Structure: Tactics (why) → Techniques (how) → Procedures (what)
- Use the Navigator for visual TTP mapping and coverage analysis
- ATT&CK and Kill Chain solve different problems — use both
- CAR gives you reference detection analytics
- D3FEND maps defenses to offensive techniques
- Adversary Emulation Plans let you test against real TTPs
- ATT&CK is the glue between threat intel, detection engineering, and IR