Understanding the MITRE ATT&CK® Framework: A Modern Lens on Adversary Behavior

What is the MITRE ATT&CK framework?

The MITRE ATT&CK framework is one of the most widely adopted and respected resources in the field of cyber threat intelligence. Serving as a common language for security professionals across industries and departments, it provides a consistent and structured way to describe adversary behavior. Developed and maintained by MITRE, a non-profit organization dedicated to addressing complex security challenges for both government and industry, ATT&CK offers an extensive knowledge base of adversary tactics, techniques, and procedures (TTPs) observed in real-world intrusions.

By mapping out the entire attack lifecycle—from initial reconnaissance and compromise to lateral movement, data exfiltration, and impact—the framework empowers defenders to anticipate, detect, and respond to cyber threats with greater precision. Beyond serving as a catalog of adversarial methods, ATT&CK also enables organizations to track specific threat actors, analyze their motivations, and anticipate their likely future behaviors. When security teams align threat activity with known adversary groups, they gain deeper insight into attacker tradecraft, campaign objectives, and potential next steps.

This predictive capability transforms security from a purely reactive function into a proactive threat management discipline. By leveraging ATT&CK for attribution, detection, and response, organizations strengthen their situational awareness, improve defense strategies, and enhance their overall cyber resilience against an increasingly complex and evolving threat landscape.

As of 2024, ATT&CK continues to evolve rapidly, reflecting the dynamic and increasingly sophisticated threat landscape. With its broad coverage of tactics, techniques, procedures, and adversary behaviors, the framework has become an indispensable tool for threat hunting, incident response, security operations, and red teaming.

Framework overview

The MITRE ATT&CK framework serves as a comprehensive taxonomy of adversarial behaviors, covering each stage of the attack chain. Unlike theoretical models, ATT&CK is grounded in empirical evidence from real-world intrusions observed across industries and geographies.

The framework is organized into three main domains:

• Enterprise ATT&CK: Covers attacks targeting traditional IT environments such as Windows, Linux, macOS, and cloud platforms.
• Mobile ATT&CK: Focuses on techniques and threats targeting mobile devices and operating systems.
• ICS ATT&CK: Addresses adversarial techniques targeting industrial control systems and operational technology environments.

By providing a shared language and classification system, ATT&CK fosters collaboration between security teams, vendors, researchers, and policymakers.

MITRE ATT&CK framework key components

1. Tactics

Tactics represent the “why” behind adversary actions, their high-level objectives during an intrusion. As of 2024, the 14 core tactics include:

• Reconnaissance – Studying the target environment, identifying potential weaknesses, and gathering information about systems, users, or processes.
• Resource Development – Building or acquiring the tools needed for the attack, such as malware, exploit kits, or phishing infrastructure.
• Initial Access – Finding the way in—whether through phishing, exploiting a vulnerability (CVE), or another intrusion vector.
• Execution – Launching the malicious code or payload inside the environment.
• Persistence – Establishing a foothold to remain in the environment undetected, even if systems are rebooted or credentials change.
• Privilege Escalation – Gaining higher-level access to increase control over systems and unlock greater opportunities for exploitation.
• Defense Evasion – Avoiding detection by security tools such as EDR or XDR platforms.
• Credential Access – Stealing account names, passwords, or authentication tokens to expand access.
• Discovery – Mapping out the environment to find valuable systems, data, or other assets.
• Lateral Movement – Moving across the network to reach additional systems or escalate the attack further.
• Collection – Gathering and staging data of interest (for example, using tools like Mimikatz).
• Command and Control (C2) – Communicating with external servers to receive instructions or send out stolen information.
• Exfiltration – Extracting data and transferring it out of the target environment.
• Impact – Carrying out the attacker’s ultimate objective, whether it’s data destruction, encryption (ransomware), or disruption of operations.

These tactics map closely to stages in an attack lifecycle, making it easier for defenders to contextualize and prioritize threats.

2. Techniques and sub-techniques

Techniques define the “how” adversaries achieve their tactical goals. Sub-techniques provide even more granular detail on the methods used. As of 2024, ATT&CK catalogs 202 techniques and 435 sub-techniques, underscoring the breadth and complexity of the threat landscape.

3. Procedures

Procedures are the real-world implementations of techniques: specific methods, tools, or malware families observed in active campaigns. This makes ATT&CK actionable for defenders who want to study the actual tradecraft of adversaries.

Recent developments and expansion

The ATT&CK framework has grown significantly over the past several years. Since 2020, there has been a 79% increase in documented indicators of attack (IOAs). By 2024, the framework encompasses:

• 148 adversary groups
• 677 pieces of software and malware families
• 28 documented campaigns
• 43 mitigation strategies
• 37 unique data sources

This expansion reflects not only the increasing scale of cyber threats but also the community-driven nature of ATT&CK. Security researchers, intelligence analysts, and organizations worldwide contribute to ensuring ATT&CK remains accurate and up to date.

The MITRE ATT&CK framework in cybersecurity

Threat monitoring and detection

ATT&CK provides a foundation for building detection rules and analytics. By aligning security logs and telemetry to ATT&CK techniques, organizations can better spot malicious activity within their environments.

Incident response and forensics

During incident response, ATT&CK enables teams to map adversary behavior against known techniques, helping them understand the scope of an attack, attribute activity to threat groups, and close security gaps.

Threat hunting

Security teams leverage ATT&CK to proactively search for hidden or advanced threats. By mapping hunts to specific ATT&CK techniques, hunters can prioritize high-risk behaviors and validate detection coverage.

Security engineering and red teaming

Red teams use ATT&CK to simulate realistic adversary campaigns, while blue teams use it to validate defenses and identify blind spots. This promotes a purple team approach, where attackers and defenders collaborate to strengthen resilience.

Example techniques

• T1566.001 – Phishing: Spearphishing Attachment
  Adversaries send weaponized attachments to deliver malware or steal credentials.
• T1071.001 – Application Layer Protocol: Web Protocols
  Attackers exploit standard web protocols (e.g., HTTPS) to disguise malicious command and control (C2) traffic.
• T1059.003 – Command and Scripting Interpreter: Windows Command Shell
  Malicious actors use Windows command shells to execute payloads, scripts, or administrative commands.

These examples demonstrate how ATT&CK provides both broad tactical insight and fine-grained technical detail.

How does Bitsight help? 

Understanding how adversaries operate is key to building a strong defense. To help organizations operationalize MITRE ATT&CK, we’ve introduced TTP Intelligence Cards: a new feature within Bitsight Adversary Intelligence that moves beyond theoretical frameworks to show how TTPs (Tactics, Techniques, and Sub-Techniques) are actually being used in the wild.

This capability transforms ATT&CK data into immediate, actionable context, enabling teams to prioritize defensive efforts based on real-world activity. By linking each TTP directly to the threat actors who use it, the vulnerabilities they exploit, and the sectors they target, Bitsight empowers organizations to focus on the techniques that pose the greatest risk to them.

How it works

We’ve introduced a dedicated MITRE ATT&CK section within the Adversary Intelligence module, providing a comprehensive, filterable list of all ATT&CK TTPs. Users can sort by ID or filter by ATT&CK level, gaining instant insight into the full threat landscape.

Selecting any TTP opens a new TTP Intelligence Card, which consolidates all related intelligence into three powerful tabs:

• Insights: A quick overview with the official MITRE ATT&CK description, plus highlights of the top sectors and regions targeted by adversaries leveraging this TTP.
• Related Entities: A filterable and exportable list of all APT groups and CVEs associated with the TTP, with direct links to their intelligence and CVE cards. (CVE cards are available to users of the Vulnerability Intelligence module.)
• Related TTPs: A hierarchical visualization showing parent Tactics and child Sub-Techniques, helping users easily navigate and understand relationships within the ATT&CK framework.

Turning intelligence into action

This release marks the first step in actualizing the Bitsight Threat Intelligence vision: delivering the most contextualized, actionable insights tied directly to the MITRE ATT&CK framework. By uniting adversary behavior, vulnerabilities, and campaign intelligence into a single, connected experience, Bitsight helps security teams move from frameworks to foresight, transforming data into defense.

And this is just the beginning. With complementary advancements across the Bitsight ecosystem, from IQ Campaign Reports and Quarterly Sectoral Reports, to Identity Intelligence enhancements and expanded API integrations, we’re building a truly unified threat intelligence platform. One that gives organizations the clarity, speed, and context they need to understand the threat, assess the risk, and take decisive action.

Conclusion

The MITRE ATT&CK framework has become a cornerstone of modern cyber defense. Its structured catalog of tactics, techniques, and procedures offers unparalleled visibility into how adversaries operate. By adopting ATT&CK, organizations can:

• Enhance threat intelligence programs
• Improve detection and response capabilities
• Strengthen defensive architectures
• Foster a culture of continuous learning and adaptation

In an era where cyber threats are evolving faster than ever, ATT&CK provides the strategic clarity and operational detail needed to defend against sophisticated adversaries. Leveraging this framework is no longer optional, it is essential for building and maintaining a resilient cybersecurity posture.