

5 Mitre ATT&CK framework use cases

The Mitre ATT&CK framework helps security teams better protect their organizations. Read up on five Mitre ATT&CK use cases to consider adopting, from red teaming to SOC maturity.

The Mitre ATT&CK framework catalogs the tactics, techniques and procedures (TTPs) adversaries use to breach organizations, so enterprise security teams can detect and mitigate those behaviors rather than chase individual indicators.

The Mitre ATT&CK framework is invaluable to organizations looking to elevate their security capabilities. But, with more than 180 techniques and hundreds more subtechniques, the framework can seem complex and daunting.

To make it easier for security teams to get started, let's look at five Mitre ATT&CK use cases that help improve cybersecurity programs.

What is the Mitre ATT&CK framework?

Created in 2013, the ATT&CK framework -- short for Adversarial Tactics, Techniques and Common Knowledge -- documented adversaries' objectives and the methods they used once inside Windows enterprise networks. It set out to address the following four challenges:

  • Describing observed adversary behaviors rather than static indicators.
  • Lifecycle models that were outdated or out of sync with how adversaries actually operate.
  • Relevance to real production environments.
  • A standardized taxonomy that defenders and vendors could share.

Over the years, the framework has evolved as organizations and the threat landscape innovated and escalated.

Mitre now publishes mitigation and detection guidance for the tactics and techniques it catalogs, along with advice on how to use the framework. It also covers how to emulate adversary behavior and perform gap analysis in order to assess defensive coverage and evaluate security operations center (SOC) maturity.

Mitre ATT&CK use cases

Security teams getting started with the framework should consider the following five key use cases.

1. Red teaming

Red teaming is an exercise in which an offensive team tests an organization's security posture by attacking it. Red teams emulate real adversaries looking for weaknesses in security infrastructure, practices and processes. Red team evaluations should be conducted without the red team having prior information about the target enterprise's infrastructure.

A red team exercise mapped to the Mitre ATT&CK framework has the following objectives:

  • To identify missed vulnerabilities.
  • To assess whether current defenses work as intended.
  • To find unconventional attack sources.
  • To discover overlooked cybersecurity strategies.

2. SOC maturity controls

SOC analysts are key to distinguishing harmless anomalies from serious threats. To do so, they must analyze and correlate data from multiple sources, which takes time and effort. If a SOC cannot identify and respond to security incidents quickly, attackers have the time they need to reach enterprise resources.

The Mitre ATT&CK framework can help assess whether SOC practices and technologies are sufficient to safeguard an enterprise from attacks. SOC teams can emulate techniques listed in the framework and record, for each one, whether their tooling and processes detected the behavior and raised an alert. The results show which techniques and tactics are covered and which are not, and security teams can use them to shore up their security maturity.

3. Insider threats

An insider threat is any risk initiated by an employee, partner, contractor or anyone else authorized to interact with high-value or sensitive information. Insider threat incidents, whether malicious or accidental, can result in data leakage or resource theft.

While the Mitre ATT&CK framework focuses primarily on external attackers, much of it also applies to insider attacks. In particular, it describes the data sources that reveal each technique, which helps teams spot an attack and determine whether the threat actor is internal or external. For example, the framework points security teams to application authentication logs when tracing insider activity, because those logs are keyed to user identity, whereas other sources, such as endpoint detection and response telemetry, center on the device.
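The identity-centric review described above, written out as an added example (this is not code from the article or from Mitre). It assumes a constructed, simplified authentication log format of `<ISO timestamp> user=<id> app=<name> src=<host> result=<success|failure>`; the baseline window and the failure threshold are illustrative choices, not values the article gives. The script builds a per-user profile of applications and source hosts seen during the baseline period, then flags later successful logins that involve a new application, a new source host, or a run of failures immediately before success.

```python
"""Identity-centric review of application authentication logs.

Added example, not from the article or from Mitre. Log format,
baseline window and thresholds are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample: three days of routine use by two users, followed by
# one user authenticating to an unfamiliar application from an unfamiliar
# host late at night after repeated failures.
SAMPLE_LOG = """\
2024-03-01T09:02:11Z user=alice app=payroll src=ws-alice result=success
2024-03-01T09:05:40Z user=bob app=crm src=ws-bob result=success
2024-03-02T09:01:03Z user=alice app=payroll src=ws-alice result=success
2024-03-02T09:10:22Z user=bob app=crm src=ws-bob result=success
2024-03-03T08:58:49Z user=alice app=payroll src=ws-alice result=success
2024-03-03T09:12:05Z user=bob app=crm src=ws-bob result=success
2024-03-04T23:41:10Z user=alice app=hr-records src=build-07 result=failure
2024-03-04T23:41:25Z user=alice app=hr-records src=build-07 result=failure
2024-03-04T23:41:39Z user=alice app=hr-records src=build-07 result=failure
2024-03-04T23:42:02Z user=alice app=hr-records src=build-07 result=success
"""


def parse_line(line):
    """Split one log line into a dict; the timestamp is parsed, the rest kept as strings."""
    ts, *fields = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def build_profiles(records, baseline_end):
    """Per-user sets of applications and source hosts seen in successful logins before baseline_end."""
    profiles = defaultdict(lambda: {"apps": set(), "hosts": set()})
    for r in records:
        if r["ts"] < baseline_end and r["result"] == "success":
            profiles[r["user"]]["apps"].add(r["app"])
            profiles[r["user"]]["hosts"].add(r["src"])
    return profiles


def find_anomalies(records, baseline_end, fail_threshold=3):
    """Flag post-baseline successes that deviate from the user's own history."""
    profiles = build_profiles(records, baseline_end)
    fail_streak = defaultdict(int)  # (user, app, src) -> consecutive failures
    findings = []
    for r in sorted(records, key=lambda rec: rec["ts"]):
        if r["ts"] < baseline_end:
            continue
        key = (r["user"], r["app"], r["src"])
        if r["result"] == "failure":
            fail_streak[key] += 1
            continue
        reasons = []
        prof = profiles.get(r["user"])
        if prof and r["app"] not in prof["apps"]:
            reasons.append("new application")
        if prof and r["src"] not in prof["hosts"]:
            reasons.append("new source host")
        if fail_streak[key] >= fail_threshold:
            reasons.append(f"{fail_streak[key]} failures before success")
        fail_streak[key] = 0
        if reasons:
            findings.append({"user": r["user"], "app": r["app"], "src": r["src"],
                             "ts": r["ts"].isoformat(), "reasons": reasons})
    return findings


def analyze(log_text, baseline_end):
    records = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    return find_anomalies(records, baseline_end)


def run_sample():
    """Run the analysis over the constructed sample with a baseline ending 2024-03-04."""
    return analyze(SAMPLE_LOG, datetime(2024, 3, 4))


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Because every profile and every finding is keyed to the user rather than the host, the same logic works whether the user moved between workstations, a server or a VPN concentrator, which is the point the passage makes about identity-focused log sources.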

4. Penetration testing

Pen testing involves security teams or third parties deliberately -- and with permission -- trying to breach systems and devices to find vulnerabilities. It is an effective way to discover flaws in an organization's defenses.

The ATT&CK framework helps organizations check that their security controls hold up against the tactics and techniques threat actors actually use. Security teams can also use it after a pen test to prioritize and remediate the vulnerabilities found, while checking that the fixes do not introduce additional issues, such as a device misconfiguration.

5. Breach and attack simulation

Security teams use breach and attack simulation (BAS) tools to automate full-scale attacks against their infrastructure and measure how effective their defenses are. BAS exercises expose weaknesses and help security teams adjust their security strategies efficiently. Simulations also help teams reinforce their security infrastructure and improve threat detection and response.

The Mitre website lists prominent threat groups, the techniques attributed to them and the types of businesses and governments they target. Security teams can use this information to simulate the attack methods those groups prefer. Some vendors offer BAS tools that map their simulations directly to Mitre ATT&CK techniques.
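The gap analysis that sections 2 and 5 both describe, as an added example (not the article's or Mitre's own code): per-tactic detection coverage from a set of emulated techniques, and a comparison of the results against a threat group's known technique list. The technique IDs are real ATT&CK Enterprise IDs, but the tactic assignments (ATT&CK maps several of these techniques to more than one tactic; one is kept per technique here), the test results, the detection SLA and the group profile are constructed sample data. In practice the results would come from a BAS or red team tool's output and the group profile from the group's page on attack.mitre.org.

```python
"""ATT&CK technique coverage and gap analysis.

Added example, not from the article or from Mitre. Technique IDs are
real ATT&CK IDs; tactic roll-up, test results and group profile are
constructed for illustration.
"""
from collections import defaultdict

# Constructed roll-up: technique -> one tactic used for reporting.
TECHNIQUE_TACTIC = {
    "T1566": "Initial Access",       # Phishing
    "T1059": "Execution",            # Command and Scripting Interpreter
    "T1053": "Persistence",          # Scheduled Task/Job
    "T1003": "Credential Access",    # OS Credential Dumping
    "T1021": "Lateral Movement",     # Remote Services
    "T1071": "Command and Control",  # Application Layer Protocol
    "T1486": "Impact",               # Data Encrypted for Impact
}

# Constructed results of an emulation run: did the SOC alert on each
# technique, and how many minutes after the test step did the alert fire?
TEST_RESULTS = [
    {"technique": "T1566", "alerted": True,  "minutes": 12},
    {"technique": "T1059", "alerted": True,  "minutes": 3},
    {"technique": "T1053", "alerted": False, "minutes": None},
    {"technique": "T1003", "alerted": True,  "minutes": 45},
    {"technique": "T1021", "alerted": False, "minutes": None},
    {"technique": "T1071", "alerted": False, "minutes": None},
]

# Constructed profile of a hypothetical group (not taken from Mitre's list).
GROUP_PROFILE = {
    "name": "EXAMPLE-GROUP",
    "techniques": ["T1566", "T1059", "T1003", "T1021", "T1486"],
}


def coverage_by_tactic(results, technique_tactic):
    """Return {tactic: (detected, tested)} for every tactic that was exercised."""
    tested = defaultdict(int)
    detected = defaultdict(int)
    for r in results:
        tactic = technique_tactic.get(r["technique"], "Unknown")
        tested[tactic] += 1
        if r["alerted"]:
            detected[tactic] += 1
    return {tactic: (detected[tactic], tested[tactic]) for tactic in tested}


def slow_detections(results, sla_minutes):
    """Techniques that were detected, but later than the SOC's alerting SLA."""
    return sorted(r["technique"] for r in results
                  if r["alerted"] and r["minutes"] > sla_minutes)


def group_gaps(results, profile):
    """Split a group's techniques into those never emulated and those emulated but missed."""
    tested = {r["technique"] for r in results}
    detected = {r["technique"] for r in results if r["alerted"]}
    return {
        "untested": [t for t in profile["techniques"] if t not in tested],
        "missed": [t for t in profile["techniques"] if t in tested and t not in detected],
    }


if __name__ == "__main__":
    for tactic, (hit, total) in coverage_by_tactic(TEST_RESULTS, TECHNIQUE_TACTIC).items():
        print(f"{tactic:<20} {hit}/{total} detected")
    print("slower than 30 min SLA:", slow_detections(TEST_RESULTS, 30))
    print(GROUP_PROFILE["name"], "gaps:", group_gaps(TEST_RESULTS, GROUP_PROFILE))
```

Separating "untested" from "missed" matters for the follow-up: a missed technique is a detection engineering task, while an untested one is a gap in the emulation plan itself, and a tactic with zero tests (Impact, in the sample) does not appear in the coverage report at all, which is why the group comparison is needed alongside the per-tactic view.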

Amy Larsen DeCarlo has covered the IT industry for more than 30 years, as a journalist, editor and analyst. As a principal analyst at GlobalData, she covers managed security and cloud services.
