How to Use MITRE ATT&CK® to Map Defenses and Understand Gaps

Howard Poston
November 11, 2020 by
Howard Poston

Developing detection and prevention controls for techniques in the enterprise matrix

The MITRE ATT&CK® framework is a useful way to standardize cybersecurity terminology and provides a framework for organizations to plan and evaluate their cybersecurity defenses.  This is demonstrated by the fact that many cybersecurity tool developers now provide explicit mappings of their tools’ capabilities to the MITRE ATT&CK framework.

Using the techniques and procedures outlined in the MITRE ATT&CK framework, organizations can develop controls specifically to detect and prevent certain attack behaviors.  However, it is important to do so carefully and acknowledge the risks of such an approach.

The risks of mapping defenses to ATT&CK techniques

While the MITRE ATT&CK framework is a very valuable and useful tool, it isn’t perfect.  When mapping defenses to MITRE ATT&CK techniques, two major risks exist:

  • Missing Techniques: The MITRE ATT&CK framework attempts to provide a comprehensive overview of the methods (Techniques) by which an attacker can achieve various operational objectives (Tactics).  However, it is possible that some techniques may not be included in the MITRE ATT&CK matrices.
  • Overlooked Procedures: Most MITRE ATT&CK techniques can be performed in a number of different ways (called Procedures).  The ability to detect one procedure does not guarantee that a tool is capable of detecting all of the ways in which a technique may be performed.

The fact that MITRE ATT&CK isn’t perfect doesn’t mean that it isn’t useful.  If an organization has protected itself against at least one procedure from every technique, then it is much more secure than if it hasn’t.  However, it is important not to fall into a false sense of security and to make an effort to identify and close gaps whenever possible.

How to identify gaps in security tool coverage

The MITRE ATT&CK framework provides a large amount of information about the various ways in which a particular technique can be performed.  This is a good starting point for testing the coverage of security tools.

Within a technique (or sub-technique), MITRE ATT&CK provides a description of how it can be performed (procedures), detected, and mitigated.  If possible, verify that a given security tool is capable of performing some or all of the described detection and mitigation steps.

Then, use a cybersecurity assessment to determine the effectiveness of these tools.  In some cases, a particular technique may be tested using off-the-shelf tools.  In others, a formal penetration test or red team assessment may be necessary to achieve the desired level of realism.  MITRE’s ATT&CK-based analytics development method provides a good framework for accomplishing this.

After testing the controls, verify that they were appropriately detected and mitigated.  If not, iterate until the cybersecurity defenses are capable of detecting that particular procedure.

Benefits of testing defense mapping against the environment

Cyberattackers’ tools and techniques can change, but they are not the only thing that can.  Over time, an organization’s network environment can expand and evolve.  This includes everything from migrating resources to the cloud to connecting new devices to the network to deploying or updating web applications.

These modifications can change an organization’s cybersecurity risk and exposure to potential attacks.  As new procedures are developed and an organization’s environment evolves, it is vital to keep up and periodically retest to see if any new vulnerabilities and attack vectors have been introduced as the organization’s attack surface has evolved.

Improving Cybersecurity with MITRE ATT&CK

The MITRE ATT&CK framework is an invaluable tool for cybersecurity.  The information that it provides gives organizations a wealth of information regarding potential attack vectors and how they can effectively protect themselves against them.

However, MITRE ATT&CK does have gaps, and it is important to recognize and plan for this.  Instead of assuming that ATT&CK-based defenses will work, do research and personally test detection and prevention capabilities against known and novel attacks.


Howard Poston
Howard Poston

Howard Poston is a copywriter, author, and course developer with experience in cybersecurity and blockchain security, cryptography, and malware analysis. He has an MS in Cyber Operations, a decade of experience in cybersecurity, and over five years of experience as a freelance consultant providing training and content creation for cyber and blockchain security. He is also the creator of over a dozen cybersecurity courses, has authored two books, and has spoken at numerous cybersecurity conferences. He can be reached by email at or via his website at