Use cases for implementing the MITRE ATT&CK® framework

Howard Poston
November 11, 2020 by
Howard Poston

The MITRE ATT&CK ® framework is a vast repository of cybersecurity knowledge.  Each of the MITRE ATT&CK framework outlines a number of goals that an attacker may need to achieve while performing a cyberattack (Tactics), the methods used to achieve these goals (Techniques), particular tools and threat actors known to use these methods (Procedures), and methods for detecting and responding to each method.  All of this information is organized into a set of matrices based upon the target environment in question (Enterprise vs. Mobile vs. ICS) and the stage in the cyberattack lifecycle (PRE-ATT&CK vs. Enterprise, etc.).

This wealth of information can be used in a number of different ways.  MITRE ATT&CK provides six sample use cases for the information contained within its framework.

1. Adversary emulation

When performing a penetration test of an organization, the goal is to test its resiliency against realistic cyber threats.  As part of this, the ability to realistically simulate the operations of particular threat actors can be a significant asset.  Additionally, it is essential that an organization have defenses in place against the most commonly-used tactics of cybercriminals and other threat actors.

MITRE ATT&CK can be used to help verify that an organization’s defenses provide adequate protection against real-world threats.  MITRE ATT&CK provides information about both potential attack vectors and the adversaries known to use them.

2. Red teaming

A red team assessment is designed to identify potential weaknesses in an organization’s defenses.  Typically, these assessments are performed with no knowledge of the target’s internal environment.

MITRE ATT&CK can be used for a variety of purposes in a red team assessment including:

  • Comprehensive Coverage: Mapping a red team assessment to the MITRE ATT&CK framework helps a red team to ensure that nothing is accidentally overlooked.
  • Clearer Communications: MITRE ATT&CK standardizes cybersecurity terminology and the potential attack vectors, which can be useful for communicating results to the client.
  • Avoiding Certain Attack Vectors: MITRE ATT&CK can be used to identify attack vectors that may be out of scope for an assessment.
  • Identifying Opportunities: MITRE ATT&CK outlines different methods for achieving certain goals, which can be used to identify ways to bypass defenses.

3. Behavioral analytics development

Traditional indicators of compromise (IoCs) and malware signatures are rapidly losing effectiveness.  Cyber threat actors can easily make minor modifications to their malware and tools that renders past IoCs and signatures obsolete.  As a result, only about half of malware is caught by signature AV.

The methods by which an attacker carries out an attack (their behaviors) is more difficult and expensive to change.  This makes behavioral analytics a better way to detect attacks and perform attribution.

MITRE ATT&CK Techniques describe *how* a particular goal can be achieved without specifying a particular tool (though tools are referenced in the Procedures sections of each Technique).  Defenders can identify attacks based upon this tool and can potentially perform attribution based upon the list of threat actors known to use that particular technique (also listed under Procedures).

4. Defensive gap assessment

A defensive gap assessment is designed to identify the holes in an organization’s cyber defenses that an adversary may attempt to exploit during an attack.  These holes can be difficult to discover in some cases because they require looking for what isn’t there.

MITRE ATT&CK provides a listing of methods by which an attacker could achieve their objectives at each stage of the cyberattack lifecycle, including a list of methods to detect and defend against these techniques.  MITRE ATT&CK can be used as a framework for a defensive gap assessment, with analysts checking if each potential attack vector applies to an organization and, if so, if solutions are in place to detect and/or protect against it.

5. SOC maturity assessment

An organization’s security operations center (SOC) is responsible for detecting and responding to cyberattacks against the organization.  If an organization’s SOC cannot detect and appropriately respond to a certain type of an attack, then the organization is vulnerable to an adversary using this particular technique.

The MITRE ATT&CK framework can be used to measure the maturity and effectiveness of an organization’s SOC.  By performing tests against each of the techniques outlined within the MITRE ATT&CK framework, an organization can test the effectiveness of their SOC and defenses against the cyber threats that it is likely to face.

6. Cyber threat intelligence enrichment

Cyber threat intelligence is essential to an organization’s ability to protect itself against modern threats.  It includes information about the tools, techniques, and procedures used by each of the active threat actor groups.

The MITRE ATT&CK framework can help an organization to make its threat intelligence actionable.  Using the information provided within the framework, an organization can identify behaviors common to particular threat actors and determine whether their existing defenses are capable of detecting and responding to attacks by these adversaries.


Howard Poston
Howard Poston

Howard Poston is a copywriter, author, and course developer with experience in cybersecurity and blockchain security, cryptography, and malware analysis. He has an MS in Cyber Operations, a decade of experience in cybersecurity, and over five years of experience as a freelance consultant providing training and content creation for cyber and blockchain security. He is also the creator of over a dozen cybersecurity courses, has authored two books, and has spoken at numerous cybersecurity conferences. He can be reached by email at or via his website at