Using MITRE ATT&CK with cyber threat intelligence

Howard Poston
February 9, 2021 by
Howard Poston

The MITRE ATT&CK framework is a tool developed by the MITRE Corporation. It is designed to provide information about how a cyberattack works and the various means that an attacker can carry out their goals at each stage of an attack.

MITRE ATT&CK is primarily a repository of information without a clear guide on how to work through and take advantage of it. Cyber threat intelligence provides this guidance, and MITRE ATT&CK offers a few tools to help organizations to use it to operationalize their threat intelligence.


Cyber threat actors commonly operate in groups. Many cybersecurity organizations track advanced persistent threats (APTs), organized cybercrime groups and other cyber threats. These groups are defined and tracked by identifying commonalities between cyberattack campaigns believed to originate from the same threat actors.

The MITRE ATT&CK Framework includes a listing of these groups. For each of the 110 groups currently tracked, MITRE ATT&CK includes a list of the Techniques and Software known to be used by these groups.

This enables an organization to leverage MITRE ATT&CK to develop defenses and mitigations based upon threat intelligence linked to various cyber threat groups. Knowledge that a particular group is active and that an organization is likely to be a target of its attacks — based on industry, location, size, etc. — can help with the prioritization of defenses based on the Techniques and Software that the group is known to use.

MITRE ATT&CK procedures

The MITRE ATT&CK framework is designed hierarchically. MITRE Tactics describe goals that an attacker may wish to accomplish during their attacks, and Techniques and Sub-Techniques describe particular methods for achieving these goals.

Each Technique and Sub-Technique also contains a list of associated Procedures. These include different groups and software known to use that particular type of attack. This information can be combined with threat intelligence for incident response or defense development.

From an identified malware sample, an organization can determine the potential Techniques and Sub-Techniques that may be in use, which is helpful for incident investigation or developing defenses against that particular threat. The reverse is also true: the knowledge that a particular Technique is currently common (based on threat intelligence) can inspire an organization to develop defenses designed to detect or prevent attacks against threat actors or malware known to use that particular Technique.

MITRE ATT&CK detection and mitigation

In addition to Procedures, MITRE ATT&CK includes a list of Detection and Mitigation steps for each Technique or Sub-Technique. These are designed to improve an organization’s ability to prevent or respond to a particular threat.

Based on threat intelligence, an organization may determine that a particular MITRE ATT&CK Technique or Sub-Technique poses a significant risk to the organization. The list of Detection and Mitigation examples associated with this Technique or Sub-Technique provides guidance for operationalizing this threat intelligence to help reduce this risk.

Operationalizing cyber threat intelligence with MITRE ATT&CK

The MITRE ATT&CK Framework provides a wealth of information about cyber threats and how to respond to them. However, the sheer amount of information can be overwhelming, and the Framework does not provide a means of prioritizing these actions.

Cyber threat intelligence provides this missing piece. By using cyber threat intelligence to prioritize defensive operations and MITRE ATT&CK as guidance for how to carry them out, an organization can dramatically decrease its cybersecurity risk exposure.


Howard Poston
Howard Poston

Howard Poston is a copywriter, author, and course developer with experience in cybersecurity and blockchain security, cryptography, and malware analysis. He has an MS in Cyber Operations, a decade of experience in cybersecurity, and over five years of experience as a freelance consultant providing training and content creation for cyber and blockchain security. He is also the creator of over a dozen cybersecurity courses, has authored two books, and has spoken at numerous cybersecurity conferences. He can be reached by email at or via his website at