MITRE ATT&CK and threat intelligence
Mapping real adversary behaviour with the ATT&CK framework, plus IOCs, TTPs and the pyramid of pain.
~4 min read
From abstract stages to observed behaviour
The Cyber Kill Chain (from fundamentals) describes intrusion in seven broad stages. It's a useful mental model but too coarse to drive detection: "installation" doesn't tell a defender what to look for. MITRE ATT&CK fills that gap: a continuously updated, freely available knowledge base of the specific tactics and techniques adversaries actually use, built from observed real-world incidents. It has become the common language for describing attacker behaviour across the industry.
Tactics vs techniques
The framework is a matrix with two key levels:
- Tactics: the adversary's why, the goal being pursued at a given stage (the columns of the matrix). Each has an ID like TA0001.
- Techniques: the how, the specific method used to achieve a tactic, with sub-techniques for finer detail. Each has an ID like T1566 (Phishing); a sub-technique adds a three-digit suffix, like T1566.001.
So "the attacker used spear-phishing attachment (T1566.001) to achieve Initial Access (TA0001)" precisely describes a step in a way any defender can map to a detection.
The Enterprise matrix is the main one (there are also Mobile and ICS matrices). As of ATT&CK v19 its Enterprise tactics are:
| Tactic | Goal |
|---|---|
| Reconnaissance | Gather information to plan operations |
| Resource Development | Establish resources (infrastructure, accounts) to support operations |
| Initial Access | Get into the network |
| Execution | Run malicious code |
| Persistence | Maintain the foothold across reboots/logins |
| Privilege Escalation | Gain higher-level permissions |
| Stealth | Hide and conceal actions, appearing as normal behaviour |
| Defense Impairment | Break security mechanisms, tooling and pipelines |
| Credential Access | Steal account names and passwords |
| Discovery | Understand the environment |
| Lateral Movement | Move through the environment |
| Collection | Gather data of interest |
| Command and Control | Communicate with and control compromised systems |
| Exfiltration | Steal data out |
| Impact | Manipulate, interrupt or destroy systems and data |
(Earlier versions had a single Defense Evasion tactic; recent ATT&CK splits this into Stealth and Defense Impairment. The exact wording matters less than understanding the flow: get in, run, stay, escalate, hide, steal creds, explore, spread, collect, control, exfiltrate, impact.)
Why defenders use ATT&CK
- Detection engineering: for each technique, ATT&CK documents data sources and detection ideas, so a SOC can ask "can we detect T1059 (command/scripting interpreter abuse)?" and build coverage deliberately.
- Gap analysis / heat maps: colour the matrix by what you can detect to see your blind spots at a glance.
- Threat-actor profiling: ATT&CK catalogues known groups (e.g. APT29) and the techniques they favour, so you can prioritise defences against the actors who actually target your sector.
- Red/purple teaming: red teams emulate a specific actor's techniques; purple teaming pairs them with defenders to validate detections technique by technique.
- Communication: a shared, precise vocabulary across reports and tools.
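The gap-analysis step above is mechanical once techniques and detections share IDs. The script below is an added example (not code from the page or from MITRE): it reads a constructed miniature of the ATT&CK STIX 2.1 export (real technique IDs, only a handful of objects, but the export's own field names: `external_references`/`external_id`, `kill_chain_phases`/`phase_name`, `x_mitre_is_subtechnique`), joins it against a made-up detection inventory, and produces the per-tactic counts a heat map is coloured from, plus the list of blind spots. The rule names and the ID `T1566.999` are constructed for the example.

```python
"""Technique-coverage heat map over an ATT&CK-style STIX bundle (added example)."""
import re
from collections import defaultdict

TECHNIQUE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")


def attack_pattern(tid, name, phases, sub=False):
    """Build one attack-pattern object in the shape ATT&CK's STIX export uses."""
    return {
        "type": "attack-pattern",
        "name": name,
        "x_mitre_is_subtechnique": sub,
        "external_references": [{"source_name": "mitre-attack", "external_id": tid}],
        "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": p} for p in phases],
    }


# Constructed bundle: real technique IDs, plus one non-technique object that a
# loader must skip (a real bundle is mostly groups, software and relationships).
BUNDLE = {
    "type": "bundle",
    "objects": [
        attack_pattern("T1566", "Phishing", ["initial-access"]),
        attack_pattern("T1566.001", "Spearphishing Attachment", ["initial-access"], sub=True),
        attack_pattern("T1059", "Command and Scripting Interpreter", ["execution"]),
        attack_pattern("T1059.001", "PowerShell", ["execution"], sub=True),
        attack_pattern("T1078", "Valid Accounts", ["initial-access", "persistence", "privilege-escalation"]),
        attack_pattern("T1003", "OS Credential Dumping", ["credential-access"]),
        attack_pattern("T1041", "Exfiltration Over C2 Channel", ["exfiltration"]),
        {"type": "intrusion-set", "name": "ConstructedGroup"},
    ],
}

# Constructed detection inventory: rule name -> technique ID it is mapped to.
RULES = {
    "Office app spawns script interpreter": "T1566.001",
    "PowerShell with encoded command line": "T1059.001",
    "Large upload over an established beacon": "T1041",
    "Legacy rule with a stale mapping": "T1566.999",  # well-formed but not in the bundle
}


def load_techniques(bundle):
    """Return {technique_id: {"name", "tactics", "sub"}} from the attack-pattern objects."""
    techniques = {}
    for obj in bundle["objects"]:
        if obj.get("type") != "attack-pattern":
            continue
        tid = next(r["external_id"] for r in obj["external_references"]
                   if r["source_name"] == "mitre-attack")
        if not TECHNIQUE_ID.match(tid):
            raise ValueError(f"malformed technique ID {tid!r}")
        techniques[tid] = {
            "name": obj["name"],
            "tactics": [k["phase_name"] for k in obj["kill_chain_phases"]
                        if k["kill_chain_name"] == "mitre-attack"],
            "sub": bool(obj.get("x_mitre_is_subtechnique", False)),
        }
    return techniques


def coverage(techniques, rules):
    """Classify each technique as covered / partial / none.

    A rule mapped to a sub-technique covers it and counts only as *partial*
    coverage of the parent: detecting PowerShell (T1059.001) says nothing about
    the other interpreters under T1059. Rules whose ID is absent from the bundle
    are returned separately so stale mappings do not inflate the heat map.
    """
    status = {tid: "none" for tid in techniques}
    unknown = []
    for rule, tid in rules.items():
        if tid not in status:
            unknown.append((rule, tid))
            continue
        status[tid] = "covered"
        parent = tid.split(".")[0]
        if parent != tid and parent in status and status[parent] == "none":
            status[parent] = "partial"
    return status, unknown


def heat_map(techniques, status):
    """Per-tactic counts for colouring one matrix column; a technique that sits
    under several tactics (T1078) is counted under each of them."""
    cells = defaultdict(lambda: {"covered": 0, "partial": 0, "total": 0})
    for tid, info in techniques.items():
        for tactic in info["tactics"]:
            cells[tactic]["total"] += 1
            if status[tid] != "none":
                cells[tactic][status[tid]] += 1
    return dict(cells)


def gaps(techniques, status):
    """Techniques with no detection at all, grouped by tactic: the blind spots."""
    blind = defaultdict(list)
    for tid, info in techniques.items():
        if status[tid] == "none":
            for tactic in info["tactics"]:
                blind[tactic].append(tid)
    return dict(blind)


if __name__ == "__main__":
    techs = load_techniques(BUNDLE)
    status, unknown = coverage(techs, RULES)
    for tactic, cell in heat_map(techs, status).items():
        print(f"{tactic:22} {cell['covered']}/{cell['total']} covered, {cell['partial']} partial")
    print("blind spots:", gaps(techs, status))
    print("rules with unknown IDs:", unknown)
```

Two design points carry over to real inventories: count sub-technique rules as partial coverage of the parent rather than full, or the heat map will look greener than it is, and report rules whose IDs no longer resolve, since technique IDs are deprecated and revoked between ATT&CK versions.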
IOCs, TTPs and the pyramid of pain
Threat intelligence distinguishes what you detect on:
- IOCs (Indicators of Compromise): concrete artefacts left by an intrusion, such as file hashes, malicious IPs and domains, registry keys and filenames. Easy to share and block, but brittle: an attacker changes a hash or IP trivially.
- TTPs (Tactics, Techniques and Procedures): the attacker's behaviour and methodology. Much harder for an attacker to change, because it reflects how they actually operate.
David Bianco's Pyramid of Pain ranks indicator types by how much it costs the attacker when you can detect and block on them. From bottom to apex: hash values, IP addresses, domain names, network/host artefacts, tools, and TTPs. A hash or IP is swapped in minutes and a domain in hours; replacing a tool or changing how the operation is actually run means retooling and retraining, which is why TTPs at the apex are the most painful to alter. The lesson driving modern detection: shift from chasing disposable IOCs toward detecting behaviour. That is exactly what ATT&CK enables, and why behaviour-based EDR displaced signature-only antivirus.
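The pyramid is easiest to see with two detections run over the same events. The script below is an added example, not from the page: the three process-creation events are constructed (field names modelled loosely on Sysmon process-creation events, with a destination IP folded in; hashes, paths and IPs are made up). The first two events are the same tradecraft, a macro-laden attachment dropping and running a payload, before and after the attacker re-packed the payload and moved infrastructure; the third is an administrator running a script. An IOC feed built from the first sighting catches only the first; a behaviour rule mapped to T1566.001 catches both and ignores the administrator.

```python
"""IOC match vs behaviour match over constructed process-creation events (added example)."""

# Pyramid of Pain levels, bottom (cheap for the attacker to change) to apex.
PYRAMID = ["hash", "ip", "domain", "artifact", "tool", "ttp"]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Constructed events. c1: first sighting of the campaign. c2: the same tradecraft
# after the payload was re-packed (new hash) and the C2 moved (new IP).
# b1: an administrator running a maintenance script from the desktop shell.
EVENTS = [
    {"id": "c1",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Users\alice\AppData\Local\Temp\invoice_0421.exe",
     "Hashes": "SHA256=" + "a1" * 32, "DestinationIp": "203.0.113.10"},
    {"id": "c2",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Users\bob\AppData\Local\Temp\remit.exe",
     "Hashes": "SHA256=" + "b2" * 32, "DestinationIp": "198.51.100.7"},
    {"id": "b1",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Hashes": "SHA256=" + "c3" * 32, "DestinationIp": "10.0.0.5"},
]

# Constructed IOC feed written after c1 was analysed: one hash, one IP.
FEED = {"hash": {"a1" * 32}, "ip": {"203.0.113.10"}}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def ioc_match(event, feed):
    """Bottom of the pyramid: exact matches on hash and IP from a feed."""
    hits = []
    sha256 = event["Hashes"].split("SHA256=", 1)[1].lower()
    if sha256 in feed["hash"]:
        hits.append("hash")
    if event["DestinationIp"] in feed["ip"]:
        hits.append("ip")
    return hits


def ttp_match(event):
    """Apex of the pyramid: an Office application spawning an executable out of
    a user-writable temp directory, whatever the file or the destination.
    Mapped to T1566.001 (Spearphishing Attachment). To evade it the attacker has
    to stop delivering macro-laden attachments, not just rebuild the payload."""
    parent = basename(event["ParentImage"])
    child = event["Image"].lower()
    if parent in OFFICE_APPS and "\\appdata\\local\\temp\\" in child:
        return "T1566.001"
    return None


def run(events, feed):
    """Evaluate both detections against every event."""
    return {e["id"]: {"ioc": ioc_match(e, feed), "ttp": ttp_match(e)} for e in events}


def strongest(result):
    """Highest pyramid level at which an event was detected, or None."""
    levels = list(result["ioc"]) + (["ttp"] if result["ttp"] else [])
    return max(levels, key=PYRAMID.index) if levels else None


if __name__ == "__main__":
    for event_id, result in run(EVENTS, FEED).items():
        print(event_id, result, "->", strongest(result))
```

The IOC rule is not useless: it is cheap, precise and shareable, and on c1 it fires alongside the behaviour rule. Its weakness is that c2, the same actor a week later, produces no IOC hit at all, while the T1566.001 rule needs no update to catch it.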
Other useful frameworks (recognise them)
- The Diamond Model: analyses an intrusion as four linked vertices: adversary, capability, infrastructure, victim. A way to structure analysis and pivot between related events.
- Cyber Kill Chain: the seven-stage model; good for the big picture, complemented by ATT&CK's detail.
- STIX/TAXII: standard formats and transport for sharing threat intelligence between organisations and tools.
Quick recall
- ATT&CK is a knowledge base of real-world adversary behaviour: tactics (the why, e.g. TA0001 Initial Access) × techniques (the how, e.g. T1566 Phishing), mainly the Enterprise matrix.
- Flow: recon → resource dev → initial access → execution → persistence → priv-esc → stealth/defense impairment → credential access → discovery → lateral movement → collection → C2 → exfiltration → impact.
- Used for detection engineering, gap analysis (heat maps), actor profiling, and red/purple teaming.
- IOCs (hashes, IPs, domains) are easy to share but brittle; TTPs (behaviour) are durable. The Pyramid of Pain says detecting TTPs hurts attackers most.
- Also know: Diamond Model (adversary/capability/infrastructure/victim) and STIX/TAXII (intel sharing).