What Is MITRE ATT&CK?

• Tactics: The attacker’s goals (e.g. Initial Access, Lateral Movement, Exfiltration).
• Techniques: How attackers achieve those goals (e.g. Phishing, SMB exploitation).
• Sub-techniques: More specific implementations of a technique.

Applications of MITRE ATT&CK

• Threat Modeling: Understand how attackers might target your systems and analyze potential attack paths.
• Detection Engineering: Build SIEM rules and detections for specific techniques (e.g. alerts for T1021.002 SMB connections).
• Gap Analysis: Identify where security controls lack coverage for certain TTPs.
• Incident Response: Classify attacker activity based on ATT&CK IDs and communicate consistently (e.g. “the attacker used T1071.003”).
• Reporting: Use a standard language to explain technical threats clearly to management.

The ATT&CK Mapping Process

⭐ 1. Gather Context

You start with input such as:

• Threat intelligence reports from vendors
• News about new attacker campaigns
• Logs, forensic artifacts, and EDR alerts from real incidents
• Red team assessments
• Hypothetical “what if” attack scenarios

Example: An alert shows a user accessed a suspicious website, then tried to authenticate to multiple servers via SMB.

⭐ 2. Identify Tactics & Techniques

Ask:

• What Tactic does this activity fall under (e.g. Initial Access, Lateral Movement)?
• What Technique best describes the method used?

Tools you’d use:

• MITRE ATT&CK Navigator
• The search bar on the MITRE ATT&CK website
• Keyword searches related to suspicious behavior

Examples:

• Phishing email → Tactic: Initial Access → Technique: Phishing (T1566)
• Lateral movement via SMB → Tactic: Lateral Movement → Technique: SMB/Windows Admin Shares (T1021.002)

⭐ 3. Document the Mapping

Next, document your findings in a table or ticket:

⭐ 4. Map to Detection and Controls

Identify how to detect the technique and verify if controls exist.

Example:

• T1021.002 – SMB Lateral Movement:
• Detection: Monitor for unusual SMB traffic between workstations.
• Mitigation: Disable admin shares where possible.

⭐ 5. Communicate & Report

Mapping helps you:

• Write incident reports with precise language.
• Brief managers or stakeholders clearly.
• Develop new detection rules.
• Perform control gap analysis.

Example language in a report:

“The adversary gained initial access via T1566.002 (Phishing: Spearphishing Link) and attempted lateral movement using T1021.002 (SMB/Windows Admin Shares).”

⭐ 6. Visualize with ATT&CK Navigator

Many professionals use the ATT&CK Navigator to:

• Load a blank matrix
• Highlight observed techniques
• Color-code:
  • Red → observed in attack
  • Yellow → potential risk area
  • Green → covered by detections

This creates a visual report of your environment’s vulnerabilities.

Scenario Walkthrough: Phishing → Credential Theft

Gather Context:

• Email alert flagged suspicious link.
• User entered credentials into fake login page.

Identify Tactics & Techniques:

• Initial Access: T1566.002 – Phishing: Spearphishing Link
• Credential Access: T1056.003 – Input Capture: Web Portal Capture

Document Mapping:

“User compromised via T1566.002. Credentials harvested via T1056.003.”

Check Detections:

• Does the SIEM detect clicks to suspicious domains?
• Are there rules to alert on credential reuse?

Report:

Include technique IDs in incident reports for consistency.

Tools You’d Use

• MITRE ATT&CK Navigator – for mapping techniques visually.
• Excel / GRC Tools – for tracking coverage vs. gaps.
• SIEM platforms (Splunk, ELK, Sentinel, etc.) – for writing detection rules.
• Threat Intel Platforms – to correlate intel reports to ATT&CK techniques.

In Short

On the job, ATT&CK mapping connects real-world events to a common language of attacker behavior. It’s crucial for detection engineering, incident response, reporting, and proactive threat modeling.