MITRE ATT&CK Framework Explained
What Is the MITRE ATT&CK Framework?
The MITRE ATT&CK framework is a globally accessible knowledge base of adversary tactics, techniques, and procedures (TTPs) based on real-world observations. Created by the MITRE Corporation, it provides a common language for security teams to describe, analyze, and defend against cyber threats. Instead of chasing individual indicators of compromise (IoCs), ATT&CK shifts focus to the behavior behind an attack — the how rather than the what.
ATT&CK organizes attacks into a matrix of tactics (the "why" — the objective of a step), techniques (the "how" — the method used to achieve the tactic), and procedures (the specific implementation of a technique used by a real adversary group). This structure lets defenders reason about coverage gaps, prioritize detections, and communicate threat intelligence with precision.
Tactics vs. Techniques vs. Procedures
Understanding the three layers of ATT&CK is essential:
- Tactics represent the strategic objective. There are 14 tactics in the enterprise matrix, including Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, and Impact. Each tactic answers: "What is the adversary trying to achieve right now?"
- Techniques describe the method used. For example, under Persistence you might find T1098 (Account Manipulation) or T1053 (Scheduled Task/Job). A single tactic may contain dozens of techniques.
- Procedures are the ground truth — the specific tools, commands, or malware variants that implement a technique. For instance, APT29 using
schtasks.exeon Windows to create a scheduled task is a procedure for T1053.005.
The Enterprise Matrix Overview
The enterprise ATT&CK matrix is a grid with tactics as columns and techniques as rows. Each technique maps to one or more tactics and includes a unique ID (e.g., T1059), a name, a description, detection suggestions, and mitigation strategies. The matrix covers Windows, macOS, Linux, cloud (AWS, Azure, GCP), container, and network environments.
As of the latest release, the matrix contains over 200 techniques and 400+ sub-techniques, updated biannually by the MITRE team with input from the global security community.
Technique Spotlight: T1059 — Command and Scripting Interpreter
T1059 is one of the most frequently observed techniques in the wild. It covers the abuse of command and scripting interpreters to execute arbitrary code. Sub-techniques include:
- T1059.001 — PowerShell (used in 70%+ of intrusions involving scripting)
- T1059.003 — Windows Command Shell (cmd.exe)
- T1059.004 — Unix Shell (bash, sh, zsh)
- T1059.005 — Visual Basic Script
- T1059.006 — Python
- T1059.007 — JavaScript/JScript
Detection of T1059 often involves monitoring process creation events (Event ID 4688 for Windows, auditd for Linux) for suspicious parent-child relationships — for example, Microsoft Word spawning powershell.exe.
Technique Spotlight: T1078 — Valid Accounts
T1078 is the technique of using legitimate credentials to access systems. It is the top initial-access vector according to numerous breach reports. Sub-techniques cover default accounts (T1078.001), domain accounts (T1078.002), local accounts (T1078.003), cloud accounts (T1078.004), and service accounts (T1078.005).
Detecting T1078 requires behavioral baselining — anomalous login times, unusual source IPs, impossible travel, and service accounts acting outside their normal scope. Shieldlix's detection engine correlates these signals across identity, endpoint, and network logs to surface credential misuse.
How Security Teams Use ATT&CK
Detection Engineering
Teams map their existing detection rules to ATT&CK techniques to visualize coverage. A SIEM rule that flags rundll32.exe executing without a parent of explorer.exe might map to T1218.011 (Signed Binary Proxy Execution). The framework helps engineers answer: "Which adversary behaviors are we well-prepared for, and which are blind spots?"
Threat Intelligence
Threat reports published by vendors and research groups often include ATT&CK technique IDs. This allows defenders to immediately cross-reference the adversary's behavior against their own detection stack. If a new ransomware group is reported using T1486 (Data Encrypted for Impact) and T1490 (Inhibit System Recovery), you can instantly check whether your environment monitors those techniques.
Gap Analysis
By overlaying your detection capabilities onto the ATT&CK matrix, gaps become visually obvious. If your team has 20 detections for Execution but only 2 for Persistence, you know where to invest next. Gap analysis is a core input for security roadmaps and budget justifications.
How Shieldlix Maps Detections to MITRE ATT&CK
Shieldlix's detection engine is built with MITRE ATT&CK as its organizing principle. Every detection rule — whether based on Sigma, Suricata, or custom logic — is tagged with its corresponding ATT&CK technique ID. The platform provides:
- A coverage heatmap showing which tactics and techniques your environment can detect
- Automated recommendations for rules that fill coverage gaps
- Threat intelligence enrichment that surfaces the specific ATT&CK techniques used by active adversary groups
- Reporting that maps every alert to its MITRE tactic and technique for compliance (PCI DSS, SOC 2, etc.)
With Shieldlix, you don't just collect logs — you understand your defensive posture in the language of ATT&CK. Pair it with our SIEM for a complete detection and response workflow.