MITRE ATT&CK Framework
Type: Adversary behavior knowledge base / cybersecurity framework
Maintained by: MITRE Corporation (nonprofit R&D organization)
URL: attack.mitre.org
Key Facts
- Structured taxonomy of adversary Tactics, Techniques, and Procedures (TTPs) organized by attack lifecycle phases
- Enterprise ATT&CK: 14 tactics (Reconnaissance → Initial Access → Execution → Persistence → Privilege Escalation → … → Impact)
- Each tactic contains multiple techniques; techniques contain sub-techniques; each links to observed real-world threat actor campaigns
- Complementary matrices: Mobile ATT&CK, ICS ATT&CK (critical infrastructure), PRE-ATT&CK (pre-compromise)
- APT tracking: each known threat actor (APT28, Lazarus Group, etc.) is mapped to the ATT&CK techniques observed in its campaigns
OSINT Application
- Malware analysis: extract techniques from vendor reports and from VirusTotal/MalwareBazaar results, then map them to ATT&CK IDs (T1059, T1003, etc.)
- Attribution: overlap of ATT&CK technique clusters across incidents is one input (not sole determinant) in threat actor attribution
- Detection engineering: defenders write detection rules keyed to ATT&CK technique IDs, so coverage can be measured against the matrix
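As an added example (not from the page or from MITRE), the two OSINT steps above, extracting technique IDs from report text and comparing technique clusters across incidents, in Python; the report excerpts are constructed, the sub-technique collapsing (T1059.001 to T1059) and the Jaccard score are assumptions of this example, not an ATT&CK-defined method.

```python
import re
from itertools import combinations
from typing import Dict, Set, Tuple

# Technique IDs look like T1059; sub-technique IDs add a three-digit suffix, e.g. T1059.001.
ATTACK_ID_RE = re.compile(r"\bT\d{4}(?:\.\d{3})?\b")

# Constructed excerpts standing in for vendor-report text (not real incidents).
REPORTS: Dict[str, str] = {
    "incident-A": ("Initial access via spearphishing attachment (T1566.001); PowerShell "
                   "loader (T1059.001); LSASS memory dumped (T1003.001); lateral movement "
                   "over SMB admin shares (T1021.002)."),
    "incident-B": ("Spearphishing link (T1566.002), PowerShell stager (T1059.001), "
                   "credential dumping (T1003) and C2 over HTTPS (T1071.001)."),
    "incident-C": ("Exploited a public-facing web app (T1190), dropped a web shell "
                   "(T1505.003), ran commands via cmd.exe (T1059.003)."),
}


def extract_ids(text: str) -> Set[str]:
    """Pull every ATT&CK technique/sub-technique ID out of free text."""
    return set(ATTACK_ID_RE.findall(text))


def technique_cluster(text: str, collapse_subtechniques: bool = True) -> Set[str]:
    """Build an incident's technique cluster; optionally fold sub-techniques into
    their parent (T1059.001 -> T1059) so reports of differing granularity compare."""
    ids = extract_ids(text)
    if collapse_subtechniques:
        ids = {tid.split(".")[0] for tid in ids}
    return ids


def jaccard(a: Set[str], b: Set[str]) -> float:
    """Overlap of two technique clusters, 0.0 (disjoint) to 1.0 (identical)."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def pairwise_overlap(reports: Dict[str, str],
                     collapse_subtechniques: bool = True) -> Dict[Tuple[str, str], float]:
    """Jaccard overlap for every pair of incidents: one attribution input, not a verdict."""
    clusters = {name: technique_cluster(txt, collapse_subtechniques)
                for name, txt in reports.items()}
    return {(x, y): jaccard(clusters[x], clusters[y])
            for x, y in combinations(sorted(clusters), 2)}


if __name__ == "__main__":
    for pair, score in pairwise_overlap(REPORTS).items():
        print(f"{pair[0]} vs {pair[1]}: {score:.2f}")
```

Collapsing sub-techniques is what lets incident-A and incident-B (both spearphishing, PowerShell and credential dumping, at different sub-technique granularity) score 0.6 rather than 1/7; a high score is a lead for further analysis, not attribution by itself.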