MITRE ATT&CK
Definition
MITRE ATT&CK is a **public, living knowledge base** of the tactics, techniques, and procedures (TTPs) that real-world adversaries use during cyberattacks. It’s maintained by **MITRE Corporation**, a U.S. nonprofit that works on security research. ATT&CK stands for **Adversarial Tactics, Techniques, and Common Knowledge**. The framework breaks down attacks into **tactics** (the “why”), **techniques** (the “how”), and **sub-techniques** (specific details), all mapped in a way that helps defenders understand and detect malicious behavior.

The structure looks like a big matrix:

* **Tactics** – The columns (goals like Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command & Control, Exfiltration, Impact)
* **Techniques** – The cells (ways to achieve that goal, like Phishing, PowerShell, or Valid Accounts)
* **Sub-techniques** – Specific methods under a broader technique (e.g., under Phishing: Spearphishing Attachment, Spearphishing Link)

Why it’s valuable in investigations:

* **Shared language** – Analysts can say “T1566.001” and everyone knows it means Spearphishing Attachment (well not really, but they can look it up).
* **Threat hunting** – You can map logs and detections to techniques to see which parts of the attack chain you’re catching (and which you’re missing).
* **Adversary emulation** – Red teams use it to replicate the TTPs of specific threat groups.
* **Intelligence linking** – Campaigns can be compared by which techniques they use.

Real-world examples:

* Mapping a ransomware incident: Initial Access (T1566 – Phishing) → Execution (T1059 – Command and Scripting Interpreter) → Impact (T1486 – Data Encrypted for Impact).
* Threat intel reports often cite MITRE IDs so defenders can quickly check their detection coverage.
* Groups like APT29 (Cozy Bear) and FIN7 have their observed behaviors documented in ATT&CK, helping defenders anticipate future moves.
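The “map logs and detections to techniques” idea above, worked through in code. This is an added example in Python, not code from this glossary, from MITRE, or from the ATT&CK Navigator. The technique IDs are real ATT&CK identifiers (T1566, T1566.001, T1059, T1059.001, T1078, T1486); the detection rules, host names and log lines are constructed for illustration, and the matrix slice is deliberately tiny.

```python
"""Map detection hits on log lines to ATT&CK techniques, then report which
tactics (matrix columns) are covered and where a kill chain has gaps.

Added example, not part of the glossary page. Technique IDs are real ATT&CK
identifiers; rules, hosts and log lines are constructed.
"""
import re

# A small slice of the Enterprise matrix: technique ID -> (name, tactic).
# IDs and names are real ATT&CK entries; the full matrix is far larger.
TECHNIQUES = {
    "T1566":     ("Phishing", "Initial Access"),
    "T1566.001": ("Spearphishing Attachment", "Initial Access"),
    "T1078":     ("Valid Accounts", "Persistence"),
    "T1059":     ("Command and Scripting Interpreter", "Execution"),
    "T1059.001": ("PowerShell", "Execution"),
    "T1486":     ("Data Encrypted for Impact", "Impact"),
}

# Constructed detection rules: (rule name, regex over a log line, technique IDs).
# Each rule is tagged with the technique(s) whose behaviour it evidences.
RULES = [
    ("mail_macro_attachment", re.compile(r"attachment=\S+\.docm"), ["T1566.001"]),
    ("encoded_powershell", re.compile(r"powershell(\.exe)?.*\s-enc\b", re.I), ["T1059.001"]),
    ("mass_rename_to_locked", re.compile(r"event=rename .* -> \S+\.locked"), ["T1486"]),
]

# Constructed log lines for a ransomware-style incident (hosts/users are fake).
SAMPLE_LOGS = [
    "2024-05-01T08:02:11 mailgw from=vendor@example.net to=a.user@corp.example "
    "attachment=invoice_0425.docm verdict=delivered",
    "2024-05-01T08:05:43 edr host=WS-0142 user=a.user proc=powershell.exe "
    "cmdline=\"powershell.exe -nop -w hidden -enc <base64-omitted>\"",
    "2024-05-01T08:06:10 auth host=WS-0142 user=svc_backup logon_type=3 result=success",
    "2024-05-01T08:31:27 fs host=FS-01 event=rename path=/share/finance/q1.xlsx "
    "-> /share/finance/q1.xlsx.locked",
]

# The page's example chain: Initial Access -> Execution -> Impact.
RANSOMWARE_CHAIN = ["T1566", "T1059", "T1486"]


def match_rules(log_lines):
    """Return (rule_name, technique_ids) for every rule that fires on a line."""
    hits = []
    for line in log_lines:
        for name, pattern, tids in RULES:
            if pattern.search(line):
                hits.append((name, tids))
    return hits


def observed_techniques(log_lines):
    """Set of technique IDs evidenced by rule hits.

    A sub-technique hit (T1566.001) also counts as evidence for its parent
    technique (T1566), since the parent is the broader behaviour.
    """
    seen = set()
    for _, tids in match_rules(log_lines):
        for tid in tids:
            seen.add(tid)
            seen.add(tid.split(".")[0])
    return seen


def tactic_coverage(log_lines):
    """Map every tactic in the matrix slice to the techniques observed under it.

    Tactics with an empty list are columns where no detection fired, i.e. the
    blind spots a threat hunter would want to look at next.
    """
    seen = observed_techniques(log_lines)
    coverage = {}
    for tid, (_name, tactic) in TECHNIQUES.items():
        coverage.setdefault(tactic, [])
        if tid in seen:
            coverage[tactic].append(tid)
    return {tactic: sorted(tids) for tactic, tids in coverage.items()}


def kill_chain_gaps(chain, log_lines):
    """Return the technique IDs in an expected chain that no detection evidenced."""
    seen = observed_techniques(log_lines)
    return [tid for tid in chain if tid not in seen]


if __name__ == "__main__":
    for tactic, tids in tactic_coverage(SAMPLE_LOGS).items():
        names = [TECHNIQUES[t][0] for t in tids]
        print(f"{tactic:16s} {names if names else '(no coverage)'}")
    print("gaps in ransomware chain:", kill_chain_gaps(RANSOMWARE_CHAIN, SAMPLE_LOGS))
    print("gaps if Valid Accounts expected:",
          kill_chain_gaps(["T1566", "T1078", "T1059", "T1486"], SAMPLE_LOGS))
```

Run as a script and the coverage table shows Initial Access, Execution and Impact evidenced, while Persistence is empty: the `svc_backup` logon line is in the logs, but no rule is tagged with T1078, so that column is a blind spot even though the activity was recorded. That is exactly the “which you’re missing” question the matrix is meant to answer, and the same structure scales to a full rule set and the real matrix export.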
Further reading:

* MITRE ATT&CK main site: [https://attack.mitre.org/](https://attack.mitre.org/)
* MITRE ATT&CK Navigator (interactive mapping tool): [https://mitre-attack.github.io/attack-navigator/](https://mitre-attack.github.io/attack-navigator/)
* CISA guide to using ATT&CK for defense: [https://www.cisa.gov/stopransomware/mitre-attack-framework](https://www.cisa.gov/stopransomware/mitre-attack-framework)
* CrowdStrike’s “Practical Guide to ATT&CK”: [https://www.crowdstrike.com/cybersecurity-101/mitre-attack-framework/](https://www.crowdstrike.com/cybersecurity-101/mitre-attack-framework/)