ATT&CK Use Cases

The six primary ways organizations use the MITRE ATT&CK framework.

This section is not in the original MITRE documentation, but it provides helpful context for understanding how ATT&CK is applied in practice.

1. Adversary Emulation

MITRE publishes profiles of specific adversary groups (the ATT&CK Groups pages) that map each group to the techniques it has been observed using. By applying cyber threat intelligence about a particular adversary, a team can emulate that adversary's tradecraft against its own environment and check whether existing defenses detect and stop it.

2. Red Teaming

Using ATT&CK as a shared vocabulary, red teams can plan and run simulated attacks against their own network, then measure how well the organization's defenses detect the activity and protect company assets.

3. Behavioral Analytics Development

ATT&CK can guide the development and testing of analytics that flag behavior indicative of a breach (what an adversary does on a system), as opposed to static indicators such as file hashes or IP addresses.

4. Defensive Gap Assessment

ATT&CK serves as a reference for evaluating the effectiveness of current security measures: mapping existing detections and controls to techniques exposes the weak spots, helps security teams prioritize improvements, and supports informed decisions about which security products would fill the gaps.

5. SOC Maturity Assessment

ATT&CK can be used to evaluate how well a Security Operations Center (SOC) detects, analyzes, and responds to threats, by tracking which techniques its people, processes, and tooling handle end to end.

6. Cyber Threat Intelligence Enrichment

Many groups use the same techniques listed in ATT&CK, so attribution to a specific group should not rest solely on the techniques observed. Proper attribution requires more detailed analysis.

"Attribution to a group is a complex process involving all parts of the Diamond Model, not solely on an adversary's use of TTPs." — MITRE

ATT&CK Coverage

Organizations should not try to cover every single ATT&CK technique; that is not practical. Not everything an adversary might do warrants an alert or tracking. For example, adversaries have been known to run ipconfig.exe to learn about a target system's network configuration, but administrators run it routinely for troubleshooting. Similarly, local, domain, and cloud accounts (Valid Accounts) are used for legitimate purposes all day; they should be monitored, but the fact that adversaries abuse them does not mean every organization needs an alert every time one is used.
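The following is an added example, not part of the original text or of MITRE's documentation, illustrating both the "Behavioral Analytics Development" use case above and the ipconfig.exe point just made. Instead of alerting on every ipconfig.exe execution, the analytic looks for a burst of several distinct discovery binaries from one host and user inside a short window, which is how an operator behaves right after landing on a box and how an administrator troubleshooting a NIC usually does not. The process-creation events, their field names (ts, host, user, image), and the list of discovery binaries are constructed for the example and are assumptions, not a real telemetry schema.

```python
"""Added example: a behavioral analytic over constructed process-creation events.

Alerts only when one host/user runs several *different* discovery binaries
within a short window, not on every single ipconfig.exe execution.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (assumed schema), not real telemetry.
# alice: two isolated ipconfig runs (admin troubleshooting) -> no alert.
# bob:   whoami, ipconfig, net, nltest, systeminfo in 25 seconds -> alert.
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "host": "WS01", "user": "alice", "image": "ipconfig.exe"},
    {"ts": "2024-05-01T09:45:00", "host": "WS01", "user": "alice", "image": "ipconfig.exe"},
    {"ts": "2024-05-01T13:10:05", "host": "WS07", "user": "bob", "image": "whoami.exe"},
    {"ts": "2024-05-01T13:10:09", "host": "WS07", "user": "bob", "image": "ipconfig.exe"},
    {"ts": "2024-05-01T13:10:14", "host": "WS07", "user": "bob", "image": "net.exe"},
    {"ts": "2024-05-01T13:10:21", "host": "WS07", "user": "bob", "image": "nltest.exe"},
    {"ts": "2024-05-01T13:10:30", "host": "WS07", "user": "bob", "image": "systeminfo.exe"},
    {"ts": "2024-05-01T15:00:00", "host": "WS03", "user": "carol", "image": "net.exe"},
]

# Built-in binaries commonly used for host/network discovery (assumed list,
# tune it to your environment).
DISCOVERY_IMAGES = {
    "ipconfig.exe", "whoami.exe", "net.exe", "net1.exe", "nltest.exe",
    "systeminfo.exe", "arp.exe", "nbtstat.exe", "route.exe",
}


def discovery_bursts(events, window=timedelta(minutes=2), min_distinct=4):
    """Return one alert per (host, user) that ran at least `min_distinct`
    different discovery binaries inside any `window`-long span.

    Each alert is a tuple (host, user, sorted list of distinct images seen).
    """
    by_key = defaultdict(list)
    for e in events:
        image = e["image"].lower()
        if image in DISCOVERY_IMAGES:
            by_key[(e["host"], e["user"])].append(
                (datetime.fromisoformat(e["ts"]), image))

    alerts = []
    for (host, user), items in by_key.items():
        items.sort()  # order by timestamp
        # Slide a window anchored at each event; collect distinct images
        # that fall inside it. Distinct images matter, not raw counts, so a
        # script that runs ipconfig ten times does not trip the analytic.
        for i, (t0, _) in enumerate(items):
            seen = {img for t, img in items[i:] if t - t0 <= window}
            if len(seen) >= min_distinct:
                alerts.append((host, user, sorted(seen)))
                break  # one alert per host/user is enough
    return alerts


if __name__ == "__main__":
    for host, user, images in discovery_bursts(EVENTS):
        print(f"ALERT discovery burst on {host} by {user}: {', '.join(images)}")
```

The thresholds (window length, number of distinct binaries) are where the tuning described in the text happens: raise them and the analytic misses slower, more patient operators; lower them and help-desk staff start generating alerts.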

"Similarly to how it's unrealistic to expect coverage of 100% of ATT&CK techniques, it's unrealistic to expect coverage of all procedures of a given method, especially since we often cannot know all of them in advance." — MITRE

A single technique can be carried out through many procedures, and adversaries keep inventing new ones, so it is difficult to anticipate every method an attacker will use. A detection built for one procedure (say, one particular command-line form) may miss another that achieves the same technique. Keeping up with techniques, sub-techniques, and procedures, and understanding how that variation affects coverage, is an ongoing effort.
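As an added example (not from the original text or from MITRE), the script below makes the coverage point above concrete and also serves the "Defensive Gap Assessment" use case. It maps a small inventory of detection rules to the technique/procedure pairs they fire on and computes coverage two ways: technique-level (does at least one rule touch the technique?) and procedure-level (what fraction of the known procedures does something detect?). The technique names are real ATT&CK technique names, but the procedure lists and the detection rules are made up for illustration and are not an extract of ATT&CK or of any real product.

```python
"""Added example: technique-level vs. procedure-level ATT&CK coverage.

Technique names are ATT&CK names; the procedures and detection rules are
illustrative assumptions, not real ATT&CK content.
"""
from collections import defaultdict

# Assumed mapping: technique -> procedures we know adversaries use for it.
TECHNIQUES = {
    "Valid Accounts": {
        "stolen local admin password", "domain account over VPN", "cloud IAM key",
    },
    "Scheduled Task/Job": {
        "schtasks.exe /create", "at.exe", "Register-ScheduledTask",
    },
    "Remote Services": {"RDP", "SMB admin share", "SSH"},
}

# Assumed detection inventory: rule name -> set of (technique, procedure)
# pairs the rule actually fires on.
DETECTIONS = {
    "local-admin-logon-anomaly": {("Valid Accounts", "stolen local admin password")},
    "schtasks-create": {("Scheduled Task/Job", "schtasks.exe /create")},
    "lateral-rdp": {("Remote Services", "RDP")},
    "lateral-smb": {("Remote Services", "SMB admin share")},
}


def coverage(techniques, detections):
    """Per-technique report: covered procedures, gaps, and covered fraction."""
    covered = defaultdict(set)
    for pairs in detections.values():
        for tech, proc in pairs:
            # Ignore rules that claim a technique/procedure we do not track.
            if tech in techniques and proc in techniques[tech]:
                covered[tech].add(proc)
    report = {}
    for tech, procs in techniques.items():
        hit = covered.get(tech, set())
        report[tech] = {
            "covered": sorted(hit),
            "gaps": sorted(procs - hit),
            "fraction": round(len(hit) / len(procs), 2),
        }
    return report


def technique_level_score(report):
    """The optimistic number: fraction of techniques with at least one rule."""
    return round(sum(1 for r in report.values() if r["covered"]) / len(report), 2)


def procedure_level_score(report):
    """The honest number: fraction of known procedures some rule fires on."""
    total = sum(len(r["covered"]) + len(r["gaps"]) for r in report.values())
    hit = sum(len(r["covered"]) for r in report.values())
    return round(hit / total, 2)


def prioritize(report):
    """Techniques ordered from weakest coverage to strongest, for the gap list."""
    return sorted(report, key=lambda t: (report[t]["fraction"], t))


if __name__ == "__main__":
    rep = coverage(TECHNIQUES, DETECTIONS)
    print("technique-level :", technique_level_score(rep))   # looks complete
    print("procedure-level :", procedure_level_score(rep))   # tells the truth
    for tech in prioritize(rep):
        print(f"  {tech:20s} {rep[tech]['fraction']:.2f}  gaps: {rep[tech]['gaps']}")
```

On this constructed data every technique is "covered" at the technique level, yet fewer than half of the known procedures are detected; a heat map colored by technique would hide that. The prioritized gap list is the artifact a gap assessment hands to the people deciding what to build or buy next.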