Glossary

MITRE ATT&CK

MITRE ATT&CK is a publicly available knowledge base of adversary tactics and techniques used to describe and analyze cyber attacks.

MITRE ATT&CK is a publicly available knowledge base that documents known tactics, techniques, and procedures (TTPs) used by cyber adversaries. It organizes how attackers behave across different stages of an intrusion, providing a common language to describe, analyze, and share information about cyber attacks.

The framework is maintained by MITRE, a not-for-profit organization, and is based on real-world observations. It is structured into matrices that group adversary behavior by high-level tactics (the attacker’s objective, such as initial access or impact) and the techniques used to achieve those objectives (for example, spearphishing, credential dumping, or command and control methods).

Use in industrial and regulated environments

In industrial operations, OT networks, and regulated manufacturing environments, MITRE ATT&CK is commonly used to:

  • Map cyber threat intelligence (CTI) to specific adversary behaviors relevant to plants, control systems, and supporting IT
  • Assess defensive coverage of security controls across the attack lifecycle
  • Support incident investigation and post-incident reviews by classifying observed attacker actions
  • Standardize communication between security, OT, and risk teams when discussing threats and detection gaps

In addition to the enterprise matrix, specialized matrices exist for mobile and industrial control systems (ICS). The ICS matrix focuses on techniques and tactics specific to control systems, field devices, and OT environments, which are often present in manufacturing plants and critical infrastructure.

Operational meaning

Operationally, MITRE ATT&CK is often embedded into security tools and workflows. Examples include:

  • Security operations centers (SOC) tagging alerts and incidents with ATT&CK techniques to standardize triage and reporting
  • Detection engineering teams designing and testing rules or analytics explicitly mapped to ATT&CK techniques
  • Risk and governance teams using ATT&CK mappings to structure threat models, tabletop exercises, and control assessments
  • OT/IT teams using the ICS matrix to prioritize monitoring and hardening activities that align with techniques most relevant to their assets

Relation to cyber threat intelligence

In the context of cyber threat intelligence (strategic, operational, tactical, and technical), MITRE ATT&CK is commonly used to:

  • Describe adversary playbooks in terms of tactics and techniques, rather than only listing indicators such as IPs or hashes
  • Normalize threat reports from different providers so they can be compared and integrated
  • Help bridge communication between intelligence analysts and engineers by linking narrative threat reports to concrete behaviors that can be detected or mitigated
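The coverage assessment (under "Use in industrial and regulated environments"), the detection-engineering mappings (under "Operational meaning"), and the report normalization described just above all come down to the same mechanics: technique IDs as a shared key between threat reports, detection rules, and alerts. The script below is an added example and is not part of this glossary entry or any MITRE tooling; it embeds a constructed five-technique subset of the real Enterprise catalog (technique and tactic IDs are genuine ATT&CK identifiers, the rule names, report shapes, and actor name are made up), normalizes two differently shaped vendor reports, computes per-tactic detection coverage, and lists the techniques an actor uses for which no rule exists.

```python
"""Added example: ATT&CK technique IDs as the join key between CTI, detections and alerts."""
import re

# Constructed subset of the ATT&CK Enterprise catalog (real IDs, but only five
# of them) so the example runs offline. Values are (technique name, tactic ID).
TECHNIQUES = {
    "T1566": ("Phishing", "TA0001"),
    "T1003": ("OS Credential Dumping", "TA0006"),
    "T1021": ("Remote Services", "TA0008"),
    "T1071": ("Application Layer Protocol", "TA0011"),
    "T1486": ("Data Encrypted for Impact", "TA0040"),
}
TACTICS = {
    "TA0001": "Initial Access",
    "TA0006": "Credential Access",
    "TA0008": "Lateral Movement",
    "TA0011": "Command and Control",
    "TA0040": "Impact",
}

# Constructed detection rules, each mapped explicitly to the technique(s) it covers.
DETECTION_RULES = [
    {"name": "mail_gateway_attachment_sandbox", "techniques": ["T1566"]},
    {"name": "lsass_access_from_unsigned_process", "techniques": ["T1003"]},
    {"name": "http_beaconing_periodicity", "techniques": ["T1071"]},
]

# Two constructed threat reports about the same actor, in different provider formats.
REPORT_PROVIDER_A = {"actor": "constructed-actor-1",
                     "ttps": ["T1566", "T1003", "T1021", "T1486"]}
REPORT_PROVIDER_B = {"group": "constructed-actor-1",
                     "observed_techniques": [{"id": "t1003"}, {"id": "T1566.001"},
                                             {"id": "T1071"}, {"id": "T1486"}]}

TECHNIQUE_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")


def normalize_report(report):
    """Reduce a provider-specific report to a set of catalog technique IDs.

    Handles both constructed shapes (a flat "ttps" list, or objects under
    "observed_techniques"). Sub-techniques such as T1566.001 are folded into
    their parent so reports from different providers compare on equal terms.
    """
    raw = report.get("ttps") or [t["id"] for t in report.get("observed_techniques", [])]
    ids = set()
    for item in raw:
        tid = item.strip().upper()
        if not TECHNIQUE_ID.match(tid):
            raise ValueError(f"not an ATT&CK technique id: {item!r}")
        parent = tid.split(".")[0]
        if parent not in TECHNIQUES:
            raise KeyError(f"technique {parent} not in local catalog")
        ids.add(parent)
    return ids


def detected_techniques(rules):
    """All technique IDs that have at least one detection rule mapped to them."""
    return {tid for rule in rules for tid in rule["techniques"]}


def coverage_by_tactic(rules):
    """Per tactic name: which catalog techniques are covered by a rule and which are not."""
    covered = detected_techniques(rules)
    result = {name: {"covered": set(), "uncovered": set()} for name in TACTICS.values()}
    for tid, (_, tactic_id) in TECHNIQUES.items():
        bucket = "covered" if tid in covered else "uncovered"
        result[TACTICS[tactic_id]][bucket].add(tid)
    return result


def gaps_for_actor(reports, rules):
    """Techniques the actor is reported to use that no detection rule currently covers."""
    used = set().union(*(normalize_report(r) for r in reports))
    return sorted(used - detected_techniques(rules))


def tag_alert(alert):
    """Enrich a SOC alert with technique name and tactic, as a SOC does for triage."""
    name, tactic_id = TECHNIQUES[alert["technique"]]
    return {**alert, "technique_name": name, "tactic": TACTICS[tactic_id]}


if __name__ == "__main__":
    for tactic, buckets in coverage_by_tactic(DETECTION_RULES).items():
        print(f"{tactic:20s} covered={sorted(buckets['covered'])} "
              f"uncovered={sorted(buckets['uncovered'])}")
    print("actor gaps:", gaps_for_actor([REPORT_PROVIDER_A, REPORT_PROVIDER_B], DETECTION_RULES))
    print(tag_alert({"id": "alert-0001", "host": "hmi-01", "technique": "T1003"}))
```

The gap list is what a detection-engineering or OT monitoring team would prioritize: techniques reported for an actor of interest that map to no rule, regardless of which provider's report first mentioned them. Folding sub-techniques into their parent is a deliberate simplification; a real coverage assessment usually tracks sub-techniques separately, since a rule for one spearphishing variant does not cover the others.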

Common confusion

MITRE ATT&CK is:

  • Not a security standard, certification, or compliance framework. It is a knowledge base and reference model.
  • Not the same as a vulnerability database. It focuses on attacker behaviors, not individual software vulnerabilities.
  • Sometimes confused with specific tools or products. ATT&CK itself is tool-agnostic, although many commercial and open-source tools map features to its tactics and techniques.

In industrial environments, it may also be confused with general ICS security guidance or vendor hardening guidelines. ATT&CK complements those resources by describing how adversaries operate, rather than prescribing how systems must be configured.
