MITRE-ATT&CK framework overview

  • Release version: Yokohama
  • Updated January 30, 2025
  • 3 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of MITRE-ATT&CK Framework Overview

    The MITRE ATT&CK framework is a comprehensive knowledge base of adversarial tactics, techniques, and procedures (TTPs) used in cyberattacks. It helps organizations develop targeted threat models and response methodologies by documenting adversary behaviors throughout different attack stages. The framework supports the cyberthreat intelligence community in quickly identifying threats and coordinating effective responses.

    Show full answer Show less

    Integration with Security Operations

    Within ServiceNow Security Operations, the MITRE ATT&CK framework integrates through a pre-loaded TAXII client that ingests threat data into Threat Intelligence. It correlates indicators of compromise (IoCs) from SIEM alerts and events with relevant TTPs and security incidents. Threat Intelligence enriches this data by exchanging information with third-party tools such as EDR, Sandbox, and TIP. Additionally, the framework provides CVE context to Vulnerability Response, enabling security teams to assess threats to critical assets.

    MITRE-ATT&CK Matrices, Tactics, and Techniques

    • Matrices: The framework includes matrices for Enterprise, Industrial Control Systems (ICS), and Mobile adversary behaviors. The previously separate Pre-ATT&CK matrix is now part of the Enterprise matrix.
    • Tactics: Represent the adversary’s objectives at each attack stage (the "why").
    • Techniques: Describe how adversaries achieve tactical objectives (the "how"). Techniques can map to multiple tactics, reflecting their varied use in attacks.

    Understanding the sequence of tactics and techniques allows security teams to anticipate attacker moves and interrupt the kill chain.

    Intent-Based Response Approach

    ServiceNow enables an intent-based response model leveraging MITRE ATT&CK to correlate incidents and predict attacker behavior. This approach allows security teams to focus resources strategically by managing incident lifecycles from detection through containment, using IoCs and contextual threat information. Integrating Security Incident Response with MITRE ATT&CK treats incidents as interconnected parts of broader enterprise attacks.

    Benefits for ServiceNow Customers

    • Empowers analysts with detailed MITRE ATT&CK TTPs for improved incident analysis and response.
    • Automates threat detection and containment workflows aligned to the framework’s playbooks.
    • Helps prioritize IoCs and supports proactive threat hunting using MITRE ATT&CK data.
    • Provides insight into the organization’s security posture within the context of known adversary behaviors.

    Administration and Usage

    ServiceNow’s AI Platform allows customers to configure and maintain the MITRE ATT&CK repository, map data sources, and assess overall detection coverage. The framework is actively used across Threat Intelligence and Security Incident Response modules to detect, correlate, and analyze threats efficiently.

    The MITRE-ATT&CK framework is a knowledge base of common tactics, techniques, and procedures (TTP) that your organization can access to develop specific threat models and methodologies against cyberattacks.

    Overview

    The MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework documents and tracks various adversarial techniques that are used during different stages of a cyberattack.

    By using the MITRE-ATT&CK framework's knowledge base, the cyberthreat intelligence community can quickly identify threats and coordinate cyberattack responses.

    MITRE-ATT&CK and Security Operations

    See the following diagram to learn how the MITRE-ATT&CK information flows with Security Operations applications.

    How MITRE ATT&CK works with Security Operations' applications.

    MITRE-ATT&CK matrices, tactics, and techniques

    The core of the MITRE-ATT&CK framework is a matrix of adversary tactics and techniques. The sequence of the tactics represents what an adversary is trying to accomplish at the stage of an incident. When your security team understands this sequence, you have an opportunity to anticipate an adversary's next move and break the kill chain. ATT&CK consists of the following matrices:
    • Enterprise ATT&CK: Describes the behaviors and actions that an adversary takes to compromise and operate in an enterprise network and cloud.
      Note:
      The Pre ATT&CK matrix has been deprecated by MITRE and is merged with the Enterprise matrix.
    • ICS ATT&CK: Describes the actions that an adversary takes while operating within an Industrial Control Systems (ICS) network.
    • Mobile ATT&CK: Describes the adversary behaviors and actions that focus on mobile devices.

    Tactics represent the why of an ATT&CK technique. It is the adversary’s tactical objective for performing an action.

    Techniques represent how an adversary achieves a tactical objective by performing an action.

    Techniques may be associated with more than one tactic. For example, Access Token Manipulation is used by an adversary to achieve either the tactic of Privilege Escalation or Defense Evasion.

    Using an intent-based approach for incident responses

    An intent-based response uses a dynamic and contextual kill chain framework that can help your organization to correlate security incidents and to identify a large scope of attacks. Your security team can use an intent-based response to understand how the organization is being attacked and what the attacker might do next. This type of response enables you to predict an attacker's behavior so that you can focus your resources effectively.

    Using Security Incident Response, your security team can manage the life cycle of each security incident from analysis to containment by focusing on indicators of compromise (IOCs) like IP addresses, file hashes, and domains.

    By integrating Security Incident Response with the MITRE-ATT&CK framework, security incidents are handled as links in a larger enterprise-wide attack.

    How your organization can benefit from MITRE-ATT&CK in Security Operations

    Benefits of using MITRE ATT&CK

    Using the MITRE-ATT&CK framework can help your organization do the following:

    • Equip security analysts with MITRE-ATT&CK tactics, techniques, and procedures (TTPs) to better analyze and respond to security incidents.
    • Automate the incident workflows using the playbook for detecting and containing threats in the context of the MITRE-ATT&CK framework.
    • Prioritize indicators of compromise and threat hunting with MITRE-ATT&CK information.
    • Understand the high-level security posture of your organization in the context of the MITRE-ATT&CK framework.