MITRE-ATT&CK framework overview
Summary of MITRE-ATT&CK framework overview
The MITRE-ATT&CK framework is a comprehensive knowledge base of adversarial tactics, techniques, and procedures (TTPs) used in cyberattacks. It helps organizations develop targeted threat models and methodologies to understand and counteract cyber threats. The framework tracks adversary behaviors throughout different attack stages, enabling rapid threat identification and coordinated response efforts within the cyberthreat intelligence community.
Integration with Security Operations
Within Security Operations, the MITRE-ATT&CK framework integrates through a pre-loaded TAXII client that ingests threat data into the Threat Intelligence repository. Security Information and Event Manager (SIEM) systems feed alerts and events linked to relevant TTPs and security incidents. When Indicators of Compromise (IoCs) are linked to incidents, Threat Intelligence automatically searches external threat feeds and forwards information to third-party tools such as EDR, Sandbox, or Threat Intelligence Platforms (TIP) for further analysis. If these external sources contain MITRE-ATT&CK data, the framework enriches the threat information for enhanced correlation and investigation. Additionally, CVE context is provided to assist Vulnerability Response teams in assessing threats to critical assets.
Core Structure: Matrixes, Tactics, and Techniques
The framework’s foundation is a matrix displaying adversary tactics and techniques arranged sequentially to reflect attack stages. Understanding this sequence allows security teams to anticipate attacker moves and disrupt the kill chain.
- Enterprise ATT&CK: Describes adversary behaviors in enterprise networks and cloud environments. (Note: The deprecated Pre ATT&CK matrix is now merged here.)
- ICS ATT&CK: Focuses on adversary actions within Industrial Control Systems networks.
- Mobile ATT&CK: Covers adversary behaviors related to mobile devices.
Tactics represent the adversary’s objectives (the "why"), while Techniques describe the methods used to achieve those objectives (the "how"). Techniques can relate to multiple tactics, enabling nuanced threat analysis.
Intent-Based Incident Response
Adopting an intent-based response leverages the MITRE-ATT&CK framework’s dynamic kill chain to correlate incidents and reveal broader attack scopes. This approach helps security teams understand ongoing attacks and predict adversary behavior, allowing for more strategic allocation of resources. Security Incident Response (SIR) manages incident lifecycles by focusing on IoCs such as IP addresses, file hashes, and domains. When integrated with MITRE-ATT&CK, incidents are viewed as interconnected elements of enterprise-wide attack campaigns.
Benefits for ServiceNow Customers
- Enhances security analysts’ capabilities by providing detailed MITRE-ATT&CK TTPs for improved incident analysis and response.
- Enables automation of incident workflows through playbooks aligned with MITRE-ATT&CK, facilitating faster threat detection and containment.
- Prioritizes IoCs and supports proactive threat hunting using MITRE-ATT&CK intelligence.
- Offers insights into the organization’s overall security posture within the MITRE-ATT&CK context.
Administration and Usage
ServiceNow customers can configure the MITRE-ATT&CK framework within the AI Platform by mapping data sources, assessing technique detection coverage, and maintaining the ATT&CK repository. The framework is utilized across Threat Intelligence and Security Incident Response modules to improve threat detection and analysis.
The MITRE-ATT&CK framework is a knowledge base of common tactics, techniques, and procedures (TTP) that your organization can access to develop specific threat models and methodologies against cyberattacks.
The MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework documents and tracks various adversarial techniques that are used during different stages of a cyberattack.
By using the MITRE-ATT&CK framework's knowledge base, the cyberthreat intelligence community can quickly identify threats and coordinate cyberattack responses.
MITRE-ATT&CK and Security Operations
Learn how the MITRE-ATT&CK information flows with Security Operations applications.
- The pre-loaded TAXII client connects to the TAXII server to ingest the data collections to Threat Intelligence.
- Existing Security Information and Event Manager (SIEM) integrations ingest their threat data (alerts and events) together with the relevant TTPs, and that data is associated with security incidents.
- When an IoC is associated with a security incident, Threat Intelligence automatically searches threat feeds for relevant information and sends the IoC to third-party sources such as EDR, Sandbox, or TIP for additional analysis.
- If any third-party source contains the MITRE-ATT&CK information, then Threat Intelligence extracts the technique information and enriches the data in the Threat Intelligence repository for correlation and analysis.
- MITRE-ATT&CK also shares CVE context information for each technique. Your security team can review the exploited techniques in Vulnerability Response to determine if your business-critical assets are threatened.
MITRE-ATT&CK matrixes, tactics, and techniques
- Enterprise ATT&CK: Describes the behaviors and actions that an adversary takes to compromise and operate in an enterprise network and cloud. Note: The Pre ATT&CK matrix has been deprecated by MITRE and is merged with the Enterprise matrix.
- ICS ATT&CK: Describes the actions that an adversary takes while operating within an Industrial Control Systems (ICS) network.
- Mobile ATT&CK: Describes the adversary behaviors and actions that focus on mobile devices.
Tactics represent the why of an ATT&CK technique: the adversary's tactical objective for performing an action.
Techniques represent how an adversary achieves a tactical objective by performing an action.
Techniques may be associated with more than one tactic. For example, Access Token Manipulation is used by an adversary to achieve either the tactic of Privilege Escalation or Defense Evasion.
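The TAXII data collections described above arrive as STIX 2.1 bundles in which each technique is an attack-pattern object whose kill_chain_phases carry the tactic names, and a technique that serves two tactics simply lists two phases. The following Python is an added example, not ServiceNow code or MITRE's own tooling: it parses a constructed bundle in that layout into a repository-style index (technique ID to name and tactics, plus the inverse tactic to techniques), drops revoked or deprecated techniques so they cannot enrich new data, and surfaces multi-tactic techniques such as Access Token Manipulation (T1134). The STIX UUIDs and the revoked "T9999" entry are placeholders; a real client would fetch the bundle from the TAXII server instead of using the inline sample.

```python
"""Index a MITRE ATT&CK STIX 2.1 bundle by technique and by tactic.

Added example, not ServiceNow code. The bundle below is constructed in the
shape ATT&CK publishes over TAXII; only the technique IDs, names and tactic
mappings for T1134 and T1566 are real, the UUIDs and T9999 are placeholders.
"""
import json
from collections import defaultdict

SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",  # placeholder UUID
    "objects": [
        {
            "type": "attack-pattern",
            "id": "attack-pattern--00000000-0000-4000-8000-000000000002",
            "name": "Access Token Manipulation",
            "kill_chain_phases": [
                {"kill_chain_name": "mitre-attack", "phase_name": "privilege-escalation"},
                {"kill_chain_name": "mitre-attack", "phase_name": "defense-evasion"},
            ],
            "external_references": [
                {"source_name": "mitre-attack", "external_id": "T1134",
                 "url": "https://attack.mitre.org/techniques/T1134"},
            ],
            "revoked": False,
        },
        {
            "type": "attack-pattern",
            "id": "attack-pattern--00000000-0000-4000-8000-000000000003",
            "name": "Phishing",
            "kill_chain_phases": [
                {"kill_chain_name": "mitre-attack", "phase_name": "initial-access"},
            ],
            "external_references": [
                {"source_name": "mitre-attack", "external_id": "T1566"},
            ],
        },
        {
            # Constructed revoked entry: must not reach the repository.
            "type": "attack-pattern",
            "id": "attack-pattern--00000000-0000-4000-8000-000000000004",
            "name": "Revoked placeholder technique",
            "kill_chain_phases": [
                {"kill_chain_name": "mitre-attack", "phase_name": "execution"},
            ],
            "external_references": [
                {"source_name": "mitre-attack", "external_id": "T9999"},
            ],
            "revoked": True,
        },
        # Other STIX types (groups, software, relationships) share the
        # collection and are skipped by the technique loader.
        {"type": "intrusion-set",
         "id": "intrusion-set--00000000-0000-4000-8000-000000000005",
         "name": "Sample Group"},
    ],
})


def attack_id(obj):
    """Return the ATT&CK external ID (for example T1134) of a STIX object, or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack" and "external_id" in ref:
            return ref["external_id"]
    return None


def load_techniques(bundle_json):
    """Parse a STIX bundle into {technique_id: {"name": ..., "tactics": [...]}}.

    Revoked and deprecated techniques are dropped; non-attack-pattern
    objects are ignored. Tactic names come from the mitre-attack kill chain.
    """
    techniques = {}
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "attack-pattern":
            continue
        if obj.get("revoked") or obj.get("x_mitre_deprecated"):
            continue
        tid = attack_id(obj)
        if tid is None:
            continue
        tactics = [phase["phase_name"]
                   for phase in obj.get("kill_chain_phases", [])
                   if phase.get("kill_chain_name") == "mitre-attack"]
        techniques[tid] = {"name": obj["name"], "tactics": tactics}
    return techniques


def index_by_tactic(techniques):
    """Invert the technique map so each tactic lists its technique IDs, sorted."""
    by_tactic = defaultdict(list)
    for tid, info in techniques.items():
        for tactic in info["tactics"]:
            by_tactic[tactic].append(tid)
    return {tactic: sorted(ids) for tactic, ids in by_tactic.items()}


def multi_tactic_techniques(techniques):
    """IDs of techniques that are associated with more than one tactic."""
    return sorted(tid for tid, info in techniques.items() if len(info["tactics"]) > 1)


if __name__ == "__main__":
    techs = load_techniques(SAMPLE_BUNDLE)
    for tactic, ids in sorted(index_by_tactic(techs).items()):
        print(f"{tactic:22} {', '.join(ids)}")
    print("multi-tactic techniques:", multi_tactic_techniques(techs))
```

Because the inverse index lists T1134 under both privilege-escalation and defense-evasion, an alert enriched with that technique can be correlated against either tactic, which is the nuance the one-to-many association above buys.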
Using an intent-based approach for incident responses
An intent-based response uses a dynamic and contextual kill chain framework that can help your organization to correlate security incidents and to identify a large scope of attacks. Your security team can use an intent-based response to understand how the organization is being attacked and what the attacker might do next. This type of response enables you to predict an attacker's behavior so that you can focus your resources effectively.
Using Security Incident Response, your security team can manage the life cycle of each security incident from analysis to containment by focusing on indicators of compromise (IoCs) like IP addresses, file hashes, and domains.
By integrating Security Incident Response with the MITRE-ATT&CK framework, security incidents are handled as links in a larger enterprise-wide attack.
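The correlation the preceding paragraphs describe, incidents treated as links in one enterprise-wide attack, can be made concrete in code. The Python below is an added example, not ServiceNow code: it links constructed incident records that share an IoC (transitively, so two incidents that never share an indicator are still joined through a third), orders each cluster's observed tactics along the Enterprise ATT&CK matrix, and reports the furthest stage reached together with the stage an analyst should watch for next. The record fields ("id", "iocs", "techniques") and the small technique-to-tactic map are assumptions for the example, not a ServiceNow schema; the IoC values are documentation and test-network addresses, not real indicators.

```python
"""Correlate security incidents into a campaign view by shared IoCs and
ATT&CK tactic order.

Added example, not ServiceNow code. Incident records, IoCs and the
technique-to-tactic map are constructed inline; the record field names are
assumptions, not a ServiceNow schema.
"""
from collections import defaultdict

# Enterprise ATT&CK tactics in the order the matrix displays them.
TACTIC_ORDER = [
    "reconnaissance", "resource-development", "initial-access", "execution",
    "persistence", "privilege-escalation", "defense-evasion",
    "credential-access", "discovery", "lateral-movement", "collection",
    "command-and-control", "exfiltration", "impact",
]

# Constructed subset of the technique -> tactics map (real IDs and mappings).
TECHNIQUE_TACTICS = {
    "T1566": ["initial-access"],                           # Phishing
    "T1204": ["execution"],                                # User Execution
    "T1134": ["privilege-escalation", "defense-evasion"],  # Access Token Manipulation
    "T1021": ["lateral-movement"],                         # Remote Services
    "T1041": ["exfiltration"],                             # Exfiltration Over C2 Channel
}

# Constructed incidents. IoCs use RFC 5737 documentation ranges and a
# reserved test domain, so none of them is a real indicator.
SAMPLE_INCIDENTS = [
    {"id": "SIR0001", "iocs": {"198.51.100.7", "invoice.example.test"}, "techniques": ["T1566", "T1204"]},
    {"id": "SIR0002", "iocs": {"198.51.100.7"}, "techniques": ["T1134"]},
    {"id": "SIR0003", "iocs": {"203.0.113.9"}, "techniques": ["T1021"]},
    {"id": "SIR0004", "iocs": {"203.0.113.9", "198.51.100.7"}, "techniques": ["T1041"]},
    {"id": "SIR0005", "iocs": {"192.0.2.44"}, "techniques": ["T1566"]},
]


def cluster_incidents(incidents):
    """Group incidents that share at least one IoC, transitively (union-find).

    Returns a sorted list of sorted member-ID lists.
    """
    parent = {inc["id"]: inc["id"] for inc in incidents}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    first_seen = {}  # ioc value -> first incident that carried it
    for inc in incidents:
        for ioc in inc["iocs"]:
            if ioc in first_seen:
                union(first_seen[ioc], inc["id"])
            else:
                first_seen[ioc] = inc["id"]

    clusters = defaultdict(list)
    for inc in incidents:
        clusters[find(inc["id"])].append(inc["id"])
    return sorted(sorted(members) for members in clusters.values())


def campaign_summary(incidents, cluster_ids, technique_tactics=TECHNIQUE_TACTICS):
    """Order a cluster's observed tactics along the kill chain.

    "furthest" is the latest matrix stage with evidence; "watch_next" is the
    stage after it, the one defenders should look for before it happens.
    """
    by_id = {inc["id"]: inc for inc in incidents}
    seen = set()
    for iid in cluster_ids:
        for tid in by_id[iid]["techniques"]:
            seen.update(technique_tactics.get(tid, []))
    observed = [t for t in TACTIC_ORDER if t in seen]
    if not observed:
        return {"observed": [], "furthest": None, "watch_next": None}
    nxt = TACTIC_ORDER.index(observed[-1]) + 1
    watch_next = TACTIC_ORDER[nxt] if nxt < len(TACTIC_ORDER) else None
    return {"observed": observed, "furthest": observed[-1], "watch_next": watch_next}


if __name__ == "__main__":
    for members in cluster_incidents(SAMPLE_INCIDENTS):
        summary = campaign_summary(SAMPLE_INCIDENTS, members)
        print(", ".join(members))
        print("  observed:  ", " -> ".join(summary["observed"]))
        print("  furthest:  ", summary["furthest"])
        print("  watch next:", summary["watch_next"])
```

Run stand-alone, the sample yields one four-incident cluster that has progressed from initial access to exfiltration (so impact is the stage to watch) and one isolated phishing incident. Viewed individually, SIR0003 is a lone lateral-movement alert; viewed as a link in the cluster it is the middle of an attack that is already exfiltrating data, which changes how it is prioritised.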
How your organization can benefit from MITRE-ATT&CK in Security Operations
Using the MITRE-ATT&CK framework can help your organization do the following:
- Equip security analysts with MITRE-ATT&CK tactics, techniques, and procedures (TTPs) to better analyze and respond to security incidents.
- Automate the incident workflows using the playbook for detecting and containing threats in the context of the MITRE-ATT&CK framework.
- Prioritize indicators of compromise and threat hunting with MITRE-ATT&CK information.
- Understand the high-level security posture of your organization in the context of the MITRE-ATT&CK framework.