
Debunking Myths of MITRE ATT&CK
Devesh Taneja
July 2, 2025 · 5 min read
Do you know every person assumes the definition of terms in their own way until they are given a reference? Let's debunk some common myths about the MITRE ATT&CK Framework.
Do you know every person assumes the definition of terms in their own way until they are given a reference? Ever heard of the game Chinese whisper? Yes, the game we all played as a child in which person “A” says something to person “B”, “B” to “C” and so on. Almost every time, when the information moves from one person to another, it is changed. This is the risk of interpretation.
Earlier, every organization had their own way of defining attack stages. There was no common language, which made it harder to work collaboratively. The world required a common dictionary, and that is how the MITRE ATT&CK Framework was born—to make our lives easier.
What is ATT&CK?
Consider ATT&CK a social mission that has saved organizations billions of dollars and gigabytes of data without charging a penny. ATT&CK is a globally-accessible knowledge base of adversary tactics and techniques created by the non-profit, government-funded organization MITRE.
And unlike you might think, the MITRE ATT&CK framework isn’t built in a lab or as the outcome of a tabletop exercise; it is built based on observations of real-world adversary behaviors.
Think of it as an attacker's playbook: a catalogue of actions, organised by scenario, compiled from the analysis of many adversaries.
The primary purpose of developing ATT&CK was for Red and Blue Teaming. Red teaming involves simulating adversarial behavior, and ATT&CK provides detailed knowledge about it. For the blue team, ATT&CK provided a common language to compare notes. Understanding ATT&CK is easy, as it is presented in a matrix format that is understandable with minimal research. So let’s jump into the components (WHAT, HOW, STEPS) of the ATT&CK Matrix.
We will take an example to understand the components. Imagine you want to buy a phone:
Tactics:
This is the “WHAT”—the goals that attackers want to achieve. In our example, your goal is to buy a phone; that's the tactic. In cybersecurity, tactics include Initial Access, Execution, Persistence, Privilege Escalation, etc. Each tactic is crucial and directly helps the attacker achieve their ulterior motive, which could be money, data, etc.
Techniques:
This is the “HOW”—the method an attacker will use to achieve a tactic. There can be multiple techniques for each tactic. In our example, the tactic is to buy a phone, but the techniques could be buying it from an offline store or an online website. In technical terms, Initial Access is a tactic, while Phishing is a technique used to achieve it.
Procedures:
These are the specific “STEPS” adversaries have used in the past to perform a particular technique. In our example, this could be you going to a store, asking for a phone, and paying with cash. ATT&CK shows real-world examples of procedures used by attackers, like the group APT28 using Nmap for Active Scanning.
These components are commonly called TTPs (Tactics, Techniques, and Procedures). The combination helps security researchers deeply understand adversarial behavior and design their security posture. TTPs are the backbone of the MITRE ATT&CK Framework.

Myths of MITRE ATT&CK Framework
1. 100% coverage of MITRE ATT&CK is ideal for Security
Imagine you are given a task: every day you will be sent thousands of news articles, and only one of them is true. You have to figure out which one. It would become too hard to handle. The MITRE ATT&CK framework contains a vast range of techniques. If you cover all of them in your tool, even a system admin's routine actions could be flagged as an alert, and your system would be flooded with false positives.
#MYTH BUSTED: It is recommended to prefer quality over quantity.
For techniques you choose not to alert on, do not give up visibility: keep collecting those events so they are available for future threat hunting and investigation.
2. MITRE ATT&CK framework is One and Done
ATT&CK has grown significantly since its public launch in 2015. The original ATT&CK had only 50-60 techniques; now it has over 201. The MITRE ATT&CK community has helped it grow over the years. ATT&CK has one firm rule: a technique is only added if it has been performed by an adversary in the real world.
#MYTH BUSTED: The ATT&CK Framework is constantly evolving and updating.
3. MITRE ATT&CK is just one framework
ATT&CK initially had just one framework, but it is constantly improving as its team works through user feedback and requirements.
ATT&CK currently has 15 different frameworks for different systems, since each of those systems is defended by its own security team. This includes frameworks for Enterprise, Cloud, Windows, Linux, Industrial Control Systems, Mobile, etc.
#MYTH BUSTED: No one size fits all with the MITRE ATT&CK Framework.
4. 100% Technique coverage means 100% security
A technique can be executed by attackers in multiple ways. So, a tick in the box for each technique will only provide a false sense of security. Security is not a checklist game. Simply marking techniques as 'covered' ignores the nuance of how attacks are executed.
You need to identify and monitor the specific procedures attackers might use to implement each technique, not just the technique itself.
#MYTH BUSTED: Focus on procedures, not just techniques.
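To make the points of myths 1 and 4 concrete, here is an added example (not code from the original post or from MITRE) that scores a detection inventory two ways: the “tick the technique” view versus procedure-level coverage, while separating rules that alert from sources that are only logged for hunting. The technique IDs are real ATT&CK entries; the procedure lists and the detection names are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed sample of the page's TTP hierarchy: technique ID -> (tactic, name, procedures).
# T1566, T1595 and T1059 are real ATT&CK technique IDs; the procedure lists are placeholders.
TECHNIQUES = {
    "T1566": ("Initial Access", "Phishing",
              ["spearphishing attachment", "spearphishing link", "spearphishing via service"]),
    "T1595": ("Reconnaissance", "Active Scanning",
              ["scan IP blocks", "vulnerability scan", "wordlist scan"]),
    "T1059": ("Execution", "Command and Scripting Interpreter",
              ["PowerShell", "Windows Command Shell", "Unix shell"]),
}

@dataclass(frozen=True)
class Detection:
    name: str
    technique: str         # ATT&CK technique ID the detection is mapped to
    procedures: frozenset  # the procedures it actually catches, never "the whole technique"
    alerts: bool           # True = raises an alert; False = logged only, kept for hunting

def assess(detections):
    """Contrast 'tick the technique' coverage with procedure-level coverage and classify
    each technique as alert / partial-alert / visibility-only / blind."""
    status, blind_spots, ticked, alerting, visible = {}, {}, 0, 0, 0
    for tid, (_tactic, _name, procs) in TECHNIQUES.items():
        mine = [d for d in detections if d.technique == tid]
        alert_procs = set(procs) & set().union(*(d.procedures for d in mine if d.alerts))
        visible_procs = set(procs) & set().union(*(d.procedures for d in mine))
        ticked += bool(alert_procs)         # checkbox view: any alerting rule = "covered"
        alerting += len(alert_procs)
        visible += len(visible_procs)
        status[tid] = ("alert" if alert_procs == set(procs) else "partial-alert" if alert_procs
                       else "visibility-only" if visible_procs else "blind")
        blind_spots[tid] = [p for p in procs if p not in visible_procs]
    total_procs = sum(len(t[2]) for t in TECHNIQUES.values())
    return {"technique_checkbox": (ticked, len(TECHNIQUES)),
            "procedure_alerting": (alerting, total_procs),
            "procedure_visible": (visible, total_procs),
            "status": status, "blind_spots": blind_spots}

# Constructed detection inventory: each rule names the procedures it covers, not a technique.
SAMPLE_DETECTIONS = [
    Detection("mail-gw-attachment-sandbox", "T1566", frozenset({"spearphishing attachment"}), True),
    Detection("proxy-url-click-log", "T1566", frozenset({"spearphishing link"}), False),
    Detection("perimeter-netflow-collection", "T1595", frozenset(TECHNIQUES["T1595"][2]), False),
    Detection("powershell-scriptblock-rule", "T1059", frozenset({"PowerShell"}), True),
]
```

Calling `assess(SAMPLE_DETECTIONS)` ticks 2 of 3 techniques as “covered” while only 2 of 9 procedures actually alert and 6 of 9 are visible at all, which is exactly the gap the checkbox view hides.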
5. ATT&CK is only for Threat Hunters and Red Teamers
ATT&CK can be used in many ways by multiple roles, including Blue Teams for detection engineering, SOC Analysts for alert triage, Executives, Penetration Testers, and tool developers. Although ATT&CK was originally built with red teaming in mind, it has since become invaluable for blue teams, SOC analysts, detection engineers, CISOs, and even security product developers, making ATT&CK important in every field of cybersecurity.
#MYTH BUSTED: ATT&CK is for everyone in cybersecurity.