Debunking Myths of MITRE ATT&CK

July 2, 2025·2 min read·
By
DTDevesh Taneja

Do you know every person assumes the definition of terms in their own way until they are given a reference? Ever heard of the game Chinese whisper? This is the risk of interpretation. Earlier, every organization had their own way of defining attack stages. The world required a common dictionary, and that is how the MITRE ATT&CK Framework was born.

What is ATT&CK?

ATT&CK is a globally-accessible knowledge base of adversary tactics and techniques created by the non-profit, government-funded organization MITRE. Unlike you might think, it isn't built in a lab — it is built based on observations of real-world adversary behaviors.

The primary purpose of developing ATT&CK was for Red and Blue Teaming. Let's jump into the components (WHAT, HOW, STEPS) of the ATT&CK Matrix.

Tactics:

This is the "WHAT" — the goals that attackers want to achieve. In cybersecurity, tactics include Initial Access, Execution, Persistence, Privilege Escalation, etc.

Techniques:

This is the "HOW" — the method an attacker will use to achieve a tactic. Initial Access is a tactic, while Phishing is a technique used to achieve it.

Procedures:

These are the specific "STEPS" adversaries have used in the past to perform a particular technique. These components are commonly called TTPs (Tactics, Techniques, and Procedures).

Myths of MITRE ATT&CK Framework

1. 100% coverage of MITRE ATT&CK is ideal for Security

If you cover all techniques, even a system admin's routine actions could be flagged as an alert, flooding your system with false positives.

#MYTH BUSTED: It is recommended to prefer quality over quantity.

2. MITRE ATT&CK framework is One and Done

ATT&CK has grown from 50-60 techniques to over 201 since its public launch in 2015.

#MYTH BUSTED: The ATT&CK Framework is constantly evolving and updating.

3. MITRE ATT&CK is just one framework

ATT&CK currently has 15 different frameworks for different systems including Enterprise, Cloud, Windows, Linux, Industrial Control Systems, Mobile, etc.

#MYTH BUSTED: No one size fits all with the MITRE ATT&CK Framework.

4. 100% Technique coverage means 100% security

A technique can be executed by attackers in multiple ways. Simply marking techniques as 'covered' ignores the nuance of how attacks are executed. Focus on procedures, not just techniques.

#MYTH BUSTED: Focus on procedures, not just techniques.

5. ATT&CK is only for Threat Hunters and Red Teamers

ATT&CK can be used by Blue Teams, SOC Analysts, Executives, Penetration Testers, and tool developers. It has become invaluable for everyone in cybersecurity.

#MYTH BUSTED: ATT&CK is for everyone in cybersecurity.

Did you find this article helpful?

Let the authors know by leaving a like or comment.

0
Leave a Comment
Share your thoughts on this article. We'd love to hear from you!

No comments yet

Be the first to share your thoughts!

    Debunking Myths of MITRE ATT&CK