MITRE ATT&CK Explainers:
What is the MITRE Matrix?
The MITRE ATT&CK® Framework is a security framework that provides comprehensive, up-to-date cyberthreat intelligence that can help organizations protect themselves against cyber risks.
The MITRE organization has developed a matrix that maps out tactics, techniques, and procedures, which can help monitor and analyze security events detected by security teams.
There are three main MITRE Matrixes: Enterprise ATT&CK, which includes 14 tactics attackers can use to infiltrate organizations, Mobile ATT&CK, with 14 tactics attackers can use to compromise mobile applications, and ICS ATT&CK, with 12 tactics used to attack Industrial Control Systems.
MITRE Matrix Types
Enterprise ATT&CK Matrix
ATT&CK for Enterprise provides a model that details what cyber attackers can do to infiltrate corporate networks and achieve their goals once inside. It helps organizations prioritize their cyber defenses and focus on the defenses that pose the greatest risk to specific businesses.
The matrix has specific tactics and techniques attackers use to infiltrate different environments, including networks, operating systems like Windows, macOS, and Linux, SaaS applications like Office 365 or Google Workspace, public cloud systems, or identity services like Azure AD.
There are currently 14 tactics in this matrix, shown below.
| Reconnaissance | Resource development | Initial access | Execution |
| Persistence | Privilege escalation | Defense evasion | Credential access |
| Discovery | Lateral movement | Collection | Command and Control |
| Exfiltration | Impact |
Mobile ATT&CK Matrix
The Mobile ATT&CK Matrix describes tactics and techniques used to compromise iOS and Android mobile devices. To this end, ATT&CK for Mobile is based on NIST’s Mobile Threat Catalog, designed around the characteristics of current mobile devices and their vulnerabilities.
Mobile ATT&CK includes 12 tactics and 100+ skills attackers use against mobile devices. The matrix also lists network-based effects, tactics, and techniques that can be used without access to a physical device.
There are currently 14 tactics in this matrix, shown below.
| Initial Access | Execution | Persistence | Privilege Escalation |
| Defense Evasion | Credential Access | Discovery | Lateral Movement |
| Collection | Command and Control | Exfiltration | Impact |
| Network Effects | Remote Service Effects |
ICS ATT&CK Matrix
This matrix is similar to Enterprise ATT&CK, except that it targets industrial control systems (ICS) such as power grids, factories, manufacturing plants, and other organizations. These systems rely on interconnected machines, devices, sensors, and networks.
The matrix describes the lifecycle of an attack against ICS systems, a detailed technical description of each technique and tactic used in a potential attack, its goals, detection methods, and how to mitigate and respond to it.
There are currently 12 tactics in this matrix, as shown below.
| Initial Access | Execution | Persistence | Privilege Escalation |
| Evasion | Discovery | Lateral Movement | Collection |
| Command and Control | Inhibit Response Function | Impair Process Control | Impact |
The MITRE ATT&CK Matrix: Tactics and Techniques
The MITRE ATT&CK knowledge base is rapidly growing as one of the most established and frequently cited security resources for cybersecurity professionals. It is commonly used for SOC, CERT, CTI, and penetration testing, and is cited in many cyberthreat publications.
One of the key benefits of this framework is that networking professionals from different backgrounds can communicate using a common language built around a regularly updated and evolving repository of techniques, tactics, and procedures (TTPs).
Tactics are the most important component of the ATT&CK framework. They provide the reasoning or technical objectives behind a threat technique. These are the tactical objectives of the threat actor — they explain why the attacker initiates a specific offensive action. Tactics used by attackers can include actions like “discover,” “move laterally,” “execute files,” or “persist in the network.”
MITRE ATT&CK techniques, categorized by tactics, are a specific set of technical operations attackers can use to achieve their goals and achieve the goal described in the tactic.
Related content: Read our guide to MITRE ATT&CK framework.
MITRE Matrix Use Cases
MITRE Matrixes are a knowledge base for attacker behavior, and all uses of the Matrix revolve around the exploitation of that knowledge. Matrixes can be used for the following purposes:
- Penetration testing – cybersecurity researchers can use information in the Matrix to replicate and interpret attack techniques. Penetration testers can then use available tools to carry out specific techniques and identify if an organization is vulnerable to them.
- Red team – security teams can use the Matrix to find ways to attack the organization in a training exercise. This can be used to simulate attacks by criminal groups, test the defenses implemented by organizations, or train other teams in defensive techniques. The Matrix also provides a common language that ensures understanding between the organization and the red team when planning actions that may affect production systems.
- Anomaly detection and threat hunting – by understanding and codifying the behavior of other previous attacks, actors, or groups of cybercriminals, security tools and the experts who use them can associate specific indicators of compromise (IoCs) with known exploits or typical behavior of a particular attacker.
- Build defensive countermeasures – knowledge gained from attacks allows security teams to deploy more sophisticated defensive solutions to deter possible attack behavior. Security tools such as firewalls or intrusion detection systems (IDS) can directly consume data from the MITRE Matrix and use it to block specific malicious activities.
Exabeam’s Relationship with MITRE ATT&CK
Exabeam security researchers participate in MITRE ATT&CK discussions and events. They have also contributed several new techniques that are pending publishing and researchers have performed extensive research on how to perform machine learning-based anomaly detection to effectively apply MITRE ATT&CK into the security analyst’s detection arsenal. Exabeam will be adopting MITRE ATT&CK in the Exabeam Security Management Platform and Exabeam Cloud Security Services starting in 2019.