An Actionable Incident Response Plan Template

A quickstart guide to creating a robust incident response plan – designed specifically for companies with cloud-based deployments.

What is the MITRE ATTACK framework?

MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a cybersecurity framework that helps enterprises fortify themselves against cyber threats.

3 minutes read

Also known as MITRE ATT&CK®, it is a free, government-advocated knowledge base comprising attack tactics and techniques of threat actors, common knowledge about them, and how they conduct cyberattacks. The framework was the product of MITRE's Fort Meade Experiment (FMX), which involved researchers simulating the behaviors of threat actors and victims to analyze and optimize data breach responses. 

The nonprofit organization MITRE released MITRE ATT&CK in 2013, and the framework now covers PRE, Windows, MacOS, Linux, networks, containers, mobile, ICS, and the cloud. Among other matrices that MITRE offers, the MITRE ATT&CK cloud matrix is unique because, as its name implies, it specifically focuses on cloud-centric security threats. This includes threats across IaaS, SaaS, and PaaS services from cloud providers like GCP, Azure, and AWS. MITRE’s dedicated cloud matrices for Office 365, Azure AD, Google Workspace, SaaS, and IaaS can be particularly effective for businesses that use these cloud platforms.

With more than 290 million data leaks caused by hackers in 2023, threat modeling using MITRE ATTACK is an invaluable resource for any public or private organization in the crosshairs of cyber adversaries. Its data comes from diverse sources including public threat intelligence, cyber incident reports, and other research initiatives by leading cybersecurity professionals. 

According to ESG, almost half of organizations surveyed in 2022 were using MITRE ATT&CK to strengthen their defenses, while 41% claimed to use the framework occasionally. Furthermore, 19% said that MITRE ATT&CK was critical to future security strategies, and 62% reported that it was very important. In an era where businesses have to reckon with advanced cyber threats, frameworks like MITRE ATT&CK are essential to augment a cloud security stack.

What are the benefits of implementing MITRE ATTACK?

By leveraging the MITRE ATTACK framework, companies can: 

  • Benefit from cyber threat intelligence

  • Communicate about cyber threats using a common language

  • Understand weaknesses in their IT environments from a threat actor’s perspective

  • Assign certain tactics and techniques to specific threat actors

  • Identify ways to optimize and strengthen their cloud security controls and posture based on the volume, nature, and potency of cyberattacks

Understanding MITRE ATTACK TTPs 

MITRE ATTACK features three primary matrices, each of which has specific tactics, techniques, and procedures (TTPs) as well as multiple subtechniques:

  • Enterprise: Focuses on enterprise network security

  • Mobile: Emphasizes mobile-related cyber threats

  • ICS: Focuses on protecting industrial control systems and networks

Note: The Enterprise Matrix has seven platform- and operating system-specific submatrices that focus on SaaS, IaaS, networks, containers, Windows, macOS, Linux, PRE, Azure AD, Office 365, and Google Workspace. 

When speaking about TTPs, tactics describe overall objectives, techniques include the methods adversaries use to meet those objectives, and procedures are the apparatus and tools they use to conduct cyberattacks. 

What are the tactics listed in MITRE ATTACK? 

The following is a breakdown of the 18 attack tactics in the MITRE ATTACK framework, followed by a table showing each matrix and its respective tactics. (Many of the tactics are used by more than one matrix.) 

TacticDescription
ReconnaissanceCollecting data about a potential victim
Resource developmentGathering resources for a potential attack
Initial accessBreaching a network for the first time
ExecutionInjecting malicious code into the victim’s network
PersistenceGaining a foothold in the victim’s IT environment
Privilege escalationSecuring higher access privileges
Defense evasionSidestepping security mechanisms
Credential accessStealing credentials of legitimate accounts
DiscoveryExploring various components of a victim’s network
Lateral movementMoving across a victim’s IT environment
CollectionCollecting sensitive enterprise data
Command and controlCommunicating with hijacked enterprise systems
ExfiltrationStealing sensitive data from enterprises
ImpactDamaging enterprise IT environments
Inhibit Response FunctionPreventing remediation mechanisms from responding to incidents
Impair Process ControlInterfering or deactivating physical control processes

What are the techniques listed in MITRE ATTACK? 

There are too many MITRE ATTACK techniques and subtechniques to explore in a single post. To understand just how many there are in this comprehensive knowledge base, remember that the Enterprise Matrix itself features 185 techniques and 367 subtechniques. 

Below are a few examples of the techniques associated with 16 of the above MITRE ATTACK tactics (MITRE does not list any for Network Effects or Remote Service Effects):

TacticRelated Techniques
ReconnaissanceActive scanning, gathering victim host information, collecting victim network information, and phishing for information
Resource DevelopmentAcquiring access, acquiring infrastructure, compromising accounts, and developing capabilities
Initial Access Content injection, phishing, supply chain compromise, and abuse of valid accounts
Execution Command and script interpreter, interprocess communication, scheduled tasks/jobs, system services, and user execution
Persistence Account manipulation, browser extensions, creating accounts, event-triggered execution, and hijacking execution flow
Privilege EscalationAbusing elevation control mechanisms, accessing token manipulation, account manipulation, and escaping to host
Defense EvasionBuilding image on host, debugger evasion, hiding artifacts, impersonating, masquerading, and obfuscating files or information
Credential AccessUtilizing adversary-in-the-middle, brute force, credentials from password stores, input capture, and network sniffing
DiscoveryAccount discovery, container, and resource discovery, permission groups discovery, software discovery, and virtualization/sandbox evasion
Lateral Movement Exploitation of remote services, internal spearphishing, lateral tool transfer, remote services, and tainting shared content
CollectionAudio capture, automated collection, clipboard data, data from local systems, and data from removable media
Command and Control (C2)Application layer protocol, content injection, fallback channels, protocol tunneling, and traffic signaling
ExfiltrationAutomated exfiltration, data transfer size limits, exfiltration over C2 channel, and exfiltration over another network medium
ImpactData destruction, defacement, disk wipe, financial theft, and firmware corruption
Inhibit Response FunctionAlarm suppression, blocking command messages, blocking reporting messages, and denial of service
Impair Process ControlBrute force I/O, modifying parameters, spoof reporting messages, and unauthorized command messages

How is MITRE ATTACK different from Cyber Attack Chain?

Similar to MITRE ATTACK, Cyber Attack Chain (officially known as the Cyber Kill Chain®) is a cybersecurity framework that can help businesses and their security teams protect themselves from cyberattacks. Lockheed Martin published the Cyber Attack Chain in 2011.

The following table presents seven key differences between MITRE ATTACK and Cyber Attack Chain: 

Mitre AttackCyber Kill Chain
Features 18 tactics across three matricesFeatures 7 tactics: reconnaissance, weaponization, delivery, exploitation, installation, C2, and actions on objectives
Does not establish nor presuppose that cyberattacks follow a particular sequenceStates that all attacks feature the exact sequence of tactics listed above
Does not focus on linear sequences; emphasizes hierarchies of tactics, techniques, and proceduresLinearly anatomizes cyberattacks but doesn’t offer hierarchical breakdowns
Focuses on how cyber adversaries facilitate attacks, why they do so, and with what toolsLacks techniques, subtechniques, and procedures; focuses on a step-by-step breakdown of adversarial behavior
Used by enterprises for protection across a cyberattack lifecycleTypically used in the initial stages of a threat detection process
Regularly updated and improved by the MITRE Corporation and numerous cybersecurity experts (In 2023, MITRE released 25 new software bugs from which businesses must protect themselves.)Does not feature many iterative improvements or community-led contributions
Provides a toolkit for users to design remediation and mitigation playbooksDoes not have any in-depth mitigation strategies businesses can apply to ward off cyberattacks

How Wiz and MITRE ATT&CK can help defend your cloud environments

Choosing the right cloud security platform is a vital decision for businesses. While there are many options in the cloud security market, a crucial factor is whether a cloud security platform weaves in frameworks like MITRE ATT&CK. With Wiz, you get the best of both worlds: a robust platform and game-changing cloud security frameworks.

Wiz's CNAPP is an industry leader that covers detection and response, and Wiz CDR provides correlation across cloud and runtime layers that’s enriched with unmatched context, facilitating rapid triage and response. Another huge benefit? Wiz weaves MITRE ATT&CK into its capabilities by mapping every rule in its rule set to MITRE tactics and techniques, and the Wiz Cloud Threat Landscape maps security incidents to the MITRE ATT&CK framework. Ready to learn more?

Get a demo today to see how Wiz and MITRE ATT&CK can comprehensively protect your cloud platforms. 

See Your Cloud Activities Come to Life

Schedule a demo to learn how Wiz can detect and analyze threats in context so that you can prioritize, investigate, and respond quickly to the right risks.

Get a demo 

Continue reading

What is interactive application security testing (IAST)?

Wiz Experts Team

IAST (Interactive Application Security Testing) is a security testing method that monitors applications in real-time during runtime to detect vulnerabilities by analyzing code behavior and data flow in live environments.

Top OSS SCA tools

Wiz Experts Team

Open-source software (OSS) software composition analysis (SCA) tools are specialized solutions designed to analyze an application's open-source components and dependencies.

The Open-Source CNAPP Toolkit

Wiz Experts Team

With a CNAPP, your team is empowered to pick and choose solutions that best fit your security capability and cost requirements. This article reviews the best open-source CNAPP tools for 2024.