Definition and purpose

The ATT&CK Framework aims to describe and categorize the actions adversaries may take after they have compromised and gained access to systems. It provides a detailed understanding of attacker actions, organized into matrices of tactics (objectives) and techniques (how those objectives are achieved). By having this information, organizations can better understand the threat landscape, adjust their defenses accordingly, and carry out more effective incident response.

Governing Body

The MITRE Corporation, a not-for-profit organization that operates research and development centers sponsored by the U.S. government, is the governing body for the ATT&CK Framework.

Last updated

The most recent update was released in April 2023. 

Applies to

The MITRE ATT&CK Framework is industry-agnostic and is applicable to any organization or entity interested in understanding cyber adversary behavior and improving their cybersecurity posture. This includes government agencies, private sector companies, academic institutions, and cybersecurity professionals across all industries.

Controls and requirements

The ATT&CK Framework is not a control framework in the traditional sense. Instead, it organizes information into matrices of tactics (columns) and techniques (rows). Some of the tactics include:

• Initial Access
• Execution
• Persistence
• Privilege Escalation
• Defense Evasion
• Credential Access
• Discovery
• Lateral Movement
• Collection
• Exfiltration
• Impact

Under each tactic are multiple techniques that adversaries might employ to achieve that tactic. Each technique further includes detailed information, examples, and mitigations.

Please refer to the official MITRE ATT&CK documentation for a detailed list of controls and requirements.

Audit type, frequency, and duration

The MITRE ATT&CK Framework is primarily a descriptive model rather than a prescriptive set of requirements. As such, it's not used directly for audits. However, organizations can utilize it as a reference or basis for red team exercises, threat hunting, or other security assessments.

Since the framework itself isn't a standard for compliance, there's no set frequency for assessments or audits based on it. However, the frequency of related activities (like red teaming or threat hunting) will vary based on an organization's specific security program and risk tolerance.