Learn about the MITRE ATT&CK Framework for preventing cybersecurity threats, including techniques, procedures, and types of MITRE ATT&CK matrices, as well as careers where you can use this framework.
Cyberattacks pose a significant threat to businesses, government organizations, and even individuals as criminals attempt to access sensitive information such as finances or personal data. In 2024, the average cost of a data breach for organizations in the United States was $9.48 million [1].
MITRE ATT&CK was created in 2013 by MITRE, a non-profit organization that operates federally funded research and development centers. It helps cybersecurity teams test defensive methods, develop incident response plans, and measure how well they can detect attacks. Two years later, MITRE ATT&CK was released to the public at no cost, and it continues to help cybersecurity teams keep systems secure.
Short for MITRE Adversarial Tactics, Techniques, and Common Knowledge, MITRE ATT&CK is a knowledge base that details the different tactics and techniques that adversaries, or cyber attackers, use as well as the platforms they target, based on observations of real attacks that have occurred. Ultimately, MITRE ATT&CK improves communication throughout organizations, helping to better understand what the attacker is trying to accomplish and establishing defensive measures.
Having a free and widely available knowledge base, whether for individual or organizational use, is important since attackers' strategies and methods constantly evolve as new threats emerge. To keep up, new defensive techniques are also necessary to effectively safeguard infrastructure and data.
The MITRE ATT&CK framework contains several tactics, techniques, and procedures. Tactics describe the attacker's goal, while techniques describe how the attacker achieves that goal. Procedures illustrate how the attacker specifically implements the different techniques.
The attacker's goal changes with the stage of the attack, so MITRE ATT&CK defines several tactics, one per goal. For example, reconnaissance covers the stage in which the attacker gathers information that they will later use to plan the attack. Another tactic is initial access, where the attacker's goal is to get a foothold in the network or system.
The techniques described in MITRE ATT&CK show how attackers reach those goals. Each technique entry includes an overview, its sub-techniques, the software attackers have used to carry it out, and guidance on detecting and mitigating it.
Procedures describe how specific adversaries have implemented a technique or sub-technique and the tools they used. With this information, you can learn how to detect a technique and replicate the attack to understand how it plays out in real-life scenarios.
Anyone can use the MITRE ATT&CK framework, whether on behalf of an organization or for personal study. MITRE ATT&CK is especially important in developing cybersecurity methods for government and public sector use cases. As for careers where you can apply it, familiarity with the framework is a valuable skill in any role that contributes to building secure applications and systems, including penetration testers, security analysts, and security platform engineers and developers.
MITRE ATT&CK matrices fall into four types: PRE-ATT&CK, Enterprise, Mobile, and ICS. These classifications sort the techniques by the kind of device or system they apply to.
Certain techniques help attackers prepare before an actual attack occurs, and many of these techniques are hard to detect because they don't happen inside the victim organization's infrastructure; attackers instead rely on information gathered from the outside. The PRE-ATT&CK matrix catalogs these preparatory techniques and helps you check that your information isn't easily obtainable from outside the organization. (MITRE has since folded these techniques into the Enterprise matrix under the Reconnaissance and Resource Development tactics.)
Enterprise matrices cover techniques used against Windows, macOS, Linux, and cloud platforms. The information within the Enterprise matrix includes specific details about enterprise attacks: how attacks happen, the tools and techniques used, and how to identify and mitigate the threat at each stage.
Mobile matrices cover attacks on mobile devices, including the Android and iOS operating systems. These attacks can involve data exfiltration, privilege escalation, and network-based attacks, in which the attacker compromises a mobile device without physical access.
ICS matrices highlight the attacks that adversaries can use against industrial control systems, such as transportation systems or power grids. Operators of these critical services use the ICS matrix to communicate defense strategies openly and to learn how these threats unfold.
MITRE ATT&CK has four primary use cases: detections and analytics; threat intelligence; adversary emulation and red teaming; and assessment and engineering.
Detections and analytics: you can use ATT&CK to build analytics that flag suspicious behaviors and detect specific techniques.
Threat intelligence: ATT&CK gives teams a shared vocabulary for adversary behavior, so threat intelligence can be described and shared consistently.
Adversary emulation and red teaming: ATT&CK lets you replicate known threats and develop plans to defend against them.
Assessment and engineering: lastly, a common use of MITRE ATT&CK is to assess your organization's tools and overall capabilities so you can make better engineering decisions.
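The following example, written for this article and not part of MITRE's own tooling, ties together the tactic/technique/sub-technique hierarchy described earlier and the detection and assessment use cases: it tags a few constructed detection rules with ATT&CK technique IDs and reports per-tactic coverage gaps. The handful of knowledge-base entries are hand-copied public ATT&CK Enterprise IDs; a real assessment would load the full knowledge base instead.

```python
"""Map detection rules to ATT&CK technique IDs and report per-tactic coverage.

Constructed example: the tiny knowledge base below hand-copies a few public
ATT&CK Enterprise entries; a real assessment would load MITRE's full dataset.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Technique:
    tid: str        # technique ID, e.g. "T1566", or sub-technique "T1566.001"
    name: str
    tactics: tuple  # tactic names this technique can serve (one technique, many goals)


KB = {t.tid: t for t in (
    Technique("T1595", "Active Scanning", ("reconnaissance",)),
    Technique("T1566", "Phishing", ("initial-access",)),
    Technique("T1566.001", "Spearphishing Attachment", ("initial-access",)),
    Technique("T1078", "Valid Accounts",
              ("initial-access", "persistence", "privilege-escalation", "defense-evasion")),
    Technique("T1059", "Command and Scripting Interpreter", ("execution",)),
    Technique("T1059.001", "PowerShell", ("execution",)),
)}

# Constructed sample: rules already deployed in a SIEM, tagged with the IDs they detect.
RULES = {
    "mail-attachment-macro": {"T1566.001"},
    "encoded-powershell-cmdline": {"T1059.001"},
    "impossible-travel-login": {"T1078"},
}


def validate_rules(rules, kb=KB):
    """Return tag references that do not resolve in the knowledge base (typos, retired IDs)."""
    return sorted(tid for tids in rules.values() for tid in tids if tid not in kb)


def tactic_coverage(rules, kb=KB):
    """Per tactic: (covered technique IDs, uncovered technique IDs).

    Assumption: detecting a sub-technique also counts as covering its parent,
    since the parent behaviour was observed; the reverse is not assumed."""
    covered = set()
    for tids in rules.values():
        for tid in tids:
            covered.add(tid)
            covered.add(tid.split(".")[0])  # parent technique ID
    by_tactic = defaultdict(lambda: ([], []))
    for t in kb.values():
        for tactic in t.tactics:
            by_tactic[tactic][0 if t.tid in covered else 1].append(t.tid)
    return dict(by_tactic)


def coverage_report(rules, kb=KB):
    """Per tactic: (covered count, total count, sorted list of uncovered IDs)."""
    return {tac: (len(c), len(c) + len(u), sorted(u))
            for tac, (c, u) in tactic_coverage(rules, kb).items()}
```

With the constructed rules, the report shows reconnaissance as the uncovered tactic (T1595 has no rule), which is the kind of gap the assessment use case is meant to surface.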
The attacker's objectives shift as an attack progresses, so you need to apply different MITRE ATT&CK tactics at different stages. Below are some pros and cons of this approach:
Pros:
- Reduces the risk of cyber threats
- Leads to better security design
- Improves threat detection and attack resolution
Cons:
- Requires a thorough understanding of, and continuous learning about, multiple tactics
- Can be resource-intensive to implement and manage
- Because the knowledge base is updated frequently, it can skew toward recently observed techniques, making some methods harder to detect
When using MITRE ATT&CK, remember that not all techniques will apply to your situation. Focus on the most relevant ones rather than trying to understand each and every one. Also keep in mind that a technique may be carried out in several ways, so even after you've identified a threat and how the attackers implemented it, alternative approaches may still exist; be sure to explore all possibilities.
MITRE ATT&CK plays an important role in cybersecurity. With the knowledge it provides, you can help set your organization up for success by protecting valuable data and infrastructure, even against the latest emerging threats.
On Coursera, you can find highly rated courses on which to continue learning about MITRE ATT&CK and cybersecurity. Consider the Google Cybersecurity Professional Certificate, which is designed to help individuals with no previous experience find their first job in the field of cybersecurity, all at their own pace. The courses cover topics such as security models, tools that are used to access and address threats, networks, and more.
[1] Statista. "Average cost of a data breach in the United States from 2006 to 2024," https://www.statista.com/statistics/273575/us-average-cost-incurred-by-a-data-breach/. Accessed March 3, 2025.