May 29, 2025
What Is the MITRE ATT&CK Framework? Mapping to Today's Defensive Controls


Threat actors are constantly searching for new ways past your organization’s defenses. Learning these tactics, techniques, and procedures (TTPs) plays an enormous role in cybersecurity. If you understand how a threat actor plans to attack, you can align your defenses to stay one step ahead. The MITRE ATT&CK framework is designed to help you do exactly that.
The MITRE ATT&CK framework is an ever-evolving catalog of the TTPs cyber criminals use in each phase of an attack. With it, your cybersecurity team can pore through attacker strategies and craft controls that keep them out. Here’s how.
What is the MITRE ATT&CK framework?
The MITRE ATT&CK framework is a freely accessible catalog of cybersecurity threats and threat actor tactics. ATT&CK stands for Adversarial Tactics, Techniques & Common Knowledge, and that’s exactly what the framework provides. The non-profit MITRE Corporation collects real-world data on how threat actors work and compiles it in the ATT&CK knowledge base, which it then updates up to twice a year.
Using the MITRE ATT&CK framework is simple. Visiting the website, you’ll see a list of TTPs categorized by their place in the modern kill chain. Click on any one of them and you’ll see how the tactic works, read real-world examples, and learn which controls help address it.
What is the MITRE ATT&CK framework used for?
Better defense planning
Maybe the most obvious benefit of the MITRE ATT&CK framework is that it keeps cybersecurity experts informed. The sooner your security team learns about a possible threat, the sooner they can implement new solutions and policies to defend against it.
The framework also illustrates which controls are the most relevant in today’s environment as opposed to last year’s. By prioritizing those controls, your cybersecurity team can protect your organization more quickly and effectively.
Smarter threat hunting
Automatic threat detection works best on attacks that follow pre-existing patterns. It takes a proactive, human approach to spot cutting-edge breach tactics. By referring to the information in the MITRE ATT&CK framework, your IT team can infer how breach tactics will continue to develop. That positions them for more intelligent and successful threat hunting.
More accurate simulated attacks
Red team exercises — or simulated cyber attacks — are a valuable test of an organization's resilience. With MITRE ATT&CK data, you can design more accurate and effective breach simulations to gauge your policies and solutions. These simulations can help you spot vulnerabilities in your systems before a threat actor does.
Improved communications and forensics
Beyond its invaluable data, the MITRE ATT&CK framework also creates a shared vocabulary in cybersecurity. Although every cyber attack is unique, the broad strokes are often strikingly similar. By standardizing the definitions of key terms, MITRE ATT&CK gets experts on the same page right away. That lets them collaborate more effectively, whether that’s on industry analysis or breach forensics. Incident report software can also use MITRE ATT&CK terminology to provide a high-level understanding of an event in just a few words.
How MITRE D3FEND supplements MITRE ATT&CK
MITRE created the D3FEND matrix to bridge the gap between attacker TTPs and defensive controls. It works like the ATT&CK matrix in reverse. Where ATT&CK shows how attackers try to gain and exploit access, D3FEND shows which controls organizations can use to defend themselves. By clicking on a control in the matrix, you can see the TTPs it’s designed to address. The D3FEND matrix also explains how each control works, giving you a deeper understanding of your system.
For example, clicking on File Encryption in the D3FEND matrix will tell you that this control protects against malicious code injections, internal spearphishing, and several other attack types. By looking at the D3FEND matrix, a cybersecurity expert can ensure that they have all the right protections in place.
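As an added example (not Lookout's or MITRE's code), the following Python sketch shows how the ATT&CK catalog described above and a D3FEND-style control mapping can be combined in practice: it parses a constructed bundle in the shape of MITRE's STIX export, skips revoked entries, and reports which observed techniques are covered by at least one control. The sample objects and the control map are assumptions built for illustration; the File Encryption entry follows the page's own example.

```python
import json
from collections import defaultdict

# Constructed sample mimicking the shape of MITRE's enterprise-attack STIX bundle
# (attack-pattern objects, external_id under source_name "mitre-attack", kill_chain_phases).
def _ap(name, tid, *phases, **extra):
    return {"type": "attack-pattern", "name": name, **extra,
            "external_references": [{"source_name": "mitre-attack", "external_id": tid}],
            "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": p} for p in phases]}

SAMPLE_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--constructed-sample", "objects": [
    _ap("Phishing", "T1566", "initial-access"),
    _ap("Internal Spearphishing", "T1534", "lateral-movement"),
    _ap("Process Injection", "T1055", "defense-evasion", "privilege-escalation"),
    _ap("Command and Scripting Interpreter", "T1059", "execution"),
    _ap("Retired Technique", "T0000", "execution", revoked=True),  # real bundles keep revoked entries
]})

# Constructed control-to-technique map (an assumption in the spirit of D3FEND, not a D3FEND export);
# the File Encryption entry follows the page's example.
CONTROL_MAP = {"File Encryption": {"T1534", "T1055"}, "Email Filtering": {"T1566"}}

def load_techniques(bundle_json):
    """Return {technique_id: (name, [tactic phases])}, skipping revoked/deprecated objects."""
    techniques = {}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "attack-pattern" or obj.get("revoked") or obj.get("x_mitre_deprecated"):
            continue
        ids = [r["external_id"] for r in obj.get("external_references", [])
               if r.get("source_name") == "mitre-attack"]
        tactics = [p["phase_name"] for p in obj.get("kill_chain_phases", [])
                   if p.get("kill_chain_name") == "mitre-attack"]
        if ids:
            techniques[ids[0]] = (obj["name"], tactics)
    return techniques

def coverage_report(techniques, control_map, observed):
    """For observed technique IDs, return ({tid: {controls}}, {uncovered tids}); unknown IDs raise."""
    controls_for = defaultdict(set)
    for control, tids in control_map.items():
        for tid in tids:
            controls_for[tid].add(control)
    unknown = [tid for tid in observed if tid not in techniques]
    if unknown:
        raise KeyError(f"not in bundle (revoked or misspelled?): {unknown}")
    covered = {tid: controls_for[tid] for tid in observed if controls_for[tid]}
    uncovered = {tid for tid in observed if not controls_for[tid]}
    return covered, uncovered
```

Feeding the technique IDs observed during a red team exercise into `coverage_report` turns the framework into a concrete gap list: any ID that lands in `uncovered` has no mapped control and is the first thing to plan for.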
MITRE vs. NIST cybersecurity framework: What’s the difference?
The National Institute of Standards and Technology (NIST) is a federal agency that aims to develop and recommend best practices for federal agencies and private firms. As cybersecurity has grown more important, NIST has focused more and more of its attention on the field.
In 2014, it created the NIST Cybersecurity Framework (CSF). The CSF combined principles from HIPAA, FISMA, and other cybersecurity standards to give organizations a path toward improved resilience. It included instructions, best practices, and desired outcomes for cybersecurity controls and policy. NIST updated the CSF in 2024 to address the evolving threat environment.
MITRE ATT&CK and NIST CSF both aim to help organizations maintain a secure environment, but they do so in different ways.
NIST CSF is more holistic than MITRE ATT&CK. It provides a top-level overview for establishing cybersecurity, and organizations can use the CSF checklist to set a strong defensive foundation. However, CSF doesn’t provide an inventory of attacker tactics or link them to specific controls, and it is updated infrequently. MITRE ATT&CK fills that gap with a focus on understanding and defending against specific TTPs, which can make it more helpful in finding controls that fit your organization. It’s updated at least twice a year, which makes it a valuable ongoing reference point for your defenses.
Recognizing MITRE ATT&CK’s value, NIST has created a tool that maps the controls in its NIST SP 800-53 standard to the ATT&CK framework.
MITRE vs. FedRAMP: How do they relate?
With data increasingly moving to the cloud, the federal government needed standards to ensure agencies and contractors kept that data secure. It established the Federal Risk and Authorization Management Program (FedRAMP) in 2011 to create a cost-effective, risk-based approach to cloud service adoption. Any cloud providers hoping to work with the federal government must have their systems inspected by a FedRAMP-approved third-party assessment organization (3PAO). If they meet the standards set out by NIST SP 800-53, they can begin the process of receiving a FedRAMP Authority to Operate (ATO) and be cleared to work with the government.
In 2021, FedRAMP began moving to a threat-based model. Rather than prescribing the same controls for every organization, this model examined how relevant each control was in the current threat environment and assigned it a score. Assessors could then use those scores to make more agile decisions about whether an organization would receive an ATO.
You may wonder, “What is the MITRE ATT&CK framework’s role in this?” Today, FedRAMP assesses threats using the MITRE ATT&CK framework. As a result, organizations that use MITRE ATT&CK to design their defenses are well-positioned to receive a FedRAMP ATO.
Put the MITRE ATT&CK framework to use
The MITRE ATT&CK framework is an essential resource for cybersecurity, but assembling a piecemeal system of controls can quickly become overly complicated. If you’re looking for a simple, all-encompassing cybersecurity suite built with MITRE ATT&CK in mind, Lookout is here to help.
Lookout Mobile Endpoint Security (MES) is the first mobile endpoint security solution to receive a provisional ATO designation in the FedRAMP Marketplace.