MITRE ATT&CK — Tactics, Techniques, and Practical Use in Defense
MITRE ATT&CK (Adversarial Tactics, Techniques & Common Knowledge) is a framework that catalogs adversary behaviors observed in real-world intrusions. Unlike CVEs (which describe vulnerabilities), ATT&CK describes what the attacker does after gaining access to the system.
Framework structure
Tactic (Objective) ──► Technique (How) ──► Sub-technique (Detail)
Example:
Tactic: TA0002 — Execution
Technique: T1059 — Command and Scripting Interpreter
Sub-technique: T1059.001 — PowerShell
The 14 tactics in the Enterprise matrix:
TA0001 Reconnaissance
TA0002 Resource Development
TA0003 Initial Access
TA0004 Execution
TA0005 Persistence
TA0006 Privilege Escalation
TA0007 Defense Evasion
TA0008 Lateral Movement
TA0009 Collection
TA0010 Exfiltration
TA0011 Command and Control (C2)
TA0040 Impact
TA0042 Resource Development
TA0043 Active Reconnaissance
Mapping a real attack
Example: ransomware attack mapped to ATT&CK:
1. T1566.001 — Phishing with malicious attachment
2. T1059.001 — PowerShell executes in-memory stager
3. T1055 — Process injection
4. T1078 — Use of stolen valid credentials
5. T1021.002 — Lateral movement via SMB/Admin$
6. T1082 — System information discovery
7. T1486 — Data encrypted for impact (ransomware)
8. T1490 — Backup removal (vssadmin delete shadows)
This mapping answers: “which controls would have stopped the attack at each stage?”
Detection coverage
Use ATT&CK Navigator to visualize which techniques your organization detects:
Legend (ATT&CK Navigator):
Green — we detect and respond
Yellow — we detect but response is manual
Red — blind spot, no coverage
White — not applicable to our environment
Questions the Navigator answers:
- Which APT28 TTPs do we have covered?
- What are our biggest blind spots?
- If we buy a new control, how much coverage do we gain?
Using ATT&CK to build detections
Each technique lists recommended data sources:
T1059.001 — PowerShell:
Data sources:
- Command: Command Execution
- Module: Module Load
- Process: Process Creation
- Script: Script Execution
Recommended detection:
Monitor Event ID 4104 (ScriptBlock Logging)
and Event ID 4103 (Module Logging) on Windows.
Sample query to cover T1059.001:
Elastic KQL:
event.code: "4104"
AND powershell.file.script_block_text: (*IEX* OR *DownloadString* OR *Invoke-*)
AND NOT powershell.file.script_block_text: *Microsoft*
ATT&CK and Threat Intelligence
APT groups are cataloged with their TTPs:
APT29 (Cozy Bear) — common techniques:
T1566.001 Spearphishing with attachment
T1218.011 Rundll32 for execution
T1027 Payload obfuscation
T1071.001 C2 over HTTP/S
T1003.001 LSASS memory dump (credential access)
Comparing adversary TTPs against your coverage reveals where to invest in detection.
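The comparison described above, as an added example that is not part of the original page: a small Python script that holds a constructed coverage map using the Navigator legend from the text, lists the APT29 techniques from the previous section, reports which of them lack an automated response, and emits a Navigator layer. The LEGEND colours and COVERAGE statuses are constructed sample data; the layer field names (techniqueID, color, comment, legendItems, domain) are assumed from the public layer format.

```python
import json

# Navigator legend from the text; hex colours are constructed placeholders.
LEGEND = {
    "detect_respond": ("Green: we detect and respond", "#2e8b57"),
    "detect_manual": ("Yellow: we detect but response is manual", "#ffd700"),
    "blind_spot": ("Red: blind spot, no coverage", "#d62728"),
    "not_applicable": ("White: not applicable to our environment", "#ffffff"),
}

# Constructed sample coverage map for techniques named on this page.
COVERAGE = {
    "T1566.001": "detect_respond",  # phishing attachment
    "T1059.001": "detect_manual",   # PowerShell: 4104 alert, manual triage
    "T1055": "blind_spot",          # process injection
    "T1082": "not_applicable",
    "T1490": "blind_spot",          # vssadmin delete shadows
    "T1218.011": "blind_spot",      # rundll32
    "T1027": "detect_manual",       # payload obfuscation
    "T1071.001": "detect_respond",  # C2 over HTTP/S
}

# APT29 techniques as listed on this page; T1003.001 is missing from COVERAGE.
APT29_TTPS = ["T1566.001", "T1218.011", "T1027", "T1071.001", "T1003.001"]

def coverage_gaps(coverage, adversary_ttps):
    """Adversary techniques without automated response (unmapped == blind spot)."""
    gaps = {}
    for ttp in adversary_ttps:
        status = coverage.get(ttp, "blind_spot")
        if status in ("blind_spot", "detect_manual"):
            gaps[ttp] = status
    return gaps

def build_layer(coverage, name="Detection coverage"):
    """Navigator layer dict; field names assumed from the public layer format."""
    return {
        "name": name,
        "domain": "enterprise-attack",
        "techniques": [
            {"techniqueID": t, "color": LEGEND[s][1], "comment": LEGEND[s][0]}
            for t, s in sorted(coverage.items())
        ],
        "legendItems": [{"label": l, "color": c} for l, c in LEGEND.values()],
    }

if __name__ == "__main__":
    print(json.dumps(coverage_gaps(COVERAGE, APT29_TTPS), indent=2))
    print(json.dumps(build_layer(COVERAGE)))  # save and open in Navigator
```

The gap report is the list of techniques where a new detection or control would reduce exposure to this group; the layer JSON loads into Navigator to show the same picture visually.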
Adversary emulation (Purple Team)
ATT&CK is the foundation for emulation exercises:
1. Select an APT group relevant to your sector
2. Map group TTPs in the Navigator
3. Red Team executes techniques in a test environment
4. Blue Team checks whether each step was detected
5. Gaps become new detection rules or controls
Emulation frameworks: CALDERA (MITRE), Atomic Red Team (Red Canary).
Resources
- Online matrix: attack.mitre.org
- ATT&CK Navigator: mitre-attack.github.io/attack-navigator
- Atomic Red Team: atomic tests per technique in PowerShell/Bash
- Sigma rules: detection rules mapped to ATT&CK techniques