July 6, 2026
Understanding the MITRE ATT&CK Framework: The Periodic Table of Cyber Adversaries
For decades, the cybersecurity industry focused primarily on Indicators of Compromise (IoCs) — static artifacts like file hashes, malicious…

By Tanvi Chauhan
2 min read
For decades, the cybersecurity industry focused primarily on Indicators of Compromise (IoCs) — static artifacts like file hashes, malicious IP addresses, or domain names left behind by an attacker. While tracking IoCs is useful, it represents a reactive approach to defense. Adversaries can easily change an IP address or modify a file's hash to bypass security controls.
To shift the balance of power back to defenders, the industry needed a way to track behaviors rather than just tools. In 2013, the MITRE Corporation released the ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) Framework.
Instead of cataloging what tools an attacker uses, ATT&CK catalogs how attackers behave throughout an entire intrusion lifecycle.
The Structural Anatomy: Tactics vs. Techniques
At its core, the MITRE ATT&CK framework acts like a periodic table of real-world adversarial behavior. It categorizes threat actor behavior into a clear hierarchy, primarily moving from high-level objectives down to the specific technical steps used to achieve them.
1. Tactics (The "Why")
Tactics represent the adversary's immediate tactical objective for performing an action. They answer the question: What is the attacker trying to achieve at this specific stage of the operation? The Enterprise ATT&CK matrix currently outlines 14 distinct tactics that mirror the chronological progression of a network intrusion, including:
- Reconnaissance: Gathering information to plan future adversary operations.
- Initial Access: Trying to get into your network (e.g., Phishing).
- Execution: Running malicious code on a compromised system.
- Persistence: Trying to maintain their foothold across reboots or credential rotations.
- Exfiltration: Stealing confidential data out of your environment.
2. Techniques (The "How")
Techniques represent the specific technical method the adversary uses to achieve a tactic. They answer the question: How does the attacker accomplish their goal? Under each Tactic column sits a deep list of underlying Techniques. For example, under the Persistence tactic, an attacker might use the technique Account Manipulation or Create or Modify System Process.
3. Sub-Techniques (The Granular Breakdown)
Because a single technique can often be executed in entirely different ways depending on the operating system or application architecture, MITRE introduced Sub-Techniques to provide further abstraction.
For instance, under the technique Create or Modify System Process, you will find sub-techniques specifying whether they are manipulating a Windows Service or a Linux Systemd Service.
The Power of Context: Procedures and Groups
The "Common Knowledge" aspect of ATT&CK is what transforms it from a static spreadsheet into a living database of threat intelligence. MITRE continuously maps real-world, observed cyberattacks to the matrix through two data fields:
- Procedures: The exact, documented implementations of a technique used by a threat actor in the wild. If a technique is "Phishing," the procedure details the exact malware variant, scripting language, or delivery mechanism used in a specific campaign.
- Groups: Profiles of known Advanced Persistent Threats (APTs) and cybercrime syndicates. The framework tracks exactly which tactics and techniques specific groups (like APT29 or FIN7) historically rely on, allowing defenders to perform targeted threat modeling.
Theoretical Applications in Defensive Architecture
The structural standardization provided by the MITRE ATT&CK framework allows defensive security teams to solve three critical theoretical challenges in cybersecurity:
1. Gap Analysis and Matrix Mapping
Security architecture teams use the framework to map out their defensive telemetry coverage. By overlaying their existing detection capabilities (EDR rules, SIEM alerts, firewall logs) on top of the ATT&CK matrix, organizations can visually identify blind spots. If a column like Credential Access has no coverage mapping, the team knows exactly where to allocate engineering resources next.
2. Emulation and Adversary Simulation
Instead of running generic vulnerability scans, penetration testers and red teams use the ATT&CK framework to design high-fidelity adversary emulations. By extracting the specific technique profile of a threat actor known to target their industry, the offensive team can replay those exact techniques sequentially to test if the organization's Blue Team can detect the precise behaviors in real time.
3. Normalizing Threat Intelligence
Before ATT&CK, threat intelligence reports from different vendors used varying terminology to describe identical attacks. By referencing explicit MITRE IDs (such as T1566 for Phishing), global security teams can instantly speak a unified language, integrating threat feeds directly into automated security orchestration platforms.