The cybersecurity industry has embraced MITRE ATT&CK for good reason: it gives security leaders and practitioners an objective, third-party standard with which to evaluate their own detection coverage and EDR solutions. But even as they recognize its value, many organizations are unsure which specific steps they should take to fully benefit from MITRE ATT&CK.
First, we should cover a few basics about the MITRE ATT&CK framework. Introduced in 2015, MITRE ATT&CK provides a structure for understanding attacker behavior. ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge—it standardizes descriptions of attacker behavior. MITRE maintains separate ATT&CK matrices for enterprise, cloud, and industrial control system (ICS) environments. According to a September 2020 study by UC Berkeley, 81% of surveyed organizations use at least one of the ATT&CK matrices.