Security+ Academy · Lesson

MITRE ATT&CK Framework for Detection and Response

Map attacker TTPs to MITRE ATT&CK techniques and use the framework to prioritize detection engineering and gap analysis for your security controls.

What Is MITRE ATT&CK?

MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a globally accessible knowledge base of real-world adversary tactics and techniques built from observed threat intelligence. Maintained by the non-profit MITRE Corporation, it is organized as a matrix with tactics (the attacker's goals) as column headings and the techniques that serve each goal listed beneath them; a technique that serves several goals appears under each of those tactics. There are separate matrices for Enterprise, Mobile, and ICS environments, and this lesson uses the Enterprise matrix. ATT&CK is not a checklist or compliance framework: it is a descriptive model of how attackers actually behave, derived from incident reports, threat intelligence, and red team exercises, and it has become the lingua franca of the security industry for describing attacker behavior.

ATT&CK Matrix Structure: Tactics and Techniques

The ATT&CK Enterprise Matrix contains 14 tactics representing the attacker's high-level objectives: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, and Impact. Each tactic contains multiple techniques (specific methods), and many techniques have sub-techniques for more granular descriptions. For example, T1053 (Scheduled Task/Job) has sub-techniques for cron (T1053.003), the Windows Task Scheduler (T1053.005), systemd timers (T1053.006), and container orchestration jobs (T1053.007). T1053 also illustrates that one technique can serve more than one goal: it is listed under Execution, Persistence, and Privilege Escalation, so a detection for it closes a gap in all three columns.

# Example ATT&CK technique notation:
# T1059 - Command and Scripting Interpreter (technique)
# T1059.001 - PowerShell (sub-technique)
# T1059.003 - Windows Command Shell (sub-technique)
# T1059.006 - Python (sub-technique)

# Tactic IDs are "TA" plus four digits (TA0001 Initial Access ... TA0011 Command and Control,
# TA0040 Impact, TA0042 Resource Development, TA0043 Reconnaissance); they are not contiguous,
# and their order does not match the column order of the matrix.
# Technique IDs are "T" plus four digits (T1059); sub-technique IDs append a dot and three
# digits to the parent technique ID (T1059.001). IDs are stable identifiers, not a sequence,
# so never infer anything from gaps in the numbering.
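The following Python script is an added example, not code from the original lesson or from MITRE. It applies the notation above to the gap analysis the lesson title promises: validate technique IDs, roll a parent-level detection down to its sub-techniques, and report which techniques from a threat report have no detection, grouped by tactic. The technique and tactic entries are a constructed hand-written subset of the Enterprise matrix (real tooling loads MITRE's STIX bundle instead), and the observed techniques and detection-rule tags are constructed sample data. Treating a rule tagged with a parent technique as covering all of its sub-techniques is a generous policy choice made here for illustration; many teams count it as partial coverage only.

```python
import re
from collections import defaultdict

# ATT&CK ID grammar: "T" + 4 digits, optionally "." + 3 digits for a sub-technique.
TECHNIQUE_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")

# Constructed subset of Enterprise tactics (IDs and names are real ATT&CK values).
TACTICS = {
    "TA0002": "Execution",
    "TA0003": "Persistence",
    "TA0004": "Privilege Escalation",
    "TA0006": "Credential Access",
    "TA0008": "Lateral Movement",
}

# Constructed subset of Enterprise techniques: id -> (name, tactic IDs it appears under).
TECHNIQUES = {
    "T1059":     ("Command and Scripting Interpreter", ["TA0002"]),
    "T1059.001": ("PowerShell",                        ["TA0002"]),
    "T1059.003": ("Windows Command Shell",             ["TA0002"]),
    "T1053":     ("Scheduled Task/Job",                ["TA0002", "TA0003", "TA0004"]),
    "T1053.005": ("Scheduled Task",                    ["TA0002", "TA0003", "TA0004"]),
    "T1003":     ("OS Credential Dumping",             ["TA0006"]),
    "T1003.001": ("LSASS Memory",                      ["TA0006"]),
    "T1021":     ("Remote Services",                   ["TA0008"]),
    "T1021.002": ("SMB/Windows Admin Shares",          ["TA0008"]),
}

# Constructed sample input: techniques pulled from a threat report on an intrusion set.
OBSERVED = ["T1059.001", "T1053.005", "T1003.001", "T1021.002"]

# Constructed sample input: ATT&CK tags on the detection rules currently deployed.
DETECTIONS = {
    "rule-powershell-encoded-command": ["T1059.001"],
    "rule-any-script-interpreter":     ["T1059"],      # parent-level tag
    "rule-schtasks-create":            ["T1053.005"],
}


def is_technique_id(tid):
    """True if tid has valid ATT&CK technique/sub-technique syntax."""
    return bool(TECHNIQUE_ID.match(tid))


def parse_technique_id(tid):
    """Split an ID into (parent_technique, sub_suffix_or_None); reject malformed IDs."""
    if not is_technique_id(tid):
        raise ValueError(f"not an ATT&CK technique ID: {tid!r}")
    parent, _, sub = tid.partition(".")
    return parent, (sub or None)


def covered_techniques(detections):
    """Set of technique IDs with at least one detection rule.

    A rule tagged with a parent technique is counted as covering the parent and every
    sub-technique in the knowledge base (generous policy, see lead-in).
    """
    covered = set()
    for tags in detections.values():
        for tid in tags:
            parent, sub = parse_technique_id(tid)
            covered.add(tid)
            if sub is None:
                covered.update(t for t in TECHNIQUES if t.startswith(parent + "."))
    return covered


def coverage_gaps(observed, detections):
    """Observed techniques (report order) that no deployed rule covers."""
    covered = covered_techniques(detections)
    return [parse_technique_id(t) and t for t in observed if t not in covered]


def gaps_by_tactic(gaps):
    """Group uncovered techniques by the tactic column(s) they sit under."""
    out = defaultdict(list)
    for tid in gaps:
        for ta in TECHNIQUES[tid][1]:
            out[TACTICS[ta]].append(tid)
    return dict(out)


if __name__ == "__main__":
    gaps = coverage_gaps(OBSERVED, DETECTIONS)
    for tactic, tids in gaps_by_tactic(gaps).items():
        names = ", ".join(f"{t} {TECHNIQUES[t][0]}" for t in tids)
        print(f"{tactic}: no detection for {names}")
```

Running the script with the constructed data reports gaps under Credential Access (T1003.001) and Lateral Movement (T1021.002), which is exactly the prioritized backlog a detection engineer wants: the techniques the adversary is known to use and that nothing currently alerts on. Because a technique appears under every tactic it serves, a single uncovered technique such as T1053 would show up in three columns, which is why the grouping is done per tactic rather than per technique.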

All lessons in this course

  1. APT Lifecycle: Initial Access to Persistence
  2. Lateral Movement: Pass-the-Hash and Pass-the-Ticket
  3. Kerberoasting and Golden Ticket Attacks
  4. MITRE ATT&CK Framework for Detection and Response