Perhaps the most cited framework in the cybersecurity world is MITRE ATT&CK. Yet most SOC analysts fail to integrate it into their daily workflow: they either use the framework superficially or treat it as a "matrix panel" to look at. In this article we look at how to use the framework in practice.
What is MITRE ATT&CK?
MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a public knowledge base of adversary tactics and techniques derived from real-world attacks. The project, started in 2013, today includes 14 main tactics and more than 200 techniques.
The columns of the matrix are tactics (why something is done), the rows are techniques (how it is done):
| Tactic ID | Tactic | Goal |
|---|---|---|
| TA0001 | Initial Access | First foothold in the environment |
| TA0002 | Execution | Running code |
| TA0003 | Persistence | Staying in the system |
| TA0004 | Privilege Escalation | Gaining higher privileges |
| TA0005 | Defense Evasion | Avoiding detection |
| TA0006 | Credential Access | Stealing credentials |
| TA0007 | Discovery | Exploring the environment |
| TA0008 | Lateral Movement | Moving between systems |
| TA0009 | Collection | Gathering data |
| TA0010 | Exfiltration | Taking data out |
| TA0011 | Command & Control | Command and control channel |
| TA0040 | Impact | Causing damage |
Why is it important?
Three main reasons:
1. Common Language
Writing T1110.001 (Password Guessing) in a report instead of "someone stole the password" standardizes communication. Threat intelligence sharing, vendor reports and regulatory documents all reference ATT&CK.
2. Scope Measurement
You can measure how well your SIEM covers each tactic:
- "We can detect 5 out of 8 techniques of the Credential Access tactic"
- "There are no rules in Persistence — big gap"
This is an objective metric, perfect for presenting to management.
3. Correlation
You know that an attack spans multiple tactics. A "failed login" on its own may be normal, but the same IP then following a Discovery → Execution → Persistence chain is a definite attack.
Practical Example: A Ransomware Attack
Let's map a ransomware attack with ATT&CK:
09:14 Malicious .doc attachment from an e-mail opened
→ T1566.001 (Spearphishing Attachment)
09:15 Macro ran, PowerShell download followed
→ T1059.005 (Visual Basic) + T1059.001 (PowerShell)
09:17 Credential dump from LSASS memory
→ T1003.001 (LSASS Memory)
09:22 SMB share access with admin credentials
→ T1021.002 (SMB/Windows Admin Shares)
09:25 Pass-the-hash to the Domain Controller
→ T1550.002 (Pass the Hash)
09:30 New service created (persistence)
→ T1543.003 (Windows Service)
09:35 Shadow copies deleted
→ T1490 (Inhibit System Recovery)
09:40 Ransomware executed, files encrypted
→ T1486 (Data Encrypted for Impact)
8 different techniques in 26 minutes. Without the ATT&CK map you would see each event on its own but would not recognize the chain.
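The chain logic described above, as an added example (not part of the original article): alerts are mapped to their tactic and a host is reported only when its alerts inside a time window span several distinct tactics, so a lone failed login stays quiet while the ransomware timeline lights up. The host names, timestamps and the technique-to-tactic subset are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Technique -> tactic for the techniques in the timeline above (a hand-built
# subset of the Enterprise matrix; T1550.002 is listed under two tactics in
# ATT&CK and is reduced to Lateral Movement here).
TECHNIQUE_TACTIC = {
    "T1566.001": "Initial Access", "T1059.005": "Execution",
    "T1059.001": "Execution", "T1003.001": "Credential Access",
    "T1110.001": "Credential Access", "T1021.002": "Lateral Movement",
    "T1550.002": "Lateral Movement", "T1543.003": "Persistence",
    "T1490": "Impact", "T1486": "Impact",
}

# Constructed alerts: (host, timestamp, technique). ws-17 follows the
# ransomware timeline; ws-02 is a lone failed login, i.e. normal noise.
ALERTS = [
    ("ws-02", "2024-03-04T09:16:00", "T1110.001"),
    ("ws-17", "2024-03-04T09:14:00", "T1566.001"),
    ("ws-17", "2024-03-04T09:15:00", "T1059.005"),
    ("ws-17", "2024-03-04T09:17:00", "T1003.001"),
    ("ws-17", "2024-03-04T09:22:00", "T1021.002"),
    ("ws-17", "2024-03-04T09:25:00", "T1550.002"),
    ("ws-17", "2024-03-04T09:30:00", "T1543.003"),
    ("ws-17", "2024-03-04T09:35:00", "T1490"),
    ("ws-17", "2024-03-04T09:40:00", "T1486"),
]

def tactic_chains(alerts, window=timedelta(minutes=30), min_tactics=3):
    """Return {host: [tactics in first-seen order]} for each host whose alerts
    inside one `window` span at least `min_tactics` distinct tactics.
    A single alert never qualifies; a multi-tactic chain does."""
    by_host = defaultdict(list)
    for host, ts, tech in alerts:
        by_host[host].append((datetime.fromisoformat(ts), tech))
    chains = {}
    for host, events in by_host.items():
        events.sort()
        for i, (start, _) in enumerate(events):   # slide the window start
            tactics = []
            for ts, tech in events[i:]:
                if ts - start > window:
                    break
                tactic = TECHNIQUE_TACTIC.get(tech, "Unknown")
                if tactic not in tactics:
                    tactics.append(tactic)
            if len(tactics) >= min_tactics:
                chains[host] = tactics   # report the earliest qualifying window
                break
    return chains
```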
How to Integrate into SIEM?
Step 1: Add ATT&CK Tags to Your Rules
Add a technique ID field to each alarm rule (an array column, since one rule often maps to several techniques):
-- one array column holding the ATT&CK technique IDs each rule detects
ALTER TABLE alarm_rules ADD COLUMN mitre_techniques TEXT[];
UPDATE alarm_rules
SET mitre_techniques = ARRAY['T1110.001', 'T1078.002']
WHERE rule_name = 'brute_force_admin';
Step 2: Create Detection Map
Which technique is detected by how many rules?
SELECT
  t.technique,
  COUNT(*) AS detection_count,
  ARRAY_AGG(r.rule_name) AS rules
FROM alarm_rules AS r
-- unnest in FROM rather than in the SELECT list: PostgreSQL does not allow
-- grouping by a set-returning function
CROSS JOIN LATERAL unnest(r.mitre_techniques) AS t(technique)
WHERE r.is_active = TRUE
GROUP BY t.technique
ORDER BY t.technique;
Result:
| Technique | Rules |
|---|---|
| T1110 (Brute Force) | 4 rules |
| T1078 (Valid Accounts) | 2 rules |
| T1003.001 (LSASS) | 0 rules ⚠️ |
| T1486 (Ransomware Encryption) | 1 rule |
There is no LSASS detection at all — a major security gap. It should be prioritized.
Step 3: Heatmap Visualization
Color the ATT&CK matrix according to your detection scope:
- 🟢 Green: 3+ rules
- 🟡 Yellow: 1-2 rules
- 🔴 Red: No rules
This is perfect as a management dashboard.
Step 4: Threat Hunting
Detection rules are reactive — they raise an alarm after an attack occurs. Threat hunting is proactive — it searches without waiting for an alarm.
Hunting queries with ATT&CK:
-- T1059.001 PowerShell: search for encoded commands
SELECT ts, device_hostname, username, extra->>'command_line'
FROM logs
WHERE category = 'powershell'
AND extra->>'command_line' ~* '-enc|-EncodedCommand|FromBase64String'
AND ts > NOW() - INTERVAL '7 days';
-- T1547.001 Registry Run Keys: Persistence check
SELECT ts, device_hostname, extra->>'registry_path'
FROM logs
WHERE event_id = 13 -- Sysmon registry set
AND extra->>'registry_path' ~ 'Run|RunOnce'
AND ts > NOW() - INTERVAL '24 hours';
ATT&CK Navigator
MITRE offers its own tool, ATT&CK Navigator — free, web-based and interactive:
mitre-attack.github.io/attack-navigator
In this tool you can:
- Color the techniques you detect green
- Filter by threat group (APT)
- Export JSON → reporting
- Compare multiple layers
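Steps 2 and 3 of the SIEM integration and the Navigator JSON export, as one added example that is not part of the original article: rules tagged as in Step 1 are turned into a per-technique coverage map, colored with the green/yellow/red thresholds from Step 3, and emitted as an ATT&CK Navigator layer. The rule set, the hex colors and the `versions` values are constructed or assumed for the example.

```python
import json
from collections import defaultdict

# Constructed alarm rules tagged as in Step 1 (the mitre_techniques column).
RULES = [
    {"rule_name": "brute_force_admin", "is_active": True, "mitre_techniques": ["T1110.001", "T1078.002"]},
    {"rule_name": "brute_force_vpn", "is_active": True, "mitre_techniques": ["T1110.001"]},
    {"rule_name": "brute_force_rdp", "is_active": True, "mitre_techniques": ["T1110.001"]},
    {"rule_name": "spray_o365", "is_active": True, "mitre_techniques": ["T1110.003"]},
    {"rule_name": "shadow_copy_delete", "is_active": True, "mitre_techniques": ["T1490"]},
    {"rule_name": "old_lsass_rule", "is_active": False, "mitre_techniques": ["T1003.001"]},  # inactive: must not count
]

# Heatmap thresholds from Step 3: 3+ rules green, 1-2 yellow, none red.
GREEN, YELLOW, RED = "#31a354", "#fed976", "#e31a1c"

def coverage(rules):
    """technique -> sorted names of the active rules that detect it (Step 2)."""
    cov = defaultdict(list)
    for rule in rules:
        if rule["is_active"]:
            for tech in rule["mitre_techniques"]:
                cov[tech].append(rule["rule_name"])
    return {tech: sorted(names) for tech, names in cov.items()}

def color_for(count):
    return GREEN if count >= 3 else YELLOW if count >= 1 else RED

def navigator_layer(rules, expected=(), name="SIEM detection coverage"):
    """Build an ATT&CK Navigator layer as a dict. `expected` lists techniques
    you want covered; any with zero active rules are added in red so the gap
    is visible on the heatmap instead of being blank."""
    cov = coverage(rules)
    techniques = []
    for tech in sorted(set(cov) | set(expected)):
        names = cov.get(tech, [])
        techniques.append({"techniqueID": tech, "score": len(names),
                           "color": color_for(len(names)),
                           "comment": ", ".join(names) or "NO DETECTION"})
    return {"name": name, "domain": "enterprise-attack",
            # format versions of a Navigator 4.x export (assumed values)
            "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
            "techniques": techniques}

def layer_json(rules, expected=()):
    """Serialize the layer; save it as .json and open it in Navigator."""
    return json.dumps(navigator_layer(rules, expected), indent=2)
```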
Threat Actors (Groups)
ATT&CK also profiles threat groups (threat actors). For example:
- G0007 APT28 (Fancy Bear) — Russian GRU, uses 30+ techniques
- G0016 APT29 (Cozy Bear) — SVR, sophisticated persistence
- G0034 Sandworm — NotPetya, attacks on Ukrainian infrastructure
If you know that a group targets your industry (e.g. "banks in Türkiye are targeted by APT41"), look up the techniques that group uses and prioritize detection for them.
D3FEND — The Defensive Counterpart
MITRE has also published D3FEND, a defensive counterpart to ATT&CK, which maps ATT&CK techniques to defensive countermeasures:
- T1110 (Brute Force) → D3-AL (Account Locking), D3-MFA
- T1486 (Encryption) → D3-FHRA (File Hashing), D3-BSE (Backup)
Map your defensive controls onto D3FEND as well.
Summary
- ATT&CK is a lingua franca — 14 tactics, 200+ techniques
- Assign a technique ID to every SIEM alarm rule
- Measure your detection gaps objectively with a coverage map
- Prioritize detection for threat groups targeting your industry
- Organize your threat hunting queries with ATT&CK
- Map your defensive controls with D3FEND