
MITRE ATT&CK in Threat Hunting and Incident Response

MITRE ATT&CK is a publicly maintained knowledge base that catalogs the tactics, techniques, and procedures real adversaries use against enterprise and cloud environments. IR teams use it to map observed attacker behaviour, identify detection gaps with ATT&CK Navigator, and build hunting hypotheses and response playbooks grounded in documented threat intelligence.


MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is an open, community-maintained knowledge base that documents how real threat actors operate inside targeted environments. Organised as a matrix of tactics across the top and techniques beneath each tactic, the framework covers the full intrusion lifecycle, from reconnaissance and resource development through initial access, execution, persistence, privilege escalation, defence evasion, credential access, discovery, lateral movement, collection, command and control, exfiltration, and impact. Each technique entry includes observed real-world procedure examples, associated threat groups, suggested mitigations, and detection guidance tied to specific data sources. IR teams use the framework to translate raw forensic observations into a structured picture of adversary behaviour, to identify which parts of their detection capability are untested, and to prioritise both hunting and playbook development against the techniques most likely to be used by relevant threat actors.

The value of ATT&CK in incident response lies in its shared vocabulary. When an analyst in one country writes that the attacker used T1003.001 (OS Credential Dumping: LSASS Memory), analysts, vendors, and regulators anywhere in the world understand precisely which behaviour was observed. This matters in multi-jurisdictional incidents, which are now routine: a European company breached via a US-hosted command-and-control server by a group attributed to a third country involves law enforcement in several legal systems, each of which may require different notification documentation. ATT&CK-structured incident reports translate across those boundaries more cleanly than narrative descriptions alone.

MITRE began developing ATT&CK in 2013 as an internal tool for documenting adversary behaviour observed during a network-monitoring research project, and released it publicly in 2015. It has since grown into a widely adopted standard used by government agencies, commercial security vendors, and independent IR teams. MITRE updates the framework regularly, normally twice a year, and the community contributes technique additions and refinements. As of Enterprise ATT&CK version 15, the matrix contains 14 tactics and more than 200 techniques, many with sub-techniques providing finer granularity. The framework is not a compliance checklist; it is a living threat model against which a team tests the real coverage of its detective controls.

By the end of this topic you will be able to:

  • Explain the structure of the MITRE ATT&CK matrix, including the distinction between tactics, techniques, and sub-techniques.
  • Use ATT&CK Navigator to map current detection coverage and identify gaps against a specific threat group profile.
  • Formulate a structured threat hunting hypothesis rooted in an ATT&CK technique, including the required data source and expected artefact.
  • Map attacker actions observed during an active incident to specific ATT&CK techniques and use that mapping to anticipate next-stage behaviour.
  • Describe how ATT&CK-aligned playbooks differ from generic runbooks and explain the role of the D3FEND counterpart framework.
Key terms
Tactic
The adversary's tactical goal at a given stage of an attack, represented as columns in the ATT&CK matrix. Examples include Persistence, Lateral Movement, and Exfiltration. Tactics answer the question of why an attacker performs an action.
Technique
A specific method an adversary uses to achieve a tactic. Each technique has a unique identifier such as T1059 (Command and Scripting Interpreter). Techniques answer the question of how an attacker achieves their goal.
Sub-technique
A finer-grained variation of a technique, identified with a decimal suffix such as T1059.001 for PowerShell under the Command and Scripting Interpreter technique. Sub-techniques allow analysts to be precise about which specific method was used.
ATT&CK Navigator
A free, browser-based visualisation tool from MITRE that renders the ATT&CK matrix as an interactive heat map. Teams use it to annotate techniques with colours representing detection coverage, alerting capability, or threat group attribution.
TTP (Tactics, Techniques, and Procedures)
The full description of how an adversary operates. Tactics are goals, techniques are methods, and procedures are the specific implementation details, such as the exact PowerShell command a group uses. ATT&CK codifies TTPs from observed attacks.
Threat group profile
An ATT&CK entry for a named threat actor, listing the techniques attributed to that group based on public reporting. Analysts use group profiles to prioritise detection of techniques relevant to adversaries who target their sector or region.

The ATT&CK matrix: tactics, techniques, and sub-techniques

The ATT&CK matrix organises adversary behaviour into a two-dimensional grid. The columns are the 14 tactics of Enterprise ATT&CK: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, and Impact. These represent the stages of a typical intrusion, though attackers rarely follow them in strict order. An attacker may return to earlier tactics repeatedly, for example establishing new persistence after each lateral movement step.

Each cell in the matrix is a technique. Some techniques are broad categories with multiple sub-techniques beneath them. T1059 (Command and Scripting Interpreter) covers the general category of script-based execution, while T1059.001 covers PowerShell specifically and T1059.003 covers Windows Command Shell. Working at the sub-technique level gives IR analysts precise language that maps directly to specific log sources and detection signatures. Reporting at the technique level is sometimes sufficient for executive communications or regulatory notifications; sub-techniques are the working currency of detection engineers and threat hunters.

Each technique entry on the ATT&CK website includes: a description of what the technique involves, observed real-world procedure examples attributed to specific groups, suggested mitigations, and detection guidance specifying which data sources (process monitoring, network traffic, authentication logs, and so on) are relevant. The detection section does not provide ready-to-use SIEM queries, but it tells analysts where to look and what patterns indicate the technique is in use. Platforms covered per technique tell analysts whether the technique applies to Windows, Linux, macOS, or cloud environments.

Using ATT&CK Navigator to map detection coverage

ATT&CK Navigator renders the full matrix as a colour-coded heat map that a team can annotate. The typical workflow for a coverage assessment starts by loading a blank Enterprise layer and then marking each technique with one of three states: currently alerting (a detection rule fires and generates an alert), currently visible (log data exists but no automated alert), or blind (no data source covers this technique). Colour coding by category makes gaps immediately visible without reading through hundreds of technique descriptions.

Navigator layer colour | Coverage state                                   | Recommended action
Green                  | Alerting: detection rule fires on this technique | Validate rule quality and reduce false-positive rate
Yellow                 | Visible: log data exists, no alert rule          | Write a detection rule or hunting query
Red                    | Blind: no log source covers this technique       | Acquire the data source or accept the risk formally
White (blank)          | Not assessed                                     | Schedule for assessment in next review cycle

Navigator also supports threat group overlay. MITRE publishes group profiles as JSON layer files. Loading a group layer marks all techniques attributed to that group, and overlaying it on your coverage map immediately highlights which of that group's techniques you can detect and which you cannot. A financial services firm concerned about a group known for targeting banking infrastructure can load that group's layer and see, in seconds, whether the techniques they favour are covered by existing rules.

Coverage assessments are most useful when repeated over time. Many teams run a quarterly Navigator review, comparing the current layer to the previous one to confirm that new detection work has moved techniques from red to yellow or green. The layer file format is JSON and can be stored in version control, which gives a historical record of how detection capability has changed. This record is useful both for internal governance and for demonstrating improvement to regulators or insurers following a security audit.
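The three Navigator steps above (build a coverage layer, overlay a group profile, diff two review cycles) as a worked example. This is added code, not from the page or from MITRE: the layer fields used (name, domain, versions, techniques[].techniqueID/color/comment) follow the Navigator layer file format, but the version strings, hex colours, the two coverage maps and the group technique list are constructed for illustration.

```python
"""Build, overlay and diff ATT&CK Navigator coverage layers.

Added example, not code from the page or from MITRE. Layer field names follow
the Navigator layer format; version strings, colours, coverage maps and the
group technique set are assumptions made for illustration.
"""
import json

# Colours from the page's coverage table; the hex values are an assumption.
STATE_COLOUR = {"alerting": "#2ecc71", "visible": "#f1c40f", "blind": "#e74c3c"}
NEXT_ACTION = {
    "alerting": "Validate rule quality and reduce false-positive rate",
    "visible": "Write a detection rule or hunting query",
    "blind": "Acquire the data source or accept the risk formally",
}
# Higher rank = better coverage; unassessed techniques rank with blind ones.
RANK = {"not assessed": 0, "blind": 0, "visible": 1, "alerting": 2}


def build_layer(name, coverage):
    """Turn {technique_id: state} into a Navigator layer dict (serialise with json.dumps)."""
    return {
        "name": name,
        # Assumption: set these to match the Navigator/ATT&CK version you run.
        "versions": {"layer": "4.5", "navigator": "4.9", "attack": "15"},
        "domain": "enterprise-attack",
        "techniques": [
            {"techniqueID": tid, "color": STATE_COLOUR[state],
             "comment": f"{state}: {NEXT_ACTION[state]}"}
            for tid, state in sorted(coverage.items())
        ],
    }


def overlay_group(coverage, group_techniques):
    """Bucket a group's techniques by our coverage state; unmapped ones are 'not assessed'."""
    buckets = {"alerting": [], "visible": [], "blind": [], "not assessed": []}
    for tid in sorted(group_techniques):
        buckets[coverage.get(tid, "not assessed")].append(tid)
    return buckets


def diff_layers(previous, current):
    """Report techniques whose coverage improved or regressed between two reviews."""
    improved, regressed = [], []
    for tid in sorted(set(previous) | set(current)):
        before = previous.get(tid, "not assessed")
        after = current.get(tid, "not assessed")
        if RANK[after] > RANK[before]:
            improved.append((tid, before, after))
        elif RANK[after] < RANK[before]:
            regressed.append((tid, before, after))
    return improved, regressed


# Constructed coverage maps for two quarterly reviews (the technique IDs are real ATT&CK IDs).
Q1_COVERAGE = {
    "T1003.001": "visible", "T1059.001": "alerting", "T1021.002": "blind",
    "T1078": "visible", "T1486": "alerting", "T1055": "blind",
}
Q2_COVERAGE = {
    "T1003.001": "alerting", "T1059.001": "alerting", "T1021.002": "visible",
    "T1078": "visible", "T1486": "visible", "T1055": "blind", "T1537": "blind",
}
# Hypothetical group profile: a real one is the technique list from the group's Navigator layer.
GROUP_TECHNIQUES = {"T1078", "T1021.002", "T1003.001", "T1486", "T1566.001"}

if __name__ == "__main__":
    print(json.dumps(build_layer("Q2 coverage", Q2_COVERAGE), indent=2))
    print(overlay_group(Q2_COVERAGE, GROUP_TECHNIQUES))
    print(diff_layers(Q1_COVERAGE, Q2_COVERAGE))
```

The diff treats "not assessed" and "blind" as the same rank on purpose: a technique that gained a log source but no rule counts as progress, while one that was merely added to the layer without any data does not. Regressions (here T1486 dropping from alerting to visible, which happens when a rule is disabled for noise and never replaced) are exactly what a quarterly review should surface.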

Forming threat hunting hypotheses with ATT&CK

Threat hunting is the proactive search for attacker activity that has not yet triggered automated alerts. An unstructured hunt, one that searches logs with no prior hypothesis, is usually unproductive because the search space is too large. ATT&CK provides the structure: each technique entry specifies data sources, which tells the hunter where to look, and the description of the technique tells the hunter what pattern to look for.

A well-formed hunting hypothesis follows this structure: given that adversaries use technique T[number] ([technique name]) to achieve tactic [tactic name], and given that this technique should produce [specific artefact] in [specific data source], we will search for [observable pattern] in [log or telemetry source] to determine whether this technique has been used in our environment. This format is borrowed from scientific hypothesis design and is more useful than a general suspicion because it produces a testable query and a clear result: either the pattern appears or it does not.

Hypotheses should be prioritised by threat relevance, not by working through the matrix column by column. A useful prioritisation approach compares Navigator coverage gaps against the technique frequency reported in annual threat intelligence reports from CISA, ENISA, or commercial vendors. Techniques that appear repeatedly in the current year's intrusion reports and are currently in your blind or visible zone are the most urgent hunting targets. Techniques that are theoretically possible but have no recent attribution against your sector can be deprioritised.
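The hypothesis template and the prioritisation rule above, carried through for T1003.001 as an added example (not code from the page). The hunt runs over Sysmon Event ID 10 (ProcessAccess) records, the data source the technique's entry points to for LSASS access; the sample events, the JSON field layout, the allowlist of processes that legitimately open lsass.exe and the priority weights are all constructed assumptions that have to be tuned to a real estate.

```python
"""Form an ATT&CK-grounded hunting hypothesis and run it over endpoint telemetry.

Added example, not code from the page. Sample events, field layout, the
allowlist and the priority weights are constructed for illustration.
"""
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Hypothesis:
    technique_id: str
    technique: str
    tactic: str
    artefact: str
    data_source: str
    pattern: str
    telemetry: str

    def statement(self):
        """Render the hypothesis in the page's 'given that ... we will search for ...' form."""
        return (f"Given that adversaries use {self.technique_id} ({self.technique}) to achieve "
                f"{self.tactic}, and given that this technique should produce {self.artefact} in "
                f"{self.data_source}, we will search for {self.pattern} in {self.telemetry} to "
                f"determine whether this technique has been used in our environment.")


LSASS_HYPOTHESIS = Hypothesis(
    technique_id="T1003.001",
    technique="OS Credential Dumping: LSASS Memory",
    tactic="Credential Access",
    artefact="a process handle to lsass.exe with memory-read rights",
    data_source="Process: Process Access",
    pattern="Sysmon Event ID 10 where TargetImage is lsass.exe, GrantedAccess includes "
            "PROCESS_VM_READ, and SourceImage is not an expected system or security process",
    telemetry="Sysmon logs forwarded to the SIEM",
)

PROCESS_VM_READ = 0x0010  # access-mask bit required to read another process's memory
# Assumption: processes that legitimately open lsass.exe in this estate; tune per environment.
ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}


def hunt_lsass_access(events):
    """Return the events matching the hypothesis pattern as compact findings."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 10:
            continue
        target = ev.get("TargetImage", "").lower()
        source = ev.get("SourceImage", "").lower()
        if not target.endswith("\\lsass.exe"):
            continue
        access = int(ev.get("GrantedAccess", "0x0"), 16)
        if not access & PROCESS_VM_READ:
            continue  # handle cannot read memory, so it cannot dump credentials
        if source in ALLOWLIST:
            continue
        hits.append({"host": ev["Computer"], "source": ev["SourceImage"],
                     "access": hex(access), "technique": LSASS_HYPOTHESIS.technique_id})
    return hits


def priority(coverage_state, intel_mentions):
    """Rank a hypothesis: blind or visible techniques seen often in current intel come first."""
    gap = {"blind": 2, "visible": 1, "alerting": 0}[coverage_state]
    return gap * 10 + min(intel_mentions, 9)


# Constructed Sysmon events, one JSON object per line as a log forwarder might emit them.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"EventID": 10, "Computer": "WS-041", "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "Computer": "WS-041", "SourceImage": r"C:\Users\jdoe\AppData\Local\Temp\svc.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "Computer": "WS-017", "SourceImage": r"C:\Windows\System32\taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 1, "Computer": "WS-017", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
])


def run_hunt(log_text=SAMPLE_LOG):
    """Parse JSON-lines telemetry and apply the hunt; returns the list of findings."""
    return hunt_lsass_access(json.loads(line) for line in log_text.splitlines() if line.strip())


if __name__ == "__main__":
    print(LSASS_HYPOTHESIS.statement())
    for hit in run_hunt():
        print(hit)
```

Only the unsigned binary in a user's Temp directory is reported: csrss.exe is allowlisted, and taskmgr.exe's 0x1000 handle (PROCESS_QUERY_LIMITED_INFORMATION) lacks the read bit, so it cannot dump memory. Checking the access mask rather than just the target name is what keeps the hunt from drowning in the routine handles that system processes open on LSASS.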

Mapping observed behaviour during active IR

During an active incident, ATT&CK mapping serves two functions. First, it tells the analyst which tactic stage the attacker has reached and which techniques in adjacent tactics they should look for next. If the attacker has been observed using T1078 (Valid Accounts) for initial access and T1021.002 (Remote Services: SMB/Windows Admin Shares) for lateral movement, the analyst knows the attacker is in the Lateral Movement tactic and should look for Credential Access and Collection techniques that commonly follow. ATT&CK group profiles for the suspected threat actor show which techniques they typically chain together, giving the analyst a search roadmap.

Second, mapping produces documentation that travels well. An IR report that describes events as a sequence of ATT&CK technique IDs can be read by any security team in any country without relying on proprietary terminology. Under the EU's NIS2 Directive, entities in scope must notify their national CSIRT or competent authority of significant incidents: an early warning within 24 hours, an incident notification within 72 hours that includes an initial assessment of severity and impact and any indicators of compromise, and a final report within one month. An ATT&CK-structured technical annex supplies much of that description in a form that is also understood by the US Cybersecurity and Infrastructure Security Agency (CISA), the UK's National Cyber Security Centre (NCSC), and their equivalents in Australia, Canada, and India. India's CERT-In directions require reporting within six hours of noticing an incident for a defined class of incidents; structured ATT&CK notation in the technical description reduces the time analysts need to draft those reports.

Mapping should happen as the investigation proceeds, not only at the end. Real-time mapping lets the IR team communicate attacker progress to stakeholders using consistent terminology and also feeds the containment decision. An attacker who has reached the Collection tactic has likely already accessed target data; containment at that point focuses on blocking exfiltration (the next tactic) rather than stopping collection that may already be complete.
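The two uses of real-time mapping described above (fix the tactic stage reached, and turn the suspected group's profile into a search roadmap that also informs the containment focus) as an added example; this is not code from the page. The tactic order is the Enterprise matrix order. The incident timeline and the group profile are constructed (a real profile would be read from the group's Navigator layer), the tactic on each observation is the analyst's judgement for that event (T1078, for instance, sits under four tactics), and the containment heuristic beyond the Collection case is this example's own.

```python
"""Map observed incident activity to ATT&CK and derive a search roadmap.

Added example, not code from the page. The timeline, the group profile and
the containment heuristic are constructed for illustration.
"""

TACTIC_ORDER = [
    "Reconnaissance", "Resource Development", "Initial Access", "Execution",
    "Persistence", "Privilege Escalation", "Defense Evasion", "Credential Access",
    "Discovery", "Lateral Movement", "Collection", "Command and Control",
    "Exfiltration", "Impact",
]
STAGE = {name: i for i, name in enumerate(TACTIC_ORDER)}

# Constructed incident timeline, mapped by the analyst as the investigation runs.
OBSERVATIONS = [
    {"time": "2024-05-03T08:12Z", "technique": "T1078", "tactic": "Initial Access",
     "evidence": "VPN logon for a contractor account from a previously unseen ASN"},
    {"time": "2024-05-03T08:40Z", "technique": "T1059.001", "tactic": "Execution",
     "evidence": "encoded PowerShell launched in the VPN user's session"},
    {"time": "2024-05-03T09:15Z", "technique": "T1021.002", "tactic": "Lateral Movement",
     "evidence": "ADMIN$ share connections to three file servers"},
]

# Hypothetical group profile subset: technique -> the tactic the group uses it for.
GROUP_PROFILE = {
    "T1078": "Initial Access", "T1059.001": "Execution", "T1021.002": "Lateral Movement",
    "T1003.001": "Credential Access", "T1005": "Collection", "T1041": "Exfiltration",
    "T1486": "Impact",
}


def furthest_stage(observations):
    """Latest tactic stage reached, by matrix order."""
    return max((o["tactic"] for o in observations), key=STAGE.get)


def search_roadmap(observations, profile):
    """Group-attributed techniques not yet observed, grouped by tactic in matrix order.

    Tactics beyond the furthest stage come first (what the attacker is likely to do
    next); tactics at or before it come last, because techniques there may have
    been missed rather than skipped and still need to be hunted."""
    seen = {o["technique"] for o in observations}
    current = STAGE[furthest_stage(observations)]
    pending = {}
    for tid, tactic in profile.items():
        if tid not in seen:
            pending.setdefault(tactic, []).append(tid)
    ahead = [t for t in TACTIC_ORDER if STAGE[t] > current and t in pending]
    behind = [t for t in TACTIC_ORDER if STAGE[t] <= current and t in pending]
    return [(t, sorted(pending[t])) for t in ahead + behind]


def containment_focus(stage):
    """Where containment effort goes; the Collection rule is the page's, the rest is an assumption."""
    if STAGE[stage] >= STAGE["Collection"]:
        return "block exfiltration and impact; assume collection may already be complete"
    if STAGE[stage] >= STAGE["Lateral Movement"]:
        return "cut lateral movement paths and rotate the credentials exposed so far"
    return "isolate the initial foothold and preserve volatile evidence"


if __name__ == "__main__":
    stage = furthest_stage(OBSERVATIONS)
    print("furthest stage:", stage)
    print("containment:", containment_focus(stage))
    for tactic, techniques in search_roadmap(OBSERVATIONS, GROUP_PROFILE):
        print(f"{tactic}: {', '.join(techniques)}")
```

With the timeline above the roadmap lists Collection, Exfiltration and Impact first, then Credential Access: the attacker is past that stage by matrix order, but a group known for LSASS dumping that has already moved laterally almost certainly harvested credentials along the way, so T1003.001 stays on the hunt list rather than being dropped.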

Building ATT&CK-aligned playbooks

A playbook is a documented, step-by-step response procedure for a specific type of incident. Generic runbooks (investigate the alert, isolate the host, collect evidence) are useful starting points but leave too much to analyst judgment in high-pressure situations. ATT&CK-aligned playbooks are specific to a technique or technique cluster: the playbook for a suspected T1486 (Data Encrypted for Impact) event specifies exactly which systems to check first, which log sources to query, which indicators to collect, when to invoke legal counsel, and which regulatory notifications are triggered. The technique ID in the playbook title also connects the response procedure directly to the detection rule or hunting query that triggered it.

The companion MITRE D3FEND framework maps defensive techniques against ATT&CK offensive techniques. Where ATT&CK describes what attackers do, D3FEND describes the corresponding defensive countermeasure: for T1055 (Process Injection), D3FEND lists process lineage analysis and shadow stack comparisons as relevant defensive techniques. Using both frameworks together when building playbooks ensures that each response step has a grounding in both the attack behaviour and the defensive action that counters it.

Playbook testing matters as much as playbook writing. Many organisations conduct tabletop exercises using ATT&CK scenarios: a facilitator presents a sequence of attacker actions described as ATT&CK techniques, and the response team works through the playbook steps. These exercises reveal gaps in playbook logic, missing tool access, and ambiguous escalation criteria before an actual incident exposes them. CISA's Tabletop Exercise Packages, ENISA's exercise materials, and the UK NCSC's Exercise in a Box provide scenarios that teams can use directly or restate in ATT&CK terms.

ATT&CK beyond the enterprise perimeter: cloud, mobile, and ICS

The Enterprise matrix originally focused on on-premises Windows environments but has expanded significantly. Cloud-specific techniques now cover AWS, Azure, GCP, Microsoft 365, and Google Workspace. Techniques such as T1537 (Transfer Data to Cloud Account) and T1530 (Data from Cloud Storage) are specific to cloud-hosted environments and require cloud-native log sources, such as AWS CloudTrail or the Azure Activity Log, rather than endpoint telemetry. IR teams working in hybrid environments typically maintain separate Navigator coverage layers for on-premises and cloud assets, because the data sources and detection approaches differ.
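A hunt for T1537 over CloudTrail, as an added example of why these techniques need cloud-native logs (this is not code from the page or from AWS). Sharing a snapshot with an account outside the organisation is the control-plane artefact the technique leaves and nothing on an endpoint sees it. The records are constructed; their requestParameters layout is an assumption based on the documented ModifySnapshotAttribute (EC2) and ModifyDBSnapshotAttribute (RDS) request shapes, and the organisation account IDs are hypothetical.

```python
"""Hunt for T1537 (Transfer Data to Cloud Account) in AWS CloudTrail records.

Added example, not code from the page or from AWS. Records and the
organisation account list are constructed; the requestParameters layout is an
assumption based on the EC2/RDS snapshot-attribute API shapes.
"""

# Hypothetical set of account IDs that belong to the organisation.
ORG_ACCOUNTS = {"111111111111", "222222222222"}


def _ebs_grantees(params):
    """Accounts (or 'all' for public) added to an EBS snapshot's createVolumePermission."""
    add = params.get("createVolumePermission", {}).get("add", {}).get("items", [])
    return [item.get("userId") or ("all" if item.get("group") == "all" else None) for item in add]


def _rds_grantees(params):
    """Accounts (or 'all') added to an RDS snapshot's 'restore' attribute."""
    if params.get("attributeName") != "restore":
        return []
    return list(params.get("valuesToAdd", []))


# (eventSource, eventName) -> extractor for the accounts the call grants access to.
HANDLERS = {
    ("ec2.amazonaws.com", "ModifySnapshotAttribute"): _ebs_grantees,
    ("rds.amazonaws.com", "ModifyDBSnapshotAttribute"): _rds_grantees,
}


def find_external_snapshot_shares(records, org_accounts=ORG_ACCOUNTS):
    """Findings for snapshot shares to accounts outside org_accounts or to the public."""
    findings = []
    for rec in records:
        handler = HANDLERS.get((rec.get("eventSource"), rec.get("eventName")))
        if handler is None:
            continue
        params = rec.get("requestParameters") or {}
        external = [g for g in handler(params) if g and g not in org_accounts]
        if external:
            findings.append({
                "technique": "T1537",
                "eventName": rec["eventName"],
                "actor": rec.get("userIdentity", {}).get("arn"),
                "sourceAccount": rec.get("recipientAccountId"),
                "sharedWith": external,
                "snapshot": params.get("snapshotId") or params.get("dBSnapshotIdentifier"),
                "time": rec.get("eventTime"),
            })
    return findings


# Constructed CloudTrail records (a slice of a log file's Records array).
SAMPLE_RECORDS = [
    {"eventTime": "2024-05-03T10:02:11Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "ModifySnapshotAttribute", "recipientAccountId": "111111111111",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/backup-svc"},
     "requestParameters": {"snapshotId": "snap-0a1b2c3d4e5f67890",
                           "attributeType": "CREATE_VOLUME_PERMISSION",
                           "createVolumePermission": {"add": {"items": [{"userId": "222222222222"}]}}}},
    {"eventTime": "2024-05-03T10:09:47Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "ModifySnapshotAttribute", "recipientAccountId": "111111111111",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/backup-svc"},
     "requestParameters": {"snapshotId": "snap-0fedcba9876543210",
                           "attributeType": "CREATE_VOLUME_PERMISSION",
                           "createVolumePermission": {"add": {"items": [{"userId": "999999999999"}]}}}},
    {"eventTime": "2024-05-03T10:12:05Z", "eventSource": "rds.amazonaws.com",
     "eventName": "ModifyDBSnapshotAttribute", "recipientAccountId": "222222222222",
     "userIdentity": {"arn": "arn:aws:iam::222222222222:role/DBAdmin"},
     "requestParameters": {"dBSnapshotIdentifier": "prod-customers-20240503",
                           "attributeName": "restore", "valuesToAdd": ["all"]}},
    {"eventTime": "2024-05-03T10:15:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeSnapshots", "recipientAccountId": "111111111111",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/backup-svc"},
     "requestParameters": None},
]


def run_hunt(records=SAMPLE_RECORDS):
    """Apply the hunt to a list of CloudTrail records; returns the findings."""
    return find_external_snapshot_shares(records)


if __name__ == "__main__":
    for finding in run_hunt():
        print(finding)
```

The first record is a routine share between two organisation accounts and produces nothing; the second shares an EBS snapshot with an unknown account and the third makes an RDS snapshot public, which is the same technique with a different API. Keeping the organisation's account list current (from AWS Organizations rather than a hand-maintained set) is what makes this hunt reliable.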

The ICS (Industrial Control Systems) matrix extends ATT&CK to operational technology environments such as power grids, water treatment facilities, and manufacturing systems. Techniques in this matrix, such as T0816 (Device Restart/Shutdown) and T0882 (Theft of Operational Information), reflect attacker behaviour specific to ICS protocols and hardware. IR teams supporting critical infrastructure clients need both the Enterprise and ICS matrices to cover the IT/OT boundary, which is where many sophisticated attacks transition from corporate networks into operational systems. The Triton/TRISIS malware incident, which targeted safety instrumented systems in the Middle East, is documented in the ICS matrix and illustrates the kind of physical consequence that ICS-specific techniques can enable.

The Mobile matrix covers Android and iOS, focusing on techniques relevant to mobile device management, application abuse, and network interception. It is less widely used in enterprise IR than the Enterprise matrix but becomes relevant in investigations involving corporate mobile device fleets, BYOD environments, or targeted surveillance of individuals. Forensic and law enforcement bodies in several countries, including the UK's National Crime Agency and India's Central Forensic Science Laboratory, maintain mobile forensics capabilities; the Mobile matrix gives those investigations a shared vocabulary for the techniques recovered from a device.

Check your understanding

What is the relationship between a tactic and a technique in the MITRE ATT&CK framework?

Key Takeaways

  • ATT&CK organises adversary behaviour into 14 tactics and more than 200 techniques; tactics represent adversary goals and techniques represent specific methods, with sub-techniques providing the granularity needed for detection engineering.
  • ATT&CK Navigator colour-codes the matrix against your current detection capability, revealing blind zones and visible-but-unalerted techniques; overlaying threat group profiles turns the heat map into a prioritised remediation list.
  • Effective hunting hypotheses specify a technique, an expected artefact, and a concrete data source; ATT&CK technique entries provide all three components, reducing hypothesis formation from guesswork to structured derivation.
  • Real-time ATT&CK mapping during an incident tells the team which tactic stage the attacker has reached and which techniques to hunt for next, while producing structured documentation that supports the technical descriptions required by CISA, NCSC, CERT-In, NIS2 and, for financial entities, DORA.
  • ATT&CK-aligned playbooks and the companion D3FEND framework connect each offensive technique to a specific defensive countermeasure; playbooks should be reviewed with each ATT&CK release and tested annually through tabletop exercises.
What is MITRE ATT&CK and how does it differ from a vulnerability database?
MITRE ATT&CK is a knowledge base of adversary tactics, techniques, and procedures (TTPs) observed in real-world attacks. It describes what attackers do after gaining access, such as credential dumping or lateral movement, rather than cataloging software flaws. A vulnerability database like CVE lists weaknesses in products; ATT&CK describes attacker behaviour that may or may not exploit those weaknesses.
What is ATT&CK Navigator and what does it produce?
ATT&CK Navigator is a free, browser-based tool from MITRE that lets teams colour-code individual techniques on the ATT&CK matrix. Teams use it to mark techniques they can currently detect, which reveals blank areas representing coverage gaps. The output is a heat-map layer file that can be shared across teams or compared against threat-group profiles to prioritise new detective controls.
How do IR analysts use ATT&CK during an active incident?
During an incident, analysts map each observed indicator or action to one or more ATT&CK techniques. This tells them which tactic phase the attacker has reached, which techniques in the same or adjacent tactics they should hunt for next, and which techniques are commonly combined by the suspected threat group. Mapping also accelerates post-incident reporting by providing a standardised vocabulary understood by defenders, management, and regulators worldwide.
What is a threat hunting hypothesis and how does ATT&CK support it?
A threat hunting hypothesis is a specific, testable statement about attacker behaviour: for example, that an adversary has used LSASS memory access to dump credentials and those accesses will appear in Windows Security event logs. ATT&CK supports hypothesis formation by documenting the data sources and detection guidance associated with each technique, so hunters know both what to look for and where to look.
Is ATT&CK only relevant to Windows environments?
No. ATT&CK now covers Enterprise (Windows, macOS, Linux, cloud platforms including AWS, Azure, and GCP), Mobile (Android and iOS), and ICS (industrial control systems). Many techniques have platform-specific notes covering which operating systems or cloud services a given technique applies to and what the relevant log sources are.
