MITRE ATT&CK - how to use the framework to protect your organization
A practical guide to MITRE ATT&CK - tactics, techniques, the ICS model, APT groups. How to implement the framework in your organization with a coverage matrix and prioritization.
In December 2025, a coordinated attack on Polish renewable energy infrastructure - over 30 wind farms, a combined heat and power plant, and a manufacturing company - damaged RTU controller firmware and severed operator communications (CERT Polska report, January 2026). Analyzing the incident using MITRE ATT&CK for ICS made it possible to identify 8 techniques used by the attackers - from Exploit Public-Facing Application (T0819) to Damage to Property (T0879). Without a structured framework, this kind of analysis would have been chaotic and incomplete.
MITRE ATT&CK for ICS enables incident analysis with a precision unavailable from generic threat models. Analyzing any campaign targeting operational technology (OT) infrastructure can reveal dozens of specific techniques - from the method of gaining initial access to the mechanism of destruction. Below we explain how the framework works, what models it covers, and then propose ways to use ATT&CK for security management in your organization. At SEQRED, we help clients move from framework awareness to practical decisions based on ATT&CK data.
What is MITRE ATT&CK and why it matters
From theory to practice - the origins of the framework
To effectively protect an organization, you need to understand how attackers operate. This premise underpins MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) - an open knowledge base of adversary tactics and techniques based exclusively on observations from real-world attacks.
MITRE ATT&CK was created in 2013 as an internal project at the MITRE Corporation, which supports US government agencies. The first public version was released in 2015. Since then, the framework has evolved from a small technique matrix into a comprehensive ecosystem covering three domains, hundreds of techniques, and tools for analyzing them.
Unlike earlier models - Cyber Kill Chain (Lockheed Martin, 2011) or the Diamond Model - MITRE ATT&CK does not merely describe general attack phases. Instead, it catalogs specific techniques: how attackers steal credentials, how they move through networks, what software they use. This is the leap from “what happens” to “how exactly they do it.”
Framework structure - tactics, techniques, procedures
The framework is built on three levels of detail, each answering a different question:
| Level | What it describes | Question | Example |
|---|---|---|---|
| Tactic | The attacker’s objective in a given phase | “What do they want to achieve?” | Initial Access - gaining first access |
| Technique | The method of executing a tactic | “How do they do it?” | Spearphishing Attachment (T1566.001) |
| Procedure | A specific implementation of a technique | “With what tool?” | APT28 sends a Word document with a VBA macro |
Each technique in the MITRE database includes: a description of the mechanism, associated APT groups, known malicious software, recommended detection methods, and mitigations. Since version v18 (October 2025), techniques also include structured Detection Strategies with specific analytical queries.
Three ATT&CK domains
MITRE maintains three separate matrices, each covering a different attack domain. Current data comes from version v18 (October 2025):
| Model | Tactics | Techniques | Sub-techniques | Groups | Software | Application |
|---|---|---|---|---|---|---|
| Enterprise | 14 | 203 | 453 | 150+ | 600+ | Corporate networks (Windows, Linux, macOS, cloud, SaaS) |
| Mobile | 14 | 89 | - | 15+ | 100+ | Mobile devices (Android, iOS) |
| ICS | 12 | 83 | - | 15 | 22 | Industrial control systems (SCADA, PLC, DCS) |
14 Enterprise tactics - anatomy of an attack
The Enterprise model describes the full attack cycle across 14 tactics. The order follows a typical sequence of actions, but attackers do not have to use all tactics or maintain the order.
| No. | Tactic | Description | Example techniques |
|---|---|---|---|
| 1 | Reconnaissance | Gathering information about the target | OSINT, infrastructure scanning |
| 2 | Resource Development | Preparing attack tools and infrastructure | Domain registration, malware compilation |
| 3 | Initial Access | Gaining first access to the network | Spearphishing, exploit of a public-facing service |
| 4 | Execution | Running malicious code | PowerShell, scripts, system APIs |
| 5 | Persistence | Maintaining access after reboot | Scheduled tasks, registry modification |
| 6 | Privilege Escalation | Gaining higher privileges | Kernel exploits, token manipulation |
| 7 | Defense Evasion | Avoiding detection | Obfuscation, timestomping, rootkits |
| 8 | Credential Access | Stealing authentication data | Mimikatz, brute force, keylogging |
| 9 | Discovery | Reconnaissance of the victim environment | Network, service, and user enumeration |
| 10 | Lateral Movement | Moving through the network | RDP, SMB, pass-the-hash |
| 11 | Collection | Gathering data for exfiltration | Screenshots, email capture |
| 12 | Command and Control | Remote communication with infected systems | DNS tunnels, HTTPS C2, Cobalt Strike |
| 13 | Exfiltration | Extracting data from the organization | Encrypted channels, exfiltration via C2 |
| 14 | Impact | Destruction or disruption of operations | Ransomware, wiper, data manipulation |
ATT&CK for ICS - why industrial control systems need a separate model
OT networks differ fundamentally from IT: the priority is availability and physical safety, not data confidentiality. Attackers in an ICS environment have different objectives - manipulating the physical process, damaging equipment, disrupting production. That is why the ICS model includes tactics absent from Enterprise, such as Impair Process Control or Inhibit Response Function.
The ICS model (version v17/v18) covers 12 tactics, 83 techniques, 15 identified threat groups, and 22 types of malicious software. The most active groups and malware in the ICS domain are:
ICS threat groups - top 5 by number of techniques:
| Group | Attribution | ICS techniques | Key campaigns |
|---|---|---|---|
| Sandworm Team | GRU (Russia) | 29 | Industroyer (Ukraine 2016), Industroyer2 (Ukraine 2022), CaddyWiper |
| Dragonfly | FSB (Russia) | 7 | Campaigns against US and European energy sector, Backdoor.Oldrea |
| TEMP.Veles | CNIIHM (Russia) | 6 | TRITON/TRISIS - attack on SIS systems at a petrochemical plant |
| OilRig | Iran | 5 | Campaigns against Middle East energy sector |
| HEXANE | Iran | 5 | Telecommunications and energy sector in the Middle East |
Source: MITRE ATT&CK for ICS v17 (April 2025), data from attack.mitre.org.
ICS malware - top 5 by number of techniques:
Each of the programs below is a specialized tool designed to interact with industrial control systems. Unlike typical IT malware, they operate at the OT protocol level and can directly affect physical processes.
| Malware | ICS techniques | Year | Attack target | Impact |
|---|---|---|---|---|
| Industroyer | 31 | 2016 | Ukrainian power grid (IEC 61850, IEC 60870-5-104, OPC DA) | Blackout in Kyiv - 225,000 consumers without power |
| Stuxnet | 29 | 2010 | Iranian nuclear program (S7-300 PLC, WinCC) | Destruction of ~1,000 uranium centrifuges |
| TRITON | 26 | 2017 | Triconex SIS systems at a petrochemical plant (Saudi Arabia) | Attempted shutdown of safety systems - could have led to a catastrophe |
| INCONTROLLER | 17 | 2022 | Schneider and OMRON controllers (Modbus, OPC UA, CODESYS) | Discovered before deployment - capable of disabling SIS |
| Backdoor.Oldrea | 12 | 2014 | Reconnaissance in energy companies (OPC, process lists, network configuration) | OT infrastructure data collection - preparation for further operations |
Source: MITRE ATT&CK for ICS v17, Mandiant Threat Research, CISA advisories.
ATT&CK Navigator - visualization tool
ATT&CK Navigator is a free web-based tool enabling interactive work with the matrix. It allows you to:
- Color techniques used by specific APT groups
- Overlay layers (e.g., detection coverage vs. threat techniques)
- Export visualizations for reports and presentations
- Compare profiles of different groups
In practice, this lets you see within minutes which techniques of a specific APT group are not covered by your organization’s defenses. The tool is available at attack.mitre.org/matrices/ and as a standalone application on GitHub (mitre-attack/attack-navigator).
How to use ATT&CK in security management
5 steps from framework to decision
Knowing the framework alone is not enough. The value of ATT&CK emerges when it becomes a decision-making tool - helping to prioritize security investments, assess detection coverage, and plan attack simulations. Here is how to approach this systematically.
Step 1: Identify threats relevant to your industry
Instead of analyzing all 200+ Enterprise techniques, start with APT groups active in your industry and region. For the energy sector in Europe, the key groups will be Sandworm Team and Dragonfly; for manufacturing - groups using ransomware with an OT component; for finance - APT38 and FIN7.
Key questions:
- Which APT groups target our industry and region?
- What techniques do they use most frequently?
- What malicious software is associated with them?
- What entry vectors do they prefer?
Step 2: Map existing defenses
Assess which techniques from the threat profile are covered by the organization’s existing defenses (firewalls, EDR, SIEM, network segmentation, access control). Result: a coverage map showing what the organization is protected against and where the gaps are.
Step 3: Analyze gaps and set priorities
Based on comparing threats with defenses, identify critical gaps. Prioritize them according to three criteria: frequency of technique use by threat groups, potential impact on the organization, and cost of mitigation.
Step 4: Build a detection and response plan
For priority techniques, develop detection rules (SIEM, EDR, NDR), response scenarios, and incident playbooks. Since ATT&CK v18, the framework provides ready-made Detection Strategies with specific analytical queries - these are worth using as a starting point.
Step 5: Validate through simulations
The best way to verify is testing under conditions close to real-world scenarios. Penetration testing and Red Team operations simulate real threats mapped to ATT&CK, testing the effectiveness of defenses under controlled conditions. The result of such a test is not just a vulnerability report, but a mapping onto the ATT&CK matrix - you can see exactly which techniques were detected and which went unnoticed.
Example: detection coverage matrix
One of the most practical applications of ATT&CK is the detection coverage matrix - a document mapping techniques to existing and planned detection mechanisms. Below is an example excerpt for the energy sector:
| ATT&CK technique | ID | Existing detection | Planned detection | Priority |
|---|---|---|---|---|
| Spearphishing Attachment | T1566.001 | Email sandbox, anti-spam | Behavioral analysis of attachments | Medium |
| Valid Accounts | T1078 | AD logs, SIEM | MFA enforcement, UEBA | High |
| Lateral Movement via RDP | T1021.001 | Windows Event logs | NDR, RDP segmentation | High |
| Command and Scripting Interpreter | T1059 | EDR on workstations | AMSI logging, script block logging | Medium |
| Data Encrypted for Impact | T1486 | Canary files | EDR behavioral, immutable backups | Critical |
| Exploit Public-Facing Application | T0819 (ICS) | Firewall IDS | OT patch management, anomaly monitoring | Critical |
| Manipulation of Control | T0831 (ICS) | None | DPI of OT protocols, process monitoring | Critical |
| Remote Services | T0886 (ICS) | VPN logs | 2FA, session recording, JIT access | High |
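Steps 1 to 4 above and the coverage matrix excerpt can be produced from data rather than by hand. The Python below is an added example, not code from SEQRED or MITRE: it takes a constructed threat profile and defense inventory, computes the coverage map and the gap list, and emits an ATT&CK Navigator layer (Enterprise domain) that colors gaps red; the technique lists and the Navigator version numbers in the layer are assumptions.

```python
import json

# Constructed threat profile (group -> technique IDs it is assumed to use);
# a real profile would be built from the ATT&CK group pages (Step 1).
THREAT_PROFILE = {
    "Sandworm Team": {"T1566.001", "T1078", "T1021.001", "T1059", "T1486"},
    "Dragonfly": {"T1566.001", "T1078", "T1195", "T1021.001"},
}

# Constructed defense inventory (security tool -> techniques it detects), Step 2.
DEFENSES = {
    "Email sandbox": {"T1566.001"},
    "AD logs + SIEM": {"T1078"},
    "Windows Event logs": {"T1021.001"},
    "EDR on workstations": {"T1059"},
}


def coverage_map(profile, defenses):
    """Coverage map: technique -> number of profiled groups using it and the
    tools that detect it. An empty 'detected_by' list marks a gap."""
    cov = {}
    for techs in profile.values():
        for t in techs:
            cov.setdefault(t, {"groups": 0, "detected_by": []})["groups"] += 1
    for tool, techs in defenses.items():
        for t in sorted(techs & set(cov)):
            cov[t]["detected_by"].append(tool)
    return cov


def gaps(cov):
    """Step 3: uncovered techniques, those shared by the most groups first."""
    return sorted((t for t, e in cov.items() if not e["detected_by"]),
                  key=lambda t: (-cov[t]["groups"], t))


def navigator_layer(cov, name="Coverage vs threat profile"):
    """Navigator layer (Enterprise domain): score = number of groups using the
    technique, red = gap, green = covered. The 'versions' values are assumed."""
    techniques = [{
        "techniqueID": t,
        "score": e["groups"],
        "color": "#8ec843" if e["detected_by"] else "#ff6666",
        "comment": ", ".join(e["detected_by"]) or "GAP",
    } for t, e in sorted(cov.items())]
    return {"name": name, "domain": "enterprise-attack",
            "versions": {"attack": "18", "navigator": "5.1.0", "layer": "4.5"},
            "techniques": techniques}

if __name__ == "__main__":
    cov = coverage_map(THREAT_PROFILE, DEFENSES)
    print("Gaps:", gaps(cov))
    with open("coverage_layer.json", "w") as f:
        json.dump(navigator_layer(cov), f, indent=2)
```

Load the written JSON file as a layer in ATT&CK Navigator to see the gaps highlighted on the matrix; ICS techniques (T08xx) belong in a separate layer with domain ics-attack.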
APT group comparison for the energy sector
ATT&CK Navigator allows you to visually compare the profiles of two groups and identify shared and unique techniques. Below is a comparison of the two most active groups in the energy sector - Sandworm Team and Dragonfly.
| Aspect | Sandworm Team (GRU) | Dragonfly (FSB) |
|---|---|---|
| Active since | 2009 | 2011 |
| Target region | Ukraine, Europe, USA | USA, Europe (including Poland) |
| Strategic objective | Destruction - blackouts, wipers | Reconnaissance - preparation for future operations |
| Initial Access | Spearphishing, supply chain, exploits | Watering hole, supply chain (trojanized updaters) |
| ICS malware | Industroyer, Industroyer2, CaddyWiper | Backdoor.Oldrea (Havex) |
| OT protocols | IEC 61850, IEC 60870-5-104, OPC DA | OPC DA (OPC server scanning) |
| Impact | Direct process manipulation (blackout) | OT topology data collection |
| ICS techniques | 29 | 7 |
Example: technique prioritization matrix
Not all techniques require equal attention. The matrix below helps establish priorities based on three criteria. Scale: 1 (low) - 5 (critical).
| Technique | Frequency | Impact | Ease of mitigation | Final priority |
|---|---|---|---|---|
| Spearphishing (T1566) | 5 | 3 | 3 | High |
| Valid Accounts (T1078) | 5 | 5 | 2 | Critical |
| Exploit Public-Facing App (T1190) | 4 | 5 | 3 | Critical |
| Supply Chain Compromise (T1195) | 3 | 5 | 1 | High |
| Data Encrypted for Impact (T1486) | 4 | 5 | 3 | Critical |
| Manipulation of Control (T0831) | 2 | 5 | 2 | High |
| Remote Services (T0886) | 4 | 4 | 4 | High |
| Scripting/PowerShell (T1059) | 5 | 3 | 4 | Medium |
Frequency: how often the technique appears in threat intelligence reports for the given sector. Impact: potential consequences (5 = impact on physical safety/business continuity). Ease of mitigation: 1 = difficult/costly, 5 = easy to implement.
Framework limitations
MITRE ATT&CK has real limitations worth keeping in mind:
- Technique overlap - complex malware can implement multiple techniques simultaneously (e.g., a PowerShell script executed via CMD, containing exfiltration code). Classification is not always clear-cut
- Lag time - new techniques appear in the database after they have been documented by researchers, which means a delay relative to the latest threats
- Does not replace risk analysis - the framework catalogs “how,” but does not answer “does this apply to my organization.” It requires industry context and risk assessment
- The ICS model is younger - 83 ICS techniques compared to 200+ Enterprise means that certain scenarios may not yet be cataloged
NIST SP 800-53 control mapping
Once you know which techniques are priorities, the natural question is: which NIST SP 800-53 controls address them? Below are key mappings for the most common techniques - useful when preparing compliance documentation (NIS2, DORA, IEC 62443):
| ATT&CK technique | NIST SP 800-53 controls | Control description |
|---|---|---|
| Spearphishing (T1566) | SI-3, SI-4, SI-8 | Malware protection, system monitoring, spam protection |
| Valid Accounts (T1078) | IA-2, IA-5, AC-2 | Multi-factor authentication, credential management, account management |
| Lateral Movement (T1021) | AC-3, AC-4, SC-7 | Access enforcement, information flow control, boundary protection |
| Data Encrypted for Impact (T1486) | CP-9, CP-10, SI-4 | Backups, system recovery, monitoring |
| Exploit Public-Facing App (T1190) | SI-2, RA-5, CM-7 | Patching, vulnerability scanning, function minimization |
| Remote Services OT (T0886) | AC-17, IA-2, AU-2 | Remote access, authentication, event auditing |
| Manipulation of Control (T0831) | SI-4, SC-7, PE-3 | Monitoring, boundary protection, physical access control |
Source: NIST SP 800-53 Rev. 5, MITRE ATT&CK Mitigations mapping.
ATT&CK implementation readiness checklist
The checklist below helps assess what stage the organization is at and what needs to be addressed before full framework implementation.
| Stage | Element | Description |
|---|---|---|
| 1. Threat identification | Industry profile | Identified APT groups active in the industry and region |
| | Priority techniques | List of 15-20 most relevant techniques for the organization |
| | Threat intelligence sources | CTI feed subscriptions (MITRE, CISA, sector ISACs) |
| 2. Coverage assessment | Tool inventory | List of security tools mapped to ATT&CK techniques |
| | Coverage matrix | Visualization in ATT&CK Navigator - covered vs. uncovered techniques |
| | Gap analysis | Report with critical gaps and recommendations |
| 3. Detection building | SIEM/EDR rules | Detection rules for priority techniques |
| | Incident playbooks | Response procedures mapped to ATT&CK tactics |
| | Detection strategies (v18) | Leveraging Detection Strategies from the ATT&CK database |
| 4. Validation | Penetration testing | Simulation of selected techniques under controlled conditions |
| | Red Team / Purple Team | Comprehensive APT campaign simulation |
| | Detection metrics | Time to detect (TTD), technique coverage percentage, false positive rate |
| 5. Continuous improvement | Database updates | Tracking new ATT&CK versions (releases approximately every 6 months) |
| | Incident retrospectives | Mapping every incident to ATT&CK techniques |
| | Reporting | Periodic coverage reports for management and technical teams |
Sources
- MITRE ATT&CK v18 (October 2025)
- MITRE ATT&CK for ICS v17 (April 2025)
- ATT&CK Navigator - matrix visualization tool
- NIST SP 800-53 Rev. 5
- CERT Polska - annual reports
- CISA Alert “Poland Energy Sector Cyber Incident” (February 2026)
- CrowdStrike 2025 MITRE ATT&CK Enterprise Evaluation