MITRE ATT&CK as a Working Tool
Purpose
Use ATT&CK to organize observed behavior and detection ideas without turning it into attribution evidence.
Practitioner-Level Explanation
ATT&CK is a behavior taxonomy. It helps analysts describe what happened, compare procedures, identify telemetry requirements, and communicate with detection engineers. It does not prove who performed the activity.
A useful mapping includes technique ID, technique name, tactic, procedure, evidence, source, confidence, mapping quality, detection idea, and limitations. Use the Israel CTI TTP To Detection Matrix for concrete examples. Actor-level mappings are weaker than procedure-level mappings tied to telemetry.
CTI Relevance
ATT&CK turns CTI into operational language for hunts, detections, and coverage discussions. It also reveals where reporting is too vague to support engineering.
Common Mistakes
- Mapping every sentence to a technique.
- Using ATT&CK overlap as attribution evidence.
- Ignoring sub-techniques and tactics.
- Claiming detection coverage because a technique appears in a profile.
Practical Workflow
- Extract a behavior, not an actor label.
- Identify the tactic and technique.
- Record the source and evidence label.
- Write the specific procedure.
- Define required telemetry.
- Add a detection or hunt idea.
- Assign mapping quality and limitations.
Example / Mini Case
Weak: "Actor uses PowerShell: T1059.001."
Better: "Reported: actor used PowerShell launched from a shortcut to download a payload. Mapping: T1059.001, medium confidence. Detection idea: shortcut execution spawning powershell.exe with network activity. Limitation: source did not provide command-line examples."
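The workflow steps and the mini case above, as an added example that is not part of the original page: a mapping record with the fields the page lists, a quality check that grades it on the page's own criteria (behavior-based procedure, recorded source and evidence, telemetry, detection idea, limitations), and the mini case's detection idea run over constructed process-creation and network-connection events. The event field names, the "explorer.exe spawns powershell.exe" model of a shortcut launch, and both sample mappings are assumptions made for illustration.

```python
"""Added example: ATT&CK mapping record, quality check, and the mini case's
detection idea applied to constructed telemetry. Not from the original page."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class TechniqueMapping:
    # Field names follow the page's Output Artifact.
    technique_id: str
    technique_name: str
    tactic: str
    procedure: str
    evidence_label: str          # e.g. "Reported" or "Observed"
    source: str
    confidence: str              # "low" | "medium" | "high"
    required_telemetry: List[str] = field(default_factory=list)
    detection_idea: str = ""
    limitations: str = ""


def mapping_quality(m: TechniqueMapping) -> Dict[str, object]:
    """Grade a mapping on the page's checklist and return the reasons, so the
    'mapping quality' field is justified rather than asserted. Word-count
    threshold for a real procedure description is an arbitrary heuristic."""
    problems = []
    if len(m.procedure.split()) < 8:
        problems.append("procedure is a label, not a described behavior")
    if not m.source.strip():
        problems.append("no source recorded")
    if not m.evidence_label.strip():
        problems.append("no evidence label")
    if not m.required_telemetry:
        problems.append("required telemetry not defined")
    if not m.detection_idea.strip():
        problems.append("no detection or hunt idea")
    if not m.limitations.strip():
        problems.append("limitations not stated")
    if m.confidence not in ("low", "medium", "high"):
        problems.append("confidence must be low/medium/high")
    grade = "strong" if not problems else ("usable" if len(problems) <= 2 else "weak")
    return {"quality": grade, "problems": problems}


# Constructed records: the page's weak mapping and its better mapping.
WEAK = TechniqueMapping("T1059.001", "PowerShell", "Execution",
                        "Actor uses PowerShell", "", "", "high")
BETTER = TechniqueMapping(
    "T1059.001", "Command and Scripting Interpreter: PowerShell", "Execution",
    "PowerShell launched from a shortcut file to download a second-stage payload",
    "Reported", "vendor report (constructed reference)", "medium",
    ["process creation with parent image", "network connections by process"],
    "shortcut execution spawning powershell.exe with network activity",
    "source did not provide command-line examples")


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def shortcut_powershell_with_network(process_events, network_events) -> List[int]:
    """Detection idea from the mini case. Assumption: a double-clicked shortcut
    shows up as explorer.exe spawning powershell.exe; a Start-menu launch looks
    the same, so the join on a network connection from that pid is what narrows
    it. Returns the pids that match both conditions."""
    net_pids = {e["pid"] for e in network_events}
    hits = []
    for e in process_events:
        if (_basename(e["parent_image"]) == "explorer.exe"
                and _basename(e["image"]) == "powershell.exe"
                and e["pid"] in net_pids):
            hits.append(e["pid"])
    return hits


# Constructed events approximating a process-creation log and a per-process
# network-connection log. Real field names differ by tool.
PROCESS_EVENTS = [
    {"pid": 4100, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 4120, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe"},
    {"pid": 4130, "parent_image": r"C:\Program Files\Editor\Code.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 4140, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]
NETWORK_EVENTS = [{"pid": 4100, "dest": "203.0.113.7:443"},
                  {"pid": 4130, "dest": "203.0.113.9:443"}]

if __name__ == "__main__":
    print("weak:", mapping_quality(WEAK))
    print("better:", mapping_quality(BETTER))
    print("hits:", shortcut_powershell_with_network(PROCESS_EVENTS, NETWORK_EVENTS))
```

The quality check is deliberately strict about missing telemetry and limitations, because those are the two fields that turn a mapping into something a detection engineer can act on; the detection function shows why the page's "better" mapping still needs its limitation recorded, since without command-line examples the only discriminator left is the parent-child relationship joined with network activity, which will also match benign interactive use.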
Analyst Checklist
- Is the mapping behavior-based?
- Are the source and evidence label recorded?
- Does the mapping include a detection idea?
- Is mapping quality honest?
- Is attribution kept separate?
Output Artifact
Technique ID:
Technique Name:
Tactic:
Procedure:
Evidence Label:
Source:
Confidence:
Required Telemetry:
Detection Idea:
Limitations: