Skip to content

Using MITRE ATT&CK to defend against Advanced Persistent Threats

Nowadays, new techniques are invented on a daily basis to bypass security layers and avoid detection. Thus it is time to figure out new techniques too and defend against cyber threats.

Image Courtesy

Before diving into how to use MITRE ATT&CK framework to defend against advanced persistent threats and protect critical assets, let's explore some important terminologies


By definition, a threat is a potential danger for the enterprise assets that could harm these systems. In many cases, there is confusion between the three terms Threat, Vulnerability and Risk; the first term, as I explained before, is a potential danger while a Vulnerability is a known weakness or a gap in an asset. A risk is a result of a threat exploiting a vulnerability. In other words, you can see it as an intersection between the two previous terms. The method used to attack an asset is called a Threat Vector.

Advanced Persistent Threats

Wikipedia defines an "Advanced Persistence Threat" as follows:

"An advanced persistent threat is a stealthy computer network threat actor, typically a nation-state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period"

To discover some of the well-known APT groups you can check this great resource from FireEye: Advanced Persistent Threat Groups

The Cyber Kill Chain

The Cyber Kill Chain is a military inspired model to describe the required steps and stages to perform attacks. The Cyber Kill Chain framework is created by Lockheed Martin as part of the Intelligence Driven Defense model for identification and prevention of cyber intrusions activity. While a kill chain in military refers to: Find, Fix, Track, Target, Engage and Assess, cyber kill chain refers to: reconnaissance, Initial attack, Command and control, Discover and spread and finally Extraction and exfiltration. Knowing this framework is essential to have a clearer understanding about how major attacks occur.

Image Courtesy

Threat intelligence is an important operation in cyber-security and especially in security operations and incident response. Because as Sun Tzu said:

Image Courtesy

Security operation analysts should be proactive when it comes to gathering information and intelligence about the external threats and adversaries to achieve faster detection.

MITRE ATT&CK Framework

MITRE ATT&CK is a framework developed by the Mitre Corporation. The comprehensive document classifies adversary attacks, in other words, their techniques and tactics after observing millions of real-world attacks against many different organizations. This is why ATT&CK refers to "Adversarial Tactics, Techniques & Common Knowledge".

Nowadays the frameworks provide different matrices: Enterprise, Mobile, and PRE-ATT&CK. Each matrix contains different tactics and each tactic has many techniques.

But wait, what is a tactic and what is a technique?

To understand tactics and techniques we need to understand the pyramid of pain first. The pyramid of pain shows the relationship between the types of indicators found when dealing with adversaries. By indicators, I mean Hash values, IP addresses, Domain names, Network/host artefacts, tools and Tactics, techniques and procedures (TTPs).

Image Courtesy

Tactics, Techniques and procedures (TTPs) are how the attackers are going to achieve their mission. A tactic is the highest level of attack behaviour. MITRE framework present the tactics as the following:

  1. Initial Access
  2. Execution
  3. Persistence
  4. Privilege Escalation
  5. Defense Evasion
  6. Credential Access
  7. Discovery
  8. Lateral Movement
  9. Collection
  10. Exfiltration
  11. Command and Control

Techniques are used to execute an attack successfully. For example, this is information about the "AppCertDLLs" technique

Let's suppose that security analysts receive a report about a new APT group that threats middle east and Africa. We can take "Muddy Water APT" as an example.

Go to

And highlight all the techniques used by Muddy Water APT Group

Export the techniques as SVG

If you are dealing with many APT groups at the same time highlight the techniques using colorful shades depends on how often the technique is used by the APT groups (brightest color = The technique is used by many groups)

Image Courtesy_ _

Now you know your adversaries. It is time to prepare the mitigations (tools and techniques) and discover the gaps in our defenses.

Create a roadmap to improve the defense gaps and update the map accordingly

Mitigations for every technique can be found on


In this module, we learned many important terminologies and how to use MITRE ATT&CK framework to detect advanced persistent threats.