MITRE ATT&CK v14 released – Help Net Security

MITRE has released MITRE ATT&CK v14, the newest iteration of its popular investigation framework / knowledge base of tactics and techniques employed by cyber attackers.


ATT&CK’s goal is to catalog and categorize behaviors of cyber adversaries in real-world attacks. The framework is constantly being adapted to include new and modified behaviors related to attackers’ interaction with devices, systems, and networks.

MITRE ATT&CK includes matrices for:

  • Enterprise, which covers tactics and techniques used to target Windows, macOS, Linux, PRE, cloud platforms (Azure AD, Office 365, Google Workspace, SaaS, IaaS), networking devices, and containers
  • Mobile (Android, iOS)
  • ICS (industrial control systems)

“As adversaries continually evolve their exploitation of human vulnerabilities, ATT&CK has expanded its scope with this release, encompassing more activities that are adjacent to, yet lead to direct network interactions or impacts,” Amy L. Robertson, a Senior Cybersecurity Engineer for the MITRE corporation, explained.

“The increased range incorporates deceptive practices and social engineering techniques that may not have a direct technical component, including Financial Theft, Impersonation, and Spearphishing Voice.”

Other changes in MITRE ATT&CK v14:

  • Enhanced detection notes to help defenders detect signs of adversary behavors when analyzing network traffic
  • Enhanced relationships between detections, data sources, and mitigations
  • New Assets (devices and systems) included in the ICS matrix
  • Wider scope of the Mobile matrix (added new phishing vectors, including quishing) and structured detections
  • New software, attack groups, and documented campaigns

Implementing MITRE ATT&CK

A new version of ATT&CK is released every six months.

“What started out as an Excel spreadsheet identifying one adversary and one tactic has transformed into a framework referenced and contributed to by users across the world,” MITRE ATT&CK project leader Adam Pennington recently told Help Net Security.

The framework can be used by organizations to hone their threat model, evaluate vendor capabilities, map detections to make analysts’ jobs easier, employee education, and more.

Organizations should start implementing it slowly, with bite size pieces.

“The framework is divided into techniques, so an organization may begin with a single tactic relevant to their system. For example, if you’re concerned with identity management, you can dig into how adversaries are stealing passwords and identify overlap between their behaviors. Once you reach those prioritization points, it’s easier work backwards and add protections against them,” Pennington advised.

MITRE also works on D3FEND, a technical knowledge base of defensive countermeasures for common offensive techniques that complements the ATT&CK framework.