MITRE ATT&CK has become the de facto standard for describing adversary behavior. You see technique IDs cited in threat intelligence reports, vendor marketing materials, and conference talks. But for most incident response teams, ATT&CK remains something they read about rather than something they use. That's a missed opportunity. The framework's real value is not as a reference poster on the SOC wall — it's as an operational tool that makes your incident response faster, more structured, and more likely to produce lasting defensive improvements.
This guide covers how to use ATT&CK at every phase of the incident response lifecycle: during active incidents, in post-incident analysis, for gap identification, and for building a detection coverage map that tells you exactly where your blind spots are.
What Is MITRE ATT&CK
MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a knowledge base of adversary behaviors based on real-world observations. It was created by MITRE Corporation in 2013 and has been publicly available since 2015. The framework organizes adversary behavior into two layers: Tactics (the why — the adversary's objective) and Techniques (the how — the specific method used to achieve that objective). Many techniques include Sub-techniques that describe more specific implementations.
The framework is organized as a matrix, with tactics as columns and techniques listed beneath each tactic. The Enterprise ATT&CK matrix covers Windows, macOS, Linux, cloud, network, and container environments. Separate matrices exist for Mobile and Industrial Control Systems (ICS).
The 14 Enterprise tactics, in order, represent the typical progression of an attack:
- Reconnaissance — Gathering information to plan the operation
- Resource Development — Establishing infrastructure and capabilities
- Initial Access — Getting into the target environment
- Execution — Running malicious code
- Persistence — Maintaining a foothold
- Privilege Escalation — Gaining higher-level permissions
- Defense Evasion — Avoiding detection
- Credential Access — Stealing credentials
- Discovery — Understanding the environment
- Lateral Movement — Moving through the network
- Collection — Gathering target data
- Command and Control — Communicating with compromised systems
- Exfiltration — Stealing data out of the environment
- Impact — Disrupting availability or integrity
Each technique is assigned a unique ID (e.g., T1566 for Phishing) and documented with descriptions, procedure examples from real threat groups, detection guidance, and mitigations. This structured format is what makes ATT&CK so powerful for operational use — it transforms vague descriptions like "the attacker moved laterally" into precise, actionable statements like "the attacker used Remote Services: SMB/Windows Admin Shares (T1021.002) to access the file server."
ATT&CK Beyond Threat Intelligence
Most security teams encounter ATT&CK through threat intelligence reports that map threat group activity to specific techniques. That's a valuable use case, but it barely scratches the surface. ATT&CK becomes transformative when you apply it operationally across four areas:
- Active incident response — Using the matrix to predict attacker behavior and prioritize investigation steps
- Detection engineering — Building and organizing detections around techniques rather than individual IOCs
- Gap analysis — Identifying which techniques you can detect, which you can investigate manually, and which you're completely blind to
- Post-incident review — Structuring your incident reports around ATT&CK to produce reusable, comparable findings
The key mindset shift: stop treating ATT&CK as a reference document and start treating it as an operational framework that informs decisions during and after every incident.
Using ATT&CK During an Active Incident
When you're in the middle of an incident, ATT&CK serves as a predictive model. Once you've identified one or two techniques the attacker has used, the matrix helps you anticipate what comes next and focus your investigation accordingly.
Here's how this works in practice. Suppose your SOC receives an alert indicating a user opened a malicious attachment — Phishing: Spearphishing Attachment (T1566.001). The attachment launched a macro that executed a PowerShell command — Command and Scripting Interpreter: PowerShell (T1059.001). You've now identified two techniques in two tactics (Initial Access and Execution).
With ATT&CK as your guide, you know the attacker's likely next moves:
- Persistence — Look for Registry Run Keys (T1547.001), Scheduled Tasks (T1053.005), or WMI Event Subscriptions (T1546.003)
- Defense Evasion — Check for Process Injection (T1055), Masquerading (T1036), or Indicator Removal (T1070)
- Credential Access — Hunt for OS Credential Dumping (T1003), particularly LSASS Memory (T1003.001)
- Discovery — Expect System Information Discovery (T1082), Account Discovery (T1087), and Domain Trust Discovery (T1482)
- Lateral Movement — Watch for Remote Services (T1021), particularly SMB/Windows Admin Shares (T1021.002) or Remote Desktop Protocol (T1021.001)
This is not guesswork. The procedure examples ATT&CK records for real intrusions show these tactics recurring in roughly this order, so consulting the matrix during the investigation points your analysts at the most likely evidence locations instead of searching blindly. Treat each adjacent-tactic technique as a hypothesis to confirm or rule out, and record which ones you actually checked: a tactic where a real search found nothing is evidence, while a tactic nobody looked at is a blind spot.
Practically, this means your Technical Lead should have ATT&CK open during triage. As each new finding is confirmed, map it to a technique and use the adjacent tactics to generate investigation hypotheses. This approach reduces the chance of missing attacker activity that falls outside your initial detection scope.
Mapping Incidents to ATT&CK
Mapping an incident to ATT&CK is a skill that improves with practice. The process is straightforward but requires discipline to avoid common pitfalls.
Step-by-Step Mapping Process
- Identify the action — Start with a specific, observable adversary action from your investigation findings. Example: "The attacker used mimikatz to extract credentials from LSASS memory."
- Determine the tactic — Ask: what was the adversary trying to accomplish? In this case, the goal was obtaining credentials — that's the Credential Access tactic.
- Match the technique — Find the technique that describes the specific method. mimikatz dumping LSASS maps to OS Credential Dumping: LSASS Memory (T1003.001).
- Note the sub-technique — Be as specific as possible. T1003 (OS Credential Dumping) is less useful than T1003.001 (LSASS Memory) because the sub-technique tells you exactly what detection and mitigation to apply.
- Record the evidence — Document what artifacts or logs support this mapping. This creates a defensible, evidence-based mapping rather than an assumption.
Common Mapping Pitfalls
- Over-mapping — Not every observed action maps cleanly to a technique. Resist the temptation to force-fit findings into ATT&CK. If you're uncertain, note it as "possible" rather than "confirmed."
- Under-mapping — This is more dangerous. It happens when you stop mapping after finding the techniques that triggered your initial detection. The attacker almost certainly performed additional techniques that you didn't detect — use the matrix to identify what those might be and investigate further.
- Mapping tools instead of behaviors — ATT&CK describes behaviors, not tools. mimikatz can perform multiple techniques (credential dumping, pass-the-hash, Kerberos ticket manipulation). Map the behavior, not the tool name.
- Ignoring sub-techniques — Mapping only to the parent technique loses specificity. "OS Credential Dumping" tells you much less than "OS Credential Dumping: DCSync." Sub-techniques drive actionable detection and mitigation.
ATT&CK-Based Gap Analysis
After every incident, you have the raw material for a powerful gap analysis. The incident showed you which techniques you detected and which you missed. ATT&CK provides the structure to turn that into a prioritized detection roadmap.
The process works like this:
- Map the incident — Document every confirmed ATT&CK technique from the investigation.
- Categorize your detection performance — For each technique, classify how you discovered it:
- Detected automatically — Your SIEM, EDR, or other tools generated an alert that the SOC acted on
- Found during investigation — You discovered the technique yourself through log review, hunting, or forensic analysis while the incident was open
- Missed entirely — Neither your tooling nor your own investigation surfaced it; you learned of it from external intelligence, a third party, or forensic work performed after the incident was closed
- Identify investigation gaps — Review the ATT&CK tactics between Initial Access and the attacker's final objective. Are there tactics where you found no techniques at all? That likely means the attacker used techniques you didn't detect rather than skipping entire tactics.
- Prioritize new detections — Focus on techniques that were missed entirely and are commonly used by threat actors relevant to your industry.
The gap analysis is only valuable if you act on it. Each missed technique should generate a detection engineering task with a clear owner, target data source, and implementation timeline. Track these tasks against a quarterly review cycle to ensure continuous improvement.
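The mapping steps and the gap analysis above are easier to apply consistently when the findings are recorded as structured data rather than prose. The following is an added example, not the article's or MITRE's own tooling: it records each finding with its tactic, evidence, and discovery category, flags the mapping pitfalls (parent-only IDs, missing evidence, malformed IDs), groups confirmed findings in matrix order, lists the tactics between Initial Access and the last observed tactic that have no findings, and emits a prioritized detection backlog. The sample findings are constructed to follow the phishing-to-LSASS chain the article walks through; the tactic identifiers use the hyphenated form ATT&CK tooling uses.

```python
"""Record ATT&CK mappings for an incident and derive a gap analysis from them.

Added example for this article, not the article's or MITRE's own tooling.
The findings below are constructed for illustration; the technique IDs are
the ones the article cites.
"""
import re
from dataclasses import dataclass

# The 14 Enterprise tactics in matrix order, using the identifiers ATT&CK tooling uses.
TACTICS = [
    "reconnaissance", "resource-development", "initial-access", "execution",
    "persistence", "privilege-escalation", "defense-evasion", "credential-access",
    "discovery", "lateral-movement", "collection", "command-and-control",
    "exfiltration", "impact",
]

# Technique IDs look like T1003 or T1003.001; anything else is a typo, not a technique.
TECHNIQUE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")

# How the technique came to light: the three gap-analysis categories.
DETECTED, INVESTIGATED, MISSED = "detected", "investigated", "missed"


@dataclass
class Finding:
    technique_id: str
    name: str
    tactic: str
    evidence: list[str]             # artifacts that support the mapping
    discovered_by: str              # DETECTED, INVESTIGATED or MISSED
    confidence: str = "confirmed"   # or "possible" when the mapping is uncertain


def validate(finding: Finding) -> list[str]:
    """Return the mapping-discipline problems with one finding (empty means clean)."""
    problems = []
    tid = finding.technique_id
    if not TECHNIQUE_ID.match(tid):
        problems.append(f"{tid}: not a valid technique ID")
    elif "." not in tid:
        problems.append(f"{tid}: parent technique only; record the sub-technique if one fits")
    if finding.tactic not in TACTICS:
        problems.append(f"{tid}: unknown tactic {finding.tactic!r}")
    if not finding.evidence:
        problems.append(f"{tid}: no evidence recorded; the mapping is an assumption")
    if finding.discovered_by not in (DETECTED, INVESTIGATED, MISSED):
        problems.append(f"{tid}: unknown discovery category {finding.discovered_by!r}")
    return problems


def confirmed(findings: list[Finding]) -> list[Finding]:
    return [f for f in findings if f.confidence == "confirmed"]


def by_tactic(findings: list[Finding]) -> dict[str, list[Finding]]:
    """Group confirmed findings in matrix order: the skeleton of a tactic-by-tactic report."""
    grouped: dict[str, list[Finding]] = {t: [] for t in TACTICS}
    for f in confirmed(findings):
        grouped[f.tactic].append(f)
    return {t: fs for t, fs in grouped.items() if fs}


def investigation_gaps(findings: list[Finding]) -> list[str]:
    """Tactics from Initial Access up to the last observed tactic that have no findings.

    An empty tactic in the middle of a chain usually means undetected activity,
    not that the attacker skipped it, so each one is an investigation hypothesis.
    """
    observed = {f.tactic for f in confirmed(findings)}
    if not observed:
        return []
    start = TACTICS.index("initial-access")
    last = max(TACTICS.index(t) for t in observed)
    return [t for t in TACTICS[start:last + 1] if t not in observed]


def detection_tasks(findings: list[Finding]) -> list[dict]:
    """Detection-engineering backlog: missed techniques first, then manually found ones."""
    rank = {MISSED: 0, INVESTIGATED: 1}
    tasks = [
        {"technique": f.technique_id, "name": f.name, "tactic": f.tactic,
         "status": f.discovered_by, "owner": None, "data_source": None, "due": None}
        for f in confirmed(findings) if f.discovered_by in rank
    ]
    return sorted(tasks, key=lambda t: (rank[t["status"]], TACTICS.index(t["tactic"])))


# Constructed findings following the article's phishing scenario.
SAMPLE = [
    Finding("T1566.001", "Spearphishing Attachment", "initial-access",
            ["mail gateway log: invoice.docm delivered to user"], DETECTED),
    Finding("T1059.001", "PowerShell", "execution",
            ["EDR alert: winword.exe spawned powershell.exe with an encoded command"], DETECTED),
    Finding("T1547.001", "Registry Run Keys / Startup Folder", "persistence",
            ["Sysmon EID 13: value added under HKCU Software\\Microsoft\\Windows\\CurrentVersion\\Run"], INVESTIGATED),
    Finding("T1003.001", "LSASS Memory", "credential-access",
            ["memory image: open handle to lsass.exe from an unsigned binary"], MISSED),
    Finding("T1021.002", "SMB/Windows Admin Shares", "lateral-movement",
            ["Security EID 5140: ADMIN$ accessed from the user's workstation"], INVESTIGATED),
]

if __name__ == "__main__":
    for f in SAMPLE:
        for problem in validate(f):
            print("WARN", problem)
    for tactic, fs in by_tactic(SAMPLE).items():
        print(tactic, [f.technique_id for f in fs])
    print("investigate next:", investigation_gaps(SAMPLE))
    for task in detection_tasks(SAMPLE):
        print("backlog:", task["technique"], task["status"])
```

Run as a script it prints the tactic-ordered findings, the three empty tactics in the sample chain (Privilege Escalation, Defense Evasion, Discovery) as investigation hypotheses, and the backlog with the missed LSASS technique at the top. The owner, data source and due date fields are left empty on purpose: they are what the detection engineering task tracker fills in.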
Building a Detection Coverage Map
A detection coverage map is a visual representation of your organization's ability to detect ATT&CK techniques. ATT&CK Navigator, an open-source web application maintained by MITRE, is the standard tool for building these maps.
To create an effective coverage map, use a three-tier color scheme:
- Green — Automated detection — You have a detection rule that fires automatically when this technique is used. The rule has been tested, tuned, and is monitored by your SOC.
- Yellow — Manual investigation capability — You collect the data needed to identify this technique, but you don't have an automated alert. An analyst could find it during a threat hunt or investigation.
- Red — No coverage — You don't collect the relevant data sources and have no way to detect this technique, even during a dedicated investigation.
Building the initial map is a substantial effort, but the result is one of the most powerful artifacts your security program can produce. It tells you, at a glance, where your blind spots are. Update it quarterly and after every significant incident or detection engineering sprint.
Some practical tips for maintaining the map:
- Start with high-priority techniques — You don't need to map all 200+ techniques on day one. Start with the top 40–50 techniques most commonly seen in your industry.
- Validate, don't assume — A detection rule that exists is not the same as a detection rule that works. Test each "green" technique against a simulated attack (tools like Atomic Red Team can help).
- Layer multiple maps — Create separate layers in ATT&CK Navigator for different sources (EDR detections, SIEM rules, network detections) and overlay them to see your composite coverage.
- Share across teams — The coverage map should be visible to detection engineers, threat hunters, IR analysts, and security leadership. It drives priorities across all these functions.
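Navigator layers are plain JSON, so the coverage map can be generated from the data each tool owner maintains rather than coloured by hand. The following is an added example, not MITRE's Navigator code: it overlays several per-source coverage maps into a composite (a technique gets the best tier any source provides), downgrades any "automated" claim that has not been exercised by a simulated attack so an untested rule never shows green, and emits a layer in the three-tier colour scheme. The per-source dictionaries and the validated set are constructed, and the version numbers in the versions field are assumed (set them to match the Navigator release you load the layer into).

```python
"""Build an ATT&CK Navigator layer from per-source detection coverage maps.

Added example for this article; it is not MITRE's Navigator code. The
coverage dictionaries and the validated set are constructed, and the
"versions" values are assumed.
"""
import json

# The article's three tiers, ordered worst to best so a higher index is better coverage.
TIERS = ["none", "manual", "automated"]
COLORS = {"none": "#e74c3c", "manual": "#f1c40f", "automated": "#2ecc71"}  # red, yellow, green


def composite_coverage(*sources: dict[str, str]) -> dict[str, str]:
    """Overlay several per-source maps; a technique gets the best tier any source gives it.

    A technique that no source mentions is left out rather than marked 'none':
    red should mean "assessed and no data", not "nobody looked".
    """
    merged: dict[str, str] = {}
    for source in sources:
        for tid, tier in source.items():
            if tier not in TIERS:
                raise ValueError(f"{tid}: unknown tier {tier!r}")
            if tid not in merged or TIERS.index(tier) > TIERS.index(merged[tid]):
                merged[tid] = tier
    return merged


def navigator_layer(name: str, coverage: dict[str, str], validated: frozenset = frozenset()) -> dict:
    """Emit a Navigator layer (JSON-serialisable dict) colouring each technique by tier.

    'automated' only earns green once the rule has been exercised by a simulated
    attack; otherwise it is shown yellow with a comment, so an untested rule never
    looks like coverage.
    """
    techniques = []
    for tid, tier in sorted(coverage.items()):
        shown, comment = tier, ""
        if tier == "automated" and tid not in validated:
            shown = "manual"
            comment = "detection rule exists but has not been validated against a simulated attack"
        techniques.append({
            "techniqueID": tid,
            "color": COLORS[shown],
            "score": TIERS.index(shown),
            "comment": comment,
            "enabled": True,
        })
    return {
        "name": name,
        "versions": {"attack": "15", "navigator": "5.0.0", "layer": "4.5"},  # assumed values
        "domain": "enterprise-attack",
        "description": "green = automated and validated, yellow = manual or untested, red = no data",
        "techniques": techniques,
        "legendItems": [{"label": t, "color": COLORS[t]} for t in reversed(TIERS)],
    }


# Constructed per-source maps: what each tool owner claims for a handful of techniques.
EDR_COVERAGE = {"T1003.001": "automated", "T1055": "automated",
                "T1547.001": "manual", "T1021.002": "manual"}
SIEM_COVERAGE = {"T1003.001": "manual", "T1021.002": "automated",
                 "T1566.001": "automated", "T1482": "none"}
# Rules that actually fired during a purple-team or Atomic Red Team exercise.
VALIDATED = frozenset({"T1003.001", "T1566.001"})


def build_layer() -> dict:
    return navigator_layer("Detection coverage (composite)",
                           composite_coverage(EDR_COVERAGE, SIEM_COVERAGE), VALIDATED)


if __name__ == "__main__":
    print(json.dumps(build_layer(), indent=2))
```

Redirect the script's output to a file and open it in Navigator. Keeping one input dictionary per source (EDR, SIEM, network) and generating the composite from them is what makes the "layer multiple maps" tip cheap to maintain: each team updates its own map and the overlay is regenerated.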
Post-Incident Reporting with ATT&CK
Structuring your incident reports around ATT&CK produces reports that are clearer, more consistent, and more useful for long-term defensive improvement.
Instead of writing a narrative that weaves together findings chronologically, organize the technical findings section around ATT&CK tactics. Walk through the attack chain tactic by tactic, documenting each technique the attacker used, the evidence supporting the mapping, and the detection or gap status for each.
This approach provides three concrete benefits:
- Standardized language — Everyone reading the report — from junior analysts to the CISO — works from a shared vocabulary. "The attacker used T1021.002 (Remote Services: SMB/Windows Admin Shares)" is unambiguous in a way that "the attacker moved to other systems" is not.
- Comparability across incidents — When all your incidents are mapped to ATT&CK, you can compare them. You might discover that three unrelated incidents all exploited the same Credential Access technique — a clear signal that detection improvement there should be a priority.
- Direct input to gap analysis — The ATT&CK-structured report feeds directly into your detection coverage map. Each incident automatically updates your understanding of what you can and cannot detect.
Common ATT&CK Mappings by Attack Type
While every incident is unique, certain attack types share common technique patterns. Use these as starting points when investigating specific incident types.
Ransomware
- Initial Access: Phishing (T1566), External Remote Services (T1133), Exploit Public-Facing Application (T1190)
- Execution: PowerShell (T1059.001), Windows Command Shell (T1059.003)
- Persistence: Valid Accounts (T1078), Scheduled Task (T1053.005)
- Credential Access: LSASS Memory (T1003.001), DCSync (T1003.006)
- Lateral Movement: SMB/Windows Admin Shares (T1021.002), RDP (T1021.001)
- Impact: Data Encrypted for Impact (T1486), Inhibit System Recovery (T1490)
Business Email Compromise
- Initial Access: Phishing (T1566), Valid Accounts (T1078)
- Persistence: Additional Cloud Credentials (T1098.001)
- Collection: Email Collection (T1114), Email Forwarding Rule (T1114.003). Forwarding rules keep the attacker reading mail after the session is lost, but ATT&CK files them under Collection, not Persistence, so map them there.
- Defense Evasion: Modify Authentication Process (T1556)
APT / Espionage
- Initial Access: Supply Chain Compromise (T1195), Spearphishing Attachment (T1566.001)
- Defense Evasion: Process Injection (T1055), Rootkit (T1014), Obfuscated Files or Information (T1027)
- Credential Access: Kerberoasting (T1558.003), DCSync (T1003.006)
- Collection: Data Staged (T1074), Archive Collected Data (T1560)
- Exfiltration: Exfiltration Over C2 Channel (T1041), Exfiltration Over Web Service (T1567)
These mappings are starting points, not exhaustive lists. Real incidents will include techniques not listed here, and some incidents will skip techniques you expect. Use ATT&CK as a guide, not a checklist.
Strengthen Your Detection Coverage
ForgeWork helps organizations build ATT&CK-based detection strategies, run gap analyses, and develop detection engineering programs that close the blind spots attackers exploit.