Implementing MITRE ATT&CK: How To Successfully Deploy The Leading Cybersecurity Framework In 5 Steps

Understanding your enemy is often the best way to defeat it, especially in cybersecurity.


Cybercriminals aren’t just sending basic phishing emails anymore. Scan and exploit has become the top attack vector, and hackers are using even more sophisticated techniques, such as network sniffing and creating fake authentication mechanisms to gain access to sensitive information.

In this evolving threat landscape, where 35% of attacks exploit a company’s security vulnerabilities, security leaders need to harness every tool at their disposal to protect their companies. That’s where the MITRE ATT&CK® framework comes in. The comprehensive matrix of tactics and techniques that help adopters improve threat prevention, detection and response is considered an essential toolkit by cybersecurity experts—yet many organizations have struggled in adoption and practice. Some are enlisting the help of security service providers like IBM Security Services.

Here, Matt Shriner, global threat management partner and segment leader at IBM Security, and John Velisaris, IBM’s director of threat management services, share how MITRE ATT&CK strengthens enterprise security—and how companies can implement the framework across their organization by following five steps.


Aggregating a body of knowledge from more than 100 security experts and researchers, MITRE ATT&CK provides insight into 11 common tactics and more than 200 techniques hackers use to exploit a company’s security weaknesses—including initial access, privilege escalation, defense evasion and lateral movement. MITRE ATT&CK is similar to the leading federal cybersecurity frameworks, but provides a more operational and tactical roadmap organizations can follow to make decisions about how and where to apply their information security capabilities.

“With MITRE [ATT&CK], you can leverage all of this community knowledge and what your peers are doing. It’s a starting point that says ‘here are the bad guys, here are their techniques and here are their tactics,’ so you can start asking the right questions as opposed to just guessing in the dark,” Shriner says.

Though MITRE ATT&CK is a well-known tool among security leaders, maximizing the value of adopting the framework across the enterprise comes with challenges and requires a high degree of collaboration and buy-in. Many security professionals say they aren’t confident their systems can keep up with the framework. Additionally, competing business priorities often prevent larger companies from making the time and financial commitment to implement MITRE ATT&CK, while a lack of resources often hinders smaller organizations.

But by following five key steps, companies can overcome these obstacles to implement a robust security strategy leveraging MITRE ATT&CK.

Implementing MITRE ATT&CK: A 5-Step Plan

1. Understand Your Business Objectives

Before security leaders develop an implementation strategy, they should start by having a conversation with C-suite executives to understand their most critical business objectives. This understanding ensures that security resources are not only allocated to top business objectives but also position the security team to work alongside business and IT stakeholders.

“Ask: What are your top five or 10 business objectives? If it’s protecting the brand, if it’s protecting critical [intellectual property], if it’s protecting sensitive data around credit cards or patient records, or whatever the case may be—let’s understand what’s important from a security perspective,” Shriner says.

2. Do A Risk Assessment, And Map Use Cases To The MITRE ATT&CK Framework

Next, security leaders should perform an enterprise risk assessment to identify potential security gaps in key business objectives they outline in step one. This should include developing monitoring, detection and response use cases—like monitoring remote access of home-based employees who previously worked in an office or third-party software installed inside the enterprise, for example. This step is where organizational goals—and their associated gaps—become more fully defined and provides a priority list to which the MITRE ATT&CK framework can be applied.

Velisaris says this step is particularly important for blue teams—defensive security professionals—because “with all the new remote access vulnerabilities and potential insider threat use cases, these operators may be working in a space for which they aren’t traditionally familiar or as experienced. MITRE ATT&CK gives them a source of knowledge to help fill their experience gap.”

Velisaris said MITRE ATT&CK gives companies a better understanding of how they may be attacked for specific use cases, which also helps them identify the data and tools necessary for better threat detection.

When aligned to an enterprise risk assessment, these steps can also help security leaders better quantify business and financial risks and effectively communicate these risks to the C-suite to build their buy-in, laying the foundation for a successful implementation strategy.

3. Prioritize High-Risk Systems & Engage Your Red Team

After blue teams have developed the ability to detect relevant threats, they can operationalize the MITRE ATT&CK framework to protect mission-critical systems identified in the enterprise risk assessment.

This step might involve layering artificial intelligence (AI) and machine learning (ML) capabilities on top of a security information and event management (SIEM) platform for greater security automation, such as ML-based identification of anomalous user behavior. Organizations also should have managed detection and response (MDR) capabilities to monitor malicious endpoint and network activity in real time, along with a battle-tested incident response plan informed by their red, or offensive, team.

Velisaris said red teams should be involved as early as possible in MITRE ATT&CK implementation.

“Whoever is doing your red team work, needs to be enabled with MITRE ATT&CK along with your blue team members,” Velisaris says, adding that this ensures red and blue teams operate from the same playbook, use the same nomenclature to assess security threats and work in tandem to improve their ability to protect, detect and respond to adversaries.

4. Conduct A Post-Mortem

Even with robust cybersecurity, some threats will evade an organization’s security controls. When this happens, security teams need to understand why.

“The number one thing security operators fail to do is a post-mortem or root cause analysis,” Velisaris says. “That post-mortem, or lessons-learned exercise, is the most important thing the vast majority of companies don’t do that would have an immediate impact on improving their ability to enhance their security posture. Using MITRE ATT&CK as an analysis lens during a post-mortem can help you improve in detecting and responding to threats earlier and faster, saving time and expense in the future.”

5. Work With A Security Services Provider

While security operators can tackle MITRE ATT&CK implementation internally, their organizations may benefit from collaborating with a managed security service provider (MSSP) or a security consulting provider.

“While a consulting provider can provide a point in time accelerator to maturiing your capability with MITRE [ATT&CK]”, says Velisaris, “managed security services providers have a long term incentive to optimize your ability to detect and respond to threats.”

An MSSP typically works with a wide range of clients across industries and can help organizations understand “which components of MITRE ATT&CK give you the most yield for your investment and which elements are most commonly used by your peers to address their risks,” Velisaris says.

Certain providers also may offer security tools that use MITRE ATT&CK to optimize threat detection. These tools can track a company’s performance against this framework and provide data and insights that not only analyze its risk coverage in MITRE ATT&CK terms but also inform future security investments to shore up areas of weakness.

Though organizations can adopt several approaches, MITRE ATT&CK offers a proven pathway for organizations to strengthen enterprise security. The community aspect of MITRE ATT&CK upends the notion that the best way for companies to improve their security posture is to go it alone.

“We believe security needs to be a team sport,” Shriner says. “We want to change this idea of, ‘You’re left on your own to figure this out and don’t share anything with anybody.’ That’s the old security world. The new security world is, ‘Let’s open source and let’s crowdsource, because there’s a lot out there.’ And it turns out, if you get sharp security folks in a room, really good things happen.”

Learn more about implementing MITRE ATT&CK from IBM Security.

Let’s drive security into the fabric of business, together.