PRACTITIONER GUIDE | DETECTION ENGINEERING
Practitioner GuideUpdated 13 min read

How to Use MITRE ATT&CK When You Read a Threat Report: Technique IDs to Defensive Actions

200+
ATT&CK techniques across 14 tactics in Enterprise ATT&CK v16
73%
Security practitioners who see ATT&CK IDs in reports without a defined workflow for acting on them (SANS 2025)
5
Initial access techniques covering 80% of confirmed intrusion paths in 2025-2026 campaigns
43
Average ATT&CK technique coverage for enterprises with mature SIEM and EDR telemetry

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

Threat reports list MITRE ATT&CK technique IDs. Knowing T1566.001 appears in a CISA advisory tells you nothing operationally useful unless you know what detection opportunity that technique ID represents and which specific control or rule it implies you should deploy.

ATT&CK is the most widely cited threat intelligence framework in the industry and among the most poorly operationalized. According to the SANS 2025 Threat Intelligence Survey, 73% of security practitioners report seeing ATT&CK technique IDs in threat reports and advisories without a defined workflow for translating those IDs into defensive action.

This guide provides a three-step workflow for closing that gap: identify the technique and its context in the report, find the detection opportunity ATT&CK documents for it, and implement the specific control or rule your environment needs. A real CISA advisory walkthrough demonstrates the workflow in practice. The final section maps the 10 most frequently cited ATT&CK techniques from 2025 to 2026 threat reports to their immediate defensive actions.

How ATT&CK Is Structured: Tactics, Techniques, and Sub-Techniques

ATT&CK organizes adversary behavior into three levels that each serve a different defensive purpose:

Tactics represent the attacker's goal at each stage of an intrusion. There are 14 tactics in Enterprise ATT&CK: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, and Impact. The tactic tells you what phase of the kill chain the attacker was operating in.

Techniques represent how the attacker achieved a tactic goal. T1566 (Phishing) is a technique under the Initial Access tactic. The technique number, T followed by four digits, is what threat reports and CISA advisories cite. There are over 200 techniques in Enterprise ATT&CK.

Sub-techniques represent specific implementations of a technique. T1566.001 is Spearphishing Attachment, a specific variant of T1566 Phishing. T1566.002 is Spearphishing Link. Sub-techniques use a four-digit dot-decimal notation. When a report cites a sub-technique, it is telling you the specific delivery mechanism or implementation used.

Why this structure matters for defenders: the tactic tells you what phase the attacker was in, the technique tells you what category of activity to detect, and the sub-technique tells you which specific detection logic to write or control to enable.

A threat report that lists T1078.002 (Valid Accounts: Domain Accounts) is not just telling you the attacker used a stolen credential. It is specifying the account type (domain accounts), which implies specific detection logic: alert on domain account authentication events occurring outside of normal business hours or from unexpected source geolocations or IP ranges.

The 3-Step Workflow: Technique ID to Deployed Control

Step 1: Go to attack.mitre.org and look up the technique

Search the technique ID directly at attack.mitre.org. The technique page shows three sections that drive your defensive response:

  • Procedure examples: Real-world threat actors and malware families confirmed using this technique. This tells you which groups are actively weaponizing it and whether those groups target your sector.
  • Mitigations: Specific security controls MITRE recommends to prevent or reduce the technique's effectiveness, labeled with M-codes (for example, M1032 Multi-factor Authentication, M1040 Behavior Prevention on Endpoint).
  • Detections: Specific data sources and behavioral patterns for identifying the technique in your environment, labeled with DS-codes (for example, DS0022 File, DS0009 Process).

Step 2: Map the detection to your data sources

The Detections section on each technique page lists the data sources required to detect it. If you do not have those data sources ingested into your SIEM or EDR, you cannot detect the technique regardless of how many rules you have deployed.

For example, T1003.001 (OS Credential Dumping: LSASS Memory) requires Process Access telemetry from your EDR and command-line argument logging from Sysmon or equivalent. If your SIEM does not receive process access events from your EDR, you have a detection gap for this technique.

For each data source gap you identify, decide: enable the data source (preferred, costs ingest volume), create a compensating detective control using a different data source that partially covers the technique, or accept the gap and document it explicitly.

Step 3: Deploy or validate the specific rule or control

Sigma rules, Elastic detection rules, and Splunk Enterprise Security content are organized by ATT&CK technique IDs. Search your detection platform's rule library for the technique ID to find pre-built detection logic ready to deploy.

For techniques where no pre-built rule exists in your platform, use ATT&CK's detection guidance to write your own. The Detection field on each technique page describes the behavioral pattern to detect in plain language, translate that into your SIEM's query language.

For mitigation-first approaches where detection is insufficient, implement the ATT&CK-recommended mitigations in the order listed. Controls labeled as Technique type directly reduce exploitation risk. Those labeled Response type are reactive.

Step 1: Look up the technique at attack.mitre.org

The technique page shows procedure examples (who is using it now), mitigations (what prevents it), and detections (what data sources and logic catches it).

Step 2: Map detections to your data sources

No data source means no detection. Identify gaps before writing or deploying rules so you know what you are and are not able to catch.

Step 3: Deploy or validate the rule or control

Search your platform's rule library by technique ID. Sigma and Elastic detection rules are tagged by ATT&CK ID and deployable in minutes.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Worked Example: Walking Through a Real CISA Advisory

CISA Advisory AA23-319A on Scattered Spider (also known as UNC3944) lists T1621 (Multi-Factor Authentication Request Generation) among its documented techniques. This is the MFA fatigue technique where the attacker sends repeated push notification challenges hoping the target approves one under the assumption it is a system glitch.

Step 1, Look up T1621 at attack.mitre.org. Procedure examples show Scattered Spider, LAPSUS$, and multiple financially motivated threat actors confirmed using this technique against large enterprise targets. Mitigations list M1032 (Multi-factor Authentication) with a specific note: use phishing-resistant MFA (FIDO2 hardware keys or passkeys) rather than push-based MFA, as push-based MFA is the attack surface this technique exploits. Detections reference DS0002 User Account monitoring for anomalous MFA request volume per user per time window.

Step 2, Map to your data sources. Do your MFA logs flow into your SIEM? Azure AD / Entra ID and Okta both generate MFA challenge logs but many organizations do not ingest them. Check whether your SIEM receives authentication events with MFA challenge results and failure reasons. If not, this is a data source gap. Enabling Entra ID sign-in log ingestion into Microsoft Sentinel or your SIEM closes this gap and unlocks detection for multiple additional techniques.

Step 3, Deploy the detection and mitigation. The detection rule logic: alert when a single user account generates more than 3 failed MFA push challenges within a 10-minute window originating from a single external IP. This is a simple rule in any SIEM query language and catches MFA fatigue attacks with high precision and low false positive rate. The mitigation: enroll all privileged accounts in FIDO2 hardware security keys or enable number matching in your MFA provider, making push-fatigue attacks non-functional against those accounts.

Two concrete deliverables from one technique ID in one advisory: a deployed SIEM detection rule and a privileged account MFA hardening task. For the full ATT&CK-mapped breakdown of a China-nexus nation-state intrusion using a similar technique chain, see the UNC5221 BRICKSTORM analysis which applies this workflow across 12 techniques from a confirmed 393-day intrusion.

Using ATT&CK Navigator to Map Your Coverage

ATT&CK Navigator (mitre-attack.github.io/attack-navigator) is a free browser-based tool for mapping your detection coverage against the full ATT&CK matrix. It lets you color-code techniques by coverage status and export the result for reporting or detection engineering prioritization.

Building your coverage map in four steps:

  1. Open ATT&CK Navigator and create a new layer for Enterprise ATT&CK
  2. Color-code techniques where you have confirmed detection rules deployed in green
  3. Color-code techniques where you have the required data sources but no rule yet in yellow
  4. Leave uncovered techniques blank (no data source, no rule)

The resulting heatmap shows your detection gaps across the full kill chain at a glance. Tactics with large blank areas represent phases where an attacker could operate undetected in your environment for an extended period.

Overlay a threat actor layer to find your highest-priority gaps. ATT&CK Navigator includes pre-built technique layers for every documented threat actor and software group. Load the layer for any threat actor group confirmed targeting your sector. Overlay it with your coverage layer. Techniques used by that group that fall in your blank areas are your highest-priority detection engineering targets.

For example: to assess coverage against Scattered Spider, load their layer from the ATT&CK Navigator threat actor library, overlay your coverage layer, and immediately see which Scattered Spider techniques you currently cannot detect. Those intersections are your sprint priorities.

The 10 Most Commonly Cited Techniques and Their Immediate Actions

These 10 techniques appear in over 70% of CISA advisories published in 2025 to 2026. If you have not specifically validated detection coverage for these, start here before processing any other threat report.

T1566 / T1566.001 Phishing: Spearphishing Attachment. Deploy click-time URL sandboxing and enable attachment sandboxing in your email security platform. Alert on macro-enabled Office documents and executable attachment types from external senders.

T1078 / T1078.002 Valid Accounts: Domain Accounts. Alert on domain account authentication outside business hours and from unexpected source IPs or geolocations. Baseline normal authentication patterns per account using your SIEM's behavioral analytics.

T1190 Exploit Public-Facing Application. Ensure all internet-facing applications are patched to current versions and scanned weekly against CISA KEV. Monitor application error logs for anomalous request pattern spikes.

T1059 / T1059.001 Command and Scripting Interpreter: PowerShell. Enable PowerShell Script Block Logging and Module Logging via Group Policy. Alert on Base64-encoded PowerShell execution and PowerShell processes spawned by Office applications.

T1003 / T1003.001 OS Credential Dumping: LSASS Memory. Enable Windows Credential Guard on all endpoints. Configure EDR to block and alert on unsigned process access to lsass.exe.

T1021 / T1021.001 Remote Services: Remote Desktop Protocol. Restrict RDP access to jump hosts or VPN-only access. Enable Network Level Authentication. Alert on RDP logons from unexpected external source IPs.

T1486 Data Encrypted for Impact. Deploy behavior-based ransomware detection on EDR targeting mass file rename events to non-standard extensions. Verify offline backup integrity weekly.

T1041 Exfiltration Over C2 Channel. Enable DNS logging and alert on high-volume outbound data transfers during non-business hours. Deploy DNS filtering to block newly registered domains.

T1505.003 Server Software Component: Web Shell. Deploy file integrity monitoring on all web server document roots. Run weekly scans for web shell signatures using your EDR or a dedicated tool like LOKI.

T1071 / T1071.004 Application Layer Protocol: DNS. Enable full DNS query logging and alert on high-entropy subdomain strings and unusually high DNS query frequency per host, which are the primary signals of DNS tunneling for C2 or exfiltration.

The bottom line

ATT&CK technique IDs in threat reports are not vocabulary, they are detection engineering specifications. Each ID points to required data sources, pre-built detection logic, and specific mitigations documented at attack.mitre.org. The 3-step workflow turns a 20-technique CISA advisory into 20 concrete detection and mitigation tasks. Start with ATT&CK Navigator to visualize your gaps, overlay threat actor layers for groups targeting your sector, and prioritize the 10 high-frequency techniques in this guide before processing any other report.

Frequently asked questions

What is the MITRE ATT&CK framework?

MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a publicly available knowledge base of adversary behaviors documented from real-world intrusions. It organizes attacker behavior into 14 tactics (objectives like Initial Access, Persistence, Exfiltration) and over 200 techniques (specific methods for achieving those objectives), each with documented procedure examples from real threat actors, recommended mitigations, and detection guidance. It is maintained by MITRE Corporation and updated quarterly at attack.mitre.org.

What is the difference between a tactic, technique, and sub-technique in ATT&CK?

A tactic represents the attacker's objective at a phase of an intrusion, for example, Initial Access (how they got in) or Credential Access (how they stole credentials). A technique represents a specific method for achieving a tactic, for example, T1566 Phishing under Initial Access. A sub-technique is a specific implementation of a technique, T1566.001 Spearphishing Attachment vs. T1566.002 Spearphishing Link. Sub-techniques provide more precise detection and control guidance and are what most modern threat reports cite.

How do I translate an ATT&CK technique ID into a defensive action?

Go to attack.mitre.org and search the technique ID. The technique page shows three sections that drive your response: Procedure Examples (which real threat actors use this technique, confirming active weaponization), Mitigations (specific security controls labeled with M-codes that reduce exploitation risk), and Detections (specific data sources and behavioral patterns labeled with DS-codes for identifying the technique). Map the data sources to what you have ingested, find matching rules in your platform's rule library by technique ID, and deploy or validate them.

What is ATT&CK Navigator and how do I use it?

ATT&CK Navigator (mitre-attack.github.io/attack-navigator) is a free browser-based tool for visualizing ATT&CK detection coverage. Create a layer for Enterprise ATT&CK and color-code techniques by status: green for confirmed rules deployed, yellow for data sources available but no rule, blank for no coverage. Overlay pre-built threat actor layers from the ATT&CK library to identify which techniques used by groups targeting your sector fall in your coverage gaps. Export the map for executive reporting or sprint planning.

Which ATT&CK techniques should I prioritize first?

Prioritize the 10 techniques appearing in over 70% of CISA advisories: T1566 Phishing, T1078 Valid Accounts, T1190 Exploit Public-Facing Application, T1059 Command and Scripting Interpreter, T1003 OS Credential Dumping, T1021 Remote Services, T1486 Data Encrypted for Impact, T1041 Exfiltration Over C2 Channel, T1505.003 Web Shell, and T1071 Application Layer Protocol. Within these, prioritize techniques where you have confirmed data source gaps, a technique you are not logging cannot be detected regardless of how many rules you deploy.

How do I find pre-built detection rules for ATT&CK techniques?

Four rule libraries are tagged by ATT&CK technique ID: Sigma rules (github.com/SigmaHQ/sigma) are vendor-neutral and convert to any SIEM query language, Elastic Detection Rules are pre-built for Elastic SIEM and tagged by technique ID, Splunk Enterprise Security Content Update (ESCU) contains Splunk searches organized by ATT&CK technique, and Microsoft Sentinel Analytic Rules include ATT&CK mappings in rule templates. Search any of these by the technique ID (for example, T1003.001) to find matching detection logic for your platform.

Does ATT&CK apply to cloud environments and OT/ICS?

Yes. MITRE maintains separate matrices for different environments: Enterprise ATT&CK covers on-premises Windows, macOS, and Linux plus cloud-specific technique variants for IaaS, SaaS, Google Workspace, Microsoft 365, and Azure AD. ICS ATT&CK at attack.mitre.org/matrices/ics/ covers industrial control systems and OT environments with techniques specific to PLCs, engineering workstations, and SCADA systems. Mobile ATT&CK covers Android and iOS. Threat reports targeting specific environments cite techniques from the relevant matrix.

Sources & references

  1. MITRE ATT&CK Enterprise Framework
  2. ATT&CK Navigator
  3. CISA Advisory AA23-319A: Scattered Spider
  4. SANS 2025 Threat Intelligence Survey
  5. D3FEND Knowledge Graph

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.