
MITRE ATT&CK Tactics

MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a globally recognized framework for understanding adversary behavior. It provides a common language for describing what attackers do and why.

| Benefit | Description |
|---|---|
| Common Language | Security teams speak the same vocabulary |
| Threat Intelligence | Map detections to known attack patterns |
| Gap Analysis | Identify what you can and can't detect |
| Reporting | Executive-friendly threat categorization |
| Compliance | Many frameworks reference ATT&CK |

```text
Tactics (WHY) → Techniques (HOW) → Procedures (SPECIFIC)
│
├── Reconnaissance
│   ├── Active Scanning ────────────────▶ Port scan with nmap
│   └── Gather Victim Info ─────────────▶ WHOIS lookup
├── Initial Access
│   ├── Exploit Public App ─────────────▶ SQL injection
│   └── Phishing ───────────────────────▶ Credential harvest
└── ... 12 more tactics
```

WebDecoy automatically maps detections to relevant MITRE ATT&CK tactics, helping you understand the intent behind detected activities.


When WebDecoy records a detection, it analyzes:

  1. What resource was accessed (decoy type)
  2. What attack signatures were found
  3. What behavior was observed

These signals are combined and mapped to the most relevant MITRE tactic; when the signals point to different tactics, the higher-severity tactic is reported.

```text
Detection: Admin backup decoy accessed
           with SQL injection in form field

Analysis:
├── Decoy Type: backup file → Reconnaissance
├── Attack Signature: SQL injection → Initial Access
└── Combined Assessment: Initial Access (higher severity)

Result:
├── Tactic: TA0001 - Initial Access
├── Technique: T1190 - Exploit Public-Facing Application
└── Confidence: High
```
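As an added illustration (not WebDecoy's own code), the three-signal mapping and the "higher severity wins" combination described above can be sketched like this; the signal tables, severity ranking and confidence rule are assumptions chosen to reproduce the worked example:

```python
# Added example (not WebDecoy's code): decoy type, attack signature and
# observed behaviour each nominate a tactic; the highest-severity nominee wins.
from dataclasses import dataclass, field

# Severity ranking used when signals disagree (assumption; lowest first).
SEVERITY = ["Reconnaissance", "Discovery", "Credential Access",
            "Initial Access", "Impact"]
TACTIC_ID = {"Reconnaissance": "TA0043", "Discovery": "TA0007",
             "Credential Access": "TA0006", "Initial Access": "TA0001",
             "Impact": "TA0040"}
# Signal 1: which kind of decoy was touched (assumed decoy type names).
DECOY_TACTIC = {"backup_file": "Reconnaissance", "admin_page": "Reconnaissance",
                "api_config": "Discovery", "credential": "Credential Access"}
# Signal 2: attack signatures found in the request -> (tactic, technique).
SIGNATURE_TACTIC = {"sql_injection": ("Initial Access", "T1190"),
                    "xss": ("Initial Access", "T1190"),
                    "scanner_ua": ("Reconnaissance", "T1595"),
                    "brute_force": ("Credential Access", "T1110")}

@dataclass
class Detection:
    decoy_type: str
    signatures: list = field(default_factory=list)
    method: str = "GET"          # Signal 3: observed behaviour

def map_tactic(d: Detection) -> dict:
    """Return the tactic/technique/confidence fields shown in the detail panel."""
    candidates = []              # (tactic, technique or None)
    if d.decoy_type in DECOY_TACTIC:
        candidates.append((DECOY_TACTIC[d.decoy_type], None))
    for sig in d.signatures:
        if sig in SIGNATURE_TACTIC:
            candidates.append(SIGNATURE_TACTIC[sig])
    if d.method == "DELETE":     # destructive behaviour against a decoy
        candidates.append(("Impact", None))
    if not candidates:
        return {"tactic_id": None, "tactic_name": None,
                "technique_id": None, "confidence": "low"}
    # Combined assessment: the highest-severity candidate wins.
    tactic = max(candidates, key=lambda c: SEVERITY.index(c[0]))[0]
    agreeing = [c for c in candidates if c[0] == tactic]
    technique = next((c[1] for c in agreeing if c[1]), None)
    # Confidence rule (assumption): a named technique or two agreeing
    # signals -> high; a lone decoy-type signal -> medium.
    confidence = "high" if technique or len(agreeing) > 1 else "medium"
    return {"tactic_id": TACTIC_ID[tactic], "tactic_name": tactic,
            "technique_id": technique, "confidence": confidence}

# The worked example from the text: backup decoy hit with SQL injection.
EXAMPLE = map_tactic(Detection("backup_file", ["sql_injection"], "POST"))
```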

In the detections table and detail panel:

| Field | Description |
|---|---|
| Tactic ID | MITRE identifier (e.g., TA0043) |
| Tactic Name | Human-readable name |
| Confidence | High, Medium, or Low |
| MITRE Link | Click to view on MITRE website |

Confidence levels:

| Level | Meaning |
|---|---|
| High | Strong correlation with tactic behavior |
| Medium | Probable match based on signals |
| Low | Possible match, needs context |

WebDecoy detections primarily map to these MITRE tactics:

Reconnaissance (TA0043)

Purpose: Gathering information about the target

Color: 🟣 Purple

Typical Detections:

  • Accessing admin pages
  • Scanning for backup files
  • Probing directory structures
  • Version fingerprinting

Example Detection:

```text
Decoy: /backup/database.sql accessed
User Agent: Mozilla/5.0 (compatible; nmap)
Tactic: Reconnaissance
Confidence: High
```

Resource Development (TA0042)

Purpose: Establishing resources to support operations

Color: 🔵 Blue

Typical Detections:

  • Registering look-alike domains
  • Staging infrastructure
  • Acquiring tools

Note: Less commonly detected via honeypots.

Initial Access (TA0001)

Purpose: Trying to get into your network/system

Color: 🔴 Red

Typical Detections:

  • Exploit attempts (SQL injection, XSS)
  • Authentication attacks
  • Vulnerable endpoint probing
  • Credential stuffing

Example Detection:

```text
Endpoint: POST /api/login
Body: {"password": "' OR '1'='1"}
Attack: SQL Injection
Tactic: Initial Access
Technique: T1190 - Exploit Public-Facing Application
Confidence: High
```

Credential Access (TA0006)

Purpose: Stealing account credentials

Color: 💗 Pink

Typical Detections:

  • Brute force login attempts
  • Credential stuffing
  • Password spraying
  • Accessing credential honeypots

Example Detection:

```text
Endpoint: POST /api/auth/login
Pattern: 50 failed logins from same IP
Tactic: Credential Access
Technique: T1110 - Brute Force
Confidence: High
```
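The "50 failed logins from the same IP" pattern above, evaluated over constructed access-log lines, as an added example that is not WebDecoy's own detection code; the log line format, the 10-minute window and the output field names are assumptions:

```python
# Added example (not WebDecoy's code): threshold detection for failed logins
# against the login endpoint, emitting a MITRE-enriched record on a hit.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<iso-timestamp> <ip> "<METHOD> <path>" <status>"
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<ip>\d+\.\d+\.\d+\.\d+) '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3})$')

def detect_brute_force(lines, threshold=50, window=timedelta(minutes=10),
                       path="/api/auth/login"):
    """Return one detection per IP whose failed POSTs to `path` reach
    `threshold` within any `window`-long span."""
    failures = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or m["path"] != path:
            continue
        if m["status"] != "401":          # only failed logins count
            continue
        failures[m["ip"]].append(datetime.fromisoformat(m["ts"]))
    detections = []
    for ip, times in failures.items():
        times.sort()
        # Sliding window: does any run of `threshold` failures fit in `window`?
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                detections.append({
                    "ip_address": ip, "endpoint": f"POST {path}",
                    "failed_logins": len(times),
                    "mitre": {"tactic_id": "TA0006",
                              "tactic_name": "Credential Access",
                              "technique_id": "T1110",
                              "technique_name": "Brute Force",
                              "confidence": "high"}})
                break
    return detections

# Constructed sample: 60 failures from one IP in 5 minutes, 3 failures and
# one success from another IP (the success is ignored by the detector).
BASE = datetime(2025, 1, 15, 10, 30)
SAMPLE_LOG = [f'{(BASE + timedelta(seconds=5 * i)).isoformat()} '
              f'192.168.1.100 "POST /api/auth/login" 401' for i in range(60)]
SAMPLE_LOG += [f'{(BASE + timedelta(seconds=60 * i)).isoformat()} '
               f'10.0.0.7 "POST /api/auth/login" 401' for i in range(3)]
SAMPLE_LOG.append(f'{BASE.isoformat()} 10.0.0.7 "POST /api/auth/login" 200')
```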

Discovery (TA0007)

Purpose: Figuring out your environment

Color: 🟣 Violet

Typical Detections:

  • Directory enumeration
  • API discovery
  • Configuration file access
  • Admin panel scanning

Example Detection:

```text
Multiple decoys triggered:
- /api/config
- /api/debug
- /api/admin
- /api/internal
Tactic: Discovery
Confidence: High
```

Collection (TA0009)

Purpose: Gathering data of interest

Color: 🟢 Lime

Typical Detections:

  • Data export endpoint access
  • Bulk data retrieval
  • Screenshot/clipboard honeypots

Exfiltration (TA0010)

Purpose: Stealing data

Color: 🔴 Red

Typical Detections:

  • Large data transfers
  • Export function abuse
  • Unusual outbound connections

Impact (TA0040)

Purpose: Manipulate, interrupt, or destroy systems

Color: 🟤 Indigo

Typical Detections:

  • DELETE requests to honeypots
  • Destructive payload attempts
  • Defacement attempts

The dashboard includes a MITRE Tactic Summary chart showing:

  • Detection count by tactic
  • Percentage breakdown
  • Trend over time

Use MITRE data to understand what attackers are doing:

Question: “What are attackers trying to accomplish?”

Analysis:

  1. Go to Detections
  2. Filter by MITRE Tactic
  3. Review the pattern

Example Findings:

| Tactic | Count | Interpretation |
|---|---|---|
| Reconnaissance | 450 | Heavy scanning activity |
| Initial Access | 120 | Active exploit attempts |
| Credential Access | 80 | Login attacks |
| Discovery | 200 | Environment mapping |

Conclusion: Attackers are actively scanning (Reconnaissance) and attempting to exploit (Initial Access). Focus defenses on authentication and input validation.

For security reports and compliance:

  1. Export detections filtered by time period
  2. Group by MITRE tactic
  3. Create summary:

```text
Monthly Threat Report - January 2025

MITRE ATT&CK Tactic Distribution:
├── Reconnaissance: 45% (450 detections)
├── Initial Access: 12% (120 detections)
├── Discovery: 20% (200 detections)
├── Credential Access: 8% (80 detections)
└── Other: 15% (150 detections)

Key Findings:
- High reconnaissance activity indicates ongoing scanning
- SQL injection attempts increased 30% from December
- New credential stuffing campaign detected from IP range X.X.X.0/24

Recommendations:
- Enable stricter rate limiting on login endpoints
- Review WAF rules for SQL injection patterns
- Block identified malicious IP ranges
```

MITRE tactics help you:

  1. Research threats - Look up techniques on attack.mitre.org
  2. Find mitigations - MITRE lists defenses for each technique
  3. Share intelligence - Use standard tactic IDs in communications

Forward MITRE-enriched detections to your SIEM:

```json
{
  "detection_id": "det_abc123",
  "timestamp": "2025-01-15T10:30:00Z",
  "ip_address": "192.168.1.100",
  "threat_score": 85,
  "mitre": {
    "tactic_id": "TA0001",
    "tactic_name": "Initial Access",
    "technique_id": "T1190",
    "technique_name": "Exploit Public-Facing Application",
    "confidence": "high"
  }
}
```

All 14 ATT&CK Enterprise tactics:

| ID | Name | Description | Commonly Detected |
|---|---|---|---|
| TA0043 | Reconnaissance | Gathering victim information | High |
| TA0042 | Resource Development | Setting up attack infrastructure | Rare |
| TA0001 | Initial Access | Getting in | High |
| TA0002 | Execution | Running malicious code | Medium |
| TA0003 | Persistence | Maintaining access | Medium |
| TA0004 | Privilege Escalation | Getting higher permissions | Medium |
| TA0005 | Defense Evasion | Avoiding detection | Medium |
| TA0006 | Credential Access | Stealing credentials | High |
| TA0007 | Discovery | Learning the environment | High |
| TA0008 | Lateral Movement | Moving through environment | Rare |
| TA0009 | Collection | Gathering target data | Medium |
| TA0011 | Command and Control | Communicating with implants | Rare |
| TA0010 | Exfiltration | Stealing data | Medium |
| TA0040 | Impact | Disruption and destruction | Medium |