MITRE ATT&CK®
This section details the MITRE Adversarial Tactics, Techniques, and Common Knowledge (MITRE ATT&CK®). [1]
Summary
The MITRE ATT&CK® framework is arguably the industry standard for modeling traditional enterprise cyber threats. It provides a comprehensive matrix that classifies offensive actions taken by threat actors across various domains, such as Enterprise IT, Mobile, and Industrial Control Systems (ICS).
Tactics
A Tactic represents the “why”: the adversary’s tactical objective, the reason for performing an action. Examples include Initial Access, Execution, and Privilege Escalation.
Techniques
A Technique represents “how” an adversary achieves a tactical goal. For instance, achieving the tactic of Initial Access might involve the technique of Phishing or Exploiting Public-Facing Applications. Techniques are often further divided into Sub-techniques for more granular descriptions of attacker behavior.
Mitigations
Mitigations are defensive concepts or mechanisms used to prevent or detect the execution of a technique.
Mapping to SCF C|P-RMM
To map the concepts of MITRE ATT&CK® to the SCF C|P-RMM framework, one must align how each framework views the attacker versus the defender.
1. Tactics and Techniques vs. Threats
In SCF C|P-RMM, a Threat defines the “person or thing likely to cause damage.” MITRE ATT&CK® is essentially a detailed catalog of those sources of damage.
Tactics (the adversarial goal) and Techniques (the specific execution) represent the granular aspects of the Threat. When a malicious actor executes a Technique against a system, that is the literal materialization of the Threat in the SCF framework.
2. Mitigations vs. Controls
Mitigations correspond to Controls in SCF C|P-RMM: the specific defensive measures needed to prevent or detect the execution of a technique and thereby stop an attack.
3. The Realization of Risk
In SCF C|P-RMM, Risk is created when a Threat exploits a Vulnerability.
When an adversary successfully executes a specific Technique because the system lacks the corresponding Controls (Mitigations were not implemented), the resulting damage is the Risk.
The MITRE ATT&CK® Tactic named Impact (TA0040) directly represents the realization of the Risk in SCF C|P-RMM.
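As an added example (not part of the original page), the following Python sketch applies the mapping above as a coverage gap analysis: Techniques stand in for Threats, Mitigations for Controls, and a Risk is considered realized when a Technique has no mapped Control in place. The technique and mitigation IDs are real ATT&CK identifiers, but the technique-to-mitigation relationships and the set of implemented controls are a constructed, simplified subset for illustration only.

```python
"""Gap analysis using the page's ATT&CK -> SCF C|P-RMM mapping.
Techniques = Threats, Mitigations = Controls, Risk realized when no Control
covers a Technique. The mapping below is a constructed subset, not ATT&CK data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Technique:
    tid: str               # ATT&CK technique ID (the Threat in SCF terms)
    name: str
    tactic: str            # ATT&CK tactic ID (the adversary's "why")
    mitigations: frozenset  # ATT&CK mitigation IDs (Controls in SCF terms)


# Constructed, simplified subset of technique -> mitigation relationships.
CATALOG = (
    Technique("T1566", "Phishing", "TA0001",
              frozenset({"M1017", "M1049", "M1031"})),
    Technique("T1190", "Exploit Public-Facing Application", "TA0001",
              frozenset({"M1051", "M1016", "M1050", "M1030"})),
)


def realized_risks(catalog, implemented_controls):
    """Return technique IDs for which NO mapped mitigation is implemented.
    In the page's model this is the Threat materializing against a system
    that lacks the corresponding Controls, i.e. the Risk is realized."""
    implemented = set(implemented_controls)
    return [t.tid for t in catalog if not (t.mitigations & implemented)]


def coverage_by_tactic(catalog, implemented_controls):
    """Fraction of each technique's mapped mitigations that are in place,
    grouped by tactic. Partial coverage (0 < score < 1) is worth surfacing:
    the Risk is reduced, not removed."""
    implemented = set(implemented_controls)
    report = {}
    for t in catalog:
        score = len(t.mitigations & implemented) / len(t.mitigations)
        report.setdefault(t.tactic, {})[t.tid] = round(score, 2)
    return report


if __name__ == "__main__":
    # Constructed control inventory: only user training and antivirus deployed.
    controls = {"M1017", "M1049"}
    print("Realized risks:", realized_risks(CATALOG, controls))
    print("Coverage by tactic:", coverage_by_tactic(CATALOG, controls))
```

In practice the catalog would be populated from the ATT&CK STIX data rather than typed by hand, and the control inventory from the organisation's SCF control assessment.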
Critique
MITRE ATT&CK® is heavily tailored toward generic endpoints, networks, and cloud infrastructure. When developing Large Language Model (LLM) applications or agentic workflows, conventional tactics such as lateral movement through Active Directory or exploiting OS-level vulnerabilities often do not capture the unique cognitive and application-level manipulations used against GenAI systems. Therefore, MITRE ATT&CK® must be used in conjunction with GenAI-focused frameworks such as MITRE ATLAS™ and the OWASP Top 10 for Large Language Model Applications to provide a comprehensive view of the GenAI threat landscape.