MITRE Explained

A Closer Look at MITRE’s Tools and Initiatives

11 min readFeb 23, 2024

Hey there! So have you ever heard of MITRE? If not, don’t worry, you’re not alone. But it’s actually a pretty big deal, especially in the cybersecurity world. You know those lists of vulnerabilities that people often refer to when they’re trying to protect their systems? Well, one of them, called CVEs (Common Vulnerabilities and Exposures), is managed by MITRE.

But here’s the thing: MITRE does a whole lot more than just managing lists. They’re into all sorts of research areas, not just cybersecurity. They’re all about making things safer, more stable, and better for the country. So, they’re digging into stuff like artificial intelligence, health informatics, and even space security. Pretty cool, right?

Now, let’s zoom in a bit on what MITRE has cooked up specifically for the cybersecurity community. They’ve got this lineup of projects and research that’s pretty handy:

1. ATT&CK® Framework: It’s like a big database of tactics and techniques that bad actors use in the real world to mess with computer systems. MITRE’s been collecting all this info since 2013.

2. CAR (Cyber Analytics Repository) Knowledge Base: Think of it as a treasure trove of data on cyber threats and attacks. Super useful for analysts trying to stay one step ahead of the bad guys.

3. ENGAGE: No fancy acronym here, just a project aimed at getting folks involved in cybersecurity research and development. Pretty neat stuff.

4. D3FEND: This one’s all about helping networks defend themselves better by disrupting the techniques attackers use.

5. AEP (ATT&CK Emulation Plans): These are like battle plans for mimicking the tactics of cyber attackers so defenders can test their systems against them.

Now, let’s break down a couple of terms you’re likely to hear a lot when diving into cybersecurity stuff:

- APT: It stands for Advanced Persistent Threat. Basically, it’s a fancy term for those sneaky bad actors who launch long-term attacks on organizations or even whole countries. They don’t always have super-secret weapons, but they’re persistent and can cause a lot of trouble if they get in.

- TTP: This one’s about how attackers operate. It stands for Tactics, Techniques, and Procedures. Tactics are their goals, techniques are how they achieve them, and procedures are the nitty-gritty details of how they carry out those techniques.

ATT&CK® Framework:-

Let’s talk about the ATT&CK® framework a bit more. It’s like a big roadmap of how cyber attackers operate. You can think of it as a guidebook that helps both defenders and attackers understand each other better. It started off focusing on Windows systems but has since grown to cover other platforms like macOS and Linux.

If you hop onto the ATT&CK® website, you’ll find this cool thing called the ATT&CK® Matrix for Enterprise.

It’s like a big chart that breaks down all the different tactics and techniques attackers use at different stages of an attack.

Click around, and you’ll find all sorts of juicy details about how they operate and how to defend against them. For example in initial access list expanding it to more details.

Now, if you want to dig deeper into this whole phishing thing and its related sub-techniques, just click on “Phishing.”

Boom! You’ll land on a page solely focused on phishing. It’s like a one-stop-shop for all things phishing-related. You’ll find a quick overview of what phishing is all about, examples of how attackers carry out phishing attacks, and ways to stop them in their tracks. It’s like your go-to guide for understanding and tackling phishing head-on.

You can alternatively resort to using the Search feature to retrieve all associated information regarding a given technique, sub-technique, and/or group.

Oh, and there’s one more handy tool you should know about: the MITRE ATT&CK® Navigator. It’s like a simple and user-friendly way to navigate through all the ATT&CK® matrices. You can use it to visualize your defense strategies, plan your team exercises, or track which techniques are popping up in your network. Just look for the ATT&CK® Navigator Layers button on group or tool pages.

In the sub-menu select view.

Just click here to check out the ATT&CK® Navigator for Carbanak.

Once you’re in, you’ll notice 3 sets of controls at the top left: selection controls, layer controls, and technique controls. Take a moment to explore each option under these controls to get the hang of how they work. And if you need some extra help, just click on the question mark at the far right for more information about the navigator.

Note: For who dont know what is Carbanak where the hell are you living.Carbanak refers to a notorious cybercriminal group known for their sophisticated attacks targeting financial institutions. And other info you can refer to a documenty this was intresting one …link…

Cyber Analytics Repository:-

Now let’s talk about Cyber Analytics Repository (CAR) and check out one of its analytics called CAR-2020–09–001: Scheduled Task — File Access.

When you land on the page for this analytics, you’ll see a quick description of what it’s all about. Essentially, it’s a way to keep tabs on any scheduled tasks that might be trying to access files on your system. Pretty handy, right?

Plus, you’ll notice references to the MITRE ATT&CK framework, including the specific technique, sub-technique, and tactic that this analytics is related to. It’s like connecting the dots between different parts of the cybersecurity world to help you understand how everything fits together.

So, without further ado, let’s dive in and see what else we can learn from CAR-2020–09–001.

We’ve also got this thing called pseudocode, which is like simple instructions for a computer. And in Splunk, a data analysis tool, we’re trying to find something specific using those instructions. It’s kind of like looking for a specific item in a big store using a simple map.

To take full advantage of CAR, we can view the Full Analytic List or the CAR ATT&CK® Navigator layer to view all the analytics.

Full Analytic List-

In the Full Analytic List view, you can quickly check what versions of an analytic are available and which operating systems they work on. It’s like having a menu where you can see all the options available at once, along with which ones work on your specific device.

Navigator layer-

(The techniques highlighted in purple are the analytics currently in CAR)

let’s check out another analytic called CAR-2014–11–004, which is about Remote PowerShell Sessions.

In the Implementations section, they provide pseudocode, which is like a simple set of instructions for computers, and an EQL version of that pseudocode. EQL stands for Event Query Language, and it’s a tool for asking questions, organizing, and understanding Sysmon event data. It’s sort of like a special language just for digging through and making sense of this particular kind of data.

CAR is a valuable resource for finding analytics that go beyond the summaries of mitigation and detection techniques provided in the ATT&CK® framework. It offers additional insights and details.


MITRE Engage serves as a framework designed to help organizations plan and execute adversary engagement operations effectively, enabling them to achieve their cybersecurity objectives.

This approach involves two main strategies: Cyber Denial and Cyber Deception.

1. Cyber Denial: This strategy aims to hinder or block adversaries from carrying out their operations within your network or systems. It involves implementing measures to prevent or disrupt their activities.

2. Cyber Deception: With this strategy, deliberate artifacts are strategically placed within your network to deceive or mislead adversaries. These artifacts are intended to trick adversaries into making mistakes or revealing their intentions, thereby strengthening your defensive capabilities.

The Engage website offers a starter kit to help organizations get acquainted with the Adversary Engagement Approach. This kit includes a range of resources such as whitepapers, PDFs, checklists, methodologies, and processes to assist organizations in implementing the framework effectively.

Similar to MITRE ATT&CK, Engage also features its own matrix. This matrix visually represents various tactics, techniques, and procedures (TTPs) that adversaries may employ, along with corresponding defensive strategies and countermeasures.

Let’s quickly explain each of these categories based on the information on the Engage website.

  • Prepare the set of operational actions that will lead to your desired outcome (input)
  • Expose adversaries when they trigger your deployed deception activities
  • Affect adversaries by performing actions that will have a negative impact on their operations
  • Elicit information by observing the adversary and learn more about their modus operandi (TTPs)
  • Understand the outcomes of the operational actions (output)

Refer to the Engage Handbook to learn more.

You can interact with the Engage Matrix Explorer. We can filter by information from MITRE ATT&CK.

Note that by default the matrix focuses on Operate, which entails Expose, Affect, and Elicit.

You can click on Prepare or Understand if you wish to focus solely on that part of the matrix.

If you have any further understanding check and try to explore the resources.


The MITRE resource referenced here is called D3FEND, which stands for Detection, Denial, and Disruption Framework Empowering Network Defense. It’s essentially a knowledge graph that catalogs cybersecurity countermeasures. In simpler terms, it’s like a big database of tactics and strategies that organizations can use to defend against cyber threats.

D3FEND is currently in beta, meaning it’s still being developed and improved. It’s funded by the Cybersecurity Directorate of the NSA (National Security Agency), indicating its importance in the field of cybersecurity.

As of the time of writing, the D3FEND matrix contains 620 artifacts. These artifacts represent different methods and techniques for detecting, denying, and disrupting cyber attacks. You can think of them as building blocks for creating effective defense strategies against various threats.

Let’s take a quick look at one of the D3FENDs artifacts, such as Decoy File.

As you can see, you’re provided with information on what is the technique (definition), how the technique works (how it works), things to think about when implementing the technique (considerations), and how to utilize the technique (example).

Note, as with other MITRE resources, you can filter based on the ATT&CK matrix.

Since this resource is in beta and will change significantly in future releases, we won’t spend that much time on D3FEND.

The objective for taking this topic to make you aware of this MITRE resource and hopefully you’ll keep an eye on it as it matures in the future.

Note:-If the tools we get from MITRE aren’t sufficient, there’s another resource called MITRE ENGENUITY. This includes CTID, the Adversary Emulation Library, and ATT&CK® Emulation Plans. So, if we need more assistance beyond what MITRE offers, we have these additional resources available to us.

CTID (Center of Threat-Informed Defense):-

CTID is a group set up by MITRE which includes various companies worldwide. Their main goal is to research cyber threats and tactics, techniques, and procedures (TTPs). They then share this research to help improve cyber defense strategies for everyone.

Some key participants in CTID are:

- AttackIQ
- Verizon
- Microsoft
- Red Canary
- Splunk

Their aim, as stated on their website, is to collaborate with participant organizations to develop solutions for a safer cyber world. They do this by expanding on MITRE ATT&CK’s knowledge base, releasing data sets, and providing open-source software, methodologies, and frameworks.

Adversary Emulation Library & ATT&CK® Emulation Plans

The Adversary Emulation Library, provided by CTID, is a public resource that offers emulation plans for both blue (defense) and red (offense) teams. These plans are freely available. Within this library, there are several ATT&CK® Emulation Plans, including APT3, APT29, and FIN6.

These plans are essentially step-by-step guides on how to replicate the tactics of specific threat groups. For instance, if someone from the executive team asks how well the company would handle an attack from APT29, the team can refer to the results of executing the emulation plan to provide an informed answer.

Threat Intelligence

Threat Intelligence (TI) or Cyber Threat Intelligence (CTI) refers to the information or tactics, techniques, and procedures (TTPs) linked to potential adversaries. By leveraging threat intelligence, defenders can make informed decisions about their defensive strategies.

  • How is Threat Intelligence Used?

In many large corporations, there are dedicated teams responsible for gathering threat intelligence. These teams collect information from various sources, including open-source data and subscriptions to vendors like CrowdStrike. This intelligence is then used to enhance the defensive posture of the organization.

However, in some organizations, defenders often have multiple responsibilities and need to allocate time from their other tasks to focus on threat intelligence.

Using ATT&CK® Matrix for Threat Intelligence

Let’s consider a scenario: You work as a security analyst in the aviation sector, and your organization is transitioning its infrastructure to the cloud. Your objective is to utilize the ATT&CK® Matrix to gather threat intelligence on Advanced Persistent Threat (APT) groups that might target the aviation sector, specifically focusing on techniques that could affect your cloud infrastructure.

Scenario Breakdown:

1. Objective: Utilize the ATT&CK® Matrix for Threat Intelligence.

2. Focus: Identify APT groups targeting the aviation sector, particularly focusing on tactics relevant to cloud infrastructure.

3. Process:
— Choose an APT group from the ATT&CK® Matrix.
— Review the selected group’s information, including their tactics, techniques, and procedures (TTPs).
— Identify any gaps in your organization’s coverage in terms of defending against these tactics.

4. Goal: Make the gathered threat intelligence actionable, meaning use it to enhance the organization’s defensive capabilities, especially in the context of the cloud infrastructure migration.


MITRE is a major player in cybersecurity. They manage CVEs and conduct research across various areas like AI and space security. Their tools, like the ATT&CK® Framework and CAR, help us understand and tackle cyber threats. Plus, initiatives like ENGAGE and D3FEND further strengthen our defenses. In a nutshell, MITRE’s at the forefront of keeping us safe online.

keep the bytes bye bye…




"Tech enthusiast exploring cybersecurity and networking. Sharing insights through the power of words. Join me in the world of tech and discovery. 📚✍️