MITRE ATT&CK Overview
Introduction
The MITRE ATT&CK Framework is a comprehensive knowledge base that captures the behaviours attackers use during real-world intrusions. Rather than focusing on isolated malware examples or individual incidents, MITRE ATT&CK highlights the consistent and repeatable patterns that define modern attacker operations.
By structuring these patterns into a unified model, the framework establishes a clear and consistent view of the attacker’s lifecycle.
At the core of the framework are three layers:
- Tactics – the adversary’s high-level objectives.
- Techniques – the general methods used to achieve each objective.
- Sub-techniques – the more specific variations of those methods.
Together, these provide a detailed, structured map of attacker activity from the earliest planning stages to final disruptive outcomes. There are a total of 14 tactics, 250 techniques and 700 sub-techniques in the MITRE framework.
This article focuses on understanding the MITRE ATT&CK tactics, techniques and sub-techniques, gives a high-level overview of all the tactics, and explains how F5 offers defense against them.
Understanding Tactics, Techniques and Sub-Techniques
In the MITRE ATT&CK framework, Execution is defined as a tactic (TA0002). Under this tactic, Command and Scripting Interpreter (T1059) represents a technique, with Windows Command Shell (T1059.003) as its sub-technique.
Tactics – The High-Level Objective
Tactics sit at the top of the hierarchy and represent the purpose or goal behind an attacker’s actions at a particular stage of an intrusion. Each tactic answers the question: “What is the adversary trying to achieve?”
Examples of tactics include Initial Access, Execution and Persistence.
Techniques – The General Method Used to Achieve the Objective
Techniques exist under each tactic and describe the general approach an adversary uses to accomplish that objective. A technique answers the question: “How is the adversary attempting to achieve this goal?”
For example, under the Credential Access tactic, attackers might use techniques such as dumping credentials from memory or brute-forcing accounts.
Sub-Techniques – The Detailed Variation of a Technique
Sub-techniques provide a deeper level of detail for techniques that can be performed in multiple ways. A sub-technique answers the question: “What exact method or variation is being used?”
For example, T1059.003 - Windows Command Shell, where attackers abuse the Windows command shell to run commands, is a sub-technique under technique T1059 - Command and Scripting Interpreter, which is part of the TA0002 - Execution tactic.
Overview of MITRE ATT&CK Tactics
The current MITRE ATT&CK Enterprise Matrix consists of 14 tactics, with each tactic containing multiple techniques and sub-techniques. The tactics represent the high-level goals an adversary attempts to achieve during different stages of an intrusion. They include:
- TA0001 Initial Access: Entering the target environment.
- TA0002 Execution: Running malicious code or commands on a victim system.
- TA0003 Persistence: Maintaining ongoing access to a compromised system.
- TA0004 Privilege Escalation: Increasing access levels to reach more sensitive resources.
- TA0005 Defense Evasion: Avoiding detection or bypassing security controls.
- TA0006 Credential Access: Obtaining passwords, tokens, or other authentication material.
- TA0007 Discovery: Understanding the environment, assets, and configuration of the compromised system.
- TA0008 Lateral Movement: Moving from one system to another within the network.
- TA0009 Collection: Gathering data of interest from the environment.
- TA0011 Command and Control: Establishing communication channels to remotely manage compromised systems.
- TA0010 Exfiltration: Transferring stolen data out of the environment.
- TA0040 Impact: Disrupting, damaging, or manipulating systems or data.
- TA0042 Resource Development: Building or acquiring the tools, infrastructure, or capabilities needed for operations.
- TA0043 Reconnaissance: Collecting information about the target before attempting intrusion.
1. TA0043 Reconnaissance - Collecting information about the target before attempting intrusion.
This tactic focuses on the adversary’s efforts to gather information before directly interacting with the environment. Activities may include researching publicly available data, identifying exposed services, scanning for vulnerabilities, collecting employee information, and understanding technologies in use. The objective is to reduce uncertainty, identify opportunities, and shape the initial access strategy.
Examples include techniques such as T1595 Active Scanning, T1589 Gather Victim Identity Information, T1590 Gather Victim Network Information, T1591 Gather Victim Org Information, and T1593 Search Open Websites or Domains.
For further information, please refer to this article.
2. TA0042 Resource Development - Building or acquiring the tools, infrastructure, or capabilities needed for operations.
At this stage, attackers prepare the tools, infrastructure, and capabilities required for the operation. This includes registering domains, creating malicious applications, acquiring cloud resources, compromising external accounts, or developing custom malware.
Adversaries may prepare for operations through techniques such as T1583 Acquire Infrastructure, T1587 Develop Capabilities, and T1584 Compromise Infrastructure.
For further information, please refer to this article.
3. TA0001 Initial Access - Entering the target environment.
Initial Access represents the moment an attacker first enters the environment. Successful initial access provides the foothold needed to begin executing commands, gathering information, and moving deeper into the environment.
Common entry methods include T1659 Content Injection, T1189 Drive-by Compromise and T1190 Exploit Public-Facing Application, among others.
For further information, please refer to this article.
4. TA0002 Execution - Running malicious code or commands on a victim system.
Execution covers techniques that result in the running of malicious code or commands. This can involve scripts, binaries, macros, command interpreters, or remote execution utilities.
Typical execution behaviours involve techniques like T1059 Command and Scripting Interpreter and T1203 Exploitation for Client Execution, among others.
For further information, please refer to this article.
5. TA0003 Persistence - Maintaining ongoing access to a compromised system.
Persistence techniques ensure that the adversary maintains access over time, even if systems are restarted or credentials are changed.
Long-term footholds are often maintained through techniques like T1197 BITS Jobs, T1505 Server Software Component and T1078 Valid Accounts, among others.
For further information, please refer to this article.
6. TA0004 Privilege Escalation - Increasing access levels to reach more sensitive resources.
Privilege Escalation focuses on obtaining higher-level permissions within the environment. Attackers may exploit vulnerabilities, leverage administrative credentials, or manipulate access controls. Elevated privileges allow them to access sensitive systems, modify settings, evade restrictions, and expand their operational reach.
Attackers may elevate their access through techniques like T1078 Valid Accounts, among others.
For further information, please refer to this article.
7. TA0005 Defense Evasion - Avoiding detection or bypassing security controls.
Defense Evasion includes techniques designed to avoid detection and bypass security controls. This may involve concealing malicious files, obfuscating scripts, disabling logging, terminating security tools, or blending in with legitimate activity. Successful evasion enables attackers to operate for longer periods without raising suspicion.
Defense Evasion involves techniques like T1197 BITS Jobs, T1202 Indirect Command Execution and T1027 Obfuscated Files or Information, among others.
For further information, please refer to this GitHub guide.
8. TA0006 Credential Access - Obtaining passwords, tokens, or other authentication material.
Credential Access focuses on stealing authentication material such as passwords, tokens, certificates, and keys. Attackers may extract credentials from memory, intercept them over networks, access browser stores, or capture keystrokes. Gaining credentials allows adversaries to move quietly and impersonate valid users.
Credential theft may occur using techniques like T1110 OS Credential Dumping, T1110 Brute Force and T1539 Steal Web Session Cookie, among others.
For further information, please refer to this article.
9. TA0007 Discovery - Understanding the environment
Discovery involves mapping the internal environment after access is gained.
Adversaries enumerate hosts, networks, permissions, cloud assets, applications, and services to understand the operational landscape. This knowledge guides decisions on targeting, lateral movement, and privilege escalation.
Attackers may learn more about the environment through techniques like T1652 Device Driver Discovery, T1482 Domain Trust Discovery and T1083 File and Directory Discovery, among others.
For further information, please refer to this article.
10. TA0008 Lateral Movement - Moving from one system to another within the network.
Lateral Movement includes techniques that allow attackers to move across systems and accounts. This often involves remote services, credential reuse, the exploitation of trust relationships, or the use of administrative tools. Lateral Movement enables attackers to reach key assets and positions of higher value.
Lateral movement occurs through techniques like T1021 Remote Services, T1570 Lateral Tool Transfer and T1080 Taint Shared Content, among others.
For further information, please refer to this article.
11. TA0009 Collection - Gathering data of interest from the environment.
Collection refers to gathering information the adversary intends to use or exfiltrate. This may include documents, emails, credentials, screenshots, database records, and other sensitive material. Collected data is often staged in preparation for transfer outside the environment.
Data gathering involves techniques such as T1560 Archive Collected Data, T1119 Automated Collection and T1185 Browser Session Hijacking, among others.
For further information, please refer to this article.
12. TA0011 Command and Control - Establishing communication channels to remotely manage compromised systems.
Command and Control (C2) involves establishing communication channels between compromised systems and the attacker. These channels support remote execution, data staging, coordination of activity, and persistence. C2 traffic is often disguised to resemble normal network behaviour.
Command channels may be established using techniques like T1071 Application Layer Protocol, T1659 Content Injection and T1132 Data Encoding, among others.
For further information, please refer to this article.
13. TA0010 Exfiltration - Transferring stolen data out of the environment.
Exfiltration covers techniques used to transfer collected data outside the environment. Attackers may use encrypted channels, cloud storage, covert protocols, or staged file transfers to avoid detection. The goal is to remove valuable information without drawing attention.
Data extraction can occur through T1048 Exfiltration Over Alternative Protocol and T1041 Exfiltration Over C2 Channel, among others.
For further information, please refer to this article.
14. TA0040 Impact - Disrupting, damaging, or manipulating systems or data.
Impact represents actions that directly disrupt operations, damage data, or affect system integrity and availability. Examples include encrypting data, modifying records, destroying files, terminating services, or causing operational downtime. These actions reflect the final stage of many attack campaigns.
Disruptive actions often include T1486 Data Encryption, T1499 Endpoint Denial of Service, and T1490 Inhibit System Recovery.
For further information, please refer to this article.
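The identifier hierarchy described under Understanding Tactics, Techniques and Sub-Techniques, together with the way the tactic sections above place the same technique (T1078, T1197) under more than one tactic, as a worked example: this is added Python, not code from the article or from F5. The technique-to-tactic mapping and the alert IDs are constructed from the article's own examples; T1566 is included only as an ID that the mapping does not cover.

```python
import re
from collections import defaultdict

# ATT&CK identifier scheme: tactic TAnnnn, technique Tnnnn, sub-technique Tnnnn.nnn
_ID_RE = re.compile(r"^(?:(?P<tactic>TA\d{4})|(?P<technique>T\d{4})(?:\.(?P<sub>\d{3}))?)$")

def parse_attack_id(attack_id):
    """Return (level, parent_technique): level is 'tactic', 'technique' or
    'sub-technique'; parent_technique is the enclosing Tnnnn for a sub-technique,
    else None. Malformed identifiers raise ValueError."""
    m = _ID_RE.match(attack_id.strip())
    if not m:
        raise ValueError(f"not an ATT&CK identifier: {attack_id!r}")
    if m.group("tactic"):
        return "tactic", None
    if m.group("sub"):
        return "sub-technique", m.group("technique")
    return "technique", None

# Technique -> tactic mapping built only from the article's own examples. One
# technique can serve several tactics (the article lists T1078 and T1197 under
# two tactics each), so each value is a list.
TECHNIQUE_TACTICS = {
    "T1059": ["TA0002"],            # Command and Scripting Interpreter -> Execution
    "T1078": ["TA0003", "TA0004"],  # Valid Accounts -> Persistence, Privilege Escalation
    "T1197": ["TA0003", "TA0005"],  # BITS Jobs -> Persistence, Defense Evasion
    "T1110": ["TA0006"],            # Brute Force -> Credential Access
}

def tactic_coverage(observed_ids, technique_tactics=TECHNIQUE_TACTICS):
    """Roll alert tags (technique or sub-technique IDs) up to the tactic level.
    Returns ({tactic: sorted techniques seen}, sorted techniques with no mapping).
    Sub-techniques count under their parent technique; bare tactic tags are skipped."""
    seen, unmapped = defaultdict(set), set()
    for attack_id in observed_ids:
        level, parent = parse_attack_id(attack_id)
        if level == "tactic":
            continue
        technique = parent or attack_id
        tactics = technique_tactics.get(technique)
        if not tactics:
            unmapped.add(technique)
            continue
        for tactic in tactics:
            seen[tactic].add(technique)
    return {t: sorted(v) for t, v in seen.items()}, sorted(unmapped)

# Constructed sample: IDs as they might be attached to detection alerts.
SAMPLE_ALERT_IDS = ["T1059.003", "T1059.001", "T1078", "T1197", "T1110", "T1566"]
```

Running `tactic_coverage(SAMPLE_ALERT_IDS)` folds both Windows Command Shell and PowerShell alerts into T1059 under Execution, credits Valid Accounts to both Persistence and Privilege Escalation, and reports T1566 as unmapped so gaps in the mapping are visible rather than silently dropped.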
How can F5 help?
F5’s Application Delivery and Security Platform (ADSP) helps strengthen defenses across many stages of the MITRE ATT&CK framework by providing visibility, access control, and strong application-layer security in one platform. By inspecting traffic, identifying unusual behaviour, and protecting applications and APIs, ADSP reduces the chances of attackers gaining a foothold or moving deeper into the environment. This unified approach makes it easier for organizations to align their defenses with MITRE guidance and maintain secure, reliable application delivery.
Conclusion
Understanding MITRE ATT&CK is essential for strengthening modern security programs. By mapping real-world adversary behaviours into a clear structure of tactics, techniques, and sub-techniques, the framework helps organizations interpret how attacks progress, identify gaps in visibility, and build controls that align with actual threat activity rather than theoretical models. F5 products contribute to this approach by enhancing protection across multiple stages of the attack lifecycle.