Frontrow Technology

What is MITRE ATT&CK? Understanding Adversary Tactics and Techniques in Australia

MITRE ATT&CK is a globally recognised knowledge base detailing adversary behaviours, structured as tactics, techniques, and sub-techniques, used to improve threat detection and response capabilities.

Last reviewed 23 May 2026

What MITRE ATT&CK does

MITRE ATT&CK provides a structured framework for understanding adversary behaviours. It categorises these behaviours into Tactics (the ‘what’ an adversary is trying to achieve, like initial access or privilege escalation), Techniques (the ‘how’ they achieve it, such as phishing or exploiting vulnerabilities), and Sub-techniques (more granular steps within a technique). ATT&CK exists in different matrices, including Enterprise (for typical IT environments), Mobile (for mobile device security), and ICS (for industrial control systems). Each technique is assigned a unique ID, like T1078 for Obfuscated Files or Scripts, allowing for consistent referencing and communication.

MITRE ATT&CK in Australian tenants today

Australian organisations, particularly in the mid-market, are increasingly using MITRE ATT&CK to strengthen their security posture. Microsoft Sentinel and Defender XDR let teams map analytics rules and threat detections to specific ATT&CK techniques, which makes coverage gaps visible. Many Australian Security Operations Centres (SOCs) use the MITRE coverage view to prioritise defensive work, often aligning it with the ACSC Essential Eight maturity levels and the ACSC top 10 prioritised mitigation strategies. The Notifiable Data Breaches scheme and APRA CPS 234 also implicitly encourage a proactive, threat-informed defence approach, which ATT&CK supports.
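
The coverage-gap idea above, as an added example (not code from this page or from any Microsoft tool): detection rules tagged with ATT&CK IDs are validated, sub-technique tags are rolled up to their parent technique, and the result is compared per tactic against a priority list. The rule names, the rule inventory and the priority list are constructed for illustration.

```python
import re
from collections import defaultdict

# ATT&CK IDs: technique "T" + 4 digits, optional ".NNN" sub-technique suffix.
ATTACK_ID = re.compile(r"^T(\d{4})(?:\.(\d{3}))?$")

# Constructed priority list: technique -> tactic. A real one would come from
# the ATT&CK Enterprise matrix and your own threat model.
PRIORITY = {
    "T1566": "Initial Access",        # Phishing
    "T1190": "Initial Access",        # Exploit Public-Facing Application
    "T1059": "Execution",             # Command and Scripting Interpreter
    "T1068": "Privilege Escalation",  # Exploitation for Privilege Escalation
    "T1110": "Credential Access",     # Brute Force
}

# Constructed rule inventory (hypothetical names), as exported rule metadata.
RULES = [
    {"name": "Malicious attachment opened", "enabled": True, "techniques": ["T1566.001"]},
    {"name": "Encoded PowerShell", "enabled": True, "techniques": ["T1059.001", "t1059"]},
    {"name": "Password spray", "enabled": False, "techniques": ["T1110.003"]},
    {"name": "Legacy rule", "enabled": True, "techniques": ["TA0001", "1190"]},
]

def parent_technique(raw):
    """Return the parent technique ID (T1566.001 -> T1566), or None if malformed."""
    m = ATTACK_ID.match(raw.strip().upper())
    return f"T{m.group(1)}" if m else None

def coverage(rules, priority):
    """Return ({tactic: {'covered': [...], 'gaps': [...]}}, rejected_tags)."""
    covered, rejected = set(), []
    for rule in rules:
        for tag in rule["techniques"]:
            tid = parent_technique(tag)
            if tid is None:
                rejected.append((rule["name"], tag))  # tactic ID or typo in a technique field
            elif rule["enabled"]:
                covered.add(tid)  # disabled rules detect nothing, so they add no coverage
    report = defaultdict(lambda: {"covered": [], "gaps": []})
    for tid, tactic in sorted(priority.items()):
        report[tactic]["covered" if tid in covered else "gaps"].append(tid)
    return dict(report), rejected

if __name__ == "__main__":
    report, rejected = coverage(RULES, PRIORITY)
    for tactic, row in report.items():
        print(f"{tactic}: covered={row['covered']} gaps={row['gaps']}")
    print("rejected tags:", rejected)
```

Rolling sub-techniques up to the parent is an optimistic measure: one rule for T1566.001 marks all of T1566 as covered, so treat a "covered" technique as "at least one detection exists", not as complete coverage.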
