The MITRE ATT&CK framework, created in 2013, is a detailed catalog of how attackers operate and common attack patterns. It maps real-world TTPs (Tactics (the “why”), Techniques (the “how”), and Procedures) instead of focusing on compliance or strategy. This helps teams detect threats, test defenses, and align their tools with actual attacker behavior.
The framework includes three main matrices:
- Enterprise: Covers Windows, Linux, cloud, and SaaS. It tracks tactics like data theft, lateral movement, and privilege escalation.
- ICS (Industrial Control Systems): Focuses on attacks against physical systems in OT environments such as factories or power plants. Techniques aim to disrupt operations or manipulate industrial controls.
- Mobile: Details threats specific to Android and iOS, including mobile-specific attack methods.
The key difference between Enterprise and ICS lies in the targets and impact. Enterprise attacks often steal data or gain control of IT systems. ICS attacks aim to disrupt physical processes and can threaten safety or cause large economic losses. MITRE ATT&CK highlights this gap by modeling threats for each environment, helping organizations secure both IT and OT systems.
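One practical way to "align tools with actual attacker behavior" is to map each detection rule to the technique IDs it covers and then measure coverage per matrix and tactic, which makes an IT/OT gap visible. The example below is added here and is not MITRE's code or data: the catalog is a constructed handful of techniques (IDs and tactic placements as listed in the Enterprise and ICS matrices at the time of writing; verify against the current release), and the detection rules are hypothetical.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Technique:
    id: str
    name: str
    matrix: str          # "Enterprise", "ICS" or "Mobile"
    tactics: tuple       # a technique can sit under several tactics

# Constructed subset of the catalog; the real data set is far larger.
CATALOG = [
    Technique("T1078", "Valid Accounts", "Enterprise",
              ("Initial Access", "Persistence", "Privilege Escalation", "Defense Evasion")),
    Technique("T1021", "Remote Services", "Enterprise", ("Lateral Movement",)),
    Technique("T1068", "Exploitation for Privilege Escalation", "Enterprise", ("Privilege Escalation",)),
    Technique("T1041", "Exfiltration Over C2 Channel", "Enterprise", ("Exfiltration",)),
    Technique("T0813", "Denial of Control", "ICS", ("Inhibit Response Function",)),
    Technique("T0831", "Manipulation of Control", "ICS", ("Impair Process Control",)),
]

# Hypothetical detection rules, each tagged with the technique IDs it detects.
DETECTIONS = {
    "logon_from_unusual_geo": ["T1078"],
    "rdp_fan_out_burst": ["T1021"],
    "large_upload_to_c2_domain": ["T1041"],
    "typo_in_rule": ["T9999"],          # references an ID not in the catalog
}

def covered_ids(detections):
    return {tid for ids in detections.values() for tid in ids}

def coverage_by_tactic(catalog, detections):
    """Return {(matrix, tactic): (covered, total)} counted per technique."""
    covered = covered_ids(detections)
    counts = defaultdict(lambda: [0, 0])
    for tech in catalog:
        for tactic in tech.tactics:
            counts[(tech.matrix, tactic)][1] += 1
            if tech.id in covered:
                counts[(tech.matrix, tactic)][0] += 1
    return {key: tuple(val) for key, val in counts.items()}

def uncovered_techniques(catalog, detections, matrix=None):
    """Technique IDs with no detection, optionally filtered to one matrix."""
    covered = covered_ids(detections)
    return [t.id for t in catalog
            if t.id not in covered and (matrix is None or t.matrix == matrix)]

def dangling_references(catalog, detections):
    """Rules that cite technique IDs absent from the catalog (stale or mistyped)."""
    known = {t.id for t in catalog}
    return sorted(rule for rule, ids in detections.items() if set(ids) - known)
```

Run against the real catalog, the `uncovered_techniques(..., matrix="ICS")` list is the OT gap the text describes, and `dangling_references` catches rules whose mappings drifted after a framework release.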