MITRE ATT&CK : definition and how it works | Trapster

MITRE ATT&CK

MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a freely available knowledge base that catalogs adversary behaviors observed in real-world intrusions. Maintained by the MITRE Corporation and updated several times a year, it has become a common language for security teams worldwide: it lets them describe, classify and compare offensive actions in a standardized way, using stable identifiers that vendors, analysts and threat reports can all reference. In the context of deceptive security, ATT&CK provides a valuable reference for stating what each decoy detects and for planning where to deploy the next one.

Structure: tactics, techniques and procedures

ATT&CK organizes adversary knowledge along two complementary axes. Tactics represent the "why": the objective an attacker pursues at a given stage, such as discovering the environment or obtaining credentials. Techniques describe the "how": the concrete means used to achieve that objective, and a single technique can serve several tactics. Each technique can break down into more granular sub-techniques (written with a suffix, such as T1021.002 for SMB/Windows Admin Shares under T1021 Remote Services), and each entry is documented with procedures that capture real-world usage by identified threat groups and malware, along with suggested mitigations and detection data sources.

The Enterprise matrix spans fourteen tactics covering the full attack lifecycle, among them:

  • Reconnaissance (TA0043) and Initial Access (TA0001): how the adversary gathers information about the target, then gains a first foothold in the environment.
  • Discovery (TA0007): mapping the environment, accounts, shares and services.
  • Credential Access (TA0006): stealing or harvesting passwords, tickets or secrets.
  • Lateral Movement (TA0008): moving from one system to another across the network.
  • Collection (TA0009): gathering targeted data before exfiltration.

This taxonomy lets defenders reason in terms of behaviors rather than tools or signatures. An attacker can swap a tool, recompile a binary or change an IP address in minutes, but the behavior itself (enumerating shares, reusing a credential, pivoting over SMB) is far harder to change, which makes it a more durable basis for detection and for measuring defensive coverage.

ATT&CK and deceptive security

Deceptive security seeds the environment with fake assets — decoys, breadcrumbs, honeytokens — designed to attract and reveal an attacker. ATT&CK offers a lens for understanding which tactics these assets detect and where to place them. A legitimate user has no reason to interact with a fake asset, so any interaction is a high-fidelity signal that can be tied to a specific tactic with very few false positives. The one caveat in practice is legitimate automation: vulnerability scanners, asset-inventory agents and backup jobs will touch decoys too, so their sources must be known and excluded before the alert is treated as adversary activity.

Deceptive assets are particularly effective against a handful of key tactics:

  • Discovery: a decoy server or a planted share fires an alert as soon as the attacker enumerates the network.
  • Credential Access: honeytokens (fake credentials) flag any attempt at reuse.
  • Lateral Movement: breadcrumbs steer the attacker toward a decoy as they try to pivot between hosts.
  • Collection: bait files reveal attempts to aggregate sensitive data.

By mapping its detections onto ATT&CK, a security team exposes its blind spots: if no lateral movement technique is covered by a decoy, that is exactly where new breadcrumbs belong. "Covered" here means that a deployed decoy would fire if the technique were used against it, not that every use will be caught; an attacker who never touches the decoy stays invisible, which is why placement along the paths an attacker is likely to take matters as much as the count of decoys. Because each decoy adds a tripwire at a different stage of the intrusion, this approach multiplies the opportunities to detect the attacker before they reach their objective, and therefore shortens their dwell time.
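The following is an added example (not Trapster code, and not the ATT&CK project's own tooling) that ties together the two technical points above: reading tactic and technique objects in the shape of the ATT&CK STIX export, and mapping a deception deployment onto those tactics to list the ones with no decoy coverage. The bundle is a hand-built, heavily trimmed imitation of the Enterprise STIX 2.1 export (the IDs and names are real, but only a handful of objects are included); the decoy catalogue and the alert records are constructed for the example, and the decoy-to-technique mapping is an assumption of this example, not a Trapster mapping.

```python
"""Map deception alerts onto ATT&CK tactics and report uncovered tactics.

Added example. ATTACK_BUNDLE imitates the object shapes of the ATT&CK
Enterprise STIX export with a constructed subset of objects; the decoy
catalogue and alerts are constructed too.
"""
from typing import Iterable

# Constructed subset of the ATT&CK STIX bundle. The real export uses the same
# object types (x-mitre-tactic, attack-pattern) and the same reference fields.
ATTACK_BUNDLE = {
    "type": "bundle",
    "objects": [
        {"type": "x-mitre-tactic", "name": "Discovery", "x_mitre_shortname": "discovery",
         "external_references": [{"source_name": "mitre-attack", "external_id": "TA0007"}]},
        {"type": "x-mitre-tactic", "name": "Credential Access", "x_mitre_shortname": "credential-access",
         "external_references": [{"source_name": "mitre-attack", "external_id": "TA0006"}]},
        {"type": "x-mitre-tactic", "name": "Lateral Movement", "x_mitre_shortname": "lateral-movement",
         "external_references": [{"source_name": "mitre-attack", "external_id": "TA0008"}]},
        {"type": "x-mitre-tactic", "name": "Collection", "x_mitre_shortname": "collection",
         "external_references": [{"source_name": "mitre-attack", "external_id": "TA0009"}]},
        {"type": "attack-pattern", "name": "Network Share Discovery",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1135"}],
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "discovery"}]},
        {"type": "attack-pattern", "name": "Network Service Discovery",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1046"}],
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "discovery"}]},
        {"type": "attack-pattern", "name": "Unsecured Credentials",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1552"}],
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "credential-access"}]},
        {"type": "attack-pattern", "name": "SMB/Windows Admin Shares",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1021.002"}],
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "lateral-movement"}]},
        {"type": "attack-pattern", "name": "Data from Network Shared Drive",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1039"}],
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "collection"}]},
    ],
}

# Constructed (assumed) decoy catalogue: the techniques each decoy type evidences
# when touched. A fake SMB share fires on enumeration and on a pivot into it;
# a bait document on it fires when read; a planted credential fires when found.
DECOY_TECHNIQUES = {
    "smb_share_decoy": ["T1135", "T1021.002"],
    "bait_document": ["T1039"],
    "honeytoken_credential": ["T1552"],
}


def attack_id(obj: dict) -> str:
    """Return the ATT&CK ID (TAxxxx or Txxxx[.yyy]) carried in a STIX object's references."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref["external_id"]
    raise ValueError("object has no mitre-attack reference")


def index_bundle(bundle: dict):
    """Return (tactic shortname -> (ID, name)) and (technique ID -> (name, [tactic shortnames]))."""
    tactics, techniques = {}, {}
    for obj in bundle["objects"]:
        if obj.get("revoked") or obj.get("x_mitre_deprecated"):
            continue  # the real export retains revoked/deprecated objects; ignore them
        if obj["type"] == "x-mitre-tactic":
            tactics[obj["x_mitre_shortname"]] = (attack_id(obj), obj["name"])
        elif obj["type"] == "attack-pattern":
            phases = [p["phase_name"] for p in obj.get("kill_chain_phases", [])
                      if p["kill_chain_name"] == "mitre-attack"]
            techniques[attack_id(obj)] = (obj["name"], phases)
    return tactics, techniques


def coverage(bundle: dict, deployed: Iterable[str]) -> dict:
    """Tactic shortname -> set of technique IDs that at least one deployed decoy would detect."""
    tactics, techniques = index_bundle(bundle)
    covered = {short: set() for short in tactics}
    for decoy in deployed:
        for tid in DECOY_TECHNIQUES[decoy]:
            for phase in techniques[tid][1]:  # a technique may belong to several tactics
                covered[phase].add(tid)
    return covered


def blind_spots(bundle: dict, deployed: Iterable[str]) -> list:
    """Sorted tactic IDs for which no deployed decoy covers any technique."""
    tactics, _ = index_bundle(bundle)
    return sorted(tactics[s][0] for s, tids in coverage(bundle, deployed).items() if not tids)


def tag_alert(bundle: dict, alert: dict) -> dict:
    """Annotate a decoy alert with the technique and tactic IDs it evidences."""
    tactics, techniques = index_bundle(bundle)
    tids = DECOY_TECHNIQUES[alert["decoy_type"]]
    tactic_ids = sorted({tactics[p][0] for t in tids for p in techniques[t][1]})
    return {**alert, "techniques": tids, "tactics": tactic_ids}


if __name__ == "__main__":
    deployed = ["bait_document", "honeytoken_credential"]  # constructed deployment
    print("uncovered tactics:", blind_spots(ATTACK_BUNDLE, deployed))
    print(tag_alert(ATTACK_BUNDLE, {"decoy_type": "smb_share_decoy", "src": "10.0.0.5"}))
```

With only a bait document and a honeytoken credential deployed, the report names Discovery and Lateral Movement as uncovered, which is exactly the signal that an SMB share decoy with breadcrumbs pointing to it belongs next. In a real deployment the bundle would be the full Enterprise export and the catalogue the team's own decoy inventory; the logic does not change.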

MITRE Engage, the deception-focused companion

While ATT&CK describes adversary behavior, MITRE Engage is a separate, complementary framework dedicated to adversary engagement and active defense. Engage helps defenders plan deception operations: exposing decoys, eliciting specific behaviors, collecting intelligence and steering the attacker. Where ATT&CK answers "what is the attacker doing?", Engage answers "how do we make them reveal themselves and disrupt them?".

Used together, the two frameworks form a coherent defensive program: ATT&CK to characterize the threat and measure detection coverage, Engage to design the deception that exploits that knowledge. It is in this pairing that deception solutions deliver their full operational value, turning passive monitoring into a deliberate, intelligence-driven defense.

With Trapster

Trapster leverages MITRE ATT&CK to map the detections produced by its decoys and honeytokens. Each interaction with a fake asset is tied to the relevant tactic (Discovery, Credential Access, Lateral Movement, Collection), giving SOC teams a clear view of their coverage and the blind spots left to close.


From theory to detection

See how Trapster deploys honeypots, decoys and honeytokens across your network to turn every suspicious interaction into a reliable alert.

30-min demo, no commitment · Hosted in France