Hacking Humans | “MITRE ATT&CK (noun) [Word Notes]”
Date: September 9, 2025
Podcast: Hacking Humans, N2K Networks
Episode Overview
This episode of Hacking Humans focuses on the MITRE ATT&CK framework, a widely respected knowledge base central to understanding and defending against cyber adversaries. The episode details the origin, purpose, and impact of the framework on cybersecurity operations, threat intelligence sharing, and the evolution from older models. It concludes with a practical perspective on using ATT&CK, including a teaching moment from Professor Messer.
Key Discussion Points & Insights
1. What is MITRE ATT&CK?
- Definition:
A knowledge base of adversary tactics, techniques, and procedures (TTPs) established and maintained by the MITRE Corporation, a U.S.-based nonprofit that operates several federally funded research and development centers for the U.S. government.
- "MITRE, ATT&CK spelled MITRE as in an American quasi-governmental nonprofit that manages several U.S. government federally funded research and development centers." (B, 01:45)
- ATT&CK = Adversarial Tactics, Techniques & Common Knowledge
- Example Usage:
- "The Security Operations Team used the MITRE, ATT&CK framework to determine the attack sequence for the adversary group, Fancy Bear." (B, 02:38)
2. Evolution of Threat Models
- Past Approaches:
- Previous models, like Lockheed Martin’s Kill Chain and DoD’s Diamond Model, mostly followed conceptual or intelligence-first approaches.
- Intelligence teams gathered “indicators of compromise” (IoCs), such as IP addresses, DNS requests, and suspicious port usage.
- These IoCs were ephemeral and could be quickly changed by threat actors—making reactive defense less effective.
- Key Innovation:
- MITRE ATT&CK moved the field forward by grouping tactics and techniques, tying these closely to the behaviors of actual adversary groups.
- "That intelligence is not ephemeral, is tied to known adversary group behavior, and is conducive to designing impactful countermeasures." (B, 04:06)
- Shifted from a purely conceptual to an operational standard.
3. Standardizing Cybersecurity Language
- Old Problem:
- "Before the framework, each vendor and government organization had their own language...Talk about the Tower of Babel. We were all looking at the same activity and couldn't talk about it collectively in any way that made sense." (B, 05:06)
- MITRE’s Contribution:
- Begun at MITRE in 2013 (the public release followed in 2015), ATT&CK gave defenders, red teams, and vendors a shared taxonomy for describing adversary behavior, making collaboration and intelligence sharing practical and scalable.
- Continually updated: MITRE publishes a new numbered version of the knowledge base roughly twice a year, with techniques added, merged, or retired in each release, so mappings should be pinned to a version.
- "The MITRE, ATT&CK framework has become the industry's de facto standard for representing adversary Playbook Intelligence." (B, 05:48)
4. The ATT&CK Framework Wiki
- Accessibility & Openness:
- "It's a globally accessible knowledge base of known adversary behavior. It's derived from real world observations from both MITRE intelligence analysts and from the cybersecurity intelligence community at large." (B, 04:43)
- The most complete openly available, standardized catalog of adversary behaviors.
- Primary Focus:
- Focused mainly on the documented behaviors of advanced persistent threat (APT) and nation-state groups, mapping each group's techniques across the stages of an intrusion. Note that ATT&CK's tactics are categories of adversary objectives (Initial Access, Execution, Persistence, and so on) rather than a strict sequence; a real intrusion revisits and skips stages.
5. Practical Application – Professor Messer’s Perspective
- Cyber educator Professor Messer describes ATT&CK as the starting point for gathering intelligence on adversary playbooks and applying countermeasures.
- “One place to begin gathering this type of information is through the MITRE, ATT&CK framework. … Using this framework, you can identify broad categories of attacks. You can find exact intrusions that could be occurring, understand how those intrusions are occurring and how attackers move around after the attack, and then identify security techniques that can help you block any future attacks.” (C, 06:19–07:07)
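The "ephemeral indicators versus durable behaviors" argument from section 2 and Professor Messer's point about identifying techniques and then countermeasures, worked through in code. This is an added example, not code from the episode or from MITRE: it hand-builds a four-technique subset of ATT&CK Enterprise (the technique and tactic IDs are real ATT&CK identifiers, but the regex rules are simplified illustrations and the log lines are constructed; the 203.0.113.0/24 and 198.51.100.0/24 addresses are documentation ranges). It runs the same intrusion playbook twice with the adversary rotating its command-and-control address between runs, shows the IP indicator going silent on the second run while technique-keyed rules keep firing, and orders the matched techniques by tactic into an attack sequence.

```python
"""Added example (not from the episode): IoC matching vs. ATT&CK-style behaviour matching."""
import re

# Hand-built subset of ATT&CK Enterprise. These are real ATT&CK IDs, but only the
# handful needed here; the full knowledge base lives at attack.mitre.org.
TACTIC_ORDER = ["TA0001", "TA0002", "TA0003", "TA0011"]
TACTIC_NAMES = {
    "TA0001": "Initial Access",
    "TA0002": "Execution",
    "TA0003": "Persistence",
    "TA0011": "Command and Control",
}
# technique id -> (name, tactic id, behaviour pattern over one log line).
# The regexes are deliberately simple illustrations, not production detections.
TECHNIQUES = {
    "T1078":     ("Valid Accounts", "TA0001", r"EventID=4624\b.*\bLogonType=10\b"),
    "T1059.001": ("PowerShell",     "TA0002", r"powershell(\.exe)?\b.*\s-(enc|encodedcommand)\s"),
    "T1053.005": ("Scheduled Task", "TA0003", r"schtasks(\.exe)?\s+/create\b"),
    "T1071.001": ("Web Protocols",  "TA0011", r"\bPOST https?://\d{1,3}(\.\d{1,3}){3}/"),
}
BEHAVIOUR_RULES = {tid: re.compile(pat, re.IGNORECASE)
                   for tid, (_, _, pat) in TECHNIQUES.items()}

# The indicator learned from the first intrusion: its C2 address (documentation range).
IOCS = {"203.0.113.5"}

# Constructed log lines: the same playbook run twice, a week apart, with the
# adversary rotating its C2 address between runs.
INTRUSION_1 = [
    "2025-09-01T10:00:01Z host=ws01 EventID=4624 LogonType=10 user=jsmith src=203.0.113.5",
    "2025-09-01T10:00:09Z host=ws01 proc=powershell.exe cmd=\"powershell.exe -nop -w hidden -enc SQBFAFgA\"",
    "2025-09-01T10:00:12Z host=ws01 proc=schtasks.exe cmd=\"schtasks /create /sc minute /mo 5 /tn Updater /tr C:\\ProgramData\\svc.exe\"",
    "2025-09-01T10:05:00Z host=proxy01 src=10.0.0.21 POST http://203.0.113.5/update.php ua=\"Mozilla/4.0\"",
]
INTRUSION_2 = [
    "2025-09-08T14:30:01Z host=ws07 EventID=4624 LogonType=10 user=mlee src=198.51.100.77",
    "2025-09-08T14:30:08Z host=ws07 proc=powershell.exe cmd=\"powershell.exe -nop -w hidden -enc SQBFAFgA\"",
    "2025-09-08T14:30:11Z host=ws07 proc=schtasks.exe cmd=\"schtasks /create /sc minute /mo 5 /tn Updater /tr C:\\ProgramData\\svc.exe\"",
    "2025-09-08T14:35:00Z host=proxy01 src=10.0.0.34 POST http://198.51.100.77/sync.php ua=\"Mozilla/4.0\"",
]


def match_iocs(lines, iocs=IOCS):
    """Indicator matching: fire on any line containing a known-bad literal."""
    return [(ioc, line) for line in lines for ioc in iocs if ioc in line]


def match_behaviours(lines):
    """Behaviour matching: fire on lines that exhibit a technique, whatever infrastructure is used."""
    return [(tid, line) for line in lines for tid, rx in BEHAVIOUR_RULES.items() if rx.search(line)]


def attack_sequence(lines):
    """Distinct techniques observed, ordered by tactic the way an ATT&CK narrative lays them out."""
    seen = {tid for tid, _ in match_behaviours(lines)}
    return sorted(seen, key=lambda t: (TACTIC_ORDER.index(TECHNIQUES[t][1]), t))


def describe(lines):
    """Human-readable 'Tactic -> Txxxx Name' steps for a report or a countermeasure review."""
    return [f"{TACTIC_NAMES[TECHNIQUES[t][1]]} -> {t} {TECHNIQUES[t][0]}"
            for t in attack_sequence(lines)]


if __name__ == "__main__":
    for label, lines in (("intrusion 1", INTRUSION_1), ("intrusion 2", INTRUSION_2)):
        print(f"{label}: IoC hits={len(match_iocs(lines))}, "
              f"behaviour hits={len(match_behaviours(lines))}")
        for step in describe(lines):
            print("   ", step)
```

Running it shows the indicator rule firing twice on the first intrusion and not at all on the second, while the behaviour rules produce the identical four-step sequence both times; that ordered list of technique IDs is what an analyst takes to attack.mitre.org to look up the mitigations and data sources for each technique.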
Notable Quotes & Memorable Moments
- On the shortcomings of old methods:
- “Indicators of compromise… are not bad per se, but they are ephemeral, and hackers can easily change them at the drop of a hat, and did. By the time infosec teams deployed countermeasures, the bad guys had already changed their behavior.” (B, 03:21)
- On standardization:
- “We were all looking at the same activity and couldn’t talk about it collectively in any way that made sense. MITRE fixed that by releasing the first version of the framework in 2013…” (B, 05:17)
- On ATT&CK’s open access:
- “Their entire framework is available for you to view online. You can go to attack.mitre.org and view the entire framework from that website.” (C, 06:28)
Timestamps for Important Segments
- Definition and Background | 01:45–03:10
- Comparison with Kill Chain and Diamond Model | 03:10–04:10
- Standardization and Industry Impact | 05:00–06:00
- Professor Messer’s Explanation | 06:19–07:07
Summary
This episode clarifies how MITRE ATT&CK evolved from earlier, less effective threat models by combining operational rigor with a standardized approach to documenting adversary tactics. Highlighting the move from fleeting indicators of compromise to more durable behavioral intelligence, the episode establishes why ATT&CK has become a bedrock of both cyber defense and threat intelligence communication. Thanks to open access and continual development, ATT&CK thrives as the industry’s collaborative foundation for understanding and countering adversary playbooks. Professor Messer’s endorsement cements its value as both a practical and educational resource.