Transcript
A (0:02)
You're listening to the CyberWire network, powered by N2K. The DMV has established itself as a top-tier player in the global cyber industry. DMV Rising is the premier event for cyber leaders and innovators to engage in meaningful discussions and celebrate the innovation happening in and around the Washington, D.C. area. Join us on Thursday, September 18th, to connect with the leading minds shaping our field and experience firsthand why the Washington, D.C. region is the beating heart of cyber innovation. Visit DMVRising.com to secure your spot. At Thales, they know cybersecurity can be tough and you can't protect everything, but with Thales, you can secure what matters most. With Thales' industry-leading platforms, you can protect critical applications, data, and identities anywhere and at scale, with the highest ROI. That's why the most trusted brands and largest banks, retailers, and healthcare companies in the world rely on Thales to protect what matters most: applications, data, and identity. That's Thales, T-H-A-L-E-S. Learn more at.
B (1:45)
The word is MITRE ATT&CK, spelled MITRE, as in an American quasi-governmental nonprofit that manages several U.S. government federally funded research and development centers, or FFRDCs, and, for ATT&CK, A for adversaries, T for tactics, T for techniques, the ampersand, C for common, and K for knowledge.
Definition: A knowledge base of adversary tactics, techniques, and procedures established and maintained by the MITRE Corporation.
Example sentence: The security operations team used the MITRE ATT&CK framework to determine the attack sequence for the adversary group Fancy Bear.
Origin and context: Some say that the MITRE ATT&CK framework is just another threat model, in the same vein as the Lockheed Martin intrusion kill chain model or the Department of Defense's Diamond Model. The framework does extend the original Lockheed Martin model and corrects for some of the limitations. It eliminates the recon phase and clarifies and extends the actions-on-the-objective stage. But the framework's significant innovation is an extension of the list of things intelligence analysts collect on adversary group attack sequences, in other words, their adversary playbooks. Before the framework, cyber intelligence teams would collect indicators of compromise without any relation to known adversary behavior, like IP addresses of known bad-guy locations, strange DNS requests, and network traffic on unusual ports. These are not bad per se, but they are ephemeral, and hackers can easily change them at the drop of a hat, and did. By the time infosec teams deployed countermeasures, the bad guys had already changed their behavior. MITRE's extension to the kill chain model includes the grouping of tactics, the techniques used, the how, and the specific implementation the adversary groups use to deploy the tactic. That intelligence is not ephemeral, is tied to known adversary group behavior, and is conducive to designing impactful countermeasures.
Where the Lockheed Martin kill chain model is conceptual, the MITRE ATT&CK framework is operational, and the Diamond Model is specifically designed for intelligence analysts as a way to think about both. But the real power of the MITRE ATT&CK framework is an intelligence product that I call the ATT&CK Framework Wiki. It's a globally accessible knowledge base of known adversary behavior. It's derived from real-world observations from both MITRE intelligence analysts and from the cybersecurity intelligence community at large. In other words, it's the most complete, free, open-source, standardized database of adversary offensive playbook intelligence. Although the wiki tracks several crime groups, that's not the focus. It primarily covers how APT groups, nation-state groups, traverse their version of the intrusion kill chain. Most importantly, the framework standardizes the taxonomy vocabulary for both offense and defense. Before the framework, each vendor and government organization had their own language. Any intelligence product coming out of those organizations couldn't be shared with anybody else without a lot of manual conversion grunt work to make sense of it all. Talk about the Tower of Babel. We were all looking at the same activity and couldn't talk about it collectively in any way that made sense. MITRE fixed that by releasing the first version of the framework in 2013 and has made significant improvements to the model almost every two years since. The bottom line is that the MITRE ATT&CK framework has become the industry's de facto standard for representing adversary playbook intelligence.
Nerd reference: Professor Messer is a small cybersecurity training company that produces excellent YouTube educational content to prepare IT and security professionals for CompTIA A+, CompTIA Network+, and CompTIA Security+ certifications. In this clip, he describes the MITRE ATT&CK framework.