A Practical Guide to MITRE ATT&CK for Blue Teams
MITRE ATT&CK is the most important framework in defensive security. It's also one of the most misunderstood. Teams buy tools that claim "ATT&CK coverage" without understanding what that means operationally. This guide cuts through the marketing to show you how to actually use ATT&CK to improve your detection program.
What ATT&CK Actually Is
ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a knowledge base of adversary behavior. It organizes real-world attack patterns into a matrix of Tactics (the "why" - the adversary's goal) and Techniques (the "how" - the specific method used to achieve that goal).
There are 14 tactics in ATT&CK for Enterprise, representing the phases of an attack from initial reconnaissance through impact:
- Reconnaissance - Gathering information about the target
- Resource Development - Setting up infrastructure for the attack
- Initial Access - Getting into the network (phishing, exploits, valid accounts)
- Execution - Running malicious code
- Persistence - Maintaining access across reboots
- Privilege Escalation - Getting higher-level permissions
- Defense Evasion - Avoiding detection
- Credential Access - Stealing credentials
- Discovery - Learning about the environment
- Lateral Movement - Moving through the network
- Collection - Gathering target data
- Command and Control - Communicating with compromised systems
- Exfiltration - Stealing data out
- Impact - Disrupting operations (ransomware, destruction)
How to Map Your Detections
The practical value of ATT&CK is detection mapping. For every detection rule in your SIEM, you should be able to answer: "What ATT&CK technique does this detect?"
Here's how BTA SIEM's 15 detection rules map to the framework:
- T1110 Brute Force - Credential Access - "Brute Force Login Attempt" rule
- T1068 Exploitation for Privilege Escalation - Privilege Escalation - "Privilege Escalation" rule
- T1046 Network Service Discovery - Reconnaissance - "Port Scan Detected" rule
- T1048 Exfiltration Over Alternative Protocol - Exfiltration - "Data Exfiltration via DNS" and "DNS Tunneling" rules
- T1021.002 SMB/Windows Admin Shares - Lateral Movement - "Lateral Movement via SMB" rule
- T1071 Application Layer Protocol - Command and Control - "Known C2 Domain" rule
- T1059.001 PowerShell - Execution - "Suspicious PowerShell" rule
- T1003 OS Credential Dumping - Credential Access - "Credential Dumping Detected" rule
- T1486 Data Encrypted for Impact - Impact - "Ransomware File Activity" rule
Coverage Gaps Most Teams Miss
When you map your detections, you'll immediately see gaps. The most common blind spots for small teams:
- Defense Evasion - The hardest tactic to detect because it's specifically designed to avoid your tools. Log clearing, timestomping, and process injection all live here.
- Discovery - Internal reconnaissance (whoami, net group, BloodHound) often blends in with normal admin activity.
- Collection - Data staging before exfiltration is rarely monitored. Watch for archive creation and clipboard access.
- Resource Development - Almost impossible to detect from inside your network because it happens on attacker infrastructure.
You won't cover everything. The goal is to have at least one detection in each tactic where detection is feasible, then deepen coverage in the tactics most relevant to your threat model.
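The mapping and gap analysis described in the two sections above, as a worked example you can run against your own rule inventory. This is added example code, not part of the article or of any BTA product. The rule names, technique IDs and tactic assignments are copied from the mapping list above (the article lists ten rules, so only those ten appear here); the "not feasible from inside the network" exclusion follows the Resource Development note above. The `navigator_layer` function emits a dictionary using the ATT&CK Navigator layer field names `name`, `domain`, `techniques`, `techniqueID` and `score` as I know them; treat that field set as an assumption and check it against the current layer schema before importing.

```python
"""Detection-to-ATT&CK coverage mapper (added example, not BTA code).

Every SIEM rule is tagged with one technique ID and one tactic, then the
script validates the tags, rolls coverage up per tactic, reports the
tactics with no rule at all, and builds a Navigator-style layer dict.
"""
import json
import re
from collections import defaultdict

# The 14 ATT&CK for Enterprise tactics in kill-chain order, as listed in the article.
TACTICS = [
    "Reconnaissance", "Resource Development", "Initial Access", "Execution",
    "Persistence", "Privilege Escalation", "Defense Evasion",
    "Credential Access", "Discovery", "Lateral Movement", "Collection",
    "Command and Control", "Exfiltration", "Impact",
]

# Tactics the article says cannot realistically be detected from inside the network.
NOT_FEASIBLE = {"Resource Development"}

# Technique IDs look like T1110 or, for sub-techniques, T1059.001.
TECHNIQUE_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")

# (rule name, technique ID, tactic), copied from the article's mapping list.
# T1046's tactic is given here exactly as the article states it.
RULES = [
    ("Brute Force Login Attempt", "T1110", "Credential Access"),
    ("Privilege Escalation", "T1068", "Privilege Escalation"),
    ("Port Scan Detected", "T1046", "Reconnaissance"),
    ("Data Exfiltration via DNS", "T1048", "Exfiltration"),
    ("DNS Tunneling", "T1048", "Exfiltration"),
    ("Lateral Movement via SMB", "T1021.002", "Lateral Movement"),
    ("Known C2 Domain", "T1071", "Command and Control"),
    ("Suspicious PowerShell", "T1059.001", "Execution"),
    ("Credential Dumping Detected", "T1003", "Credential Access"),
    ("Ransomware File Activity", "T1486", "Impact"),
]


def validate(rules):
    """Return names of rules whose technique ID is malformed or whose tactic is unknown."""
    return [name for name, tid, tactic in rules
            if not TECHNIQUE_ID.match(tid) or tactic not in TACTICS]


def parent_technique(tid):
    """Strip a sub-technique suffix: T1059.001 -> T1059, T1110 -> T1110."""
    return tid.split(".", 1)[0]


def coverage_by_tactic(rules):
    """Map each of the 14 tactics to the rule names covering it (rule order preserved)."""
    coverage = {tactic: [] for tactic in TACTICS}
    for name, _tid, tactic in rules:
        coverage[tactic].append(name)
    return coverage


def gaps(rules, exclude=NOT_FEASIBLE):
    """Tactics with zero rules, ignoring those where inside-the-network detection is not feasible."""
    coverage = coverage_by_tactic(rules)
    return [t for t in TACTICS if not coverage[t] and t not in exclude]


def navigator_layer(rules, name="SIEM detection coverage"):
    """Build a Navigator-style layer dict (field names are an assumption, see lead-in).

    The score is the number of rules per technique, so a heatmap of the layer
    shows both which techniques are covered and how deeply.
    """
    counts = defaultdict(int)
    for _name, tid, _tactic in rules:
        counts[tid] += 1
    return {
        "name": name,
        "domain": "enterprise-attack",
        "techniques": [{"techniqueID": tid, "score": n}
                       for tid, n in sorted(counts.items())],
    }


if __name__ == "__main__":
    bad = validate(RULES)
    if bad:
        raise SystemExit(f"fix these rule tags first: {bad}")
    for tactic, names in coverage_by_tactic(RULES).items():
        print(f"{tactic:22} {len(names)} rule(s) {names}")
    print("\nUncovered tactics where detection is feasible:", gaps(RULES))
    print("\nNavigator-style layer:")
    print(json.dumps(navigator_layer(RULES), indent=2))
```

Run it once to see the per-tactic table; then replace `RULES` with an export of your own rule set (one tuple per rule) and the `gaps` list becomes your prioritised backlog. Keeping the tag validation in place matters: a rule tagged with a typo such as `Persistance` silently disappears from every coverage report, which is how "ATT&CK coverage" claims drift away from reality.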
How BTA Products Map Across the Kill Chain
The BTA product suite provides detection and response capabilities across multiple ATT&CK tactics:
- BTA SIEM - Detection rules covering Initial Access, Execution, Privilege Escalation, Credential Access, Lateral Movement, C2, Exfiltration, and Impact
- BTA SOAR - Automated response playbooks for Credential Access (brute force response), Execution (malware containment), Initial Access (phishing investigation), and Exfiltration (data loss response)
- BTA ThreatFeed - IOC enrichment for C2 domain detection, IP reputation for Initial Access identification, and hash checking for Execution artifacts
- BTA Identity - Detection and prevention of Credential Access through PAM controls, MFA enforcement, and privileged account monitoring
- BTA CodeGuard - Pre-deployment detection of vulnerabilities that enable Initial Access and Execution techniques
Map your ATT&CK coverage with BTA SIEM
15+ detection rules, each mapped to MITRE ATT&CK tactics and techniques. See your gaps instantly.
Explore BTA SIEM →