Mitre Logo

What is MITRE ATT&CK, what are the evaluation criteria, who uses it, and what does it mean for experts and vendors of cybersecurity solutions?
Let’s take a look at the framework, the techniques and tactics evaluated, and HarfangLab’s EDR assessment.


MITRE ATT&CK is a reference framework for evaluating detection capabilities, threat hunting, risk management, Threat Intelligence… Born in 2013, it is an alternative to the CyberKill Chain developed by Lockheed Martin. This framework evolves regularly to adapt to the cyber context. MITRE ATT&CK has 3 components to assess detection on:

  • workstations and servers in Windows, Mac, Linux and Cloud environments (Enterprise ATT&CK);
  • mobile for iOS and Android operating systems (Mobile ATT&CK);
  • industrial networks (ICS ATT&CK).

Tactics and techniques assessed by MITRE

MITRE ATT&CK has 14 tactics, each with its own technical objectives. The tactics are as follows:

  • Reconnaissance
  • Resource development
  • Initial access
  • Execution
  • Persistance
  • Privilege escalation
  • Defense evasion
  • Credential access
  • Discovery
  • Lateral movement
  • Collection
  • Command and control
  • Exfiltration

Within these tactics, techniques are the methods used by attackers. They will depend on their objectives, their skills, the configuration of the intended target… MITRE ATT&CK includes almost 200, and nearly 400 sub-techniques.

Who uses MITRE ATT&CK?

The MITRE ATT&CK framework is useful for a wide range of cybersecurity players.

CISOs and CIOs, as well as MSSPs and SOC Managers, can use it as a decision-making tool to assess the performance and relevance of solutions on the market.

Cyber Threat Intelligence (CTI) researchers can use it to categorize threats, and correlate the Techniques, Tactics and Procedures (TTPs) of different attacker groups.

It is also useful for Red Teams to facilitate the classification of vulnerabilities identified in an Information System.

Finally, cybersecurity solution suppliers can use it to assess their detection capabilities with a view to improving them, to meet market needs and to monitor the evolution of the threat.

In addition to its framework, MITRE ATT&CK also offers the MITRE Engenuity ATT&CK evaluation grid. It is also a framework for presenting the techniques and tactics their solutions cover.

HarfangLab EDR MITRE ATT&CK evaluation

In 2023, HarfangLab participated for the first time in the MITRE ATT&CK Engenuity evaluations.

The evaluations involved emulating Turla, an attacker group known for its targeted intrusions and stealth.

Turla executes targeted campaigns aimed at exfiltrating sensitive information from Linux and Windows infrastructures. In practice, once it has established itself, Turla persists with a minimal footprint, thanks to memory or kernel implants.

MITRE - EDR - Evaluation - Détection

HarfangLab detected:

  • 100% attacks steps (19/19)
  • 100% tactics (11/11)
  • 98% real time (3 delays)

The evaluation was carried out in two stages.

MITRE ATT&CK initial scenario

The solution was tested on an initial scenario involving various stages:

  • Initial Compromise
  • Establish Initial Access
  • Discovery and Privilege Escalation
  • Persistence
  • Lateral Movement to Domain Controller
  • Preparation for Lateral Movement onto Second Host
  • Lateral Movement to Second Workstation
  • Credential Access on Admin Host
  • Lateral Movement to Linux Server
  • Installation of a Watering Hole (compromise of an entity identified as trustworthy, to lure users and spread malware)

MITRE ATT&CK second scenario

The solution has been tested in a second scenario with the following stages:

  • Initial compromise and Establish Foothold
  • Rootkit Installation
  • First Workstation Discovery
  • Lateral Movement to File Server
  • Domain Discovery
  • Preparation for Lateral Movement to Admin Workstation
  • Lateral Movement to Admin Workstation and Persistence
  • Lateral Movement to Exchange Server
  • Discovery and Email Collection

A team made up of a project manager, the CTI team and DevOps support, back-end and front-end, mobilized over 3 days to deal with the attacks launched by the MITRE Red Team, and answer questions on EDR detection proofs (you can take a look in backstage).

Within each stage, there are sub-stages for which MITRE ATT&CK assigns a detection classification from the most precise to the least specific: technical, tactical, general detection, telemetry. This classification is used to assess how well the tool detected the event.

The results are then consolidated by MITRE ATT&CK for all participants, for public release.

This demanding test is also internationally recognized, providing a benchmark for experts and decision-makers in the cybersecurity sector, and, through its high standards, helping to raise the bar for all players.

Want to know more about our EDR?
Find out how HarfangLab protects your endpoints: