Mitre ATT&CK framework

The MITRE ATT&CK Framework is a globally recognized knowledge base of adversary tactics, techniques, and procedures (TTPs) mapped across the intrusion lifecycle—from initial access to exfiltration. Maintained by MITRE, it helps security teams understand how attackers compromise and move within systems, enabling them to map defenses to specific techniques.

How does it affect identity security?

Many ATT&CK techniques revolve around stealing or abusing credentials (T1078), escalating privileges (T1068), or exploiting single-factor logins. By referencing ATT&CK, organizations identify potential identity-based weaknesses (e.g., pass-the-hash, Kerberoasting). They can then implement targeted controls—like preventing credential dumping or enforcing multi-factor authentication. 

MITRE ATT&CK includes a Cloud Matrix describing methods adversaries use to compromise cloud infrastructures (e.g., misconfigured S3 buckets, stolen API keys). Mapping cloud IAM policies to ATT&CK tactics clarifies if controls are robust enough. ATT&CK also guides incident responders: if an attacker is using technique X, they likely aim for Y next.

For instance, if a technique mentions forging SAML tokens (like in the SolarWinds breach), an organization can strengthen identity federation security. Threat intelligence plus ATT&CK let defenders quickly see which IAM misconfigurations attackers commonly exploit.

Case study

Russian threat actors used credential dumping, lateral movement, and phishing for initial access. Post-incident analysis aligned the intruders’ methods with ATT&CK techniques. This correlation helps defenders refine identity protections—like limiting domain admin tokens and enforcing advanced auditing.

‍