How Breach and Attack Simulation Helps You to Operationalize MITRE ATT&CK
MITRE ATT&CK has become a go-to framework for security teams. Yet, due to its comprehensive nature, it can be difficult to know where to begin when trying to operationalize it effectively.
In this blog, we share practical guidance to help you get started with ATT&CK and explain how Breach and Attack Simulation (BAS) can accelerate your efforts to incorporate it into daily security operations.
Getting Started with the ATT&CK Enterprise Framework
Getting started with MITRE ATT&CK can feel overwhelming, especially for those new to the framework. As of version 16.1, released on October 31, 2024, the Enterprise matrix includes 14 tactics, 203 techniques, and 453 sub-techniques. With this level of depth and detail, it can be difficult to know where to begin or how to decide which areas to focus on first.
Key piece of advice: let go of the idea of achieving complete threat coverage.
Very few organizations have the time or resources to monitor every possible adversary behavior. Instead, prioritize by identifying the threat actors most relevant to your organization and the tactics and techniques they commonly use.
How to Use the ATT&CK Framework for Threat Intelligence
MITRE maintains a public list of adversary groups and malware, complete with mappings to the techniques they employ. Start by identifying which groups are likely to target your organization based on your industry and threat landscape.
Use this intelligence to build a prioritized list of detections and mitigation strategies.
Important Note: Adversaries are constantly evolving, so the latest TTPs may not always be reflected on the MITRE ATT&CK “Groups” site, which relies on volunteer contributions and review cycles. To stay current, supplement ATT&CK with external threat intelligence from sources like Cisco Talos, CISA Alerts, Trend Micro, Picus Security, and other vendors or non-profits offering publicly available threat data.
To understand how ATT&CK techniques appear in real-world attacks, let’s explore a case involving SALT TYPHOON, a threat group recently observed targeting U.S. infrastructure.
Manual Threat Mapping: A Real-World Case Study
Imagine you're part of the cybersecurity team at a U.S. government agency. While your organization isn’t in the telecommunications sector, you actively monitor emerging threats that could pivot to the public sector.
In 2024, SALT TYPHOON (also known as TAG-71, a state-sponsored group) was observed targeting U.S. critical infrastructure—specifically telecommunications. In our latest analysis, Salt Typhoon was found to employ “living-off-the-land” techniques to evade detection and maintain persistence.
Salt Typhoon: Translating Cyber Threat Intelligence into the MITRE ATT&CK Framework
Some of Salt Typhoon’s observed techniques, mapped to MITRE ATT&CK, are listed below. For simplicity, we’ve highlighted just three to provide a clear example.
All of the mapping and analysis presented in this section has been performed manually.
Technique 1: Exploit Public-Facing Application (ATT&CK T1190)
Salt Typhoon leverages publicly available exploits—often found in GitHub repositories—to exploit public-facing applications and gain an initial foothold.
Notable exploited CVEs:
CVE-2023-46805, CVE-2024-21887 - Ivanti Connect Secure VPN
Technique 2: Command and Scripting Interpreter: Windows Command Shell (ATT&CK T1059.003)
Salt Typhoon relies on low-profile, native OS commands to advance its attack flow.
Example commands:
C:\Windows\system32\cmd.exe /C net group "domain admins" /domain
Retrieves information about the members of the Domain Admins group in the current domain.
C:\Windows\system32\cmd.exe /C copy C:\users\public\music\go4.cab \\{HostName}\c$\programdata\microsoft\drm
Copies a malicious payload (go4.cab) from the local machine to a shared administrative folder on a remote host.
Technique 3: Modify Registry (T1112)
The malware used by Salt Typhoon leverages the Windows registry Run key to add a new entry that ensures the malware executable runs automatically at user login.
Example command:
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v malicious-registry-name /t REG_SZ /d "C:\path\to\malicious-crowdoor[.]exe" /f
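As an added, defender-side example (not from the original post or from Picus), the following Python snippet runs simple command-line detection rules for the two command-based techniques above (T1059.003 and T1112) over constructed process-creation events. The regexes, the sample events and the hostname WS01 are assumptions made for the example.

```python
import re

# Detection rules keyed by ATT&CK technique ID, derived from the Salt Typhoon
# command examples above. Each pattern runs over the process command line only.
RULES = {
    "T1059.003": [
        # net group query against the Domain Admins group launched via cmd.exe
        re.compile(r"cmd\.exe\s+/c\s+net\s+group\s+\"?domain admins\"?\s+/domain", re.I),
        # copy of a local file into a remote C$ admin share launched via cmd.exe
        re.compile(r"cmd\.exe\s+/c\s+copy\s+\S+\s+\\\\[^\\]+\\c\$\\", re.I),
    ],
    "T1112": [
        # reg add creating a value under an HKCU/HKLM Run key (user-login persistence)
        re.compile(r"reg(\.exe)?\s+add\s+\"?HK(CU|LM)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", re.I),
    ],
}

def classify(command_line):
    """Return the sorted ATT&CK technique IDs whose rules match one command line."""
    return sorted(tid for tid, patterns in RULES.items()
                  if any(p.search(command_line) for p in patterns))

# Constructed sample events (not real telemetry): the three commands from the
# case study, with a constructed hostname and value name, plus one benign command.
SAMPLE_EVENTS = [
    'C:\\Windows\\system32\\cmd.exe /C net group "domain admins" /domain',
    'C:\\Windows\\system32\\cmd.exe /C copy C:\\users\\public\\music\\go4.cab '
    '\\\\WS01\\c$\\programdata\\microsoft\\drm',
    'reg add "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" /v updater '
    '/t REG_SZ /d "C:\\Temp\\updater.exe" /f',
    'C:\\Windows\\system32\\cmd.exe /C dir C:\\Users',
]

def scan(events):
    """Pair every event with the technique IDs it triggers (empty list if none)."""
    return [(event, classify(event)) for event in events]

if __name__ == "__main__":
    for command, techniques in scan(SAMPLE_EVENTS):
        print(techniques or ["no match"], command)
```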
As part of your defense strategy, you use MITRE ATT&CK Navigator to overlay these techniques and compare them to your agency’s detection coverage. While SALT TYPHOON hasn’t directly targeted your organization, their tactics suggest broader capabilities that could be applied to other sectors, including government networks.
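The overlay step described above, as an added example that is not part of the original post: the snippet below turns a mapped technique list and a constructed coverage status per technique into an ATT&CK Navigator layer that can be imported to colour the matrix, and lists the uncovered techniques. The coverage values and the Navigator/layer version strings are assumptions for the example.

```python
import json

# Salt Typhoon techniques from the case study, each with a constructed detection
# status for the agency: "covered", "partial" or "none".
COVERAGE = {
    "T1190": "partial",
    "T1059.003": "covered",
    "T1112": "none",
}

SCORE = {"none": 0, "partial": 1, "covered": 2}

def build_layer(name, coverage, attack_version="16"):
    """Build an ATT&CK Navigator layer dict; score 0..2 drives the colour gradient.
    The navigator/layer version strings are assumptions for the release in use."""
    techniques = [
        {
            "techniqueID": technique_id,
            "score": SCORE[status],
            "comment": f"detection coverage: {status}",
            "enabled": True,
        }
        for technique_id, status in sorted(coverage.items())
    ]
    return {
        "name": name,
        "versions": {"attack": attack_version, "navigator": "5.1.0", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": "Group techniques overlaid with current detection coverage",
        "techniques": techniques,
        # red = no coverage, yellow = partial, green = covered
        "gradient": {"colors": ["#ff6666", "#ffe766", "#8ec843"], "minValue": 0, "maxValue": 2},
    }

def coverage_gaps(coverage):
    """Technique IDs with no detection at all: the first candidates for new rules."""
    return sorted(t for t, status in coverage.items() if status == "none")

if __name__ == "__main__":
    layer = build_layer("Salt Typhoon vs. agency coverage", COVERAGE)
    print(json.dumps(layer, indent=2))
    print("gaps:", coverage_gaps(COVERAGE))
```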
Mission Impossible? Keeping Up with Evolving Adversarial Behaviors
As you can see, expanding your coverage of the MITRE ATT&CK framework can be resource-intensive.
With dozens of threat intelligence reports and hundreds of TTPs to consider—and assuming a scenario where your organization is under continuous attack—there are likely to be numerous threat actors and customized tools specifically designed to impair your defenses. In such a landscape, achieving a higher level of security assurance is critical.
But it raises a valid question: Is this truly achievable with limited—or even sufficient—manpower?
To shed light on the scale of this challenge, we published our Red Report 2025, based on extensive research conducted by Picus Labs. Between January and December 2024, we analyzed 1,094,744 unique files, and 93.86% (1,027,511) of them were identified as malicious.
Our analysis revealed a sharp increase in attacker sophistication: the average malware sample now performs 14 malicious actions and uses 12 MITRE ATT&CK techniques. This trend highlights not only the growing complexity of modern threats but also the increasing burden placed on defenders to keep pace with an ever-expanding attack surface.
For the same reason, you can never be 100% sure of identifying a given technique in your environment. To improve their chance of success, adversaries will continue to think up new ways to execute attacks, making it important to regularly review and validate your existing coverage.
Operationalizing ATT&CK with Breach and Attack Simulation (BAS)
If you and your team are considering adopting MITRE ATT&CK—or struggling to take your implementation to the next level—Breach and Attack Simulation (BAS) can be a powerful accelerator. It helps reduce the manual effort required to operationalize the framework and enables you to continuously measure and improve your security posture.
BAS solutions, such as the Picus Security Control Validation (SCV) module, simulate real-world cyber threats to automatically and continuously assess the effectiveness of your security controls.
Red Team Use Case
Internal red teams often struggle with repetitive, time-consuming tasks—such as testing the same techniques (registry modifications, for example) day after day to assess system weaknesses. Over time, these routine activities can become monotonous and limit the team's ability to focus on more complex and creative attack simulations.
BAS solutions help alleviate this burden by automating these low-level tasks, enabling red teamers to concentrate on identifying critical attack paths and developing sophisticated, real-world threat scenarios. Since many of these tasks involve techniques already defined in the MITRE ATT&CK framework, BAS also allows red teams to structure their simulations around real-world adversary behavior in a repeatable and measurable way.
Beyond the ready-to-run threat templates offered by many BAS platforms, teams can also customize their own attack kill chains for continuous and automated testing.
For example, a red teamer working at a bank may want to test Windows endpoint attacks by crafting a tailored list of ATT&CK techniques. With the Picus Security Control Validation Threat Builder feature, they can design custom attack scenarios using a simple drag-and-drop interface—and even upload their own payloads.
Blue Team Use Case
1. Quick Response to Threats
In organizations without a dedicated red team, security teams are often responsible for everything—from assessments and patching to incident response and risk mitigation. When already juggling alert fatigue and manual workloads, it becomes extremely difficult to keep pace with the threat landscape.
This becomes especially stressful when a high-profile threat (like Salt Typhoon) emerges that targets your region or industry. Leadership often expects immediate answers: What techniques are involved? Are we exposed? Can this impact business operations? Responding to these questions requires fast analysis of adversary TTPs, mapping them to your environment, and validating whether your existing controls are working—all under pressure.
Breach and Attack Simulation solutions help reduce this pressure by providing up-to-date, ready-to-use attack scenarios based on real-world threats, with every TTP mapped to the MITRE ATT&CK framework. These simulations can be safely run in your environment to assess how well your controls detect or block specific behaviors.
For example, Picus SCV offers a 24-hour SLA to add emerging threats if a public proof-of-concept is available. This allows security teams to simulate new attack vectors quickly, without needing to manually recreate every technique.
By simulating attacks, you can identify:
- Which controls are missing or misconfigured
- Which detection rules need tuning
- Whether existing defenses block specific threats or silently fail
In addition to visibility, BAS platforms also provide ready-to-apply mitigation recommendations—both vendor-neutral (e.g., configuration hardening, detection logic) and vendor-specific—helping teams act swiftly without starting from scratch.
Below is an example mitigation suggestion for the Salt Typhoon APT group.
This not only saves valuable time but also ensures that defenses are adjusted with precision, reducing the risk of gaps going unnoticed.
2. Focusing on What Matters the Most
Too often, teams focus on theoretical risks surfaced by vulnerability scanners rather than the actual exploitability of a threat in their environment.
However, not all vulnerabilities present equal risk.
A critical vulnerability—rated 9.0 on the CVSS scale—might be technically exploitable, but if your perimeter controls block the attack vector entirely, the actual risk is low. Just because a vulnerability scanner flags something as "critical" doesn’t automatically mean it needs immediate patching.
The reality is that compliance requirements often push teams to address all high-severity vulnerabilities without considering real-world exploitability. This leads to wasted effort. When teams are flooded with “critical” findings, even large security teams can become overwhelmed, increasing the risk of missing the vulnerabilities that truly matter.
Breach and Attack Simulation (BAS) helps close this gap by testing actual attack paths and surfacing where your defenses fail in practice—not just on paper. This allows teams to prioritize remediation based on real exposure rather than theoretical severity.
In short, BAS aligns your efforts with what’s exploitable in your unique environment—not just what’s labeled 'critical' by default.
How Picus Can Improve Your Success
The Picus Security Control Validation Platform is an end-to-end Breach and Attack Simulation solution designed to assess how well your security controls perform against real-world threats. It doesn’t just simulate attacks—it also provides practical feedback to help improve your defenses.
The platform supports the operationalization of MITRE ATT&CK by automatically mapping assessment results to the framework. It enables security teams to test the effectiveness of various technologies—such as firewalls (NGFWs), intrusion prevention and detection systems (IPS/IDS), web application firewalls (WAFs), secure web gateways, SIEM, EDR/XDR, and DLP tools—against known techniques used by attackers.
With Picus, you can quickly and easily simulate a wide range of attack vectors, including malware, ransomware, trojan download attacks, APT and threat actor campaigns, atomic actions like OS credential dumping, data exfiltration, web application attacks, and techniques that exploit known vulnerabilities.
Picus SCV offers broad threat coverage, backed by a rich, continuously updated threat library.
- 26,000+ attack actions,
- 6,000+ threats covering network infiltration, endpoint, web application, email infiltration, and data exfiltration attacks,
- 80,000+ vendor-specific prevention signatures, 600 generic mitigation suggestions, and 4,400+ validated detection rules, giving extensive coverage for mitigation and remediation.
The platform also includes ready-to-run and dynamic threat templates for emerging threats, tailored to specific industries and regions. This reduces the need for in-house security teams to continuously track and replicate the latest TTPs from threat intelligence sources.
To help identify and address visibility gaps and weaknesses in threat coverage, Picus validates whether detection rules are in place and effectively generating alerts. For any gaps found, the platform provides log source recommendations along with vendor-specific prevention signatures and detection rules.
To support your implementation, Picus’ customer success team also offers guidance on using the platform with MITRE ATT&CK, helping you identify and prioritize the threats that pose the greatest risk to your organization.
See Picus in Action!
Below, we’ve provided a demo that walks you through a step-by-step simulation of malware activity, showcasing the top 10 MITRE ATT&CK techniques identified in Red Report 2025.