Understanding the Tactic vs Technique Distinction
MITRE ATT&CK's power lies in its hierarchical organization. Tactics represent the "why" behind adversary actions—their goals and objectives. Techniques represent the "how"—the specific methods for achieving those goals. Understanding this distinction transforms ATT&CK from a list into a powerful analytical framework.
Think of it like a building: the tactic is the floor (Privilege Escalation, for example), and techniques are the specific rooms on that floor. Every room on the Privilege Escalation floor contributes to the same goal but through different methods.
This hierarchical structure serves several purposes simultaneously: it enables high-level strategic thinking about adversary goals while also providing the granular detail needed for technical investigations. A CISO might focus on tactics; a threat hunter on specific techniques. Both views are valid and necessary.
What Are Tactics?
Tactics are the highest-level representation of adversary intent in MITRE ATT&CK. Each tactic answers the question: What is the adversary trying to accomplish with this action?
The enterprise ATT&CK matrix includes 14 tactics arranged roughly in order of a typical attack chain:
Initial Access - How does the attacker get in? Techniques include phishing, exploiting public-facing applications, and supply chain attacks. The tactic answers: How does the adversary establish their first foothold?
Execution - How does the attacker run code or commands? Techniques include command line, scripts, and native Windows utilities. The tactic answers: How do attackers execute their payload?
Persistence - How does the attacker maintain access? Techniques include creating accounts, establishing scheduled tasks, and modifying startup files. The tactic answers: How do adversaries maintain long-term access?
Privilege Escalation - How does the attacker gain higher permissions? Techniques exploit OS vulnerabilities, misconfigurations, and weak security controls. The tactic answers: How do attackers escalate from user to administrator?
Defense Evasion - How does the attacker avoid detection? Techniques include disabling security tools, obfuscating code, and hiding in legitimate processes. The tactic answers: How do attackers hide their activities?
Credential Access - How does the attacker obtain valid credentials? Techniques include keylogging, brute force, and credential dumping. The tactic answers: How do adversaries steal login credentials?
Discovery - How does the attacker learn about the environment? Techniques include system enumeration, network scanning, and account discovery. The tactic answers: What do attackers learn about the victim's network?
Lateral Movement - How does the attacker move through the network? Techniques include pass-the-hash, lateral tool transfer, and exploiting trust relationships. The tactic answers: How do attackers move from the initial foothold to other systems?
Collection - What data does the attacker gather? Techniques include capturing screenshots, recording keystrokes, and collecting email data. The tactic answers: What information are attackers gathering?
Command and Control - How does the attacker communicate with compromised systems? Techniques include using DNS, HTTP, and custom protocols. The tactic answers: How do attackers remotely control compromised systems?
Exfiltration - How does the attacker steal data? Techniques include compression, encoding, and using command-and-control channels. The tactic answers: How does stolen data leave the network?
Impact - What damage does the attacker cause? Techniques include data destruction, ransomware, and denial of service. The tactic answers: What harm does the attack cause?
Additional tactics for specific scenarios:
Resource Development - How does the attacker prepare? Techniques include acquiring infrastructure, developing malware, and gathering information.
What Are Techniques?
Techniques are specific methods for accomplishing a tactic. While tactics describe the goal, techniques describe exactly how attackers achieve that goal.
For example, under the Credential Access tactic, techniques include:
- Brute Force - Trying many passwords until one works
- Credential Dumping - Extracting credentials from memory or files
- Input Capture - Recording user input like keystrokes or screenshots
- OS Credential Dumping - Using OS tools to dump credentials
- Steal Application Access Token - Stealing authentication tokens from applications
- Steal Web Session Cookie - Capturing session cookies
Each technique is a distinct method achieving the same tactic goal: obtaining valid credentials.
The specificity of techniques makes them actionable. A detection rule for "Credential Access" is too vague. A rule for "OS Credential Dumping via lsass.exe" is precise and implementable.
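To make that contrast concrete, here is a small detection rule for the lsass.exe case, tagged with the tactic and technique it covers. This is an added example, not code from the original article or from MITRE; the Sysmon-style events and the process allowlist are constructed for it, and the allowlist is an assumption to be tuned per environment.

```python
# Detection rule for the "OS Credential Dumping via lsass.exe" case, mapped to
# its ATT&CK tactic and technique. Events below are constructed, in a simplified
# key=value rendering of Sysmon Event ID 10 (ProcessAccess) fields.
RULE = {
    "name": "LSASS memory access from unexpected process",
    "tactic": "Credential Access",
    "technique": "T1003.001 OS Credential Dumping: LSASS Memory",
}

# PROCESS_VM_READ (0x10) is required to read another process's memory; a mask
# without it (for example 0x1000, query limited information) is not flagged.
PROCESS_VM_READ = 0x0010

# Processes that legitimately open lsass.exe on a typical host.
# Assumption: this allowlist is tuned per environment, not taken from ATT&CK.
BENIGN_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}

def parse_event(line):
    """Split 'SourceImage=...|TargetImage=...|GrantedAccess=0x...' into a dict."""
    fields = dict(part.split("=", 1) for part in line.split("|"))
    fields["GrantedAccess"] = int(fields["GrantedAccess"], 16)
    return fields

def matches(event):
    """True when a non-allowlisted process opens lsass.exe with VM_READ."""
    if not event["TargetImage"].lower().endswith(r"\lsass.exe"):
        return False
    if event["SourceImage"].lower() in BENIGN_SOURCES:
        return False
    return bool(event["GrantedAccess"] & PROCESS_VM_READ)

def run_rule(lines):
    """Return (source image, technique) for each event the rule fires on."""
    return [(e["SourceImage"], RULE["technique"])
            for e in map(parse_event, lines) if matches(e)]

SAMPLE_LOG = [  # constructed, not captured from a real host
    r"SourceImage=C:\Windows\System32\csrss.exe|TargetImage=C:\Windows\System32\lsass.exe|GrantedAccess=0x1FFFFF",
    r"SourceImage=C:\Users\alice\AppData\Local\Temp\update.exe|TargetImage=C:\Windows\System32\lsass.exe|GrantedAccess=0x1010",
    r"SourceImage=C:\Windows\System32\taskmgr.exe|TargetImage=C:\Windows\System32\lsass.exe|GrantedAccess=0x1000",
    r"SourceImage=C:\Windows\explorer.exe|TargetImage=C:\Windows\System32\notepad.exe|GrantedAccess=0x1FFFFF",
]

if __name__ == "__main__":
    for source, technique in run_rule(SAMPLE_LOG):
        print(f"ALERT [{RULE['tactic']} / {technique}] {source}")
```

Only the unsigned binary in the user's Temp directory fires: the allowlisted csrss.exe and the query-only access from Task Manager are dropped, which is the kind of precision a tactic-level rule cannot express.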
Sub-Techniques
For additional granularity, many techniques include sub-techniques. These provide even more specific implementation details.
For example, Phishing (an Initial Access technique) includes sub-techniques:
- Phishing: Spearphishing Attachment - Phishing emails with malicious attachments
- Phishing: Spearphishing Link - Phishing emails with malicious links
- Phishing: Spearphishing via Service - Phishing through legitimate services
These sub-techniques are all phishing (the technique) but differ in specific method (the sub-technique).
How Tactics and Techniques Work Together
The relationship is hierarchical, but the mapping is not one-to-one. A single adversary action might map to multiple techniques or tactics simultaneously.
For example, if an attacker uses PowerShell to execute a malicious script, this maps to:
- Execution tactic (running code)
- Command and Scripting Interpreter technique (using PowerShell)
- PowerShell sub-technique (the specific interpreter used)
But if that script is designed to steal credentials, the same action also maps to:
- Credential Access tactic (stealing credentials)
- Unsecured Credentials technique (finding unprotected credentials)
One action, multiple mappings—the action serves multiple adversary goals simultaneously.
Using Tactics and Techniques for Defense
Understanding tactics helps strategic defensive planning. If you're particularly concerned about Lateral Movement, you can identify all techniques under that tactic and prioritize defenses against each.
Understanding techniques enables tactical implementation. Once you know which techniques matter to you, you can build detections, write prevention rules, and configure tools.
In incident response, recognizing techniques helps predict next steps. If you detect Privilege Escalation, you know the attacker will likely attempt Lateral Movement or Exfiltration next. This insight helps focus your response.
Common Patterns Across Tactics
Certain techniques appear in multiple tactics. For example, system enumeration happens during Discovery but also during Lateral Movement and Defense Evasion.
Understanding which techniques support multiple tactics helps identify high-value detection targets. If a technique supports multiple tactics, detecting it catches multiple types of adversary activity.
Adversary-Specific Tactic and Technique Usage
Different adversary groups favor different tactics and techniques. Understanding an adversary's pattern helps with attribution and prediction.
Some groups focus heavily on Persistence and Command and Control, suggesting long-term access goals. Others focus on quick Exfiltration, suggesting data theft objectives.
MITRE ATT&CK maps known adversary groups to their typical tactics and techniques. If you detect an activity pattern matching a known group, it suggests that group might be responsible.
Tactic and Technique Coverage
Security teams often assess themselves against ATT&CK by measuring coverage: How many techniques can we detect? How many can we prevent?
This assessment happens at both tactic and technique levels. You might have good coverage for some tactics but poor coverage for others. This gap analysis helps prioritize security investments.
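An added example (not from the original article or from MITRE) that ties together the multi-mapping described under "How Tactics and Techniques Work Together" and the per-tactic coverage measurement described here. Technique IDs and tactic memberships follow the ATT&CK Enterprise matrix; the detection inventory is constructed for the example.

```python
# Per-tactic detection coverage from a small technique catalogue. Technique IDs
# and tactic memberships follow the ATT&CK Enterprise matrix; the detection
# inventory is constructed for this example.
from collections import defaultdict

# technique id -> (name, tactics it belongs to). A technique can sit under
# more than one tactic, which is the "one action, multiple mappings" case.
TECHNIQUES = {
    "T1566.001": ("Spearphishing Attachment", {"Initial Access"}),
    "T1059.001": ("PowerShell", {"Execution"}),
    "T1053.005": ("Scheduled Task", {"Execution", "Persistence", "Privilege Escalation"}),
    "T1003.001": ("LSASS Memory", {"Credential Access"}),
    "T1552": ("Unsecured Credentials", {"Credential Access"}),
    "T1550.002": ("Pass the Hash", {"Defense Evasion", "Lateral Movement"}),
    "T1021.002": ("SMB/Windows Admin Shares", {"Lateral Movement"}),
}

# constructed detection inventory: rule name -> technique ids it covers
DETECTIONS = {
    "suspicious_lsass_access": ["T1003.001"],
    "encoded_powershell_cmdline": ["T1059.001"],
    "schtasks_create_from_office": ["T1053.005", "T1059.001"],
}

def covered_techniques(detections=DETECTIONS):
    return {tid for tids in detections.values() for tid in tids}

def coverage_by_tactic(detections=DETECTIONS, catalogue=TECHNIQUES):
    """Return {tactic: (covered, total)}, counting a technique under every tactic it maps to."""
    covered = covered_techniques(detections)
    stats = defaultdict(lambda: [0, 0])
    for tid, (_, tactics) in catalogue.items():
        for tactic in tactics:
            stats[tactic][1] += 1
            if tid in covered:
                stats[tactic][0] += 1
    return {t: tuple(v) for t, v in stats.items()}

def uncovered_multi_tactic(detections=DETECTIONS, catalogue=TECHNIQUES):
    """Techniques spanning several tactics with no detection: the highest-value gaps."""
    covered = covered_techniques(detections)
    return sorted(tid for tid, (_, tactics) in catalogue.items()
                  if len(tactics) > 1 and tid not in covered)

if __name__ == "__main__":
    for tactic, (hit, total) in sorted(coverage_by_tactic().items()):
        print(f"{tactic:22s} {hit}/{total}")
    print("uncovered multi-tactic techniques:", uncovered_multi_tactic())
```

With this inventory, Lateral Movement has 0/2 coverage while Execution has 2/2, and T1550.002 surfaces as the gap worth closing first because one detection would count toward two tactics.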
The Kill Chain vs ATT&CK Tactics
The traditional Lockheed Martin kill chain (Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, Actions on Objectives) provides a high-level attack model.
ATT&CK tactics provide more granularity and more accurate representation of actual attack flows. The kill chain is useful for conceptual understanding; ATT&CK is better for practical implementation.
Challenges in Tactic and Technique Classification
Sometimes classifying an adversary action is ambiguous. Does an action belong to Defense Evasion or Discovery? Is this Persistence or Command and Control?
MITRE makes these classification decisions based on the primary purpose of the technique. However, reasonable people might disagree in some cases.
When analyzing an incident, classification can be subjective. Use ATT&CK as a guide, but don't get too caught up in perfect classification. The important part is understanding what the attacker is doing and defending against it.
Developing Custom Detections Using Tactics and Techniques
When developing detection rules, map each one to the specific technique it covers. That mapping documents what each detection does, helps analysts understand alerts, and makes coverage gaps visible.
A well-organized detection program has rules for each critical technique within your priority tactics. For example, if Lateral Movement is critical to your environment, ensure you have detections for each Lateral Movement technique.
Conclusion
Tactics and techniques work together to describe adversary behavior at multiple levels of granularity. Tactics represent high-level goals and strategy; techniques represent specific methods. This hierarchy enables both strategic thinking about adversary intent and tactical implementation of defensive measures. Understanding the distinction helps you use MITRE ATT&CK effectively for threat analysis, defensive prioritization, and incident response. Whether discussing strategy with executives or implementing detection rules, the tactic vs technique distinction provides clear, actionable structure.
