Subscribe to Hexnode Blog
Get fresh insights, pro tips, and thought starters–only the best of posts for you.
BackWhat is an ATT&CK Technique?
An ATT&CK technique is a foundational concept within the MITRE ATT&CK framework that describes how an adversary achieves a tactical objective during a cyberattack. While tactics represent the attacker’s goal, such as gaining initial access or exfiltrating data, a technique explains the behavior or method used to accomplish that objective. By mapping defensive controls to these known behaviors, security operations centers (SOCs) can improve threat detection, incident analysis, and threat hunting operations.
The Role of Techniques in Threat Modeling
In modern B2B cybersecurity, relying solely on static indicators of compromise (IoCs), such as malicious IP addresses or file hashes, can limit detection effectiveness. Attackers can frequently change these identifiers to evade traditional defenses. In contrast, ATT&CK techniques focus on adversarial behaviors, which may provide security teams with more durable detection opportunities.
By analyzing endpoint telemetry and network logs for behavioral patterns associated with ATT&CK techniques, enterprise security teams can build more resilient and targeted detection logic. This behavior-focused approach can help analysts identify suspicious activity even when attackers modify their malware variants or supporting infrastructure.
ATT&CK Technique vs. Tactic
Understanding the structural hierarchy of the MITRE ATT&CK matrix is important for effective incident response and security analysis.
| Feature | MITRE ATT&CK Tactic | MITRE ATT&CK Technique |
| Core Definition | The adversary’s overarching goal or objective. | The behavior or method used to achieve that tactical goal. |
| Framework Role | Represents the “Why” behind attacker activity. | Represents the “How” behind attacker activity. |
| Matrix Position | The column headers across the MITRE ATT&CK matrix. | The individual entries listed under each tactic column. |
| Example | Credential Access (TA0006) | OS Credential Dumping (T1003) |
How Hexnode UEM Supports Endpoint Security
Hexnode UEM helps organizations strengthen endpoint security through centralized device management, compliance enforcement, and policy controls. The platform supports Zero Trust workflows by helping administrators verify device compliance, manage access policies, and secure managed endpoints.
Hexnode also enables IT teams to configure OS-level restrictions, manage application access through allowlisting and blocklisting, and deploy patches on supported operating systems from a centralized console. These capabilities can help organizations reduce endpoint risk and maintain better visibility and control across enterprise devices.
FAQs
Each ATT&CK technique is assigned a unique identifier known as a T-code, such as T1566 for Phishing. This standardized naming structure helps cybersecurity teams and vendors communicate consistently about adversarial behaviors.
A technique describes a general adversarial behavior, while a sub-technique provides a more specific description of that behavior. For example, the “Phishing” technique includes sub-techniques such as “Spearphishing Attachment” and “Spearphishing Link.”
Security teams use ATT&CK techniques during breach and attack simulations (BAS) or red team exercises to evaluate whether their security controls can detect, prevent, or respond to specific adversarial behaviors.