MITRE ATT&CK tactics are the high-level objectives that adversaries pursue during a cyberattack. Within the MITRE ATT&CK framework, tactics represent the “why” behind attacker actions, while techniques describe “how” those objectives are achieved. Understanding MITRE ATT&CK tactics helps security teams analyze attacker behavior, improve detection strategies, and structure incident investigations around known attack patterns.
Security teams often investigate individual alerts without seeing how they fit into a larger attack sequence. ATT&CK tactics provide context by grouping related attacker activities according to their objectives.
Organizations use these categories to:
This approach helps analysts view security events as part of a broader attack lifecycle rather than isolated incidents.
The framework separates attacker objectives from the methods used to achieve them. This distinction helps security teams understand both intent and execution. For example, an attacker may seek to gain access to an environment. That objective falls under a tactic, while the specific method used to achieve it represents a technique.
A simple relationship looks like this:
This structure creates a common language for discussing adversary behavior.
The framework organizes adversary objectives across multiple stages of an intrusion. Security teams often use these categories during threat analysis and investigations.
| Tactic | Example objective |
|---|---|
| Initial Access | Gain entry into an environment |
| Execution | Run malicious code |
| Persistence | Maintain long-term access |
| Privilege Escalation | Obtain higher-level permissions |
| Lateral Movement | Access additional systems |
Together, these categories help analysts understand how attackers progress through an environment.
Organizations often map security controls, detections, and incidents to ATT&CK categories. This helps identify visibility gaps and improve defensive coverage.
Common use cases include:
Using a shared framework improves communication between security teams and provides consistency during investigations.
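One way to carry out the mapping described above in practice, as an added example that is not from the original post or from Hexnode: detection rules tagged with the ATT&CK technique they detect and the tactic that technique serves, a per-tactic coverage report that exposes visibility gaps, and the tactic progression of one incident's fired alerts. Rule names are constructed; the technique IDs are ATT&CK Enterprise identifiers assumed from the framework, not taken from this page.

```python
"""Map detection rules to ATT&CK tactics and report coverage gaps."""
from collections import defaultdict

# Tactics in the order this page lists them (a subset of ATT&CK Enterprise).
TACTICS = ["Initial Access", "Execution", "Persistence",
           "Privilege Escalation", "Lateral Movement"]

# Constructed sample: each detection rule is tagged with the ATT&CK technique it
# detects and the tactic that technique serves. Rule names are hypothetical;
# technique IDs are ATT&CK Enterprise identifiers (assumed, not from this page).
DETECTIONS = [
    {"rule": "Logon with valid account from new geography", "technique": "T1078", "tactic": "Initial Access"},
    {"rule": "Encoded PowerShell command line", "technique": "T1059", "tactic": "Execution"},
    {"rule": "Office document spawning a shell", "technique": "T1059", "tactic": "Execution"},
    {"rule": "New autostart registry entry", "technique": "T1547", "tactic": "Persistence"},
    {"rule": "RDP logon between two workstations", "technique": "T1021", "tactic": "Lateral Movement"},
]

def coverage_by_tactic(detections, tactics=TACTICS):
    """Return {tactic: sorted technique IDs that have at least one detection}."""
    covered = defaultdict(set)
    for d in detections:
        if d["tactic"] not in tactics:
            raise ValueError(f"unknown tactic {d['tactic']!r} in rule {d['rule']!r}")
        covered[d["tactic"]].add(d["technique"])
    return {t: sorted(covered[t]) for t in tactics}

def visibility_gaps(detections, tactics=TACTICS):
    """Tactics with no detection at all: intrusion stages the team cannot see."""
    cov = coverage_by_tactic(detections, tactics)
    return [t for t in tactics if not cov[t]]

def incident_progression(fired_rules, detections, tactics=TACTICS):
    """Tactics observed in one incident, in lifecycle order, so fired alerts read
    as stages of a single attack sequence rather than isolated events."""
    rule_to_tactic = {d["rule"]: d["tactic"] for d in detections}
    seen = {rule_to_tactic[r] for r in fired_rules if r in rule_to_tactic}
    return [t for t in tactics if t in seen]

if __name__ == "__main__":
    for tactic, techniques in coverage_by_tactic(DETECTIONS).items():
        print(f"{tactic:22s} {', '.join(techniques) or 'NO COVERAGE'}")
    print("Gaps:", visibility_gaps(DETECTIONS))
    print("Progression:", incident_progression(
        ["Encoded PowerShell command line", "Logon with valid account from new geography"],
        DETECTIONS))
```

With the sample rule set, Privilege Escalation has no detection at all, which is exactly the kind of gap the mapping is meant to surface before an incident reveals it.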
Security investigations often require more than reviewing individual alerts. Analysts need context to understand where suspicious activity fits within a broader attack sequence and what objectives an attacker may be pursuing.
Hexnode XDR helps security teams review incident details, examine endpoint activity, perform endpoint scans, and gather context from affected devices. Analysts can also use remote terminal capabilities when appropriate, restart devices, and update agents from a centralized interface.
These capabilities support investigations by providing visibility into security events occurring across managed endpoints.
Yes. Attackers often move through several objectives during an intrusion, such as gaining access, establishing persistence, and attempting lateral movement.
Yes. MITRE periodically updates the framework to reflect new adversary behaviors, techniques, and changes in the threat landscape.
No. The framework documents behaviors observed across a wide range of adversaries, from opportunistic attackers to sophisticated threat groups.