MITRE ATT&CK Integration
Map security findings to adversary techniques for threat-informed defense.
Overview
MITRE ATT&CK is a knowledge base of adversary tactics and techniques based on real-world observations. Infracast automatically maps your security findings to ATT&CK techniques, helping you understand which adversary behaviors your environment is exposed to.
How It Works
- Infracast discovers your infrastructure and identifies security findings
- Findings are mapped to ATT&CK techniques based on the vulnerability or misconfiguration type
- You see which techniques adversaries could use against your environment
- Prioritize remediation based on technique coverage and threat intelligence
Viewing ATT&CK Coverage
Navigate to MITRE ATT&CK
- Go to Security → MITRE ATT&CK
- View the ATT&CK matrix with technique coverage
- Click any technique to see related findings
Understanding the View
Technique Colors:
- 🔴 Red — Your environment has findings mapped to this technique
- ⬜ Gray — No current exposure to this technique
Coverage Percentage: The share of ATT&CK techniques that have at least one finding mapped to them. This measures exposure, not detection coverage, so lower is better.
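The mapping step and the percentage above can be reproduced with a few lines of code. The block below is an added illustration, not Infracast's own code: the technique IDs and names are real ATT&CK Enterprise identifiers, but the finding-type strings, the sample findings and the six-technique "universe" are constructed for the example. It also handles the case a mapper must not ignore, a finding type with no mapping, which is reported separately instead of silently dropped.

```python
"""Illustrative finding-to-ATT&CK mapper (added example, not Infracast code)."""
from collections import defaultdict

# Technique universe for this example: real ATT&CK IDs/names and their tactic.
# A real matrix has far more techniques, so the percentage below is only
# meaningful relative to the universe you divide by.
TECHNIQUES = {
    "T1190": ("Exploit Public-Facing Application", "TA0001"),
    "T1133": ("External Remote Services", "TA0001"),
    "T1078": ("Valid Accounts", "TA0004"),
    "T1548.003": ("Sudo and Sudo Caching", "TA0004"),
    "T1562.008": ("Disable or Modify Cloud Logs", "TA0005"),
    "T1041": ("Exfiltration Over C2 Channel", "TA0010"),
}

# Finding type -> technique. The type strings are assumptions for this example.
FINDING_TO_TECHNIQUE = {
    "public_service_vuln": "T1190",
    "exposed_ssh": "T1133",
    "exposed_rdp": "T1133",
    "iam_overprivilege": "T1078",
    "sudo_misconfig": "T1548.003",
    "cloudtrail_disabled": "T1562.008",
    "unrestricted_egress": "T1041",
}


def map_findings(findings):
    """Group findings by ATT&CK technique.

    Returns (mapped, unmapped): mapped is {technique_id: [finding_id, ...]},
    unmapped lists finding ids whose type has no mapping. Unmapped findings
    are returned rather than discarded so the exposure picture stays honest.
    """
    mapped = defaultdict(list)
    unmapped = []
    for f in findings:
        tech = FINDING_TO_TECHNIQUE.get(f["type"])
        if tech is None:
            unmapped.append(f["id"])
        else:
            mapped[tech].append(f["id"])
    return dict(mapped), unmapped


def exposure_percentage(mapped, universe):
    """Share of techniques in `universe` with at least one finding (lower is better)."""
    if not universe:
        return 0.0
    exposed = set(mapped) & set(universe)
    return round(100.0 * len(exposed) / len(universe), 1)


def by_tactic(mapped):
    """Kill-chain view: {tactic_id: sorted technique ids that have findings}."""
    view = defaultdict(set)
    for tech in mapped:
        view[TECHNIQUES[tech][1]].add(tech)
    return {tactic: sorted(techs) for tactic, techs in view.items()}


# Constructed sample findings (not real scan output).
SAMPLE_FINDINGS = [
    {"id": "f-1", "type": "exposed_ssh", "resource": "web-01"},
    {"id": "f-2", "type": "exposed_rdp", "resource": "jump-01"},
    {"id": "f-3", "type": "iam_overprivilege", "resource": "role/deploy"},
    {"id": "f-4", "type": "cloudtrail_disabled", "resource": "account/123456789012"},
    {"id": "f-5", "type": "weak_tls", "resource": "api-01"},  # no mapping
]

if __name__ == "__main__":
    mapped, unmapped = map_findings(SAMPLE_FINDINGS)
    for tech, ids in sorted(mapped.items()):
        print(f"{tech} {TECHNIQUES[tech][0]}: {ids}")
    print("unmapped:", unmapped)
    print("exposure:", exposure_percentage(mapped, TECHNIQUES), "%")
    print("by tactic:", by_tactic(mapped))
```

Run as a script it prints three exposed techniques (T1133 with two findings, T1078, T1562.008), one unmapped finding, 50.0 % exposure against the six-technique universe, and the per-tactic grouping used by the kill-chain view.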
Kill Chain Visualization
See how findings map across the attack lifecycle:
| Phase | Description |
|---|---|
| Reconnaissance | Information gathering about your organization |
| Initial Access | Entry points into your environment |
| Execution | Running malicious code |
| Persistence | Maintaining access |
| Privilege Escalation | Gaining higher permissions |
| Defense Evasion | Avoiding detection |
| Credential Access | Stealing credentials |
| Discovery | Learning about your environment |
| Lateral Movement | Moving through your network |
| Collection | Gathering target data |
| Exfiltration | Stealing data |
| Impact | Disrupting operations |
Common Technique Mappings
Initial Access (TA0001)
| Finding Type | Technique |
|---|---|
| Public-facing service vulnerability | T1190: Exploit Public-Facing Application |
| Exposed SSH/RDP | T1133: External Remote Services |
| Phishing risk (MFA gaps) | T1566: Phishing |
Privilege Escalation (TA0004)
| Finding Type | Technique |
|---|---|
| IAM overprivilege | T1078: Valid Accounts |
| Role assumption gaps | T1098: Account Manipulation |
| Sudo misconfigurations | T1548: Abuse Elevation Control Mechanism (sub-technique T1548.003, Sudo and Sudo Caching) |
Defense Evasion (TA0005)
| Finding Type | Technique |
|---|---|
| Logging disabled | T1562.008: Disable or Modify Cloud Logs |
| Security tool gaps | T1562: Impair Defenses |
Unencrypted storage is not a Defense Evasion exposure: T1027 (Obfuscated Files or Information) describes adversaries obfuscating their own payloads, not the state of your data at rest. Findings about missing encryption at rest belong with the Collection tactic, where T1530: Data from Cloud Storage lists encryption of data at rest as a mitigation.
Exfiltration (TA0010)
| Finding Type | Technique |
|---|---|
| Public S3 buckets | T1537: Transfer Data to Cloud Account |
| Unrestricted egress | T1041: Exfiltration Over C2 Channel |
| No DLP controls | T1048: Exfiltration Over Alternative Protocol |
Threat Actor Correlation
Infracast correlates your technique exposure with known threat actors:
- View which threat groups use techniques you're exposed to
- Prioritize based on threat relevance to your industry
- Focus on techniques used by actors targeting your sector
Using ATT&CK for Prioritization
Risk-Based Approach
Prioritize findings that map to:
- Initial Access techniques — prevent entry
- Privilege Escalation — limit blast radius
- Exfiltration — protect critical data
Threat-Informed Approach
- Identify threat actors relevant to your industry
- See which of their techniques you're exposed to
- Prioritize closing those specific gaps
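The threat-actor correlation and the two prioritization approaches above reduce to a set intersection followed by a sort. The block below is an added illustration, not Infracast's own code or threat-intelligence data: the technique IDs are real ATT&CK identifiers, but the actor names, their sectors and their technique lists are constructed assumptions. It ranks exposed techniques by how many actors relevant to your sector use them, then by the risk-based tactic order (Initial Access, Privilege Escalation, Exfiltration), so that when no actor data matches your sector the ordering falls back to the risk-based approach alone.

```python
"""Illustrative threat-actor correlation and prioritization (added example, not Infracast code)."""

# Risk-based tactic order from this page: Initial Access, then Privilege
# Escalation, then Exfiltration; other tactics rank after these.
TACTIC_PRIORITY = {"TA0001": 0, "TA0004": 1, "TA0010": 2}
OTHER_TACTIC = 99

# Technique -> tactic for the techniques in this example (real ATT&CK IDs).
TECHNIQUE_TACTIC = {
    "T1190": "TA0001",
    "T1133": "TA0001",
    "T1078": "TA0004",
    "T1562.008": "TA0005",
    "T1041": "TA0010",
    "T1048": "TA0010",
}

# Constructed actor profiles. Group names, sectors and technique sets are
# assumptions for this example, not real threat-intelligence data.
ACTOR_PROFILES = {
    "GROUP-A": {"sectors": {"finance", "healthcare"}, "techniques": {"T1190", "T1078", "T1041"}},
    "GROUP-B": {"sectors": {"finance"}, "techniques": {"T1133", "T1078", "T1048"}},
    "GROUP-C": {"sectors": {"energy"}, "techniques": {"T1190", "T1562.008"}},
}


def relevant_actors(exposed, profiles, sector):
    """Actors that target `sector` and use at least one exposed technique.

    Returns {actor: sorted list of overlapping technique ids}.
    """
    out = {}
    for actor, profile in profiles.items():
        if sector not in profile["sectors"]:
            continue
        overlap = sorted(exposed & profile["techniques"])
        if overlap:
            out[actor] = overlap
    return out


def prioritize(exposed, profiles, sector):
    """Rank exposed techniques for remediation.

    Sort key: most relevant actors using the technique first, then the
    risk-based tactic order, then technique id for a stable result.
    """
    actors = relevant_actors(exposed, profiles, sector)

    def key(tech):
        users = sum(1 for overlap in actors.values() if tech in overlap)
        tactic_rank = TACTIC_PRIORITY.get(TECHNIQUE_TACTIC.get(tech), OTHER_TACTIC)
        return (-users, tactic_rank, tech)

    return sorted(exposed, key=key)


# Constructed exposure set, e.g. the techniques a scan turned red on the matrix.
EXPOSED = {"T1190", "T1133", "T1078", "T1562.008", "T1041"}

if __name__ == "__main__":
    print("relevant actors:", relevant_actors(EXPOSED, ACTOR_PROFILES, "finance"))
    print("finance priority:", prioritize(EXPOSED, ACTOR_PROFILES, "finance"))
    print("no matching actors:", prioritize(EXPOSED, ACTOR_PROFILES, "retail"))
```

For the constructed finance sector, T1078 (used by both relevant actors) comes first, then the Initial Access techniques, then T1041, and T1562.008 last because no relevant actor uses it; for a sector with no matching actors the same set comes back in pure tactic order.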
Reports
Generate ATT&CK-aligned reports:
- Executive Summary — High-level technique coverage
- Technical Assessment — Detailed technique-to-finding mapping
- Threat Actor Brief — Relevant adversary exposure
Best Practices
- Focus on High-Impact Techniques — Not all techniques are equal; prioritize initial access and privilege escalation
- Track Coverage Over Time — Monitor technique exposure across scans and confirm it trends down as findings are remediated
- Align with Threat Intel — Focus on techniques used by actors targeting your industry
- Integrate with Detection — Use technique mapping to improve detection rules