MITRE ATT&CK Framework for MSPs Explained
A practical guide to the MITRE ATT&CK framework — what it is, why it matters for MSPs, and how to use it for detection coverage mapping.
MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. For MSPs and MSSPs, it's the Rosetta Stone of cybersecurity — a common language for describing threats, measuring detection coverage, and identifying gaps.
The 14 Tactics
ATT&CK organizes adversary behavior into 14 tactics — the "why" of an attack:
Reconnaissance → Resource Development → Initial Access → Execution → Persistence → Privilege Escalation → Defense Evasion → Credential Access → Discovery → Lateral Movement → Collection → Command and Control → Exfiltration → Impact
Under each tactic are techniques (the "how") and sub-techniques (specific implementations). For example, under Initial Access, you'll find techniques like Phishing (T1566), Valid Accounts (T1078), and Exploit Public-Facing Application (T1190).
Why MSPs Should Care
ATT&CK gives you three superpowers:
1. Coverage Mapping: Map your detection rules, EDR capabilities, and SIEM correlations against ATT&CK techniques. This immediately shows you where you have coverage and where you have gaps. If you have zero detections for Credential Access techniques, you have a blind spot that adversaries will exploit.
2. Incident Communication: When reporting security findings to clients, ATT&CK provides a standardized framework. Instead of "we found suspicious activity," you can say "we detected T1055 Process Injection, a Defense Evasion technique commonly used by ransomware groups like LockBit." This is dramatically more actionable and professional.
3. Vendor Evaluation: When evaluating EDR or SIEM vendors, ask them to map their detection capabilities to ATT&CK. This lets you make apples-to-apples comparisons, provided both vendors count coverage the same way (for example, at the technique level rather than mixing in sub-techniques). If Vendor A covers 80% of ATT&CK techniques and Vendor B covers 45%, the choice is clear.
Practical Implementation
Start by mapping your current detection coverage. For each ATT&CK technique, document three things: whether you have a detection rule for it, whether your EDR covers it, and which data source you would need in order to detect it. This audit typically takes 2-4 weeks and results in a heat map showing your coverage across all 14 tactics.
Focus your gap-filling efforts on the techniques most commonly used in real-world attacks against your clients' industries. Healthcare faces different ATT&CK techniques than financial services. Use MITRE's threat intelligence to prioritize based on actual adversary behavior, not theoretical risk.
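The coverage audit described above, carried out in code as an added example (not from the original article): a constructed subset of the ATT&CK Enterprise matrix and a constructed detection inventory are rolled up into a per-tactic heat map that flags tactics with zero coverage, and into a minimal ATT&CK Navigator layer for visualizing it. Technique IDs and tactic assignments follow the public matrix; the detection rule names, data sources and function names are invented for the example.

```python
"""Coverage audit: map a detection inventory onto ATT&CK tactics and flag blind spots."""
from collections import defaultdict

# Constructed subset of the ATT&CK Enterprise matrix (technique ID -> name, tactics). IDs and tactic
# assignments follow the public matrix; a real audit would load the full catalog from MITRE instead.
TECHNIQUES = {
    "T1566": ("Phishing", ["Initial Access"]),
    "T1190": ("Exploit Public-Facing Application", ["Initial Access"]),
    "T1078": ("Valid Accounts", ["Initial Access", "Persistence", "Privilege Escalation", "Defense Evasion"]),
    "T1055": ("Process Injection", ["Defense Evasion", "Privilege Escalation"]),
    "T1003": ("OS Credential Dumping", ["Credential Access"]),
    "T1021": ("Remote Services", ["Lateral Movement"]),
}

# Constructed detection inventory: one row per control, tagged with the technique it observes
# and the data source it depends on (the audit's "what data source would you need?" question).
DETECTIONS = [
    {"rule": "Macro-enabled attachment from external sender", "technique": "T1566", "source": "email gateway"},
    {"rule": "Remote thread created in another process", "technique": "T1055", "source": "EDR telemetry"},
    {"rule": "Privileged logon from unfamiliar location", "technique": "T1078", "source": "identity provider logs"},
]

def technique_coverage(techniques, detections):
    """Return {technique_id: [rule names]}; an empty list marks a technique with no detection."""
    covered = {tid: [] for tid in techniques}
    for d in detections:
        if d["technique"] not in techniques:  # a typo in a tag would otherwise hide a real gap
            raise ValueError(f"unknown technique {d['technique']} on rule {d['rule']!r}")
        covered[d["technique"]].append(d["rule"])
    return covered

def tactic_heat_map(techniques, detections):
    """Per tactic: covered/total technique counts and the uncovered IDs; covered == 0 is a blind spot."""
    coverage = technique_coverage(techniques, detections)
    cells = defaultdict(lambda: {"covered": 0, "total": 0, "gaps": []})
    for tid, (_name, tactics) in techniques.items():
        for tactic in tactics:  # multi-tactic techniques (T1078, T1055) count under every tactic they serve
            cells[tactic]["total"] += 1
            if coverage[tid]:
                cells[tactic]["covered"] += 1
            else:
                cells[tactic]["gaps"].append(tid)
    return dict(cells)

def navigator_layer(techniques, detections, name="MSP detection coverage"):
    """Minimal ATT&CK Navigator layer (score 1 = detected, 0 = gap) for rendering the heat map."""
    coverage = technique_coverage(techniques, detections)
    return {"name": name, "domain": "enterprise-attack",
            "techniques": [{"techniqueID": tid, "score": int(bool(rules)), "comment": "; ".join(rules)}
                           for tid, rules in coverage.items()]}
```

With this inventory, Credential Access and Lateral Movement come back with zero covered techniques, which is exactly the kind of blind spot the coverage-mapping section above warns about.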