·8 min read·Blog

ATT&CKv19: Changes in MITRE ATT&CK® Framework

SS
Shailendra Singh Sachan

Security Researcher

Image

Overview: MITRE & it's ATT&CK® Framework

MITRE is a not-for-profit organization that operates federally funded research and development centers (FFRDCs) for the U.S. government. MITRE works across cybersecurity, defense, healthcare, aviation, and other critical sectors.

In cybersecurity, MITRE is best known for developing and maintaining the ATT&CK® Framework, which is a globally recognized knowledge base that documents real-world adversary behaviors based on observed cyberattacks. ATT&CK® stands for "Adversarial Tactics, Techniques, and Common Knowledge". The framework helps organizations understand attacker behavior, map cyber threats and malware activities, develop detections and monitoring rules, etc.

MITRE on its ATT&CK® Framework webpage displays the cybersecurity-related information under five major tabs/fields:

  • Matrices
  • Tactics
  • Techniques
  • Defenses
  • CTI

Matrices contain the following information for 3 domains: Enterprise, Mobile & ICS

  1. (T) Tactics: Tactics represent the "why" of an ATT&CK® technique or sub-technique. It is the adversary's tactical goal: the reason for performing an action. For example, an adversary may want to achieve credential access.
  2. (T) Techniques: Techniques represent 'how' an adversary achieves a tactical goal by performing an action. For example, an adversary may dump credentials to achieve credential access.
  3. (P) Sub-Techniques/Procedures: Sub-techniques provide more detailed variations of a technique.

Defenses contain the following information for 3 domains: Enterprise, Mobile & ICS

  1. Mitigations: Mitigations represent security concepts and classes of technologies that can be used to prevent a technique or sub-technique from being successfully executed.
  2. Assets for ICS: Assets represent the devices and systems commonly found within Industrial Control System environments.
  3. Detection strategies, Analytics, and Data components

CTI (Cyber Threat Intelligence) contains information regarding

  1. Groups: Known threat actors, APTs [Advanced Persistent Threats], or adversary organizations that conduct cyber operations (e.g., APT29, Lazarus Group).
  2. Software: Malware, tools, frameworks, or utilities used by threat actors during attacks (e.g., Mimikatz, Cobalt Strike).
  3. Campaigns: Specific cyber operations or attack activities conducted by a threat actor over a defined period against particular targets or sectors. A campaign connects a threat Group, software, techniques, and victims of that cyber attack campaign.

ATT&CK® (v18.1 VS v19.1) : Update Overview and Where it Resides

ATT&CK® v19.1 represents a significant evolution from ATT&CK® v18.1, introducing changes across all three ATT&CK® domains, Enterprise, Mobile, and Industrial Control Systems (ICS), to better reflect modern adversary tradecraft and emerging threat landscapes. From a TTP (Tactics, Techniques, and Procedures) perspective, Enterprise ATT&CK® expanded from 14 to 15 tactics, driven by the introduction of the new Defense Impairment tactic and the renaming of Defense Evasion to Stealth. Enterprise techniques increased from 216 to 222, while Mobile remained unchanged at 12 tactics and 77 techniques. Within the ICS domain, the number of tactics remained constant at 12, while techniques were refined from 83 to 79 through the consolidation of several techniques into new parent-child relationships and the introduction of 18 sub-techniques, providing greater granularity and alignment with the Enterprise ATT&CK® structure. Overall, v19.1 focuses on improving ATT&CK®'s ability to model modern adversary behaviors through better categorization, refined technique structures, and enhanced cross-domain consistency.

Image

From a Cyber Threat Intelligence (CTI) perspective, v19.1 significantly expands ATT&CK®’s representation of real-world threat actors, malware, and campaigns across all domains. The framework grew from 176 to 178 Groups, 910 to 949 Software entries, and 55 to 59 Campaigns, reflecting emerging nation-state activity, AI-enabled operations, supply chain compromises, and cross-domain attacks. New additions include Iranian-linked actors such as Void Manticore, PRC-linked actors such as MirrorFace, AI-related campaign and malware entries including the Anthropic AI-orchestrated Campaign and LAMEHUG, as well as new malware families associated with MuddyWater, Volt Typhoon, and other threat groups. ATT&CK® also introduced coverage for destructive campaigns targeting critical infrastructure, software supply chain attacks affecting the npm ecosystem, and malware spanning Enterprise, Mobile, and ICS environments.

Image

ATT&CK® v19.1: Understanding the Updates in Detail

Updates in Enterprise Edition

TTPs adjustments prior to the "Defense Evasion Tactic" [TA0043 - TA0004]

Image Image

Note: In MITRE ATT&CK® v18.1, technique “Hijack Execution Flow” was used in both the tactics “TA0003: Persistence”, and “TA0004: Privilege Escalation”. In MITRE ATT&CK® v19.1, it was removed from both the tactics and added in execution & stealth tactics.

The Defense Evasion Split: TA0005 & TA0112

  • In MITRE ATT&CK® v18.1, TA0005 was named as a “Defense Evasion” tactic with 47 techniques, and no tactic “TA0112” existed.
  • In MITRE ATT&CK® v19.1, TA0005 is renamed as “Stealth” tactic with 20 Techniques, and tactic “TA0112” is created with the name “Defense Impairment” with 18 techniques.
Image Image

Updates in "Industrial Control Systems (ICS)"

The most significant enhancement introduced in MITRE ATT&CK® for ICS v19 is the addition of sub-techniques to the ICS matrix. Prior to version 19, the ICS ATT&CK® framework (v18.1) contained 12 tactics and 83 techniques, but it did not support sub-techniques. With the v19 release, MITRE restructured several existing ICS techniques into parent-child relationships, resulting in the introduction of 18 sub-techniques. This change brings the ICS matrix closer in structure to the Enterprise ATT&CK® matrix and provides greater granularity for describing adversary behaviors in industrial environments.

Image

Updates in “Cyber Threat Intelligence (CTI)”

New Groups, Campaigns, and Software added as part of the v19 release.

Image

ATT&CK® Framework & Bloo Command

The MITRE ATT&CK® Framework helps Bloo in their efforts to understand attacker behaviour and mitigate the risks and threats facing them using Workbooks, Connected Signals, and other threat detection mechanisms. With Bloo, the threat detection, investigation, and response procedure is automated. You can directly map the observations in the environment to the techniques and tactics.

Security teams can associate the different alerts generated with specific tactics and techniques within the MITRE ATT&CK® framework. As time advances, more and more tactics, techniques, malicious actors, tools, malware, and mitigations are identified during operations and added to the MITRE ATT&CK® knowledge base. This helps in the management and tracking of defensive measures and strengthens the overall security of the organization. By utilizing this data, security teams can track alerts and gather insight with a clearer understanding of the different attack vectors used against your organization.

Benefits

  • Context: For true security effectiveness, threat alerts must contain context to allow security teams to effectively prioritize threats and organize a response.
  • Adversary awareness: Adversary awareness helps you to identify the threats that are capable of causing harm to the enterprise data, its sensitivity, value, and other factors that contribute to the formulation of an appropriate response.

ATT&CK® for Threat Research & Intelligence

MITRE ATT&CK® is a valuable resource for Threat Research and Cyber Threat Intelligence (CTI) because it provides a standardized framework for understanding and analyzing adversary behavior. Instead of focusing only on indicators such as IP addresses or malware hashes, ATT&CK® enables security professionals to study the tactics, techniques, and procedures (TTPs) used by threat actors. Threat Research & Intelligence (TRI) team at bloo performs profiling and ongoing monitoring of threat actors and their related campaigns to keep a track of the latest Advanced Persistent Threats (APTs), and the MITRE ATT&CK® framework is referred to as an initial point to start the tracking. To support threat research and detection engineering, this APT tracking task includes threat actor profiling and attribution, campaign tracking and analysis, infrastructure mapping, Tactics, Techniques, and Procedures (TTPs) analysis, historical activity correlation, and geographic attribution. This tracking framework systematically captures and analyzes key parameters for each identified campaign, including the year of activity, campaign involved, malware or tools deployed by the threat actor, malware classification, targeted sectors or victims, assessed motivation, and critical Indicators of Compromise (IOCs) such as malware hashes, command-and-control (C2) infrastructure details, and associated network artifacts.

ATT&CK® for Detection and Mitigations

MITRE ATT&CK® plays a critical role in Detection Engineering and Mitigation Planning by providing a structured catalog of adversary tactics and techniques observed in real-world cyber attacks. Security teams use ATT&CK® to map detection rules, alerts, logs, and security controls to specific attacker behaviors, helping identify gaps in visibility and monitoring coverage. By understanding how adversaries operate, organizations can develop more effective detection use cases, create threat-hunting scenarios, and prioritize security monitoring based on the techniques most likely to be used against their environment. ATT&CK® also supports the development of behavioral detections that remain effective even when attackers change indicators such as IP addresses, domains, or malware variants.

In addition to detection, ATT&CK® provides guidance on defensive measures through its Mitigations and ATT&CK® Defenses components. Organizations can use these recommendations to implement security controls that prevent, limit, or reduce the impact of specific attack techniques. ATT&CK® helps security teams evaluate the effectiveness of existing defenses, identify control gaps, and align security investments with real-world threats. By mapping mitigations to adversary techniques, defenders can build layered security strategies, improve incident response readiness, and continuously strengthen their security posture against evolving cyber threats.

Conclusion

The MITRE ATT&CK® Framework is a globally recognized knowledge base that provides a structured representation of real-world adversary tactics, techniques, and procedures (TTPs), enabling organizations to better understand, detect, prevent, and respond to cyber threats. Widely used across threat intelligence, detection engineering, threat hunting, incident response, red teaming, and security assessments, ATT&CK® offers a common language for describing and analyzing attacker behavior. The latest ATT&CK® v19.1 release further enhances the framework through expanded coverage of AI-enabled attacks, nation-state operations, software supply chain compromises, cross-domain campaigns, and critical infrastructure threats, while introducing significant improvements such as ICS sub-techniques and the separation of the Defense Evasion tactic into Stealth and Defense Impairment. These updates ensure that ATT&CK® continues to accurately reflect the evolving threat landscape and remains an essential resource for cybersecurity professionals seeking to strengthen their security posture and improve resilience against modern cyber adversaries.

References

  1. Change logs: (v18.1-v19.0) and (v19.0-v19.1)
  1. https://medium.com/mitre-attack/attack-v19-ff329cb65d66
  2. https://attack.mitre.org/versions/v18/
  3. https://attack.mitre.org/versions/v19/
  4. https://attack.mitre.org/resources/versions/
  5. https://attack.mitre.org/detectionstrategies/

We use cookies to provide essential site functionality and, with your consent, to analyze site usage and enhance your experience. View our Privacy Policy