MITRE ATT&CK Applications in Cybersecurity and The Way Forward

Yuning Jiang, Qiaoran Meng, Feiyang Shang, Nay Oo, Le Thi Hong Minh, Hoon Wei Lim, Biplab Sikdar

TL;DR

This systematic review analyzes 417 peer-reviewed publications to evaluate how the MITRE ATT&CK framework is applied across threat intelligence, threat hunting, threat modeling, attack simulation, risk assessment, incident response, IDS, APT/malware detection, and vulnerability management. It documents widespread NLP/ML integrations for CTI extraction, explores interoperability with frameworks like the Cyber Kill Chain, NIST, STRIDE, and D3FEND, and assesses validation methods (case studies, empirical experiments, simulations, qualitative assessments). The study highlights sectoral patterns, with CTI and threat hunting as dominant domains, but notes underrepresentation in ICS, energy, transportation, and healthcare, along with practical challenges in data quality and mapping scalability. It concludes with future directions emphasizing automated TTP mapping, graph-based and large-language-model approaches, expanded domain coverage, and privacy-preserving analytics to keep ATT&CK effective in dynamic cyber environments.

Abstract

The MITRE ATT&CK framework is a widely adopted tool for enhancing cybersecurity, supporting threat intelligence, incident response, attack modeling, and vulnerability prioritization. This paper synthesizes research on its application across these domains by analyzing 417 peer-reviewed publications. We identify commonly used adversarial tactics, techniques, and procedures (TTPs) and examine the integration of natural language processing (NLP) and machine learning (ML) with ATT&CK to improve threat detection and response. Additionally, we explore the interoperability of ATT&CK with other frameworks, such as the Cyber Kill Chain, NIST guidelines, and STRIDE, highlighting its versatility. The paper further evaluates the framework from multiple perspectives, including its effectiveness, validation methods, and sector-specific challenges, particularly in industrial control systems (ICS) and healthcare. We conclude by discussing current limitations and proposing future research directions to enhance the applicability of ATT&CK in dynamic cybersecurity environments.

Paper Structure

This paper contains 47 sections, 4 tables.