
MITRE ATT&CK: THE CHEAT SHEET FOR HOW THE BAD GUYS ACTUALLY OPERATE (AND THE NIGHT WE ALMOST LOST IT)


Okay, real talk. You know that friend everyone has who's better than the FBI? Yeah. That's me. Finding things, connecting dots, being a little nosy on purpose: it's just how my brain is wired.


So picture my face the day I found out there's a giant, free, ridiculously organized catalog of exactly how attackers behave. Not what software is broken. How they actually move. Reader, I fell in love.


It's called MITRE ATT&CK. And if you're in cyber and nobody's put you on yet, let me.



SO WHAT EVEN IS IT?


ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge. (Say that five times fast.) It's a knowledge base of how real attackers behave in the wild, built not from theory, but from intrusions that actually happened. The nonprofit MITRE keeps it, it's free, and somewhere along the way it quietly became the language the whole industry talks in.


Here's the part that made it click for me. It's organized from the big picture down to the receipts:


  • Tactics: the WHY. What's the attacker trying to do right now? Get in the door, climb to admin, move sideways, steal the data. These are the big buckets.

  • Techniques: the HOW. Phishing. Dumping credentials. Hijacking your own admin tools against you. Each one gets a code, like T1566 for phishing.

  • Sub-techniques: the HOW, BUT SPECIFIC. Phishing isn't one thing. Spearphishing with an attachment hits different than a malicious link, and your defenses need to know the difference.

  • Procedures: the RECEIPTS. Exactly how a known group or piece of malware pulled it off in a real attack.


And it doesn't stop there. ATT&CK actually maps the named threat groups (yes, the APTs in the headlines) and their go-to malware straight to the techniques they like to use. So you can literally look up a group and see their playbook. (My OSINT-loving heart? Soaring.)



GREAT. BUT WHY SHOULD YOU CARE?


Because before ATT&CK, everybody made up their own words. One person's "lateral movement" was another person's "pivoting" was some vendor's trademarked buzzword nobody else understood. It was chaos. ATT&CK gave us all the same map.


Here's what people actually do with it:


  • Build detections and know exactly what they can and can't catch

  • Find the blind spots, the corners of the matrix where an attacker could walk right in unwatched

  • Write threat intel that's specific instead of vibes-based

  • Run red and purple team exercises against moves attackers really make

  • Walk leadership through a breach scenario that isn't made up
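Here's what the "find the blind spots" step looks like in code. This is an added example I wrote for this post, not anything from MITRE or the ATT&CK project: the matrix slice, the technique names and the detection rules are all constructed, and a real run would load MITRE's published data instead of the hard-coded dict.

```python
"""Added example (not part of the original post): tag detection rules with
ATT&CK technique IDs and list the tactics nothing covers (the blind spots)."""
import re
from collections import defaultdict

# Constructed, trimmed slice of the matrix: tactic -> {technique ID: name}.
# Real use would load MITRE's STIX bundle; IDs follow the real convention,
# sub-techniques being parent ID + ".NNN".
MATRIX = {
    "initial-access": {"T1566": "Phishing",
                       "T1566.001": "Spearphishing Attachment",
                       "T1566.002": "Spearphishing Link"},
    "credential-access": {"T1003": "OS Credential Dumping"},
    "lateral-movement": {"T1021": "Remote Services"},
    "exfiltration": {"T1041": "Exfiltration Over C2 Channel"},
}
TECH_ID = re.compile(r"^T\d{4}(\.\d{3})?$")

def parent_of(tech_id):
    """T1566.001 -> T1566; a parent technique is its own parent."""
    return tech_id.split(".")[0]

def coverage(matrix, detections):
    """detections: list of (rule name, [technique IDs]).
    Returns (covered, blind_spots): covered maps technique ID -> set of rule
    names; blind_spots lists tactics where no technique has a rule. A rule
    tagged with a sub-technique also counts toward its parent technique."""
    known = {t for techs in matrix.values() for t in techs}
    covered = defaultdict(set)
    for rule, ids in detections:
        for tid in ids:
            if not TECH_ID.match(tid) or tid not in known:
                raise ValueError(f"{rule}: unknown technique ID {tid}")
            covered[tid].add(rule)
            covered[parent_of(tid)].add(rule)
    blind = [tactic for tactic, techs in matrix.items()
             if not any(t in covered for t in techs)]
    return dict(covered), blind

# Constructed rules, tagged the way a SIEM rule would carry its ATT&CK tags.
DETECTIONS = [("mail-attachment-macro", ["T1566.001"]),
              ("lsass-access", ["T1003"])]

if __name__ == "__main__":
    cov, blind = coverage(MATRIX, DETECTIONS)
    print({t: sorted(r) for t, r in sorted(cov.items())}, "blind:", blind)
```

Note that a rule on the attachment sub-technique gives the parent "Phishing" a tick but leaves the malicious-link sub-technique uncovered, which is exactly the kind of gap the sub-technique layer exists to surface.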


The fancy term for all this is threat-informed defense. My translation: stop guessing what might happen and start preparing for what attackers actually do. Big difference.



NOW HERE'S THE THING PEOPLE CONSTANTLY GET WRONG.


ATT&CK is NOT CVE. I see smart people mix these up all the time, so let me make it stupid simple:


  • CVE tells you WHAT your flaw is, the specific cracked window in your software, each one with its own ID number.

  • ATT&CK tells you HOW attackers behave once they decide to climb through.


One is the broken window. The other is the burglar's whole routine. You need both. And keep this in your back pocket: both of them are run by MITRE. Which is exactly why, for about 24 hours last year, the entire industry lost its mind.



THE NIGHT THE LIGHTS ALMOST WENT OUT


I posted about this the day it happened, and honestly I don't think I'll forget the feeling.


April 15, 2025. A letter goes around saying the federal funding for the CVE program, the thing the entire planet uses to track vulnerabilities, was set to expire the next day. No renewal lined up. No plan. Just… poof, potentially gone.


Let that sink in. CVE feeds your scanners, your patching, your threat intel tools. It's everywhere. If it went dark, new vulnerabilities might stop getting tracked at all, and a piece of the language we all speak just disappears overnight.


Here's how the 24 hours played out:


  • April 15: MITRE warns the board that funding for CVE (and its sibling, CWE) expires tomorrow. The industry collectively loses it.

  • April 16, morning: CISA swoops in at the literal last minute, executes a contract option, and buys an 11-month extension. Crisis averted.

  • April 16, same day: board members spin up a new nonprofit, the CVE Foundation, as a lifeboat so the work can survive no matter who's paying the bill.


And here's the nuance most of the panic missed: this scare was about CVE and CWE, not ATT&CK itself. ATT&CK runs on separate funding and kept right on going through all the chaos. But honestly? That was cold comfort in the moment. What that night really showed us is how much of the stuff we lean on every single day hangs on one thread of federal funding that almost snapped without warning.


When I posted about it back then (tagged #CVEs and #MITREATT&CK, somewhere between alarmed and stunned), it wasn't really about a contract. It was about how fragile our shared infrastructure turned out to be, and how almost nobody outside our field even knew it existed until it nearly wasn't there.


WHERE THINGS STAND NOW


Good news: the panic has passed. As of early 2026, that emergency patch got replaced with something more stable. The CVE board was told there's no funding cliff coming in March, and CISA leadership says the program is fully funded with plans well past that. The lights are on.


But I'd be doing you dirty if I let you click away thinking the lesson expired with the crisis. It didn't.


SO HERE'S WHAT I ACTUALLY WANT YOU TO TAKE FROM THIS:


  • Know the difference. ATT&CK is the behavior; CVE is the flaws. If you can't explain that, there's a gap in your strategy.

  • Keep your own copy. The CVE data is open source and mirrored on GitHub; build your defense so it survives a bad week at any one organization.

  • Map your stuff to ATT&CK now, while it's calm. Not when you're already on fire.

  • Pay attention to who keeps the lights on. The things we depend on are more fragile (and more political) than they look.


The threats don't stop circling just because we looked away for a day. A map is only as good as the people who actually learn to read it. So learn the matrix. Speak the language. And never assume the lighthouse is always going to be lit.




