Security Operations | November 11, 2025

MITRE ATT&CK v18: What’s in it — and why it matters

Learn what’s been added to the framework — and how you can use it to advance your threat detection and response.

Jaikumar Vijayan, freelance technology journalist

MITRE has released a major new version of its ATT&CK framework that broadens how organizations track, detect, and respond to cyberthreats across cloud, mobile, industrial, and traditional IT systems.

Version 18 of ATT&CK introduces more structured detection strategies and analytics, making it easier for organizations to translate observed adversary tactics, techniques, and procedures (TTPs) into actionable defenses. It also expands coverage of modern threats that target cloud infrastructure and DevOps workflows, as well as cross-domain attacks spanning mobile and enterprise environments. In addition, the update adds cyberthreat intelligence (CTI) on six groups, 29 software tools, and five attack campaigns.

Here’s what’s new to the ATT&CK framework — and how you can best make use of it.

See webinar: Operationalizing MITRE ATT&CK for Smarter Malware Detection

ATT&CK now easier to operationalize

Version 18 makes ATT&CK significantly easier to operationalize, said Nir Mishal, CISO at Seraphic Security. “ATT&CK’s guidance was rich but sometimes too generic for direct implementation and didn’t always capture cloud/DevOps,” he said.

Mishal said v18 makes noticeable progress on both fronts and aligns better with the environments that most organizations monitor today. 

Structured analytics plus 11 new cloud/DevOps-oriented techniques and more detailed CTI provide better fidelity, from intel to analytics to validation. Still, organizations must map these to their own telemetry and tune for environment specifics.

Nir Mishal

One of the most significant changes in v18 is how ATT&CK handles threat detections. MITRE has replaced the brief, one-sentence notes in prior versions of the framework — for example, “Monitor for PowerShell execution” or “Monitor process creation logs” — with two new objects: Detection Strategies, and Analytics. The objects specify behavior patterns, telemetry sources, parameters, and platform-specific examples so defenders know which event IDs to look for, the sequence of behavior to monitor, and how the indicators might vary between Windows, Linux, and other operating systems.

Adam Pennington, ATT&CK team lead at MITRE, noted in a recent webinar on operationalizing the updated framework that ATT&CK has had detections assistance since its beginnings, but it consisted only of text descriptions of different strategies that an organization could take to find a particular behavior. 

They weren’t codified; they were fairly loosey-goosey. They were of the sort, ‘You might be able to look over here and see this thing.’

Adam Pennington

ATT&CK v18 introduces a more structured approach to threat detection that looks at specific behaviors and log sources. That tells teams which Windows event log or event ID they need to look at to see those behaviors, as well as the range of values to look for. “It’s a huge increase in data that people have,” Pennington said.

Sagy Kratu, senior product manager at Vicarius, said the detection updates can translate into day-to-day improvements for threat hunting and detection teams. On the ground, teams gain clear detection blueprints. Instead of getting prompts such as “Look for Sysmon process spawn,” they now have a full logic chain that spans behavior, log source, and analytics, he said.

The new model clearly identifies which log sources and data components an organization must have, enabling better telemetry triage. From a threat-hunting standpoint, defenders can move from “Find anomaly X” to “Trace the chain: Adversary did A, then B, then C,” Kratu said.

But you’ll only see the benefit if you act, i.e., upgrade your log sources, restructure your analytic library, map your asset inventory. Otherwise, it remains theory.

Sagy Kratu

How ATT&CK bolsters defense evasion with granularity

With v18, MITRE has proposed a significant restructuring of its guidance on defense evasion by focusing on two attack types: those that employ stealth to hide activity or blend it with normal system behavior, and those that impair defenses by disabling or manipulating security controls to maintain persistence and carry out post-compromise actions.

The goal of this split is to clearly distinguish between behaviors that require stealth-focused detection and those that need disruption-focused mitigation, so that defenders can employ the appropriate rules, playbooks, and automated detection needed for more precise and aligned information about how attacks unfold.

Agnidipta Sarkar, chief evangelist at ColorTokens, said the updates enable faster detection and eviction of a threat actor from a compromised environment. From an operational standpoint, defenders can create deterministic, signature-based detection rules tied to specific, high-severity events, such as security tool shutdowns, group policy changes, and logging suppression, and then map them to critical response playbooks and auto-escalation.

For example, Impair Defenses techniques like disabling antivirus, shutting off logging, [and] modifying security policies often signal imminent escalation activities like ransomware, destructive action, or evidence wiping.

Agnidipta Sarkar

Stealth techniques such as hiding user accounts, process hollowing, and covert persistence are designed to prolong attacker dwell time and evade casual detection. “Stealth detection would focus on outlier behaviors and hidden activity like hidden scheduled tasks, odd service chains, unusual child processes, [and] unknown binaries,” Sarkar said.

How ATT&CK captures adversary behavior

ATT&CK v18 adds techniques that capture adversary behavior across cloud, DevOps, and containerized environments, including in Kubernetes clusters, where misconfigurations and exposed APIs have become prime entry points for attacks. MITRE’s expanded coverage targets attacker techniques for poisoning CI/CD pipelines, abusing Kubernetes commands to escalate privileges, and targeting cloud databases for credential theft, ransomware attacks, and data exfiltration.

The changes are designed to modernize ATT&CK with a focus on current TTPs so defenders can better protect against attacks targeting code, infrastructure, and runtime environments.

Jason Soroko, senior fellow at Sectigo, said that teams can now translate the updates into concrete work by building analytic stories around the provided stages and wiring them into detection as code. Teams can, for instance, start with a coverage map of required data sources for detecting the new techniques that includes Kubernetes audit logs, cloud provider control plane logs, registry and image scan events, CI pipeline logs, and cloud database audit trails.

Use the campaign sequences and group tooling to drive purple-team exercises and adversary emulation, then backfill detections and validation tests. Fold the strategies into backlog grooming, add data quality gates for each analytic, and track detection health with runbooks and unit tests so new telemetry or schema changes do not silently break coverage.

Jason Soroko
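As an added example, not code from the article, from MITRE, or from any of the vendors quoted, the following Python module puts three of the ideas above into a runnable detection-as-code shape: each analytic declares the data components it needs (the coverage map Soroko describes), a readiness gate refuses to run an analytic whose log feed is absent (his data quality gate, so a dead feed fails loudly rather than silently producing zero alerts), and the matcher follows an ordered behavior chain of the “adversary did A, then B” form Kratu describes instead of scoring isolated events. The chain itself is the Impair Defenses pattern Sarkar names: a security tool’s service stops, then the audit log is cleared shortly afterwards. All event names, service names, field names and log lines are constructed for this example.

```python
"""Added example (not the article's, MITRE's or any vendor's code): a minimal
detection-as-code layout. Every analytic declares its required data components,
a readiness gate blocks it when a feed is missing, and detection matches an
ordered behaviour chain per host. All names and log lines are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import json


@dataclass
class Analytic:
    name: str
    required_sources: frozenset   # data components the analytic needs (assumed names)
    steps: list                   # ordered predicates; each is evaluated on one event
    window: timedelta             # the whole chain must complete within this span


# Constructed telemetry: one JSON event per line, as a log pipeline might emit.
RAW_LOG = """\
{"id": 1, "ts": "2025-11-11T09:00:00", "host": "ws01", "source": "service", "event": "service_stop", "detail": "EndpointProtectionSvc"}
{"id": 2, "ts": "2025-11-11T09:00:40", "host": "ws01", "source": "audit", "event": "audit_log_cleared", "detail": "Security"}
{"id": 3, "ts": "2025-11-11T09:05:00", "host": "ws02", "source": "service", "event": "service_stop", "detail": "EndpointProtectionSvc"}
{"id": 4, "ts": "2025-11-11T10:30:00", "host": "ws02", "source": "audit", "event": "audit_log_cleared", "detail": "Security"}
{"id": 5, "ts": "2025-11-11T11:00:00", "host": "ws03", "source": "service", "event": "service_stop", "detail": "PrintSpooler"}
{"id": 6, "ts": "2025-11-11T11:00:20", "host": "ws03", "source": "audit", "event": "audit_log_cleared", "detail": "Security"}
"""

SECURITY_SERVICES = {"EndpointProtectionSvc"}   # constructed name of a security tool's service


def parse_events(raw):
    """Parse JSON lines into event dicts, converting 'ts' to a datetime."""
    events = []
    for line in raw.splitlines():
        if line.strip():
            e = json.loads(line)
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return events


def readiness_gate(analytic, events):
    """Data-quality gate: the required data components that never appear in the
    telemetry. A missing feed surfaces as 'coverage missing', not as zero alerts."""
    seen = {e["source"] for e in events}
    return sorted(analytic.required_sources - seen)


def find_chains(analytic, events):
    """Match the analytic's steps in order on the same host, inside the window.
    Each completed chain yields one hit listing the event ids that formed it."""
    by_host = {}
    for e in events:
        by_host.setdefault(e["host"], []).append(e)
    hits = []
    for host, hevents in sorted(by_host.items()):
        hevents.sort(key=lambda e: e["ts"])
        for idx, start in enumerate(hevents):
            if not analytic.steps[0](start):
                continue
            matched, step = [start], 1
            for e in hevents[idx + 1:]:
                if e["ts"] - start["ts"] > analytic.window:
                    break                      # chain timed out; try the next start event
                if analytic.steps[step](e):
                    matched.append(e)
                    step += 1
                    if step == len(analytic.steps):
                        hits.append({"analytic": analytic.name, "host": host,
                                     "events": [m["id"] for m in matched]})
                        break
    return hits


# Impair Defenses chain: a security service stops, then the audit log is cleared.
IMPAIR_DEFENSES_CHAIN = Analytic(
    name="impair-defenses-chain",
    required_sources=frozenset({"service", "audit"}),
    steps=[
        lambda e: e["event"] == "service_stop" and e["detail"] in SECURITY_SERVICES,
        lambda e: e["event"] == "audit_log_cleared",
    ],
    window=timedelta(minutes=10),
)

# Stealth chain sketch that needs process telemetry the sample feed does not carry.
STEALTH_CHILD_PROCESS = Analytic(
    name="stealth-unusual-child-process",
    required_sources=frozenset({"process"}),
    steps=[lambda e: e["event"] == "process_create"],
    window=timedelta(minutes=1),
)


def run(analytic, events):
    """Gate first, then detect, so missing coverage is reported explicitly."""
    missing = readiness_gate(analytic, events)
    if missing:
        return {"analytic": analytic.name, "status": "blocked", "missing": missing}
    return {"analytic": analytic.name, "status": "ok", "hits": find_chains(analytic, events)}


if __name__ == "__main__":
    evs = parse_events(RAW_LOG)
    for a in (IMPAIR_DEFENSES_CHAIN, STEALTH_CHILD_PROCESS):
        print(run(a, evs))
```

Run against the constructed log, only ws01 produces a hit: ws02 clears its audit log 85 minutes after the service stop, outside the 10-minute window, and ws03 stops a non-security service. The stealth analytic is reported as blocked because no process-creation feed is present, which is the kind of coverage gap Kratu and Soroko say teams must close before the new objects pay off. The assertions in the accompanying unit test are the “detection health” checks Soroko mentions: change a field name in the feed and the gate or the chain test fails instead of coverage silently vanishing.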

ATT&CK’s CTI gets an overhaul

MITRE has also overhauled ATT&CK’s CTI layer so defenders can get a better feel for how major threat actors operate and execute campaigns. Version 18’s six new threat groups, 29 new software and tooling entries, and five new attack campaigns are each tied to the framework’s underlying techniques and behaviors.

The additions are intended, among other things, to shed light on the TTPs that major cybercriminals, ransomware groups, initial access brokers, nation-state groups, and other threat actors are using and provide guidance on how to detect them. In addition, MITRE has expanded coverage of threat groups operating out of North Korea and China.

Changes to mobile and operational technology

On the mobile front, ATT&CK expands coverage of threats that bridge enterprise and personal devices. The update highlights techniques such as abusing the linked-device feature in apps such as Signal and WhatsApp, whereby attackers trick users into registering their accounts on malicious devices.

It also expands coverage of data harvesting via Android’s AccountManager API and iOS Keychain services, particularly on jailbroken or rooted phones. Also back is MITRE guidance around the growing abuse of accessibility features on mobile devices by threat actors. Like the other updates, the changes to ATT&CK’s mobile domain give defenders the context and information on the techniques they need to monitor to protect mobile devices from being used as entry points into their broader enterprise network.

On the operational technology (OT) side, MITRE has refined how ATT&CK maps to technology environments. Version 18 introduces three new asset types: DCS controllers, firewalls, and switches. It also builds out the “Related Assets” section for identifying similar devices that might be referred to differently in different sectors. The goal is to make incident analysis and information sharing more consistent across the OT sector.

How ATT&CK v18 bridges the detection gap

The updates make the ATT&CK framework significantly more useful, Vicarius’s Kratu said. The largest gap up to now has been in detecting what adversaries do, he said. Too many teams lack comprehensive telemetry or log coverage, Kratu said, meaning behaviors described in ATT&CK are invisible. Detection logic was often designed to assess isolated events rather than behavior chains, making it easier for adversaries to slip through. And while many organizations could describe what they needed to detect, they didn’t have the analytic tools, platforms, or process to convert detections into operational capability, Kratu said.

Kratu said he welcomed the new guidance on structured detection and the expanded coverage involving OT and industrial control systems. ATT&CK v18 has bridged the gaps, he said, but there’s still work to be done.

Many teams still don’t have the data readiness or analytic maturity to consume these structured models. Migration overhead: your detection library, dashboards, and mapping may need overhaul to align with the new objects. So, yes, v18 delivers major progress, but expect additional effort to turn that progress into finished capability.

Sagy Kratu

Keep learning

  • Get up to speed on the state of software security with RL's Software Supply Chain Security Report 2026. Plus: See the webinar discussing the findings.
  • Learn why binary analysis is a must-have in the Gartner® CISO Playbook for Commercial Software Supply Chain Security.
  • Take action on securing AI/ML with our report: AI Is the Supply Chain. Plus: See RL's research on nullifAI and watch how RL discovered the novel threat.
  • Get the report: Go Beyond the SBOM. Plus: See the CycloneDX xBOM webinar.
