The Big Picture: Threat actors evolve faster than most security programs — and defenders relying on static playbooks are already behind. MITRE’s ATT&CK and ATLAS frameworks give CISOs a live, structured model of adversary behavior that can be mapped directly to existing security controls.
The Guest: Steve Winterfeld, Advisory CISO at Akamai
Key Takeaways:
• MITRE ATT&CK maps 14 adversarial tactics and 400+ sub-techniques across enterprise, cloud, mobile, and ICS environments — giving CISOs a maturity benchmark and training tool in one
• ATLAS extends that framework specifically to AI/LLM-facing systems, covering prompt injection, model evasion, and generative AI-specific attack surfaces
• Akamai maps its entire product stack — WAF, Prolexic, API Firewall, micro-segmentation — directly to the ATT&CK chain, creating layered interception at every stage
In a recent TFiR interview, Swapnil Bhartiya spoke with Steve Winterfeld, Advisory CISO at Akamai, about how MITRE’s family of frameworks — ATT&CK, ATLAS, CRAFT, and CALDERA — helps enterprise security teams think like attackers, map defensive coverage, and validate controls against real-world threat group TTPs.
WHAT IS MITRE AND WHY IT MATTERS FOR ENTERPRISE SECURITY
MITRE is a federally funded research and development center focused on critical infrastructure, defense, aviation, and healthcare. Within cybersecurity, it manages the CVE (Common Vulnerabilities and Exposures) system and the Common Weakness Enumeration (CWE) — but its most operationally valuable contribution for security practitioners is its suite of adversarial frameworks.
MITRE ATT&CK: The Adversarial Playbook
ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge. It maps 14 adversarial tactics — from initial reconnaissance to data exfiltration — and documents over 200 techniques and 400+ sub-techniques used by real-world threat actors. Separate matrices exist for enterprise (Windows, Mac, Linux, cloud, containers), mobile (iOS/Android), and industrial control systems/SCADA.
“As a CISO, I think about somebody attacking—how they do it and what they do—and across those 14 original steps, there are 200 techniques and over 400 sub-techniques.”
Winterfeld explained two primary use cases. First, program maturity assessment — using ATT&CK to evaluate whether security controls are distributed across the attack chain or concentrated only at entry and exit points. Second, training — walking SOC analysts, red teams, and developers through real attacker methodologies so teams recognize indicators at each stage.
ATLAS: MITRE’s Framework for AI and LLM-Specific Threats
ATLAS (Adversarial Threat Landscape for Artificial Intelligence Systems) extends the ATT&CK philosophy to externally facing AI applications, including large language models. It covers attack techniques specific to generative AI — including prompt injection, model evasion, and inference-layer attacks — that traditional enterprise ATT&CK techniques do not address.
“They’ve taken that original framework and said those are not the kind of attacks we would see against a large language model — so ATLAS is tailored just to your external-facing Gen AI programs.”
MITRE has also introduced a Safe AI framework for AI assurance during development, and an AI Incident Sharing Initiative for collaborative threat intelligence across organizations deploying generative AI.
CRIMINAL GROUP PROFILING AND THE ATT&CK NAVIGATOR
One of the most operationally valuable features of ATT&CK is its criminal group profiling capability. Threat actor groups — including APT39, the Lazarus Group, and others — are documented with their specific techniques, malware, and sequencing. Security teams can overlay a specific group’s TTPs onto the ATT&CK Navigator visualization to instantly see which techniques map to their current controls — and where gaps exist.
“You click on Display Attack Navigator, it overlays the criminal techniques on the attack framework, and instantly you can see where everything links up — it’s a great visualization.”
This enables red teams and pen testers to run simulations using actual criminal group methodologies, validating whether defensive controls would catch an attack at each stage.
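The two uses described above, the maturity view of where controls sit along the chain and the Navigator-style overlay of a group's techniques against current controls, reduce to the same set operation: for each technique a group is documented as using, which deployed controls address it, and which tactics are left without any. The following Python is an added example written for this summary, not code from MITRE, Akamai, or the interview. The technique IDs are real ATT&CK identifiers, but the group profile and the control inventory are constructed samples (not data about APT39, Lazarus, or any vendor product), and the layer fields mirror the Navigator layer JSON format as an assumption about its shape rather than a guarantee of import compatibility.

```python
"""Coverage-gap analysis in the style of an ATT&CK Navigator overlay.

Added example. Technique IDs are real ATT&CK IDs; the threat-group profile,
the control inventory and the layer version string are constructed/assumed.
"""
import json
from collections import defaultdict

# The 14 enterprise ATT&CK tactics in kill-chain order (Navigator short names).
TACTICS = [
    "reconnaissance", "resource-development", "initial-access", "execution",
    "persistence", "privilege-escalation", "defense-evasion", "credential-access",
    "discovery", "lateral-movement", "collection", "command-and-control",
    "exfiltration", "impact",
]

# Constructed group profile: technique ID -> tactic it is used for.
# A real ATT&CK group page lists these per group; this set is illustrative only.
GROUP_TTPS = {
    "T1595": "reconnaissance",       # Active Scanning
    "T1566": "initial-access",       # Phishing
    "T1059": "execution",            # Command and Scripting Interpreter
    "T1078": "persistence",          # Valid Accounts
    "T1082": "discovery",            # System Information Discovery
    "T1021": "lateral-movement",     # Remote Services
    "T1071": "command-and-control",  # Application Layer Protocol
    "T1041": "exfiltration",         # Exfiltration Over C2 Channel
}

# Constructed control inventory: control name -> technique IDs it detects or blocks.
CONTROLS = {
    "email-gateway": {"T1566"},
    "edr": {"T1059", "T1082"},
    "waf": {"T1595"},
    "dlp": {"T1041"},
}


def coverage(group_ttps, controls):
    """Map every technique in the profile to the sorted list of controls covering it."""
    covered_by = defaultdict(list)
    for name, techs in controls.items():
        for t in techs:
            covered_by[t].append(name)
    return {t: sorted(covered_by.get(t, [])) for t in group_ttps}


def gaps(group_ttps, controls):
    """Techniques the group uses that no deployed control addresses."""
    cov = coverage(group_ttps, controls)
    return sorted(t for t, c in cov.items() if not c)


def tactic_distribution(group_ttps, controls):
    """Per-tactic (covered, total) counts in kill-chain order.

    This is the maturity view: it shows whether coverage spans the chain or
    clusters at the entry (initial access) and exit (exfiltration) ends.
    """
    cov = coverage(group_ttps, controls)
    dist = {tac: [0, 0] for tac in TACTICS}
    for t, tac in group_ttps.items():
        dist[tac][1] += 1
        if cov[t]:
            dist[tac][0] += 1
    return {tac: tuple(v) for tac, v in dist.items() if v[1]}


def navigator_layer(group_ttps, controls, name="constructed-group coverage"):
    """Build a Navigator-style layer dict: covered techniques green, gaps red."""
    cov = coverage(group_ttps, controls)
    techniques = []
    for t, tac in sorted(group_ttps.items()):
        c = cov[t]
        techniques.append({
            "techniqueID": t,
            "tactic": tac,
            "color": "#8ec843" if c else "#ff6666",
            "score": len(c),
            "comment": ("covered by: " + ", ".join(c)) if c else "GAP: no control",
        })
    return {
        "name": name,
        "versions": {"layer": "4.5"},  # assumed layer-format version
        "domain": "enterprise-attack",
        "description": "Constructed example overlay; not a real group profile.",
        "techniques": techniques,
    }


if __name__ == "__main__":
    print("Gaps:", gaps(GROUP_TTPS, CONTROLS))
    for tac, (c, n) in tactic_distribution(GROUP_TTPS, CONTROLS).items():
        print(f"{tac:22s} {c}/{n}")
    print(json.dumps(navigator_layer(GROUP_TTPS, CONTROLS), indent=2))
```

With the constructed inputs the gaps fall on persistence, lateral movement and command-and-control, which is exactly the "controls only at entry and exit" pattern the maturity assessment is meant to surface: the email gateway and WAF cover the front of the chain and DLP covers the back, while the middle of the chain has nothing. Swapping in a group's actual technique list from its ATT&CK page and a real control inventory turns the same code into the overlay described in the interview.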
HOW AKAMAI MAPS ITS SECURITY STACK TO THE ATT&CK CHAIN
Akamai structures its security product portfolio around the ATT&CK chain, creating layered interception at multiple stages. WAF products address initial reconnaissance and access attempts. Prolexic handles infrastructure-level denial of service. API Firewall covers API-layer attacks. Micro-segmentation interrupts lateral movement and internal discovery. Exfiltration and command-and-control are addressed by additional data protection tooling.
“Across that entire thing — they have 14 opportunities to stop them — Akamai is going to be a partner in a lot of those different steps to interdict and disrupt their methodology.”
ADDITIONAL MITRE RESOURCES FOR ENTERPRISE SECURITY TEAMS
Beyond ATT&CK and ATLAS, MITRE maintains several additional frameworks relevant to enterprise security practitioners: CRAFT (Cyber Resiliency Engineering Framework) for NIST SP 800-160 alignment; Caldera for automated red team assessments; and ADAPT (Adversarial Actions in Digital Payment Technologies) for financial sector threat modeling. Industry-specific breakouts exist for healthcare, critical infrastructure, and other high-threat verticals.