Episode 40 — Map TTPs Using MITRE ATT&CK Within Adversary Analysis and Threat Frameworks

In this episode, we’re going to take the clear attacker-behavior notes you learned to write and connect them to a shared language used across the security world. That shared language is the MITRE ATT&CK framework, which organizes common attacker behaviors into categories. The goal is not to memorize a giant list. The goal is to learn how to translate what you observed into a consistent set of labels so your analysis becomes easier to communicate, compare, and improve over time. When you map observed actions to Tactics, Techniques, and Procedures, you create a bridge between raw events and higher-level understanding. This helps you answer questions like: what stage of an attack are we seeing, what did the attacker try to accomplish, and what defenses should we strengthen next? For beginners, the key is to treat this framework as a map, not as a test you have to pass by memorization.

Before we continue, a quick note: this audio course is a companion to our course companion books. The first book is about the exam and provides detailed information on how to pass it best. The second book is a Kindle-only eBook that contains 1,000 flashcards that can be used on your mobile device or Kindle. Check them both out at Cyber Author dot me, in the Bare Metal Study Guides Series.

Start by clarifying what TTPs means in practice. A tactic is the attacker’s goal at a stage of an intrusion, such as getting in, maintaining access, or stealing data. A technique is a general method used to accomplish that goal, such as phishing for initial access or creating scheduled tasks for persistence. Procedures are the specific ways an attacker implements a technique in a real case, such as the exact message they sent or the specific configuration change they made. MITRE ATT&CK is mostly a catalog of tactics and techniques, along with examples and related details. The value of mapping is that it forces you to describe behavior in a standardized way. Instead of saying the attacker was sneaky, you can say they performed credential access and persistence using specific techniques. That precision is what makes analysis actionable and comparable across incidents.

MITRE ATT&CK organizes behavior into tactics that often align with a rough progression of an intrusion. The flow typically begins with initial access and then moves into execution, persistence, privilege escalation, defense evasion, credential access, discovery, lateral movement, collection, command and control, exfiltration, and impact. These are not always linear, and attackers can loop back and forth, but the structure helps you situate events in the bigger story. For example, a phishing email fits naturally into initial access. A new scheduled task fits into persistence. A burst of internal network scanning fits into discovery. A new outbound beaconing pattern fits into command and control. When you map events to these tactics, you gain a clearer view of what the attacker is trying to accomplish right now. That clarity helps you choose whether to prioritize containment, credential resets, system isolation, or data protection measures.

Now connect this framework to your adversary analysis notes. Remember the subject-action-object method you used to write clear observations. ATT&CK mapping begins with those same observations. If you saw that a user account authenticated from an unusual location and then accessed a cloud application, you might map that under initial access or credential access depending on what the evidence suggests. If you saw that a process created a new auto-start mechanism, that maps to persistence. If you saw attempts to access credential stores, that maps to credential access. If you saw a host connecting repeatedly to an unusual external destination, that maps to command and control. Notice what is happening here: you are translating plain-language actions into a framework label that others recognize. The framework does not replace your notes; it adds structure and makes your notes easier to use for planning defenses.

It is important to understand how to choose a technique mapping without overconfidence. Many events could fit multiple categories depending on context. A login could be legitimate user activity or could be attacker use of valid accounts. A scheduled task could be normal maintenance or could be persistence. Mapping therefore benefits from confidence statements. You might map a behavior as suspected persistence if you have partial evidence, and then update to confirmed persistence when you find supporting details. This is not a weakness; it is disciplined analysis. Frameworks are most useful when they reflect reality, not when they force a neat story prematurely. Beginners should not worry about being perfect on first pass. The goal is to create a working map that guides investigation and response, and then refine it as evidence improves.

One of the biggest practical benefits of ATT&CK mapping is identifying coverage gaps. A coverage gap is a place where you have little detection, weak prevention, or weak visibility for a technique. If you map an incident and realize that you had no alerts for early discovery behavior, that suggests a monitoring gap. If you realize that credential access was possible because MFA was not enforced on a certain portal, that suggests a control gap. If you realize that command and control traffic blended into normal outbound traffic because egress rules were too permissive, that suggests an architecture gap. Mapping makes these gaps visible because it turns a chaotic incident into a set of technique categories. Once you know which technique categories were used, you can ask whether you have controls that would detect or block them in the future. This is how a framework turns into a practical improvement plan.

Another benefit is communicating across teams. Different teams may speak different languages: network teams focus on traffic, endpoint teams focus on processes, identity teams focus on logins, and leadership focuses on risk. MITRE ATT&CK provides a shared vocabulary that helps these teams align. When you say you observed credential access and lateral movement, that communicates intent and risk more clearly than a pile of log snippets. It also helps teams compare incidents. If multiple incidents involve similar techniques, that suggests a recurring weakness. If a new incident uses a technique you have never seen before, that suggests changing attacker behavior or a new exposure. For beginners, this is the real power: frameworks help humans coordinate, not just categorize.

ATT&CK mapping also supports threat-informed defense, which is the idea of improving defenses based on how attackers actually operate, not just based on theoretical best practices. If your organization sees repeated phishing attempts, it makes sense to invest in stronger email filtering, phishing-resistant authentication, and user verification processes. If you see repeated exploitation of exposed web apps, it makes sense to invest in patching discipline, web application protection, and reducing internet-facing exposure. If you see repeated command and control patterns, it makes sense to refine egress controls and outbound visibility. These improvements are more persuasive and more targeted when you can point to mapped techniques rather than vague statements about risk. Framework mapping turns a security conversation into a conversation about concrete behaviors and concrete controls. That clarity also helps justify why certain security investments matter.

It is worth noting that MITRE ATT&CK is not the only threat framework, and it is not meant to replace other structures like risk frameworks or compliance requirements. Risk frameworks focus on governance and control objectives, while ATT&CK focuses on adversary behavior. These can complement each other. Your risk framework might tell you that you need access control and monitoring, while ATT&CK helps you understand which specific behaviors those controls should address. For beginners, the key is to see frameworks as tools for different questions. ATT&CK answers how attackers operate, while other frameworks answer how to manage security programs and controls. When you combine them, your security decisions become both strategically aligned and operationally grounded.

A common misconception is that mapping to MITRE ATT&CK requires deep technical detail. While detail helps, you can often map at a high level using well-understood behaviors. A phishing email maps to initial access even if you do not know the exact attachment type. A repeated outbound beacon maps to command and control even if you do not know the malware name. A new scheduled task maps to persistence even if you do not know the full payload. Another misconception is that mapping is only for reporting, when in reality it can guide response decisions in real time. If you identify that the attacker has moved into credential access, you might prioritize resetting credentials and reviewing privileged accounts. If you identify that they are in collection and exfiltration, you might prioritize data protection and outbound monitoring. The framework helps you decide what the attacker may try next, which helps you choose what to protect first.

To make this skill stick, practice a simple translation habit. Take a plain-language observation and ask, what was the attacker trying to accomplish, and what general method did they use. Then map it to the closest tactic and technique category. For example, if you observe a user being tricked into entering credentials, that maps to initial access via phishing. If you observe a new account created unexpectedly, that maps to persistence or privilege escalation depending on the context. If you observe internal scanning, that maps to discovery. If you observe repeated outbound connections to an unfamiliar destination, that maps to command and control. The goal is to get comfortable making these translations quickly and then refining them as evidence improves. Over time, you will build a mental library of common mappings that makes analysis faster.
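The translation habit described here, together with the confidence statements and coverage-gap check from earlier in the episode, as an added example (not code from the course or from MITRE): the observations, the detection list and the small CATALOG subset are constructed for illustration; the technique and tactic names in CATALOG are real ATT&CK entries.

```python
"""Translate subject-action-object notes into ATT&CK tactic/technique labels with a
confidence statement, then list which mapped techniques have no detection coverage.
Added example for this episode; observations and DETECTIONS are constructed, and
CATALOG is a hand-picked subset of the ATT&CK catalog, not the full framework."""
from dataclasses import dataclass

# keyword found in a note -> (tactic, technique ID, technique name) from ATT&CK
CATALOG = {
    "phishing":         ("Initial Access",      "T1566", "Phishing"),
    "scheduled task":   ("Persistence",         "T1053", "Scheduled Task/Job"),
    "auto-start":       ("Persistence",         "T1547", "Boot or Logon Autostart Execution"),
    "credential store": ("Credential Access",   "T1003", "OS Credential Dumping"),
    "internal scan":    ("Discovery",           "T1046", "Network Service Discovery"),
    "beacon":           ("Command and Control", "T1071", "Application Layer Protocol"),
}

@dataclass
class Observation:
    subject: str
    action: str
    object: str
    evidence: str  # "partial" -> suspected, "supporting" -> confirmed

def map_observation(obs):
    """Return the framework label for one note; notes with no match stay unmapped."""
    note = f"{obs.subject} {obs.action} {obs.object}"
    for keyword, (tactic, tid, name) in CATALOG.items():
        if keyword in note.lower():
            confidence = "confirmed" if obs.evidence == "supporting" else "suspected"
            return {"note": note, "tactic": tactic, "technique": tid,
                    "name": name, "confidence": confidence}
    return {"note": note, "tactic": None, "technique": None, "name": None,
            "confidence": "unmapped"}

def coverage_gaps(mapped, detections):
    """Technique IDs seen in the incident for which no detection exists."""
    used = {m["technique"] for m in mapped if m["technique"]}
    return sorted(used - set(detections))

# Constructed incident notes in the subject / action / object form from the episode.
OBSERVATIONS = [
    Observation("user jdoe", "entered credentials into a phishing page at", "a finance-portal lookalike", "supporting"),
    Observation("process svchost.exe", "created a scheduled task named", "nightly-sync", "partial"),
    Observation("host WS-042", "ran an internal scan of", "the server subnet on TCP 445", "partial"),
    Observation("host WS-042", "sent a beacon every 60 seconds to", "an unfamiliar external IP", "supporting"),
]
DETECTIONS = {"T1566", "T1053"}  # constructed: techniques the current alerting covers

if __name__ == "__main__":
    mapped = [map_observation(o) for o in OBSERVATIONS]
    for m in mapped:
        print(f"[{m['confidence']}] {m['tactic']} / {m['technique']}: {m['note']}")
    print("coverage gaps:", coverage_gaps(mapped, DETECTIONS))
```

Running it labels the scheduled task as suspected persistence until supporting evidence upgrades it, and reports discovery and command and control as the techniques with no detection.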

In conclusion, mapping TTPs using MITRE ATT&CK strengthens adversary analysis by turning raw observations into a shared, structured vocabulary. Tactics represent attacker goals, techniques represent general methods, and procedures represent the specific implementation details seen in a case. By mapping what you observed to these categories, you improve communication, identify control and visibility gaps, and support threat-informed defensive improvements. The framework is most valuable when used as a guide for action, not as a memorization exercise. The decision rule to remember is this: if you can describe an observed attacker action as a clear behavior and map it to a tactic and technique, you can more easily decide what the attacker is trying to do next and which control improvements will most directly break that behavior in the future.
