Security Testing in the Context of the MITRE ATT&CK Framework
Cyberattacks follow recurring patterns. The MITRE ATT&CK Framework systematically catalogs these patterns and provides organizations with a common language to understand threats and prioritize protective measures. Particularly relevant is the "Initial Access" tactic (TA0001), which describes how attackers first gain entry into a network.
This article maps various security testing disciplines to their corresponding MITRE techniques and shows how organizations can systematically assess their attack surface.
External Network Pentest
The External Network Pentest simulates an attacker attempting to penetrate the IT infrastructure from outside. Publicly accessible systems such as firewalls, VPN gateways, mail servers, and exposed services are examined for vulnerabilities.
MITRE Mapping
| Technique ID | Name | Description |
|---|---|---|
| T1190 | Exploit Public-Facing Application | Exploitation of vulnerabilities in internet-exposed applications |
| T1133 | External Remote Services | Attacks on VPN, RDP, Citrix, and other remote access services |
Scope of Testing
A professional infrastructure pentest includes identification of active services through port scans, analysis of configuration errors, testing for known vulnerabilities such as ProxyLogon (Microsoft Exchange) or Ripple20 (Treck TCP/IP stack in embedded devices), and evaluation of firewall rules and network segmentation as seen from the outside. The results serve as a foundation for targeted hardening measures.
Further information: turingpoint - Infrastructure Pentest
Web Application Pentest
Web applications are a preferred target for attackers as they are often directly accessible from the internet and process sensitive data. A Web Application Pentest examines the application layer for security vulnerabilities.
MITRE Mapping
| Technique ID | Name | Description |
|---|---|---|
| T1190 | Exploit Public-Facing Application | Exploitation of vulnerabilities in web applications and APIs |
| T1189 | Drive-by Compromise | Compromise of visitors through manipulated web content, e.g. stored XSS that turns a trusted site into a delivery vector |
Scope of Testing
The assessment follows recognized standards such as the OWASP Testing Guide and covers authentication and authorization mechanisms, session management, input validation (SQL Injection, XSS, Command Injection), API security, and business logic flaws. Modern web applications frequently use third-party APIs, which should also be included in the assessment.
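The following block is an added example, not code from the original article or from turingpoint: the authentication-bypass injection that a web application pentest probes for, shown beside the parameterized form that prevents it, and exercised against an in-memory SQLite database. The schema, the single user row, the plaintext password (a demo shortcut; real systems store hashes) and the payloads are all constructed for this example.

```python
"""Added example: string-concatenated login query beside its parameterized
form, with a pentest-style probe and a bypass payload. All data is constructed."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample database with one user account (plaintext password
    only to keep the demo short; never do this in a real application)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users (username, password) VALUES ('alice', 's3cret')")
    return conn


def login_vulnerable(conn, username: str, password: str) -> bool:
    """Attacker input becomes part of the SQL text: the flaw a pentest probes."""
    query = ("SELECT id FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchone() is not None


def login_hardened(conn, username: str, password: str) -> bool:
    """Input is bound as a parameter and can never change the query structure."""
    row = conn.execute("SELECT id FROM users WHERE username = ? AND password = ?",
                       (username, password)).fetchone()
    return row is not None


def probe_syntax_error(login, conn) -> bool:
    """Pentest-style probe: a lone quote breaks a concatenated query and raises
    a database error, which a tester sees as a 500 or a leaked error message."""
    try:
        login(conn, "'", "x")
    except sqlite3.OperationalError:
        return True
    return False


# Constructed payload: closes the password string and appends a tautology, so
# the WHERE clause becomes (username='alice' AND password='') OR '1'='1'.
BYPASS = "' OR '1'='1"


def demo() -> dict:
    """Run probe and bypass against both implementations."""
    conn = make_db()
    return {
        "vuln_probe_errors": probe_syntax_error(login_vulnerable, conn),
        "hard_probe_errors": probe_syntax_error(login_hardened, conn),
        "vuln_bypass": login_vulnerable(conn, "alice", BYPASS),
        "hard_bypass": login_hardened(conn, "alice", BYPASS),
        "hard_valid": login_hardened(conn, "alice", "s3cret"),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The probe is the first thing a tester sends: a single quote that produces a database error only when input is spliced into the query text. The hardened variant neither errors on the quote nor accepts the tautology, because the driver transmits the parameters separately from the statement.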
Further information: turingpoint - Web Application Pentest
Cloud Security Assessment
Cloud infrastructures such as AWS, Azure, and GCP offer tremendous flexibility but also introduce new attack vectors. Misconfigurations in IAM policies, open storage buckets, or insecure service accounts are among the most common vulnerabilities.
MITRE Mapping
| Technique ID | Name | Description |
|---|---|---|
| T1078.004 | Valid Accounts: Cloud Accounts | Abuse of compromised cloud credentials |
| T1199 | Trusted Relationship | Exploitation of trust relationships (Federated Identity, Service Accounts) |
| T1190 | Exploit Public-Facing Application | Attacks on cloud APIs and serverless functions |
Scope of Testing
A Cloud Security Assessment analyzes IAM permissions for exploitable misconfigurations, storage configurations and data access rights, network security groups and virtual private clouds, logging and monitoring, and compliance with cloud-specific best practices such as CIS Benchmarks. The assessment is conducted within the shared responsibility model, where the customer is responsible for secure configuration.
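As an added example (not code from the original article or from turingpoint), the block below performs the kind of static IAM policy audit a cloud assessment starts with: wildcard actions on wildcard resources, service-wide wildcards, `iam:PassRole` on any role, privileged IAM actions without an MFA condition, and anonymous principals without a condition. The policy documents are constructed samples in AWS policy syntax, and the rules are this example's own heuristics rather than a provider API or a CIS Benchmark check.

```python
"""Added example: heuristic audit of IAM policy documents for the
misconfigurations a cloud assessment looks for first. Sample policies and
rules are constructed for this example."""
import json

# IAM actions that let a principal mint credentials or expand its permissions.
PRIVILEGED_IAM_ACTIONS = {
    "iam:*", "iam:PassRole", "iam:CreateAccessKey", "iam:CreateLoginProfile",
    "iam:AttachUserPolicy", "iam:AttachRolePolicy", "iam:PutUserPolicy",
    "iam:PutRolePolicy",
}


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"}: anyone, authenticated or not."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def _requires_mfa(stmt) -> bool:
    """True if the statement is gated on aws:MultiFactorAuthPresent == true."""
    cond = stmt.get("Condition", {})
    for op in ("Bool", "BoolIfExists"):
        if str(cond.get(op, {}).get("aws:MultiFactorAuthPresent", "")).lower() == "true":
            return True
    return False


def audit_policy(policy: dict) -> list:
    """Return (statement id, finding) pairs for every Allow statement that
    matches a rule. Deny statements are skipped."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        sid = stmt.get("Sid", f"Statement[{i}]")
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))

        if "NotAction" in stmt:
            findings.append((sid, "NotAction allows everything not listed; review manually"))
        if "*" in actions and "*" in resources:
            findings.append((sid, "full administrative access (Action '*' on Resource '*')"))
        elif "*" in resources and any(a.endswith(":*") for a in actions):
            findings.append((sid, "service-wide wildcard action on all resources"))
        if "iam:PassRole" in actions and "*" in resources:
            findings.append((sid, "iam:PassRole on any role: privilege escalation path"))
        if PRIVILEGED_IAM_ACTIONS & set(actions) and not _requires_mfa(stmt):
            findings.append((sid, "privileged IAM action allowed without an MFA condition"))
        if _is_anonymous(stmt.get("Principal")) and "Condition" not in stmt:
            findings.append((sid, "anonymous principal '*' without any Condition (public access)"))
    return findings


def audit_policy_json(text: str) -> list:
    """Same audit for a policy exported as JSON text."""
    return audit_policy(json.loads(text))


# Constructed sample policies (not taken from any real account).
ADMIN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AdminAll", "Effect": "Allow", "Action": "*", "Resource": "*"}]}

PUBLIC_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}

DEPLOY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DeployLambda", "Effect": "Allow", "Resource": "*",
     "Action": ["iam:PassRole", "lambda:CreateFunction", "lambda:InvokeFunction"]}]}

LEAST_PRIVILEGE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadOneBucket", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::app-logs", "arn:aws:s3:::app-logs/*"]},
    {"Sid": "RotateOwnKey", "Effect": "Allow", "Action": "iam:CreateAccessKey",
     "Resource": "arn:aws:iam::123456789012:user/${aws:username}",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]}


if __name__ == "__main__":
    for name, policy in [("admin", ADMIN_POLICY), ("public bucket", PUBLIC_BUCKET_POLICY),
                         ("deploy", DEPLOY_POLICY), ("least privilege", LEAST_PRIVILEGE_POLICY)]:
        print(name, audit_policy(policy))
```

The `DEPLOY_POLICY` case is the one that is easy to miss in review: nothing in it is a wildcard action, but `iam:PassRole` on `Resource: "*"` combined with the ability to create a Lambda function lets the holder run code under any role in the account. A real assessment would run such rules against every customer-managed and inline policy exported from the account, then verify each finding against the effective permissions (including permission boundaries and SCPs) that this heuristic does not model.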
Further information: turingpoint - Cloud Pentests
Static Code Analysis / SAST
While the previous disciplines uncover vulnerabilities in running systems, Static Application Security Testing (SAST) starts earlier: in the source code, before it reaches production. SAST is not an attacker technique in the MITRE sense but a preventive measure that complements the framework.
Relation to the MITRE Framework
| Reference | Description |
|---|---|
| Prevention for T1190 | Identification of injection flaws, buffer overflows, and insecure configurations before deployment |
| Prevention for T1195.001 | Detection of known-vulnerable dependencies through Software Composition Analysis (SCA), typically run alongside SAST in the same pipeline |
Scope of Testing
Static code analysis identifies security vulnerabilities through data flow analysis, taint analysis, and lexical or pattern-based analysis of the source code. The assessment covers SQL injection, cross-site scripting, hardcoded credentials, insecure cryptography, and violations of coding standards (MISRA, CERT, OWASP). SAST can be integrated into CI/CD pipelines and gives developers direct feedback on each commit; because static tools over-approximate, findings still need triage to separate real flaws from false positives.
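To make the taint-analysis idea concrete, the block below is an added example (not code from the original article, from turingpoint, or from any SAST product): a minimal taint tracker over a Python AST. It follows data from constructed source patterns (request parameters, `input()`) through assignments and string building into sink calls (SQL `execute`, `os.system`, `eval`), and treats parameter binding and `shlex.quote` as sanitizers. The source, sink and sanitizer tables are this example's own, and the analysed snippet is a constructed sample that is parsed, never executed.

```python
"""Added example: a minimal taint analysis over a Python AST, the core of a
SAST injection check. Source/sink/sanitizer tables and the sample code are
constructed for this example."""
import ast

SOURCES = {"request.args.get", "request.form.get", "request.get_json", "input"}
SANITIZERS = {"shlex.quote", "int", "float"}
# sink name -> index of the argument that must not carry tainted data
SINKS = {"execute": 0, "os.system": 0, "subprocess.call": 0, "eval": 0}


def dotted(node):
    """'a.b.c' for a Name/Attribute chain, else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def is_tainted(node, tainted) -> bool:
    """Does the expression carry data derived from a source?"""
    if isinstance(node, ast.Name):
        return node.id in tainted
    if isinstance(node, ast.Call):
        name = dotted(node.func)
        if name in SANITIZERS:
            return False
        if name in SOURCES:
            return True
        # any other call (str(), "...".format(), f(x)) passes taint through
        return is_tainted(node.func, tainted) or any(is_tainted(a, tainted) for a in node.args)
    # BinOp, JoinedStr, Subscript, Tuple, ...: tainted if any operand is
    return any(is_tainted(child, tainted) for child in ast.iter_child_nodes(node))


def analyze(source: str) -> list:
    """Report sink calls whose dangerous argument is tainted, per function.
    Deliberately simple: top-level statements of each function are scanned in
    order, with no control-flow or interprocedural analysis."""
    findings = []
    tree = ast.parse(source)
    for func in (n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)):
        tainted = set()
        for stmt in func.body:
            # propagate taint through simple assignments
            if isinstance(stmt, ast.Assign) and all(isinstance(t, ast.Name) for t in stmt.targets):
                names = {t.id for t in stmt.targets}
                if is_tainted(stmt.value, tainted):
                    tainted |= names
                else:
                    tainted -= names  # overwritten with clean data
            # check every call in the statement against the sink table
            for call in (n for n in ast.walk(stmt) if isinstance(n, ast.Call)):
                name = dotted(call.func) or ""
                sink = name if name in SINKS else name.rsplit(".", 1)[-1]
                if sink not in SINKS:
                    continue
                idx = SINKS[sink]
                if idx < len(call.args) and is_tainted(call.args[idx], tainted):
                    findings.append({"func": func.name, "line": call.lineno, "sink": sink})
    return findings


# Constructed sample under analysis; it is only parsed, so flask is not needed.
SAMPLE_SOURCE = '''\
import os
import shlex
from flask import request

def lookup(db):
    user = request.args.get("user")
    query = "SELECT * FROM users WHERE name = '%s'" % user
    db.execute(query)

def lookup_safe(db):
    user = request.args.get("user")
    db.execute("SELECT * FROM users WHERE name = ?", (user,))

def ping():
    host = request.args.get("host")
    os.system("ping -c 1 " + host)

def ping_safe():
    host = request.args.get("host")
    os.system("ping -c 1 " + shlex.quote(host))
'''

if __name__ == "__main__":
    for f in analyze(SAMPLE_SOURCE):
        print(f"{f['func']}:{f['line']} tainted data reaches {f['sink']}")
```

Two of the four functions are flagged: `lookup`, where the request parameter flows through a `%`-formatted string into `execute`, and `ping`, where it is concatenated into a shell command. `lookup_safe` passes the value as a bound parameter (argument index 1, not the query text), and `ping_safe` routes it through `shlex.quote`, so neither is reported. Production tools add what this omits: control-flow and interprocedural tracking, framework-specific source and sink catalogues, and the triage metadata needed to keep false positives manageable.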
Further information: turingpoint - Static Code Analysis
Social Engineering Assessment
No matter how sophisticated technical security measures are, humans often remain the weakest link. Social Engineering Assessments test how well employees recognize and resist manipulative attacks.
MITRE Mapping
| Technique ID | Name | Description |
|---|---|---|
| T1566 | Phishing | Attacks via email with malicious attachments or links |
| T1566.001 | Spearphishing Attachment | Targeted attacks with manipulated file attachments |
| T1566.002 | Spearphishing Link | Targeted attacks with malicious links |
| T1566.003 | Spearphishing via Service | Attacks via third-party platforms (social media, messenger) |
| T1566.004 | Spearphishing Voice | Attacks via telephone (vishing) |
| T1659 | Content Injection | Manipulation of network traffic to inject malicious content |
Scope of Testing
A Social Engineering Assessment includes phishing simulations with realistic scenarios, smishing (SMS-based phishing), vishing (telephone manipulation), pretexting, and measurement of click rates, credential submissions, reporting rates, and response times. More than 75 percent of all social engineering attacks begin with a phishing email. The results serve to raise targeted awareness and build a security awareness culture.
Further information: turingpoint - Social Engineering
Physical Security Assessment
Not all attack vectors are digital. Physical penetration tests examine whether attackers can gain physical access to buildings, server rooms, or endpoints.
MITRE Mapping
| Technique ID | Name | Description |
|---|---|---|
| T1200 | Hardware Additions | Introduction of hardware such as keyloggers, rogue access points, or USB devices |
| T1091 | Replication Through Removable Media | Spread of malware via USB sticks and other removable media |
| T1669 | Wi-Fi Networks | Attacks via wireless networks, rogue access points |
Scope of Testing
Physical security assessments cover access controls (tailgating, badge cloning), server room security, USB drop attacks, WLAN security (evil twin, deauthentication), and verification of clean desk policies. Successful physical access often enables further digital attacks.
Further information: turingpoint - Security Assessments
Mobile Application Pentest
Mobile applications process sensitive data directly on the device and communicate with backend systems. Vulnerabilities can lead to compromise of user data and corporate resources.
MITRE Mapping (Mobile Matrix)
The Mobile Matrix of the MITRE ATT&CK Framework catalogs specific attack techniques for iOS and Android, including malicious apps through sideloading or manipulated app stores, drive-by compromise via mobile browsers, exploitation of MDM vulnerabilities, and insecure data storage and communication.
Scope of Testing
Mobile app pentests follow the OWASP Mobile Application Security Testing Guide (MASTG, formerly MSTG) and the Mobile Application Security Verification Standard (MASVS). The assessment covers local data storage and encryption, authentication and session management, network communication and certificate pinning, reverse engineering and tampering protection, and inter-process communication and API security.
Further information: turingpoint - Mobile Application Pentest
Red Team Engagement
A Red Team Engagement is the most comprehensive form of security testing. Unlike traditional pentests, which aim to uncover as many vulnerabilities as possible, the Red Team pursues a defined objective using all available means.
MITRE Mapping
| Technique ID | Name | Description |
|---|---|---|
| T1195 | Supply Chain Compromise | Manipulation of the supply chain (software, hardware) |
| T1195.001 | Compromise Software Dependencies and Development Tools | Manipulation of software dependencies and development tools |
| T1195.002 | Compromise Software Supply Chain | Manipulation of application software before delivery |
| T1199 | Trusted Relationship | Exploitation of trust relationships with partners and service providers |
| T1078 | Valid Accounts | Use of compromised credentials |
A Red Team Engagement combines all previously mentioned disciplines and emulates the behavior of real attackers, including Advanced Persistent Threats (APT).
Scope of Testing
Red Teaming tests an organization's detection and response capabilities. The team attempts to remain undetected as long as possible while gaining access to sensitive information. The methods employed include technical exploitation, social engineering (physical and electronic), and chaining of multiple vulnerabilities. Red Team Assessments are suitable for organizations with mature security programs that already conduct regular pentests.
Further information: turingpoint - Red Teaming
Conclusion
The MITRE ATT&CK Framework provides a structured foundation for mapping security testing measures to real attack techniques. The combination of different testing disciplines enables a holistic assessment of the security posture:
| Discipline | Focus | Recommended Frequency |
|---|---|---|
| External Network Pentest | Perimeter security | Annually or after major changes |
| Web Application Pentest | Application security | With every major release |
| Cloud Security Assessment | Cloud configuration | Quarterly |
| SAST | Preventive code security | Continuously in CI/CD |
| Social Engineering | Employee awareness | Semi-annually |
| Physical Security | Buildings and hardware | Annually |
| Mobile App Pentest | Mobile applications | With every major release |
| Red Team Engagement | Entire organization | Every 1-2 years |
The choice of appropriate measures depends on the maturity level of the IT security organization, regulatory requirements, and the individual threat landscape. A structured approach aligned with the MITRE ATT&CK Framework enables prioritization of measures and provides evidence to regulatory authorities and auditors.
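One practical way to use the mapping tables above is to render them as an ATT&CK Navigator layer, so coverage and gaps are visible on the matrix. The block below is an added example, not code from the original article or from turingpoint: it transcribes the discipline-to-technique mapping from this page, scores each technique by the number of disciplines that exercise it, emits a Navigator layer document, and checks a tactic's technique list for gaps. The version numbers in the layer header and the Initial Access technique list are assumptions to verify against the ATT&CK and Navigator releases in use.

```python
"""Added example: ATT&CK Navigator layer and gap check built from the
mapping tables in this article. Version numbers and the tactic technique
list are assumptions to verify against the current ATT&CK release."""
import json

# Discipline -> technique IDs, transcribed from the mapping tables above.
COVERAGE = {
    "External Network Pentest": ["T1190", "T1133"],
    "Web Application Pentest": ["T1190", "T1189"],
    "Cloud Security Assessment": ["T1078.004", "T1199", "T1190"],
    "SAST": ["T1190", "T1195.001"],
    "Social Engineering Assessment": ["T1566", "T1566.001", "T1566.002",
                                      "T1566.003", "T1566.004", "T1659"],
    "Physical Security Assessment": ["T1200", "T1091", "T1669"],
    "Red Team Engagement": ["T1195", "T1195.001", "T1195.002", "T1199", "T1078"],
}

# Initial Access (TA0001) technique IDs as assumed by this example; check them
# against the ATT&CK release you work with before relying on the gap list.
INITIAL_ACCESS = ["T1659", "T1189", "T1190", "T1133", "T1200", "T1566",
                  "T1091", "T1195", "T1199", "T1078", "T1669"]


def technique_coverage(coverage=COVERAGE) -> dict:
    """Invert the mapping: technique ID -> list of disciplines covering it."""
    per_tech = {}
    for discipline, ids in coverage.items():
        for tid in ids:
            per_tech.setdefault(tid, []).append(discipline)
    return per_tech


def coverage_gaps(tactic_ids, coverage=COVERAGE) -> list:
    """Techniques of a tactic that no discipline maps to. A parent technique
    counts as covered when any of its sub-techniques is covered."""
    covered = {tid.split(".")[0] for tid in technique_coverage(coverage)}
    return [tid for tid in tactic_ids if tid not in covered]


def build_layer(coverage=COVERAGE, name="Security testing coverage") -> dict:
    """Navigator layer (format 4.x): score = number of disciplines per technique."""
    per_tech = technique_coverage(coverage)
    max_score = max(len(ds) for ds in per_tech.values())
    return {
        "name": name,
        # assumed release numbers; adjust to the Navigator/ATT&CK versions in use
        "versions": {"attack": "17", "navigator": "5.1.0", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": "Number of security testing disciplines that exercise each technique",
        "techniques": [
            {"techniqueID": tid, "score": len(ds), "comment": "; ".join(ds)}
            for tid, ds in sorted(per_tech.items())
        ],
        "gradient": {"colors": ["#ffffff", "#66b1ff", "#0b5394"],
                     "minValue": 0, "maxValue": max_score},
    }


def layer_json(coverage=COVERAGE) -> str:
    """Serialized layer, ready to open via Navigator's 'Open Existing Layer'."""
    return json.dumps(build_layer(coverage), indent=2)


if __name__ == "__main__":
    print(layer_json())
    print("Initial Access gaps:", coverage_gaps(INITIAL_ACCESS) or "none")
```

With the page's full mapping, T1190 scores highest (four disciplines) and no Initial Access technique is left uncovered; dropping disciplines from `COVERAGE` immediately shows what a reduced testing program leaves unexercised, which is the evidence auditors and regulators ask for.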