Security

MITRE ATT&CK for network engineers: turning the matrix into controls

TechLeague Editorial · 7 min read

ATT&CK gives the SOC and the network team a common language. Use it to translate threats into firewall rules, flow detection and segmentation.

Initial access

• Block known C2 domains via DNS RPZ.
• Web filtering by category and reputation.

Lateral movement

• Microsegmentation; restrict SMB/RDP between zones.
• Anomaly detection on east-west flows.

Command and control

• DNS tunneling detection.
• TLS metadata analysis (JA3 fingerprints, certificates).

Exfiltration

• DLP at egress; alert on unusually large outbound flows.
• Geo-blocking for high-risk destinations.

Operations

• Tabletop exercises with the SOC every quarter.
• Document a playbook per technique.

Train detection and response in a TechLeague tournament.