Study survey


    This survey investigates how practitioners map real-world observations to MITRE ATT&CK techniques and where ambiguities arise in this process.

    It combines background questions with practical classification tasks to measure consistency, confidence, and differences in interpretation across participants.

    Participants are asked to complete the consent and background sections and at least one of the three main parts (Exercise 1, Exercise 2, or “How Much Detail is Enough?”). Each part targets a distinct research question and can therefore be completed independently, although full participation across all sections is encouraged.

    Participation Consent


    This study investigates how cybersecurity professionals classify cyber attack techniques using the MITRE ATT&CK framework.

    Participation is voluntary. You may withdraw at any time by closing the survey before submission.

    By continuing, you confirm that you are at least 18 years old and consent to participate.

    More information (GDPR Art. 13/14)

    Data Protection Officer


    Friedrich-Alexander University Erlangen-Nürnberg (FAU)

    Freyeslebenstr. 1, 91058 Erlangen, Germany
    Email: datenschutzbeauftragter@fau.de

    Purpose of Processing


    The purpose of this study is to analyze subjectivity, abstraction, and decision-making processes in the classification of cyber attack techniques using the MITRE ATT&CK framework. The study builds upon prior expert interviews and aims to improve consistency and understanding of attack classification in research and practice.

    Legal Basis


    Processing is based on your consent in accordance with Art. 6 (1) (a) GDPR.

    Categories of Data


    Responses to classification tasks

    Questionnaire answers (closed and open-ended)

    Professional background information (e.g., role, experience)

    Recipients


    Data is processed by authorized researchers at FAU and collaborating academic partners. No personal data is shared with third parties.

    Data Storage and Security


    Data is collected via a web-based system hosted on FAU (RRZE) servers and transmitted using secure encryption (HTTPS/TLS). Data is stored within the university infrastructure.

    Data Retention


    Research data will be stored in anonymized or pseudonymized form for up to 10 years in accordance with good scientific practice.

    Third Country Transfers


    No data is transferred to countries outside the EU/EEA.

    Your Rights


    You have the right to access (Art. 15 GDPR), rectify (Art. 16), erase (Art. 17), restrict processing (Art. 18), and data portability (Art. 20), as well as the right to lodge a complaint with a supervisory authority (Art. 77 GDPR).

    Withdrawal of Consent


    You may withdraw your consent at any time. Due to the anonymous or pseudonymous nature of the study, it may not be possible to identify and delete individual responses after submission, unless you have voluntarily provided identifiable information (e.g., name or email address).

    Provision of Data


    Providing data is voluntary and not required by law or contract.

    Automated Decision-Making


    No automated decision-making according to Art. 22 GDPR takes place.

    Your Background

    Background, Experience & Usage

    What is your current job title or position?

    How many years have you been working in your current position?

    How many years have you been working in the cybersecurity field?

    How would you describe the main focus of your current responsibilities?

    Please assess your expertise in the following areas:

    (None, Basic, Intermediate, Advanced, Expert)

    Do you use MITRE ATT&CK regularly in your professional life?

    How many years have you worked with MITRE ATT&CK?

    How would you rate your knowledge of MITRE ATT&CK?

    In the past five years, approximately how many cyber incidents have you personally analyzed and mapped to MITRE ATT&CK techniques?

    When mapping cyber incidents to MITRE ATT&CK techniques, what do you primarily rely on?

    (Select all that apply)

    For which use cases do you use MITRE ATT&CK?

    (Select all that apply)

    Exercise 1: Technique Assignment


    Two of your colleagues are discussing possible ATT&CK techniques that could apply to the artifact described in [[ARTIFACT]] and ask for your input. Which technique would you select?


    Mandiant assesses with moderate confidence that UNC4736 is related to financially motivated North Korean “AppleJeus” activity as reported by CISA. This is further corroborated with findings from Google TAG who reported the compromise of www.tradingtechnologies[.]com in February 2022, preceding the distribution of compromised X_TRADER updates from the site.
    [[ The site www.tradingtechnologies[.]com was compromised and hosting a hidden IFRAME to exploit visitors, just two months before the site was known to deliver a trojanized X_TRADER software package.]]


    On a scale from 1 to 5, where 1 means "not confident" and 5 means "very confident", how confident were you in selecting your last answer?

    Exercise 2: Scenario-Based Structuring


    Please analyze the given scenario using the provided dimensions and criteria, extend them if needed, and map the results to Attacker, Attack Process, and Victim by selecting all applicable expressions.

    Social storm — vishing, MFA bypass & cloud-native ransomware


    A financially motivated threat actor — characterised by native-language social engineering and deep familiarity with enterprise IT support processes — targeted a multinational retail and hospitality conglomerate to deploy ransomware across its cloud-hosted infrastructure. The campaign opened with passive intelligence gathering: the actors profiled the target organisation's IT service-desk procedures using publicly available job postings, LinkedIn employee data, and leaked internal documentation from a prior unrelated breach. Armed with an employee's name, employee ID format, and office location, the actor placed voice calls (vishing) to the IT help desk, impersonating the employee and successfully convincing support staff to reset MFA credentials and enroll a new authenticator device.

    With valid cloud SSO credentials and a registered authenticator, the actor authenticated to the corporate identity platform, escalated privileges by abusing a misconfigured conditional access policy that permitted legacy authentication from certain IP ranges, and added additional cloud credentials to a service principal account for durable access. Over the following days, the actor enumerated cloud infrastructure, identified virtual machines running point-of-sale backend services, and located an Azure-equivalent object-storage bucket containing customer payment tokenization configuration. They harvested credentials stored in plaintext within infrastructure-as-code files discovered in an internal code repository, then used these to authenticate to a secrets management service and retrieve database connection strings. After staging the target data in a cloud instance they created themselves, the actor exfiltrated it to an external cloud storage location.

    In the final phase, the actor deleted volume snapshots, modified cloud IAM roles to prevent recovery operations by defenders, and triggered a cloud-native encryption action across attached storage volumes — rendering POS systems inoperable across multiple regions simultaneously. Forensic traces included help-desk ticket anomalies, new MFA device enrollment events, legacy authentication sign-in logs, and IAM role-modification events in cloud audit trails.
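    The scenario closes by listing the forensic traces the attack leaves behind. Each of them is noisy on its own (employees replace phones, some service accounts still use legacy protocols), so what a detection engineer would actually build is a correlation over the ordered sequence: help-desk MFA reset, new authenticator enrollment, legacy-protocol sign-in, credential added to a service principal, then snapshot deletion or IAM role changes. The following is an added example written for this page, not part of the survey or its authors' material. The log lines are constructed, and the key=value format, the event names and the field names are assumptions rather than any vendor's real schema; the merged timeline is likewise assumed to have been produced upstream.

```python
"""Added example: correlate the forensic traces named in the scenario.

Sample events are constructed for this example; the 'k=v' line format and
the event and field names are assumptions, not any vendor's real schema.
"""
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional, Tuple

# Constructed audit lines from the help-desk system, the identity platform and
# the cloud control plane, assumed to be merged into one timeline upstream.
SAMPLE_LOG = """
ts=2024-03-01T09:12:00 event=HelpDeskMfaReset user=j.doe ticket=INC-1001 agent=helpdesk-07
ts=2024-03-01T09:20:00 event=MfaDeviceRegistered user=j.doe device=authenticator-new
ts=2024-03-01T09:41:00 event=SignIn user=j.doe client_app=legacy src_ip=203.0.113.9 result=success
ts=2024-03-01T10:05:00 event=ServicePrincipalCredentialAdded user=j.doe target=sp-pos-backend
ts=2024-03-03T02:14:00 event=IamRoleModified user=j.doe target=role/backup-operator
ts=2024-03-03T02:16:00 event=SnapshotDeleted user=j.doe target=vol-0a1b
ts=2024-03-01T08:00:00 event=MfaDeviceRegistered user=a.lee device=authenticator-new
ts=2024-03-01T08:30:00 event=SignIn user=a.lee client_app=modern src_ip=198.51.100.4 result=success
ts=2024-03-01T07:55:00 event=SignIn user=svc-printer client_app=legacy src_ip=10.20.0.5 result=success
"""

Event = Dict[str, object]


def parse_line(line: str) -> Event:
    """Parse one 'k=v k=v ...' line; 'ts' becomes a datetime for ordering."""
    fields: Event = dict(tok.split("=", 1) for tok in line.split())
    fields["ts"] = datetime.fromisoformat(str(fields["ts"]))
    return fields


# Follow-on stages after a new MFA device is registered, in the order the
# scenario describes them. Each stage must occur after the previous one.
FOLLOW_ON: List[Tuple[str, Callable[[Event], bool]]] = [
    ("LegacyAuthSignIn",
     lambda e: e["event"] == "SignIn" and e.get("client_app") == "legacy"),
    ("ServicePrincipalCredAdd",
     lambda e: e["event"] == "ServicePrincipalCredentialAdded"),
    ("RecoveryTampering",
     lambda e: e["event"] in {"IamRoleModified", "SnapshotDeleted"}),
]


def correlate(events: List[Event],
              window: timedelta = timedelta(hours=72)) -> Dict[str, List[str]]:
    """Return {user: stages reached} for users whose new MFA device
    registration is followed by a legacy-auth sign-in within `window`.

    A new authenticator alone is routine (phone replacement) and a help-desk
    reset shortly before it is only a precursor. The finding fires when the
    registration is followed, in order, by a legacy-protocol sign-in, the
    step that sidesteps conditional access in the scenario; later stages are
    appended to show how far the chain progressed.
    """
    by_user: Dict[str, List[Event]] = {}
    for e in events:
        by_user.setdefault(str(e["user"]), []).append(e)

    findings: Dict[str, List[str]] = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for anchor in (e for e in evs if e["event"] == "MfaDeviceRegistered"):
            reached = ["MfaDeviceRegistered"]
            # Precursor: a help-desk reset up to one hour before enrollment.
            if any(e["event"] == "HelpDeskMfaReset"
                   and timedelta(0) <= anchor["ts"] - e["ts"] <= timedelta(hours=1)
                   for e in evs):
                reached.insert(0, "HelpDeskMfaReset")
            cursor = anchor["ts"]
            for name, matches in FOLLOW_ON:
                nxt: Optional[Event] = next(
                    (e for e in evs
                     if e["ts"] > cursor
                     and e["ts"] - anchor["ts"] <= window
                     and matches(e)),
                    None)
                if nxt is None:
                    break
                reached.append(name)
                cursor = nxt["ts"]
            if "LegacyAuthSignIn" in reached:
                findings[user] = reached
                break  # one finding per user is enough for triage
    return findings


def detect(lines: List[str]) -> Dict[str, List[str]]:
    """Parse raw lines (blank lines ignored) and run the correlation."""
    return correlate([parse_line(ln) for ln in lines if ln.strip()])


if __name__ == "__main__":
    for user, chain in detect(SAMPLE_LOG.splitlines()).items():
        print(f"{user}: {' -> '.join(chain)}")
```

    On the constructed sample only j.doe is reported, with the full five-stage chain; a.lee's new device followed by a modern-auth sign-in and svc-printer's standalone legacy sign-in are both left alone, which is the point of chaining the signals rather than alerting on any one of them. The 72-hour window mirrors the "over the following days" pacing in the scenario; tightening it trades missed slow-burn intrusions for fewer false positives.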

    Attacker

    Dimension

    Criterion

    Expressions

    Who

    Attacker Type

    What type of attacker is most likely responsible for this attack? Classifies the type of adversary behind the attack, distinguishing between highly sophisticated groups (APT) and less advanced or opportunistic actors.

    Why

    Attack Objective

    Describes the primary goal of the attack. Select all goals that apply.

    Reconnaissance (General Information Gathering): Collecting general information about a system, user, or organization (e.g., system details, usernames), not necessarily targeting vulnerabilities.

    Vulnerability Discovery: Identifying specific technical weaknesses in a system with the intention of exploiting them.

    Data Collection: Gathering sensitive or relevant data such as files, credentials, or confidential information.

    Lateral Movement: Moving within a network to access additional systems, accounts, or resources.

    Privilege Escalation: Gaining higher-level permissions or access rights (e.g., from user to administrator).

    Defense Evasion: Avoiding detection by security mechanisms (e.g., hiding processes, obfuscating activity).

    Exfiltration: Transferring collected data out of the system or organization.

    Impact / Disruption: Causing damage or disruption, such as data destruction, encryption, or service unavailability.

    Custom 1

    Custom Criterion 1

    Custom Expressions 1

    Custom 2

    Custom Criterion 2

    Custom Expressions 2

    Custom 3

    Custom Criterion 3

    Custom Expressions 3

    Process of Attack

    Dimension

    Criterion

    Expressions

    When

    Duration

    Indicates the duration of the attack within the given scenario.

    Short: Seconds to minutes

    Medium: Minutes to hours

    Long: Hours to days

    Very Long: Days to weeks or longer

    When

    Attack Steps

    Indicates which steps occurred during the attack in the given scenario.

    Select all steps that apply to the attack.

    Reconnaissance: Gathering information about the target (e.g., systems, users, network structure).

    Resource Development: Preparing resources for the attack (e.g., creating malware, setting up infrastructure, acquiring credentials).

    Exploit: Actively exploiting a vulnerability or executing malicious code to gain access.

    Pivot: Using a compromised system to move into another network or environment.

    Lateral Movement: Moving within a network to access additional systems or accounts.

    Impact: Achieving the final objective of the attack (e.g., data destruction, service disruption, data encryption, or the consequences of exfiltration).

    Where

    Stealth Level

    Indicates how detectable the attack is by users or security systems.

    Low: Easily noticeable (e.g., visible pop-ups, system crashes, obvious alerts).

    Medium: Partially hidden, but detectable with standard monitoring or attentive users.

    High: Highly stealthy and difficult to detect, often requiring advanced security tools or detailed analysis.

    Where

    Detection Method

    Describes how this attack could be detected using monitoring or analysis techniques. Select all that apply.

    Signature-Based Detection: Identifying known attack patterns or signatures (e.g., malware hashes, known indicators of compromise).

    Anomaly Detection: Detecting deviations from normal system or user behavior.

    Network Traffic Monitoring: Detecting unusual or suspicious network activity (e.g., unexpected connections, data transfers).

    Resource Usage Monitoring: Identifying abnormal CPU, GPU, or memory usage caused by malicious activity.

    System Log Monitoring: Analyzing logs for suspicious events or anomalies (e.g., login attempts, process execution).

    Behavioral Pattern Analysis: Detecting unusual sequences of actions or behaviors across systems or users.

    How

    Communication Path

    Describes the communication channel or infrastructure used by the attack to transfer data or commands. Select all that apply.

    Local Endpoint: Communication occurs within the same device (e.g., local processes, inter-process communication).

    Internal Network: Communication within a private or organizational network (e.g., lateral movement between systems).

    Web Infrastructure: Communication over the internet via web-based services or protocols (e.g., HTTP/HTTPS, web servers).

    Cloud Services: Communication through cloud-based platforms or services (e.g., SaaS, storage services, APIs).

    Who

    User Interaction Required

    Indicates whether the attack depends on user actions, such as clicking a link or opening a file.

    How

    Supply Chain Involvement

    Indicates whether the attack involves components from the software or service supply chain.

    None: The attack does not rely on any third-party or external components.

    Third-Party Software: Exploiting or abusing external software provided by vendors (e.g., installed applications, platforms).

    External Libraries: Targeting or compromising dependencies such as libraries, packages, or modules used by software.

    CI/CD Pipeline: Manipulating build, integration, or deployment processes to introduce malicious code or artifacts.

    How

    Attack Vector

    Indicates the attack vectors used during the attack in the given scenario. Select all that apply.

    Attack vectors describe the paths or methods used by the attacker to access or interact with the target at any stage of the attack.

    Network Access: Exploiting exposed services or vulnerabilities over a network connection.

    Phishing: Using social engineering techniques (e.g., emails, messages) to trick users into revealing information or executing actions.

    Scripting / Exploitation: Using scripts or code to exploit vulnerabilities or execute malicious actions.

    Physical Access: Gaining access through physical interaction with a device or system.

    Credential Access: Using stolen, guessed, or leaked credentials to gain access.

    Supply Chain Attack: Compromising the target through third-party software, services, or dependencies.

    How

    Level of Automation

    Indicates the extent to which the attack is automated by the attacker.

    Manual: The attacker performs actions directly without automation.

    Semi-Automated: The attacker uses tools or scripts but still requires manual interaction or decision-making.

    Fully Automated: The attack step is executed automatically with little or no human intervention.

    With what

    Execution / Delivery Mechanism Type

    Describes the type of mechanism or software used to execute or deliver the attack. Select all that apply.

    Custom Malicious Code: Tailored or attacker-developed code designed specifically for the attack.

    Commodity Malware: Widely available or reused malware not specifically developed for this target.

    Legitimate Software Abuse: Misuse of legitimate tools or software for malicious purposes (e.g., living-off-the-land techniques).

    Adware: Software primarily designed to display advertisements, potentially abused for malicious purposes.

    In-Person / Physical Interaction: Execution or delivery through direct physical interaction (e.g., USB devices, hands-on access).

    With what

    Attacker Tools

    Specifies the concrete tools or resources used by the attacker to execute the attack. Select all that apply.

    Scripts: Custom or generic scripts used to automate tasks or execute commands.

    Custom Malware: Malware specifically developed or tailored for the attack.

    Living-off-the-Land Tools: Legitimate system tools or utilities abused for malicious purposes (e.g., PowerShell, Bash).

    Exploit Kit: Pre-packaged tools designed to exploit known vulnerabilities automatically.

    Other: Any additional tools not covered by the categories above.

    Custom 1

    Custom Criterion 1

    Custom Expressions 1

    Custom 2

    Custom Criterion 2

    Custom Expressions 2

    Custom 3

    Custom Criterion 3

    Custom Expressions 3

    Victim

    Dimension

    Criterion

    Expressions

    What / Result

    Attack Impact

    Describes the consequences or outcomes of the attack on data, systems, or services. Select all that apply.

    Data Manipulation: Unauthorized modification or alteration of data.

    Data Exfiltration: Unauthorized transfer of data out of the system or organization.

    Data Deletion: Removal or destruction of data.

    Data Encryption: Data is encrypted to deny access (e.g., ransomware).

    Loss of System Control: The attacker gains control over systems or accounts.

    Availability Reduction: Systems or services become partially or fully unavailable.

    What

    Targeted Object

    Describes the type of entity or component targeted by the attack. Select all that apply.

    Hardware: Physical devices such as computers, servers, or peripherals.

    Software: Applications, operating systems, or services.

    Firmware: Low-level software embedded in hardware components.

    Network Infrastructure: Network components such as routers, switches, or communication systems.

    Human / Social Infrastructure: People and organizational structures targeted through social engineering or manipulation.

    What

    Targeted System

    Refers to the type of system or device targeted by the attack. Select all that apply.

    What

    Target Operating System

    Specifies the operating system targeted or affected by the attack. Select all that apply.

    Windows: Microsoft Windows-based systems.

    Linux: Linux-based systems (e.g., servers, desktops).

    macOS: Apple macOS systems.

    Unix: Unix or Unix-like systems (excluding Linux/macOS where distinguished).

    Mobile OS: Mobile operating systems (e.g., Android, iOS).

    Who

    Targeted Sector

    Describes the industry or sector to which the targeted organization or victim belongs. Select all that apply.

    Finance: Banking, insurance, and financial services.

    Education: Universities, schools, and research institutions.

    Government: Public sector organizations and authorities.

    Manufacturing: Industrial production and manufacturing companies.

    Healthcare: Hospitals, clinics, and health-related services.

    Critical Infrastructure: Essential services such as energy, water, transportation, and utilities.

    Technology: IT companies, software providers, and technology services.

    Custom 1

    Custom Criterion 1

    Custom Expressions 1

    Custom 2

    Custom Criterion 2

    Custom Expressions 2

    Custom 3

    Custom Criterion 3

    Custom Expressions 3


    On a scale from 1 to 5, where 1 means "not confident" and 5 means "very confident", how confident were you in your mapping decisions when using the provided criteria to interpret the scenario?

    How Much Detail is Enough?

    Perception of Ambiguity, Consistency & Required Precision

    In your opinion, how important is assigning the most specific possible MITRE ATT&CK technique (e.g., at sub-technique level rather than a more general technique) in your professional context?

    When mapping to MITRE ATT&CK, what do you typically prioritize?

    Please briefly explain your reasoning.

    What level of granularity is typically sufficient when mapping scenarios in your professional role?

    If you selected “Broad cluster”: How do you typically define such clusters?

    (e.g., based on tools, environments, attacker behavior, or other criteria)

    To what extent would it be helpful to include additional information—beyond simple technique assignments—alongside artifact-to-ATT&CK mappings when interpreting and using mapping results?
    (e.g., indicating ambiguous techniques or providing annotator confidence levels)

    To what extent would additional information increase your trust in mapping results?

    To what extent would providing such additional information increase your confidence in your own mapping decisions?

    If you consider additional information to be helpful: Which types of additional information would be most useful for increasing your confidence in mapping decisions?

    (e.g., ambiguity indicators, annotator confidence levels, example mappings, or contextual explanations)