Study survey


    This survey investigates how practitioners map real-world observations to MITRE ATT&CK techniques and where ambiguities arise in this process.

    It combines background questions with practical classification tasks to measure consistency, confidence, and differences in interpretation across participants.

    Participants are asked to complete the consent and background sections and at least one of the three main parts (Exercise 1, Exercise 2, or “How Much Detail is Enough?”). Each part targets a distinct research question and can therefore be completed independently, although full participation across all sections is encouraged.

    Participation Consent


    This study investigates how cybersecurity professionals classify cyber attack techniques using the MITRE ATT&CK framework.

    Participation is voluntary. You may withdraw at any time by closing the survey before submission.

    By continuing, you confirm that you are at least 18 years old and consent to participate.

    More information (GDPR Art. 13/14)

    Data Protection Officer


    Friedrich-Alexander University Erlangen-NĂĽrnberg (FAU)

    Freyeslebenstr. 1, 91058 Erlangen, Germany
    Email: datenschutzbeauftragter@fau.de

    Purpose of Processing


    The purpose of this study is to analyze subjectivity, abstraction, and decision-making processes in the classification of cyber attack techniques using the MITRE ATT&CK framework. The study builds upon prior expert interviews and aims to improve consistency and understanding of attack classification in research and practice.

    Legal Basis


    Processing is based on your consent in accordance with Art. 6 (1) (a) GDPR.

    Categories of Data


    Responses to classification tasks

    Questionnaire answers (closed and open-ended)

    Professional background information (e.g., role, experience)

    Recipients


    Data is processed by authorized researchers at FAU and collaborating academic partners. No personal data is shared with third parties.

    Data Storage and Security


    Data is collected via a web-based system hosted on FAU (RRZE) servers and transmitted using secure encryption (HTTPS/TLS). Data is stored within the university infrastructure.

    Data Retention


    Research data will be stored in anonymized or pseudonymized form for up to 10 years in accordance with good scientific practice.

    Third Country Transfers


    No data is transferred to countries outside the EU/EEA.

    Your Rights


    You have the right to access (Art. 15 GDPR), rectify (Art. 16), erase (Art. 17), restrict processing (Art. 18), and data portability (Art. 20), as well as the right to lodge a complaint with a supervisory authority (Art. 77 GDPR).

    Withdrawal of Consent


    You may withdraw your consent at any time. Due to the anonymous or pseudonymous nature of the study, it may not be possible to identify and delete individual responses after submission, unless you have voluntarily provided identifiable information (e.g., name or email address).

    Provision of Data


    Providing data is voluntary and not required by law or contract.

    Automated Decision-Making


    No automated decision-making according to Art. 22 GDPR takes place.

    Please confirm:

    If you do not consent, please close this survey.

    Your Background

    Background, Experience & Usage

    What is your current job title or position?

    How many years have you been working in your current position?

    How many years have you been working in the cybersecurity field?

    How would you describe the main focus of your current responsibilities?

    Please assess your expertise in the following areas:

    (None, Basic, Intermediate, Advanced, Expert)











    Do you use MITRE ATT&CK regularly in your professional life?

    How many years have you worked with MITRE ATT&CK?

    How would you rate your knowledge of MITRE ATT&CK?

    In the past five years, approximately how many cyber incidents have you personally analyzed and mapped to MITRE ATT&CK techniques?

    When mapping cyber incidents to MITRE ATT&CK techniques, what do you primarily rely on?

    (Select all that apply)

    For which use cases do you use MITRE ATT&CK?

    (Select all that apply)

    Exercise 1: Technique Assignment


    Two of your colleagues are discussing possible ATT&CK techniques that could apply to the artifact described in
    [[ARTIFACT]]
    and ask for your input. Which technique would you select?


    [[The site www.tradingtechnologies[.]com was compromised and hosting a hidden IFRAME to exploit visitors, just two months before the site was known to deliver a trojanized X_TRADER software package.]]


    On a scale from 1 to 5, where 1 means "not confident" and 5 means "very confident", how confident were you selecting your last answer ?

    Exercise 2: Scenario-Based Structuring


    Please analyze the given scenario using the provided dimensions and criteria, extend them if needed, and map the results to Attacker, Attack Process, and Victim by selecting all applicable expressions.

    Wicked backdoor — dual-purpose espionage & supply-chain ransomware


    A threat actor pursuing dual objectives — long-term espionage for state intelligence and opportunistic financial gain — targeted a managed service provider (MSP) serving healthcare and pharmaceutical clients. Initial access was achieved by exploiting a publicly exposed web application on the MSP's customer-facing portal: a known but unpatched deserialization vulnerability allowed unauthenticated remote code execution, and the actor deployed a web shell within minutes of identifying the vulnerable endpoint via automated vulnerability scanning. The web shell, masquerading as a legitimate admin script, provided a persistent interactive foothold on
    the IIS server.
    The actor used BITS Jobs as an alternative download mechanism to retrieve secondary tooling without triggering standard web-proxy alerts. A rootkit was installed in kernel space to hide process and file artefacts. The actor then pivoted laterally using pass-the-hash with NTLM hashes obtained from LSASS memory, moving across client-segregated network segments by abusing the MSP's software deployment tool — a legitimate remote management platform — which had domain-wide execution rights across all customer endpoints. During a six-month dwell period, the actor exfiltrated pharmaceutical research data and clinical-trial documents via an encrypted C2 channel
    using domain-generation algorithms to frustrate sinkholing. Separately, during a maintenance window, the actor deployed a ransomware payload to a subset of healthcare operator clients via the same remote management platform, encrypting patient record servers and destroying VSS snapshots. The ransomware was packaged using environmental keying so it only executed on systems meeting specific locale and domain membership conditions, frustrating sandbox analysis.
    Indicators included anomalous BITS job creation events, kernel driver loads not matching signed catalogue, and mass encryption activity detectable via file-rename telemetry.

    Attacker

    Dimension

    Criterion

    Expressions

    Who

    Attacker Type

    i

    What type of attacker is most likely responsible for this attack? Classifies the type of adversary behind the attack, distinguishing between highly sophisticated groups (APT) and less advanced or opportunistic actors.

    Why

    Attack Objective

    i

    Describes the primary goal of the attack. Select all goals that apply.

    Reconnaissance (General Information Gathering): Collecting general information about a system, user, or organization (e.g., system details, usernames), not necessarily targeting vulnerabilities.

    Vulnerability Discovery: Identifying specific technical weaknesses in a system with the intention of exploiting them.

    Data Collection: Gathering sensitive or relevant data such as files, credentials, or confidential information.

    Lateral Movement: Moving within a network to access additional systems, accounts, or resources.

    Privilege Escalation: Gaining higher-level permissions or access rights (e.g., from user to administrator).

    Defense Evasion: Avoiding detection by security mechanisms (e.g., hiding processes, obfuscating activity).

    Exfiltration: Transferring collected data out of the system or organization.

    Impact / Disruption: Causing damage or disruption, such as data destruction, encryption, or service unavailability.

    Custom 1

    Custom Criterion 1

    Custom Expressions 1

    Custom 2

    Custom Criterion 2

    Custom Expressions 2

    Custom 3

    Custom Criterion 3

    Custom Expressions 3

    Process of Attack

    Wicked backdoor — dual-purpose espionage & supply-chain ransomware


    A threat actor pursuing dual objectives — long-term espionage for state intelligence and opportunistic financial gain — targeted a managed service provider (MSP) serving healthcare and pharmaceutical clients. Initial access was achieved by exploiting a publicly exposed web application on the MSP's customer-facing portal: a known but unpatched deserialization vulnerability allowed unauthenticated remote code execution, and the actor deployed a web shell within minutes of identifying the vulnerable endpoint via automated vulnerability scanning. The web shell, masquerading as a legitimate admin script, provided a persistent interactive foothold on
    the IIS server.
    The actor used BITS Jobs as an alternative download mechanism to retrieve secondary tooling without triggering standard web-proxy alerts. A rootkit was installed in kernel space to hide process and file artefacts. The actor then pivoted laterally using pass-the-hash with NTLM hashes obtained from LSASS memory, moving across client-segregated network segments by abusing the MSP's software deployment tool — a legitimate remote management platform — which had domain-wide execution rights across all customer endpoints. During a six-month dwell period, the actor exfiltrated pharmaceutical research data and clinical-trial documents via an encrypted C2 channel
    using domain-generation algorithms to frustrate sinkholing. Separately, during a maintenance window, the actor deployed a ransomware payload to a subset of healthcare operator clients via the same remote management platform, encrypting patient record servers and destroying VSS snapshots. The ransomware was packaged using environmental keying so it only executed on systems meeting specific locale and domain membership conditions, frustrating sandbox analysis.
    Indicators included anomalous BITS job creation events, kernel driver loads not matching signed catalogue, and mass encryption activity detectable via file-rename telemetry.

    Dimension

    Criterion

    Expressions

    When

    Duration

    i

    Indicates the duration of the attack within the given scenario.

    Short: Seconds to minutes

    Medium: Minutes to hours

    Long: Hours to days

    Very Long: Days to weeks or longer

    When

    Attack Steps

    i

    Indicates which steps occurred during the attack in the given scenario.

    Select all steps that apply to the attack.

    Reconnaissance: Gathering information about the target (e.g., systems, users, network structure).

    Resource Development: Preparing resources for the attack (e.g., creating malware, setting up infrastructure, acquiring credentials).

    Exploit: Actively exploiting a vulnerability or executing malicious code to gain access.

    Pivot: Using a compromised system to move into another network or environment.

    Lateral Movement: Moving within a network to access additional systems or accounts.

    Impact: Achieving the final objective of the attack (e.g., data destruction, service disruption, data encryption, or exfiltration consequences).

    Where

    Stealth Level

    i

    Indicates how detectable the attack is by users or security systems.

    Low: Easily noticeable (e.g., visible pop-ups, system crashes, obvious alerts).

    Medium: Partially hidden, but detectable with standard monitoring or attentive users.

    High: Highly stealthy and difficult to detect, often requiring advanced security tools or detailed analysis.

    Where

    Detection Method

    i

    Describes how this attack could be detected using monitoring or analysis techniques. Select all that apply.

    Signature-Based Detection: Identifying known attack patterns or signatures (e.g., malware hashes, known indicators of compromise).

    Anomaly Detection: Detecting deviations from normal system or user behavior.

    Network Traffic Monitoring: Detecting unusual or suspicious network activity (e.g., unexpected connections, data transfers).

    Resource Usage Monitoring: Identifying abnormal CPU, GPU, or memory usage caused by malicious activity.

    System Log Monitoring: Analyzing logs for suspicious events or anomalies (e.g., login attempts, process execution).

    Behavioral Pattern Analysis: Detecting unusual sequences of actions or behaviors across systems or users.

    How

    Communication Path

    i

    Describes the communication channel or infrastructure used by the attack to transfer data or commands. Select all that apply.

    Local Endpoint: Communication occurs within the same device (e.g., local processes, inter-process communication).

    Internal Network: Communication within a private or organizational network (e.g., lateral movement between systems).

    Web Infrastructure: Communication over the internet via web-based services or protocols (e.g., HTTP/HTTPS, web servers).

    Cloud Services: Communication through cloud-based platforms or services (e.g., SaaS, storage services, APIs).

    Who

    User Interaction Required

    i

    Indicates whether the attack depends on user actions, such as clicking a link or opening a file.

    How

    Supply Chain Involvement

    i

    Indicates whether the attack involves components from the software or service supply chain.

    None: The attack does not rely on any third-party or external components.

    Third-Party Software: Exploiting or abusing external software provided by vendors (e.g., installed applications, platforms).

    External Libraries: Targeting or compromising dependencies such as libraries, packages, or modules used by software.

    CI/CD Pipeline: Manipulating build, integration, or deployment processes to introduce malicious code or artifacts.

    How

    Attack Vector

    i

    Indicates the attack vectors used during the attack in the given scenario. Select all that apply.

    Attack vectors describe the paths or methods used by the attacker to access or interact with the target at any stage of the attack.

    Network Access: Exploiting exposed services or vulnerabilities over a network connection.

    Phishing: Using social engineering techniques (e.g., emails, messages) to trick users into revealing information or executing actions.

    Scripting / Exploitation: Using scripts or code to exploit vulnerabilities or execute malicious actions.

    Physical Access: Gaining access through physical interaction with a device or system.

    Credential Access: Using stolen, guessed, or leaked credentials to gain access.

    Supply Chain Attack: Compromising the target through third-party software, services, or dependencies.

    How

    Level of Automation

    i

    Indicates the extent to which the attack is automated by the attacker.

    Manual: The attacker performs actions directly without automation.

    Semi-Automated: The attacker uses tools or scripts but still requires manual interaction or decision-making.

    Fully Automated: The attack step is executed automatically with little or no human intervention.

    With what

    Execution / Delivery Mechanism Type

    i

    Describes the type of mechanism or software used to execute or deliver the attack. Select all that apply.

    Custom Malicious Code: Tailored or attacker-developed code designed specifically for the attack.

    Commodity Malware: Widely available or reused malware not specifically developed for this target.

    Legitimate Software Abuse: Misuse of legitimate tools or software for malicious purposes (e.g., living-off-the-land techniques).

    Adware: Software primarily designed to display advertisements, potentially abused for malicious purposes.

    In-Person / Physical Interaction: Execution or delivery through direct physical interaction (e.g., USB devices, hands-on access).

    With what

    Attacker Tools

    i

    Specifies the concrete tools or resources used by the attacker to execute the attack. Select all that apply.

    Scripts: Custom or generic scripts used to automate tasks or execute commands.

    Custom Malware: Malware specifically developed or tailored for the attack.

    Living-off-the-Land Tools: Legitimate system tools or utilities abused for malicious purposes (e.g., PowerShell, Bash).

    Exploit Kit: Pre-packaged tools designed to exploit known vulnerabilities automatically.

    Other: Any additional tools not covered by the categories above.

    Custom 1

    Custom Criterion 1

    Custom Expressions 1

    Custom 2

    Custom Criterion 2

    Custom Expressions 2

    Custom 3

    Custom Criterion 3

    Custom Expressions 3

    Victim

    Wicked backdoor — dual-purpose espionage & supply-chain ransomware


    A threat actor pursuing dual objectives — long-term espionage for state intelligence and opportunistic financial gain — targeted a managed service provider (MSP) serving healthcare and pharmaceutical clients. Initial access was achieved by exploiting a publicly exposed web application on the MSP's customer-facing portal: a known but unpatched deserialization vulnerability allowed unauthenticated remote code execution, and the actor deployed a web shell within minutes of identifying the vulnerable endpoint via automated vulnerability scanning. The web shell, masquerading as a legitimate admin script, provided a persistent interactive foothold on
    the IIS server.
    The actor used BITS Jobs as an alternative download mechanism to retrieve secondary tooling without triggering standard web-proxy alerts. A rootkit was installed in kernel space to hide process and file artefacts. The actor then pivoted laterally using pass-the-hash with NTLM hashes obtained from LSASS memory, moving across client-segregated network segments by abusing the MSP's software deployment tool — a legitimate remote management platform — which had domain-wide execution rights across all customer endpoints. During a six-month dwell period, the actor exfiltrated pharmaceutical research data and clinical-trial documents via an encrypted C2 channel
    using domain-generation algorithms to frustrate sinkholing. Separately, during a maintenance window, the actor deployed a ransomware payload to a subset of healthcare operator clients via the same remote management platform, encrypting patient record servers and destroying VSS snapshots. The ransomware was packaged using environmental keying so it only executed on systems meeting specific locale and domain membership conditions, frustrating sandbox analysis.
    Indicators included anomalous BITS job creation events, kernel driver loads not matching signed catalogue, and mass encryption activity detectable via file-rename telemetry.

    Dimension

    Criterion

    Expressions

    What / Result

    Attack Impact

    i

    Describes the consequences or outcomes of the attack on data, systems, or services. Select all that apply.

    Data Manipulation: Unauthorized modification or alteration of data.

    Data Exfiltration: Unauthorized transfer of data of the system or organization.

    Data Deletion: Removal or destruction of data.

    Data Encryption: Data is encrypted to deny access (e.g., ransomware).

    Loss of System Control: The attacker gains control over systems or accounts.

    Availability Reduction: Systems or services become partially or fully unavailable.

    What

    Targeted Object

    i

    Describes the type of entity or component targeted by the attack. Select all that apply.

    Hardware: Physical devices such as computers, servers, or peripherals.

    Software: Applications, operating systems, or services.

    Firmware: Low-level software embedded in hardware components.

    Network Infrastructure: Network components such as routers, switches, or communication systems.

    Human / Social Infrastructure: People and organizational structures targeted through social engineering or manipulation.

    What

    Targeted System

    i

    Refers to the type of system or device targeted by the attack. Select all that apply.

    What

    Target Operating System

    i

    Specifies the operating system targeted or affected by the attack. Select all that apply.

    Windows: Microsoft Windows-based systems.

    Linux: Linux-based systems (e.g., servers, desktops).

    macOS: Apple macOS systems.

    Unix: Unix or Unix-like systems (excluding Linux/macOS where distinguished).

    Mobile OS: Mobile operating systems (e.g., Android, iOS).

    Who

    Targeted Sector

    i

    Describes the industry or sector to which the targeted organization or victim belongs. Select all that apply.

    Finance: Banking, insurance, and financial services.

    Education: Universities, schools, and research institutions.

    Government: Public sector organizations and authorities.

    Manufacturing: Industrial production and manufacturing companies.

    Healthcare: Hospitals, clinics, and health-related services.

    Critical Infrastructure: Essential services such as energy, water, transportation, and utilities.

    Technology: IT companies, software providers, and technology services.

    Custom 1

    Custom Criterion 1

    Custom Expressions 1

    Custom 2

    Custom Criterion 2

    Custom Expressions 2

    Custom 3

    Custom Criterion 3

    Custom Expressions 3


    On a scale from 1 to 5, where 1 means "not confident" and 5 means "very confident", how confident were you in your mapping decisions when using the provided criteria to interpret the scenario ?

    How Much Detail is Enough?

    Perception of Ambiguity, Consistency & Required Precision

    In your opinion, how important is assigning the most specific possible MITRE ATT&CK technique (e.g., at sub-technique level rather than a more general technique) in your professional context?

    When mapping to MITRE ATT&CK, what do you typically prioritize?

    Please briefly explain your reasoning.

    What level of granularity is typically sufficient when mapping scenarios in your professional role?

    If you selected “Broad cluster”: How do you typically define such clusters?

    (e.g., based on tools, environments, attacker behavior, or other criteria)

    To what extent would it be helpful to include additional information—beyond simple technique assignments—alongside artifact-to-ATT&CK mappings when interpreting and using mapping results?
    (e.g., indicating ambiguous techniques or providing annotator confidence levels)

    To what extent would additional information increase your trust in mapping results?

    To what extent would providing such additional information increase your confidence in your own mapping decisions?

    If you consider additional information to be helpful: Which types of additional information would be most useful for increasing your confidence in mapping decisions?

    (e.g., ambiguity indicators, annotator confidence levels, example mappings, or contextual explanations)