Information system attack methods and techniques are the structured, replicable approaches adversaries use to compromise the confidentiality, integrity, or availability of information systems. An attack method is a category of adversarial action, for example social engineering, credential abuse, or malware deployment. An attack technique is a specific implementation within that category, for example spearphishing with a malicious PDF attachment, or pass-the-hash lateral movement. Together they form the adversarial playbook that security professionals must understand in order to design effective defenses, detect intrusions, and respond to incidents. The MITRE ATT&CK framework is the dominant industry taxonomy; it organizes techniques into 14 tactic categories that map the phases of an attack lifecycle, running from Initial Access through Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, and Command and Control to Exfiltration and Impact. This competency covers understanding and classifying attack methods and techniques, not operating offensive tooling.
Where it stops · what it isn't
- IN SCOPE: TTPs (tactics, techniques, and procedures), meaning how adversaries operate. Covers taxonomy, classification, technique chaining, and detection indicators.
- OUT OF SCOPE: specific offensive tools. Malware families (Cobalt Strike, Mimikatz) and exploit frameworks are implementation details. This competency addresses what class of technique a tool represents, not its operational use.
- OUT OF SCOPE: adversary attribution and threat-actor profiling. Identifying which nation-state uses which technique belongs to the threat intelligence competency domain.
- OUT OF SCOPE: defensive controls implementation. Firewall rules, SIEM tuning, and patch management processes are addressed in sibling competencies (Network and Endpoint Security; Security Testing Tools). This cubelet establishes the threat taxonomy that informs those controls.
- OUT OF SCOPE: vulnerability management. A CVE's existence is distinct from the technique that exploits it. This competency covers exploitation as a method, not the patch-prioritization process.
- IN SCOPE: full attack-chain coverage. Social engineering, malware, software vulnerability exploitation, credential attacks, insider threats, supply chain attacks, lateral movement, and data exfiltration, from initial access to impact.
Connected concepts in the graph
Every cubelet sits in a knowledge graph. Here's what this one connects to.
PART OF:
- CISA Domain 5: Protection of Information Assets

REQUIRES:
- Core Cybersecurity Concepts (Assets, Threats, Vulnerabilities, Exploits)
- IT Systems Architecture Fundamentals (Networks, Applications, Cloud, OT)

ENABLES:
- Security Testing Tools and Techniques (CISA sibling competency)
- Security Incident Response Management (CISA Domain 4)
- Network and End-Point Security (CISA sibling competency)
- Identity and Access Management: Attack Context

RELATED TO:
- Data Loss Prevention and Encryption
- Vulnerability Assessment and Penetration Testing

CONSTRAINS:
- Risk Assessment and Treatment (attack probability inputs)