McAfee and UC Berkeley Center for Long-term Cybersecurity Study Finds MITRE ATT&CK® Improves Cloud Security, Yet Many Enterprises Struggle to Implement It

Research highlights the need for a holistic framework to track security threats across enterprise IT environments. 

News highlights:

  • Eighty-one percent report experiencing ATT&CK adversary tactics and techniques against their cloud environments on a regular—even daily—basis
  • Eighty-seven percent of security professionals agree that implementing the MITRE ATT&CK for Cloud framework will improve cloud security in their organizations
  • Nearly half of respondents find it challenging to use MITRE ATT&CK because of a lack of interoperability with their security products

SAN JOSE, Calif.--()--McAfee® and the University of California, Berkeley’s Center for Long-Term Cybersecurity (CLTC) today released a new research study, MITRE ATT&CK as a Framework for Cloud Threat Investigation, developed by CLTC researchers. The report focuses on threat investigation in the cloud through the lens of the most widely adopted framework, MITRE ATT&CK. The research shows that as cloud offerings change the delineation of security responsibilities between cloud service providers and organizations consuming cloud services, this complicates and overwhelms security operations center (SOC) teams—creating the need and desire for a framework that can standardize investigation across cloud services and traditional on-premises infrastructure.

While some enterprises adopt other frameworks for threat protection, research shows more than 80 percent of enterprises use MITRE ATT&CK. Furthermore, the study examined adoption of the MITRE ATT&CK Matrix for Enterprise and MITRE ATT&CK Matrix for Cloud, with 63 percent of respondents indicating they leverage both. Currently, 57 percent of those surveyed say they use MITRE ATT&CK to determine gaps in deployed security solutions in their enterprise, with 55 percent recommending it for security policy implementation and 54 percent using it for threat modeling.

Despite this widespread adoption, the study indicates security professionals still are not fully confident of their existing security solutions’ ability to detect the adversary tactics and techniques identified by the MITRE ATT&CK framework. While 81 percent of security professionals say they experience the adversary tactics and techniques in the ATT&CK Cloud Matrix on a daily, monthly or annual basis, fewer than half (49 percent) feel highly confident that their implemented security solutions will detect them. This doubt stems from challenges associated with MITRE ATT&CK: about 45 percent of survey respondents said their greatest challenge is the framework’s inoperability with their security products and 43 percent said they find it difficult to map event-specific data to tactics and techniques.

Additionally, a large fraction (61 percent) of enterprises said they are not correlating events from cloud, networks, and endpoints to investigate threats. This further blurs the lines of shared responsibility between SOCs and cloud providers and adds to the difficulty of managing threats that are intertwined with on-premises and hybrid environments.

The study suggests that security professionals remain optimistic, however, with 87 percent agreeing that adopting MITRE ATT&CK Matrix for Cloud will improve cloud security in their organizations and 79 percent stating it would make them more comfortable with cloud adoption.

“The widespread adoption of Work From Home initiatives is accelerating cloud adoption, and adversaries are increasingly targeting attacks towards organizations' data and workloads in the cloud,” said Rajiv Gupta, senior vice president, Cloud Security, McAfee. “As organizations review their existing technology stacks and strategies to keep their security posture effective both from an efficacy and operational perspective, they should strongly consider interoperability with a consistent framework such as MITRE ATT&CK, which remains the most widely used framework across all industries to find gaps in visibilities, tools and processes.”

The study highlights key tips for maintaining a strong security posture:

  • Use the MITRE ATT&CK Cloud Matrix: More enterprises are moving toward the adoption of this framework for threat investigation as integration and automation capabilities improve, creating the possibility to better leverage the benefits of cloud computing.
  • Employ comprehensive threat investigation: Increased visibility into events to detect threat patterns is crucial. Investigating threats systematically and correlating events from network, endpoints and cloud are critical for successful threat detection and prevention.
  • Embrace automation: To reduce the workload of SOC analysts investigating multiple environments, security professionals agree that automating tagging of events using a security framework would be beneficial.

Report Methodology

For MITRE ATT&CK as a Framework for Cloud Threat Investigation, McAfee and CLTC researchers conducted a survey of security leaders — including CISOs, CIOs, CTOs, and SOC analysts — across 325 large- and medium-sized enterprises in the United Kingdom, United States and Australia, categorizing enterprises with 5000+ employees as large and 1000+ as medium sized. The research targeted diverse sectors, including IT, technology and telecoms, retail, transport, financial services, manufacturing and production, and others.

Additional Resources:

About McAfee

McAfee is the device-to-cloud cybersecurity company. Inspired by the power of working together, McAfee creates consumer and business solutions that make our world a safer place.

About the Center for Long-Term Cybersecurity

The Center for Long-Term Cybersecurity (CLTC) was established in 2015 as a research and collaboration hub in the School of Information at the University of California, Berkeley. The Center’s mission is to help individuals and organizations address tomorrow’s information security challenges to amplify the upside of the digital revolution. Learn more at

McAfee technologies’ features and benefits depend on system configuration and may require enabled hardware, software, or service activation. No computer system can be absolutely secure. McAfee® and the McAfee logo are trademarks of McAfee, LLC or its subsidiaries in the United States and other countries. Other marks and brands may be claimed as the property of others.



Tracy Holden, McAfee

Ann Cleaveland, Center for Long-Term Cybersecurity


Tracy Holden, McAfee

Ann Cleaveland, Center for Long-Term Cybersecurity