# How The MITRE ATT&CK For Cloud Framework Can Improve Threat Detection

By [Rachel Deng](https://www.paloaltonetworks.com/blog/author/rachel-deng/?ts=markdown "Posts by Rachel Deng") | Apr 22, 2021 | 5 minutes

Threats in cloud environments are becoming more sophisticated, and that means they are more challenging to monitor, detect and mitigate.
Furthermore, what works in the traditional enterprise environment rarely works for cloud. How do you assess risks, validate compliance or detect, investigate and respond to threats in the cloud where environments are rapidly changing and resources are ephemeral?

One of the most effective methods to address the broad scope of these issues is to adopt a unified security framework that has been purpose-built for the unique challenges of cloud. The MITRE ATT&CK® knowledge base is the most widely adopted framework for security teams across the industry, and for good reason.

The [MITRE ATT&CK framework](https://www.paloaltonetworks.com/cyberpedia/what-is-mitre-attack?ts=markdown) offers a [globally-accessible knowledge base](https://attack.mitre.org/) of adversary tactics and techniques based on real-world observations, and provides threat modeling and methodologies for organizations of all sizes. The group recently updated a new framework specifically tailored for cloud, which offers guidance on techniques specific to Microsoft Azure, Amazon Web Services (AWS), Google Cloud and other cloud services.

Here are some primary use cases:

* Understand the tactics and techniques used by adversaries and guide security policy implementation.
* Identify gaps in currently deployed security products or tools.
* Assess how effective the security strategy is from a comprehensive perspective.

![The list of tactics included in the ATT&CK for Cloud framework](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/10/word-image.png)

The list of tactics included in the ATT&CK for Cloud framework

## Prisma Cloud and ATT&CK for Cloud

The [Cloud Security Posture Management](https://www.paloaltonetworks.com/cyberpedia/what-is-cloud-security-posture-management?ts=markdown) modules in Prisma Cloud use this new ATT&CK framework to address use cases for risk assessment and mitigation, compliance and threat detection.

![Image showing the 3 Prisma Cloud use cases that utilize ATT&CK for Cloud](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/10/word-image-1.png)

### Risk Assessment and Mitigation

Our customers need to know if their cloud infrastructure resources are configured properly to prevent accidental exposure. Prisma Cloud ships with [over 200 policies](https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/prisma-cloud-policies.html) covering ATT&CK for Cloud, which include coverage for configuration issues as well as risk mitigation. Therefore, users can use ATT&CK for Cloud as a guiding standard to prioritize security policy implementation and evaluate the effectiveness of their internal controls.

![ATT&CK for Cloud tactics with corresponding policies in Prisma Cloud](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/10/word-image-2.png)

ATT&CK for Cloud tactics with corresponding policies in Prisma Cloud

Let's look at an example of how Prisma Cloud leverages ATT&CK for Cloud to help customers assess risks in their cloud infrastructure and mitigate accordingly.

Prisma Cloud has mapped the policy, "AWS Security Group overly permissive to all traffic" to the ATT&CK technique, "[Network Service Scanning (Technique ID: T1046)](https://attack.mitre.org/techniques/T1046/)" of the tactic, "Discovery." This policy identifies security groups that are overly permissive to all traffic. Overly permissive groups may allow a bad actor to [brute-force](https://www.paloaltonetworks.com/cyberpedia/brute-force?ts=markdown) their way into the system and potentially gain access to the entire network. If this tactic is of grave concern to the user, they could fix this misconfiguration. If it is less concerning, the customers could choose to accept the risk.

### Compliance

ATT&CK for Cloud itself is not a regulatory compliance standard. Nevertheless, Prisma Cloud can generate reports aligned to the framework.
These reports are a helpful tool that tells users about the misconfiguration status of their clouds, and provides recommendations for mitigation. This way users can monitor their accounts across all cloud providers and ensure that their [infrastructure security posture](https://www.paloaltonetworks.com/blog/prisma-cloud/multicloud-infrastructure-security/?ts=markdown) is aligned to ATT&CK for Cloud.

For example, a customer checks the report and it shows that they have very high fail rates in both Initial Access and Persistence tactics. The reports help them decide to focus first on fixing the misconfiguration of Initial Access and temporarily accept the risks of Persistence because Initial Access is a more critical issue to their business.

![The compliance dashboard in Prisma Cloud can display which resources pass or fail each component of the ATT&CK for Cloud framework along with a trending view](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/10/word-image-3.png)

The compliance dashboard in Prisma Cloud can display which resources pass or fail each component of the ATT&CK for Cloud framework along with a trending view

### Threat Detection

There is no such thing as "perfect" protection. In spite of all the risk mitigation techniques, sophisticated adversaries can still evade them and gain access to your environment. As a critical complementary piece to the risk assessment, mitigation and compliance use cases above, effective threat detection can help make your [cloud security](https://www.paloaltonetworks.com/cyberpedia/what-is-a-cloud-security?ts=markdown) strategy complete.

Prisma Cloud goes beyond just mapping threat detection policies to ATT&CK for Cloud. The framework is in fact the guiding principle for developing the platform's overall detection and risk mitigation capabilities. This helps ensure Prisma Cloud can cover *all* stages of the matrix so that it can detect and respond to all potential cloud threats.

Powered by industry-leading machine learning techniques and bolstered by [multiple threat intelligence sources](https://www.paloaltonetworks.com/blog/2020/07/cloud-autofocus-prisma-integration/?ts=markdown), Prisma Cloud continuously monitors the entire threat lifecycle from discovery/initial access to impact/exfiltration, enabling security teams to automatically detect different attack tactics targeted at their public cloud environments.

For example, one of our anomaly policies, "port scan activity", is mapped to the ATT&CK technique, "[Network Service Scanning (Technique ID: T1046)](https://attack.mitre.org/techniques/T1046/)" under the tactic, "Discovery". If this threat policy generates an alert, customers would know that an adversary has been attempting reconnaissance, looking for vulnerable resources with open ports. If this is a critical concern, customers could immediately address the issue based on MITRE's recommendation for this specific attack technique.

## Conclusion

ATT&CK for Cloud is a comprehensive matrix of tactics and techniques to better understand attacks and enhance security strategy. Prisma Cloud now harnesses the power of the framework, from risk assessment and mitigation to compliance and threat detection, to secure your cloud infrastructure environment.

For more detailed information on the breadth of compliance standards Prisma Cloud supports, [check out our documentation](https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/prisma-cloud-compliance/compliance-dashboard.html).
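
The check and per-tactic roll-up described under Risk Assessment and Mitigation and under Compliance can be sketched as follows; this is an added example, not Prisma Cloud's own policy logic. It assumes "overly permissive to all traffic" means an ingress rule allowing every protocol from `0.0.0.0/0` or `::/0`, and it runs over constructed data shaped like EC2 `DescribeSecurityGroups` output (the group IDs are made up).

```python
import ipaddress
from collections import defaultdict

# Policy-to-technique mapping as stated in the article; the dict layout is an assumption.
POLICY = {
    "policy": "AWS Security Group overly permissive to all traffic",
    "technique_id": "T1046",
    "technique": "Network Service Scanning",
    "tactic": "Discovery",
}

# Constructed sample data shaped like EC2 DescribeSecurityGroups output.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-internal", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-open-v4", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-open-v6", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]

def is_any_source(cidr):
    """True when the CIDR covers every address (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def open_to_all_traffic(group):
    """Return the source CIDRs of ingress rules allowing every protocol from anywhere."""
    hits = []
    for rule in group.get("IpPermissions", []):
        if rule.get("IpProtocol") != "-1":  # "-1" means all protocols and ports
            continue
        cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        hits += [c for c in cidrs if is_any_source(c)]
    return hits

def evaluate(groups):
    """One pass/fail finding per security group, tagged with the ATT&CK mapping."""
    findings = []
    for group in groups:
        hits = open_to_all_traffic(group)
        findings.append({"resource": group["GroupId"], "passed": not hits,
                         "open_cidrs": hits, **POLICY})
    return findings

def fail_rate_by_tactic(findings):
    """Share of failing resources per tactic, as a compliance report would roll it up."""
    totals, fails = defaultdict(int), defaultdict(int)
    for f in findings:
        totals[f["tactic"]] += 1
        fails[f["tactic"]] += 0 if f["passed"] else 1
    return {tactic: fails[tactic] / totals[tactic] for tactic in totals}

if __name__ == "__main__":
    results = evaluate(SAMPLE_GROUPS)
    for f in results:
        print(f["resource"], "PASS" if f["passed"] else "FAIL", f["technique_id"], f["open_cidrs"])
    print(fail_rate_by_tactic(results))
```

A group that exposes only TCP 443 to the internet, or all protocols to a private range, passes this particular policy; narrower exposure of that kind would be the job of other policies.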