Mapping Honeypot Detections to MITRE ATT&CK Tactics: A Complete Framework

When your honeypot catches an attacker probing a fake API endpoint, what do you tell your SOC? “We detected something bad” does not cut it anymore. Security teams need context. They need to understand where the attack fits in the threat landscape, how it relates to other alerts, and what the adversary might do next.

That is where MITRE ATT&CK comes in. By mapping honeypot detections to ATT&CK tactics and techniques, you transform isolated alerts into actionable threat intelligence that speaks the same language as your entire security stack.

This guide explains how WebDecoy maps every detection type to the MITRE ATT&CK framework, why this matters for your security operations, and how to leverage ATT&CK-enriched events for better threat detection and response.

Why MITRE ATT&CK Mapping Matters for Deception Technology

Deception technology generates uniquely high-fidelity alerts. When an attacker interacts with a honeypot, there is no ambiguity. Legitimate users do not stumble onto fake endpoints or invisible trap links. Every detection represents genuine adversary activity.

But high fidelity alone is not enough. Your honeypot alerts need to integrate with your broader security ecosystem. They need to correlate with endpoint detections, network alerts, and identity events. They need to feed threat intelligence platforms and compliance reports.

MITRE ATT&CK provides the common language that makes this integration possible.

Consider what happens without ATT&CK mapping:

  • Your honeypot detects credential stuffing against a fake login endpoint
  • The alert says “Credential Stuffing Attempt” with source IP and payload details
  • Your SOC analyst has to manually determine the attack category
  • No automatic correlation with other ATT&CK-tagged events in your SIEM
  • Compliance reports require manual mapping to frameworks

Now consider the same detection with ATT&CK enrichment:

  • Alert automatically tagged with T1110.001 (Brute Force: Password Guessing) and T1110.004 (Credential Stuffing)
  • SIEM correlation rules fire based on technique IDs
  • Automatic grouping with endpoint events showing the same technique
  • Compliance reports auto-generate with framework coverage
  • Threat intelligence feeds consume structured technique data

The difference is operational efficiency at scale.

What Is MITRE ATT&CK: Essential Context

MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a globally accessible knowledge base of adversary behavior. It categorizes attack activities into:

Tactics: The adversary’s tactical objectives (the “why”). Examples include Reconnaissance, Initial Access, Credential Access, and Collection.

Techniques: How adversaries achieve those objectives (the “how”). Each tactic contains multiple techniques. For example, Credential Access includes Brute Force, Credential Dumping, and Input Capture.

Sub-techniques: Granular variations of techniques. Brute Force (T1110) has sub-techniques like Password Guessing (T1110.001), Password Spraying (T1110.003), and Credential Stuffing (T1110.004).

Procedures: Specific implementations by threat actors. These provide real-world examples of how particular groups execute techniques.

For deception technology, ATT&CK mapping enables you to understand exactly where honeypot detections fit within the adversary lifecycle. An attacker crawling your site looking for hidden endpoints is performing Reconnaissance. The same attacker attempting SQL injection against a decoy API is demonstrating Execution capabilities.

WebDecoy Detection Types and MITRE ATT&CK Mappings

WebDecoy generates detections across three primary sources: Bot Scanner (behavioral analysis), Link Decoys (invisible honeypot links), and Endpoint Decoys (API honeypots). Each detection maps to specific ATT&CK tactics and techniques based on the adversary behavior observed.

Bot Scanner Behavioral Analysis

Bot Scanner adds a critical detection layer that catches threats honeypots might miss. By analyzing behavioral signals—mouse entropy, interaction timing, TLS fingerprints, and headless browser characteristics—Bot Scanner detects automation frameworks before they interact with any decoy.

Bot Scanner Detection                       | ATT&CK Tactic        | ATT&CK Technique                        | Technique ID
Headless Browser Detected                   | Reconnaissance       | Active Scanning                         | T1595
Automation Framework (Puppeteer/Playwright) | Reconnaissance       | Gather Victim Host Information          | T1592
TLS Fingerprint Mismatch                    | Reconnaissance       | Active Scanning: Vulnerability Scanning | T1595.002
Mouse Entropy Anomaly                       | Reconnaissance       | Active Scanning                         | T1595
AI Crawler User Agent                       | Reconnaissance       | Search Victim-Owned Websites            | T1594
Datacenter IP + Bot Behavior                | Resource Development | Acquire Infrastructure                  | T1583

Example Bot Scanner detection event:

{
  "detection_source": "bot_scanner",
  "signals": {
    "headless_browser": true,
    "automation_framework": "puppeteer",
    "mouse_entropy": 0.12,
    "webgl_spoofed": true,
    "tls_fingerprint_mismatch": true
  },
  "mitre_attack": {
    "tactics": ["TA0043"],
    "techniques": ["T1595", "T1592"],
    "technique_names": ["Active Scanning", "Gather Victim Host Information"]
  },
  "threat_score": 92,
  "action": "blocked",
  "latency_ms": 47
}

Complete Detection-to-ATT&CK Mapping Table

Detection Type           | Decoy Type     | ATT&CK Tactic        | ATT&CK Technique                        | Technique ID
Web Crawler Detection    | Link Decoy     | Reconnaissance       | Active Scanning: Vulnerability Scanning | T1595.002
AI Bot Crawling          | Link Decoy     | Reconnaissance       | Gather Victim Host Information          | T1592
Hidden Link Access       | Link Decoy     | Reconnaissance       | Search Victim-Owned Websites            | T1594
Sitemap Enumeration      | Link Decoy     | Reconnaissance       | Active Scanning: Wordlist Scanning      | T1595.003
API Endpoint Probe       | Endpoint Decoy | Reconnaissance       | Active Scanning: Vulnerability Scanning | T1595.002
Credential Stuffing      | Endpoint Decoy | Credential Access    | Brute Force: Credential Stuffing        | T1110.004
Brute Force Login        | Endpoint Decoy | Credential Access    | Brute Force: Password Guessing          | T1110.001
Password Spraying        | Endpoint Decoy | Credential Access    | Brute Force: Password Spraying          | T1110.003
SQL Injection            | Endpoint Decoy | Execution            | Exploitation for Client Execution       | T1203
Command Injection        | Endpoint Decoy | Execution            | Command and Scripting Interpreter       | T1059
XXE Attack               | Endpoint Decoy | Execution            | Exploitation of Remote Services         | T1210
Cross-Site Scripting     | Endpoint Decoy | Initial Access       | Drive-by Compromise                     | T1189
Path Traversal           | Endpoint Decoy | Discovery            | File and Directory Discovery            | T1083
Directory Enumeration    | Endpoint Decoy | Discovery            | File and Directory Discovery            | T1083
Admin Panel Probe        | Endpoint Decoy | Discovery            | Account Discovery                       | T1087
Data Export Attempt      | Endpoint Decoy | Collection           | Data from Information Repositories      | T1213
GraphQL Introspection    | Endpoint Decoy | Discovery            | Software Discovery                      | T1518
Mass Assignment Attack   | Endpoint Decoy | Privilege Escalation | Exploitation for Privilege Escalation   | T1068
Insecure Deserialization | Endpoint Decoy | Execution            | Exploitation for Client Execution       | T1203

Detailed Tactic-by-Tactic Breakdown

Reconnaissance (TA0043)

Reconnaissance is the adversary’s information-gathering phase. They are mapping your attack surface, identifying technologies, and looking for entry points. Honeypots excel at detecting reconnaissance because legitimate users never interact with hidden decoys.

Link Decoy Detections:

When WebDecoy deploys invisible honeypot links (hidden via CSS or placed in low-visibility locations), only automated crawlers and manual attackers discover them. Detection here indicates:

  • Active Scanning (T1595): Automated vulnerability scanners probing for hidden endpoints
  • Search Victim-Owned Websites (T1594): Manual or automated enumeration of your web properties
  • Gather Victim Host Information (T1592): AI bots and scrapers collecting data about your infrastructure

Example Link Decoy event:

{
  "detection_type": "link_decoy_triggered",
  "decoy_path": "/assets/sitemap-backup.xml",
  "source_ip": "45.33.32.156",
  "user_agent": "Mozilla/5.0 (compatible; GPTBot/1.0)",
  "mitre_attack": {
    "tactics": ["TA0043"],
    "techniques": ["T1594", "T1592"],
    "technique_names": ["Search Victim-Owned Websites", "Gather Victim Host Information"]
  },
  "threat_score": 78,
  "verdict": "block"
}

Endpoint Decoy Detections:

Fake API endpoints catch attackers performing active reconnaissance against your API surface:

  • Active Scanning: Vulnerability Scanning (T1595.002): Automated tools probing for exploitable endpoints
  • Active Scanning: Wordlist Scanning (T1595.003): Attackers using common path wordlists to enumerate APIs

Resource Development (TA0042)

Resource Development involves adversaries acquiring or building infrastructure to support attacks. While harder to detect directly, certain honeypot interactions indicate this tactic:

  • Attackers testing infrastructure against decoys before targeting real assets
  • Validation of proxy networks and VPN configurations
  • Testing credential lists against honeypot login endpoints

When WebDecoy detects requests from known hosting providers or proxy networks that appear to be testing attack tooling, this maps to Resource Development activities.

Initial Access (TA0001)

Initial Access is how adversaries get their first foothold. Endpoint Decoys positioned at authentication endpoints catch multiple Initial Access techniques:

Credential Stuffing at Fake Login Endpoints:

{
  "detection_type": "endpoint_decoy_triggered",
  "decoy_path": "/api/v1/auth/login",
  "method": "POST",
  "body": {
    "username": "john.doe@company.com",
    "password": "Summer2024!"
  },
  "mitre_attack": {
    "tactics": ["TA0001", "TA0006"],
    "techniques": ["T1078", "T1110.004"],
    "technique_names": ["Valid Accounts", "Brute Force: Credential Stuffing"]
  },
  "attack_signatures": ["credential_stuffing"],
  "threat_score": 94
}

Cross-Site Scripting in Decoy Forms:

When attackers inject XSS payloads into honeypot endpoints:

  • Drive-by Compromise (T1189): Attempting to establish persistence via client-side attacks

Execution (TA0002)

Execution tactics involve running adversary-controlled code. Endpoint Decoys detect multiple Execution techniques when attackers send malicious payloads:

Command Injection Attempts:

{
  "detection_type": "attack_signature_detected",
  "signature": "command_injection",
  "decoy_path": "/api/admin/export",
  "payload": "filename=report.csv;cat /etc/passwd",
  "mitre_attack": {
    "tactics": ["TA0002"],
    "techniques": ["T1059"],
    "technique_names": ["Command and Scripting Interpreter"]
  },
  "severity": "critical"
}

SQL Injection:

{
  "detection_type": "attack_signature_detected",
  "signature": "sql_injection",
  "decoy_path": "/api/users/search",
  "payload": "q=' UNION SELECT username,password FROM users--",
  "mitre_attack": {
    "tactics": ["TA0002"],
    "techniques": ["T1203"],
    "technique_names": ["Exploitation for Client Execution"]
  },
  "severity": "critical"
}

XXE (XML External Entity) Attacks:

{
  "detection_type": "attack_signature_detected",
  "signature": "xxe",
  "decoy_path": "/api/import",
  "payload": "<?xml version=\"1.0\"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM \"file:///etc/passwd\">]><data>&xxe;</data>",
  "mitre_attack": {
    "tactics": ["TA0002"],
    "techniques": ["T1210"],
    "technique_names": ["Exploitation of Remote Services"]
  },
  "severity": "critical"
}

Credential Access (TA0006)

Credential Access covers attempts to steal account credentials. Endpoint Decoys at authentication endpoints provide direct visibility into these techniques:

Brute Force Variants:

Sub-technique                 | Description                               | Detection Indicator
T1110.001 Password Guessing   | Trying many passwords against one account | Single username, multiple password attempts
T1110.003 Password Spraying   | Trying one password against many accounts | Single password, multiple username attempts
T1110.004 Credential Stuffing | Using breached credential pairs           | Known leaked credential patterns

Example password spraying event:

{
  "detection_type": "credential_attack",
  "sub_type": "password_spraying",
  "decoy_path": "/api/auth/login",
  "attempts": [
    {"username": "admin@company.com", "password": "Winter2024!"},
    {"username": "user1@company.com", "password": "Winter2024!"},
    {"username": "helpdesk@company.com", "password": "Winter2024!"}
  ],
  "mitre_attack": {
    "tactics": ["TA0006"],
    "techniques": ["T1110.003"],
    "technique_names": ["Brute Force: Password Spraying"]
  },
  "source_ip": "192.168.1.100",
  "threat_score": 91
}
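
To make the indicators in the table concrete, here is an added Python example (not WebDecoy's code) that classifies a burst of login attempts from one source into the three T1110 sub-techniques and emits an event in the shape shown above, with technique URLs built the way the webhook payload later in this guide formats them. The sample attempts, the three-attempt threshold and the structural stand-in for a leaked-credential check are assumptions of this example.

```python
from collections import Counter

ATTACK_BASE = "https://attack.mitre.org"

# Constructed sample attempts against a decoy login endpoint (not real
# WebDecoy data). Each list exercises one row of the brute-force table.
SPRAYING = [
    {"username": "admin@company.com", "password": "Winter2024!"},
    {"username": "user1@company.com", "password": "Winter2024!"},
    {"username": "helpdesk@company.com", "password": "Winter2024!"},
]
GUESSING = [
    {"username": "admin@company.com", "password": "Winter2024!"},
    {"username": "admin@company.com", "password": "Summer2024!"},
    {"username": "admin@company.com", "password": "Password1"},
]
STUFFING = [
    {"username": "alice@company.com", "password": "h0rseBattery"},
    {"username": "bob@company.com", "password": "Qwerty!23"},
    {"username": "carol@company.com", "password": "letmein99"},
]


def technique_url(technique_id):
    """Build the attack.mitre.org URL in the form the webhook payload uses,
    e.g. T1110.001 -> /techniques/T1110/001/."""
    base, _, sub = technique_id.partition(".")
    path = f"/techniques/{base}/{sub}/" if sub else f"/techniques/{base}/"
    return ATTACK_BASE + path


def classify_brute_force(attempts, min_attempts=3):
    """Map a burst of login attempts from one source to a T1110 sub-technique
    using the table's indicators. Returns None below the attempt threshold.

    Credential stuffing is approximated structurally (every pair distinct,
    many usernames and many passwords); a production check would also match
    the pairs against known leaked-credential data, which this example lacks.
    """
    if len(attempts) < min_attempts:
        return None
    usernames = Counter(a["username"] for a in attempts)
    passwords = Counter(a["password"] for a in attempts)
    pairs = {(a["username"], a["password"]) for a in attempts}
    if len(usernames) == 1 and len(passwords) > 1:
        return ("T1110.001", "Brute Force: Password Guessing")
    if len(passwords) == 1 and len(usernames) > 1:
        return ("T1110.003", "Brute Force: Password Spraying")
    if len(pairs) == len(attempts) and len(usernames) > 1 and len(passwords) > 1:
        return ("T1110.004", "Brute Force: Credential Stuffing")
    return ("T1110", "Brute Force")  # e.g. the same pair retried repeatedly


def enrich_credential_event(attempts, source_ip, decoy_path):
    """Produce a credential_attack event shaped like the page's example, with
    the ATT&CK block expanded to the id/name/url objects the webhook emits."""
    result = classify_brute_force(attempts)
    if result is None:
        return None
    technique_id, technique_name = result
    return {
        "detection_type": "credential_attack",
        "sub_type": technique_name.split(": ")[-1].lower().replace(" ", "_"),
        "decoy_path": decoy_path,
        "attempts": attempts,
        "mitre_attack": {
            "tactics": [{"id": "TA0006", "name": "Credential Access",
                         "url": f"{ATTACK_BASE}/tactics/TA0006/"}],
            "techniques": [{"id": technique_id, "name": technique_name,
                            "url": technique_url(technique_id), "tactic": "TA0006"}],
        },
        "source_ip": source_ip,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(enrich_credential_event(SPRAYING, "192.0.2.10", "/api/auth/login"), indent=2))
```

The classifier only sees attempts already grouped per source; in practice you would bucket by source IP and a short time window first, so that two unrelated users who both mistype a password are not folded into one burst.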

Discovery (TA0007)

Discovery involves adversaries exploring your environment to understand what they can access. Honeypots detect this when attackers enumerate decoy endpoints:

Path Traversal and Directory Discovery:

{
  "detection_type": "attack_signature_detected",
  "signature": "path_traversal",
  "decoy_path": "/api/files/download",
  "payload": "file=../../../etc/passwd",
  "mitre_attack": {
    "tactics": ["TA0007"],
    "techniques": ["T1083"],
    "technique_names": ["File and Directory Discovery"]
  }
}

API Enumeration:

When attackers systematically probe API endpoints:

  • Software Discovery (T1518): GraphQL introspection queries mapping your schema
  • Account Discovery (T1087): Probing user/admin endpoints to enumerate accounts

Collection (TA0009)

Collection tactics involve gathering data of interest. Decoys positioned at export or data access endpoints catch:

Data Export Attempts:

{
  "detection_type": "endpoint_decoy_triggered",
  "decoy_path": "/api/customers/export",
  "method": "GET",
  "query_params": {"format": "csv", "all": "true"},
  "mitre_attack": {
    "tactics": ["TA0009"],
    "techniques": ["T1213"],
    "technique_names": ["Data from Information Repositories"]
  },
  "threat_score": 85
}

Content Scraping:

AI bots and scrapers that attempt to harvest content from your site map to the following techniques:

  • Data from Information Repositories (T1213)
  • Automated Collection (T1119)

Complete Webhook Payload with ATT&CK Enrichment

When WebDecoy sends detection events to your SIEM or webhook endpoint, ATT&CK data is included automatically:

{
  "event_id": "evt_8f3a2b1c9d4e5f6g",
  "timestamp": "2024-11-28T14:32:18.445Z",
  "event_type": "bot_detection",

  "detection": {
    "type": "endpoint_decoy_triggered",
    "decoy_name": "Admin Login Honeypot",
    "decoy_path": "/api/admin/authenticate",
    "decoy_type": "endpoint"
  },

  "request": {
    "method": "POST",
    "path": "/api/admin/authenticate",
    "content_type": "application/json",
    "body": {
      "username": "admin' OR '1'='1",
      "password": "password123"
    },
    "headers": {
      "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0.0.0",
      "Accept": "application/json"
    }
  },

  "source": {
    "ip": "185.220.101.42",
    "geo": {
      "country": "RU",
      "city": "Moscow",
      "region": "Moscow",
      "latitude": 55.7558,
      "longitude": 37.6173
    },
    "network": {
      "asn": "AS12345",
      "isp": "Bulletproof Hosting Ltd",
      "org": "Anonymous VPN Provider",
      "is_datacenter": true,
      "is_proxy": true,
      "is_vpn": true,
      "is_tor": false
    }
  },

  "tls_fingerprint": {
    "ja3": "e7d705a3286e19ea42f587b344ee6865",
    "ja4": "t13d1516h2_8daaf6152771_b0da82dd1658",
    "ja3_match": "python-requests/2.28",
    "user_agent_mismatch": true
  },

  "attack_signatures": [
    {
      "type": "sql_injection",
      "severity": "critical",
      "pattern": "OR statement in authentication field",
      "payload_location": "body.username"
    },
    {
      "type": "auth_probe",
      "severity": "high",
      "pattern": "Admin endpoint probe"
    }
  ],

  "mitre_attack": {
    "tactics": [
      {
        "id": "TA0006",
        "name": "Credential Access",
        "url": "https://attack.mitre.org/tactics/TA0006/"
      },
      {
        "id": "TA0002",
        "name": "Execution",
        "url": "https://attack.mitre.org/tactics/TA0002/"
      }
    ],
    "techniques": [
      {
        "id": "T1110.001",
        "name": "Brute Force: Password Guessing",
        "url": "https://attack.mitre.org/techniques/T1110/001/",
        "tactic": "TA0006"
      },
      {
        "id": "T1203",
        "name": "Exploitation for Client Execution",
        "url": "https://attack.mitre.org/techniques/T1203/",
        "tactic": "TA0002"
      }
    ]
  },

  "threat_assessment": {
    "score": 94,
    "confidence": 98,
    "verdict": "block",
    "risk_factors": [
      "SQL injection attempt",
      "TLS fingerprint indicates bot tool",
      "User agent mismatch",
      "Known malicious hosting provider",
      "Admin endpoint targeting"
    ]
  },

  "response_actions": {
    "blocked": true,
    "added_to_blocklist": true,
    "webhook_triggered": true,
    "email_sent": false
  }
}

Benefits of ATT&CK Mapping for Security Operations

Unified Threat Language with SOC Teams

When your honeypot says “T1110.004 detected,” every analyst immediately understands you caught a credential stuffing attack. No translation needed. No context switching. The same terminology appears in your SIEM, EDR, threat intelligence feeds, and incident reports.

This shared vocabulary accelerates:

  • Triage speed: Analysts instantly recognize attack categories
  • Escalation decisions: Clear severity based on technique risk
  • Communication: Consistent terminology across teams and tools

Better SIEM Correlation

ATT&CK technique IDs enable powerful correlation rules:

Splunk Example: Multi-Stage Attack Detection

index=* mitre_attack=T1595*
| append [search index=* mitre_attack=T1110*]
| append [search index=* mitre_attack=T1078*]
| stats values(mitre_attack) as techniques, dc(index) as source_count by src_ip
| where source_count > 1
| eval attack_stage=case(
    match(techniques, "T1595"), "Reconnaissance",
    match(techniques, "T1110"), "Credential Access",
    match(techniques, "T1078"), "Initial Access",
    true(), "Unknown"
)
| sort -source_count

This query identifies attackers observed across multiple data sources performing different ATT&CK techniques. The same adversary scanning your site (WebDecoy T1595), attempting credential stuffing (WebDecoy T1110), and successfully authenticating (Identity Provider T1078) surfaces as a correlated attack chain.
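
As an added example that is not part of the original guide, the following Python reproduces the query's logic over a handful of constructed events from two normalised sources, and goes one step further than the SPL by recording the order in which the stages were observed for each source IP. The event field names and the idp source label are assumptions of this example.

```python
from collections import defaultdict

# Stage labels in the order the Splunk query's case() tests them.
STAGES = [
    ("T1595", "Reconnaissance"),
    ("T1110", "Credential Access"),
    ("T1078", "Initial Access"),
]

# Constructed events normalised from two sources (not real data): the decoy
# platform tags T1595/T1110, the identity provider tags T1078 on a successful
# login. Timestamps are ISO-8601 UTC so they sort correctly as strings.
EVENTS = [
    {"ts": "2024-11-28T14:00:12Z", "source": "webdecoy", "src_ip": "203.0.113.7", "technique": "T1595.002"},
    {"ts": "2024-11-28T14:04:51Z", "source": "webdecoy", "src_ip": "203.0.113.7", "technique": "T1110.004"},
    {"ts": "2024-11-28T14:09:03Z", "source": "idp",      "src_ip": "203.0.113.7", "technique": "T1078"},
    {"ts": "2024-11-28T14:10:40Z", "source": "webdecoy", "src_ip": "198.51.100.9", "technique": "T1595"},
    {"ts": "2024-11-28T14:12:15Z", "source": "webdecoy", "src_ip": "198.51.100.9", "technique": "T1110.001"},
]


def stage_of(technique_id):
    """Equivalent of the query's case(): the first matching prefix wins."""
    for prefix, name in STAGES:
        if technique_id.startswith(prefix):
            return name
    return "Unknown"


def correlate(events, min_sources=2):
    """Group events by src_ip, keep IPs seen by at least min_sources distinct
    sources (the query's dc(index) > 1), and record the technique set plus
    the stages in the order they were first observed."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["src_ip"]].append(e)

    chains = []
    for ip, evs in by_ip.items():
        sources = {e["source"] for e in evs}
        if len(sources) < min_sources:
            continue
        stages = []
        for e in sorted(evs, key=lambda e: e["ts"]):
            stage = stage_of(e["technique"])
            if stage not in stages:
                stages.append(stage)
        chains.append({
            "src_ip": ip,
            "source_count": len(sources),
            "techniques": sorted({e["technique"] for e in evs}),
            "stages": stages,
            # True when recon preceded the credential attack, which preceded
            # the valid login: the chain the paragraph above describes.
            "ordered_chain": stages == [name for _, name in STAGES],
        })
    chains.sort(key=lambda c: -c["source_count"])
    return chains


if __name__ == "__main__":
    for chain in correlate(EVENTS):
        print(chain)
```

The second IP never appears in the output because, like the query's `where source_count > 1`, the function only reports sources seen by more than one data source; a decoy-only sequence is still worth alerting on, but it is not the cross-source chain this rule is looking for.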

Elastic Security Detection Rule:

{
  "name": "WebDecoy: Reconnaissance Leading to Credential Attack",
  "description": "Attacker performed reconnaissance followed by credential access attempts",
  "risk_score": 85,
  "severity": "high",
  "query": "mitre_attack.techniques.id:T1595* and mitre_attack.techniques.id:T1110*",
  "filters": [
    {"range": {"@timestamp": {"gte": "now-1h"}}}
  ],
  "threshold": {
    "field": "source.ip",
    "value": 1
  }
}

Compliance and Reporting

Security frameworks increasingly require demonstrating detection coverage. ATT&CK mapping enables:

Coverage Reports: Automatically generate reports showing which ATT&CK techniques your deception layer detects.

Gap Analysis: Identify techniques not covered by honeypots and plan additional decoy deployments.

Audit Evidence: Provide auditors with framework-aligned detection logs for SOC 2, PCI-DSS, and other compliance requirements.

Threat Intelligence Enrichment

ATT&CK-tagged detections feed threat intelligence platforms:

  • TIP Integration: Export technique-tagged IOCs to MISP, OpenCTI, or commercial TIPs
  • Actor Attribution: Correlate observed techniques with known threat actor TTPs
  • Trend Analysis: Track which techniques adversaries use against your organization over time

Integration with Security Tools

SIEM Integration with ATT&CK Tags

WebDecoy’s native SIEM integrations include ATT&CK data in every event:

Splunk HEC Event:

{
  "time": 1732803138,
  "source": "webdecoy:bot_detection",
  "sourcetype": "_json",
  "event": {
    "mitre_attack_tactics": ["TA0006", "TA0002"],
    "mitre_attack_techniques": ["T1110.001", "T1203"],
    "mitre_attack_technique_names": ["Brute Force: Password Guessing", "Exploitation for Client Execution"]
  }
}

Elasticsearch Document:

{
  "@timestamp": "2024-11-28T14:32:18.445Z",
  "mitre_attack": {
    "tactics": ["TA0006", "TA0002"],
    "techniques": ["T1110.001", "T1203"],
    "technique_names": ["Brute Force: Password Guessing", "Exploitation for Client Execution"]
  }
}

CEF Format:

CEF:0|WebDecoy|BotDetection|1.0|BOT_DETECTED|Bot Detection Event|8|cs4Label=mitre_attack cs4=T1110.001,T1203 cs5Label=mitre_tactics cs5=TA0006,TA0002
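
The CEF line above leaves out a detail that matters once real payloads flow through it: header fields and extension values need escaping, and a value such as the SQL-injection username from the webhook payload contains "=" characters that a CEF parser would otherwise read as key/value separators. The added Python below (example code, not WebDecoy's exporter) builds the same kind of line from a constructed subset of the webhook payload and applies the CEF escaping rules; the cs1 mapping for attack signatures and the msg field are choices of this example.

```python
# Constructed subset of the webhook payload shown earlier (not real data),
# reduced to the fields this encoder reads.
EVENT = {
    "request": {
        "method": "POST",
        "path": "/api/admin/authenticate",
        "body": {"username": "admin' OR '1'='1", "password": "password123"},
    },
    "source": {"ip": "203.0.113.42"},
    "attack_signatures": [{"type": "sql_injection", "severity": "critical"}],
    "mitre_attack": {
        "tactics": [{"id": "TA0006"}, {"id": "TA0002"}],
        "techniques": [{"id": "T1110.001"}, {"id": "T1203"}],
    },
}


def escape_header(value):
    """CEF header fields: backslash and pipe must be escaped."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def escape_extension(value):
    """CEF extension values: backslash and equals must be escaped, and line
    breaks become a literal backslash-n so the event stays on one line."""
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r\n", "\\n").replace("\r", "\\n").replace("\n", "\\n"))


def to_cef(event, severity=8):
    """Serialise one enriched detection as a single CEF:0 line, using the
    same header values and cs4/cs5 custom strings as the example above."""
    header = ["WebDecoy", "BotDetection", "1.0", "BOT_DETECTED",
              "Bot Detection Event", str(severity)]
    extension = {
        "src": event["source"]["ip"],
        "requestMethod": event["request"]["method"],
        "request": event["request"]["path"],
        "cs1Label": "attack_signature",
        "cs1": ",".join(s["type"] for s in event["attack_signatures"]),
        "cs4Label": "mitre_attack",
        "cs4": ",".join(t["id"] for t in event["mitre_attack"]["techniques"]),
        "cs5Label": "mitre_tactics",
        "cs5": ",".join(t["id"] for t in event["mitre_attack"]["tactics"]),
        # The injected username contains '=' and must be escaped so the
        # receiving SIEM does not split it into a bogus key/value pair.
        "msg": "username=" + event["request"]["body"]["username"],
    }
    return ("CEF:0|" + "|".join(escape_header(h) for h in header) + "|"
            + " ".join(f"{k}={escape_extension(v)}" for k, v in extension.items()))


if __name__ == "__main__":
    print(to_cef(EVENT))
```

Validate the output against whatever the receiving SIEM actually parses, not only against the specification: some collectors also expect a syslog header in front of the `CEF:0` prefix, and that header is not part of the escaped payload.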

SOAR Playbook Triggers

ATT&CK technique IDs drive automated response:

# Splunk SOAR Playbook
import phantom.rules as phantom


def on_webdecoy_detection(container, **kwargs):
    """Route a WebDecoy detection by the ATT&CK technique IDs on its artifact.

    block_ip, isolate_endpoint, create_incident and notify_soc are
    illustrative wrappers for the playbook's action blocks; they are not
    functions of phantom.rules itself.
    """
    techniques = container['artifact']['mitre_attack']['techniques']
    source_ip = container['artifact']['source']['ip']

    # High-priority response for execution techniques
    if any(t.startswith('T1059') or t.startswith('T1203') for t in techniques):
        phantom.block_ip(source_ip, duration='24h')
        phantom.isolate_endpoint(source_ip)
        phantom.create_incident(severity='critical')

    # Standard response for credential attacks
    elif any(t.startswith('T1110') for t in techniques):
        phantom.block_ip(source_ip, duration='4h')
        phantom.notify_soc(channel='#credential-attacks')

ATT&CK Navigator Integration

Export WebDecoy detection coverage to ATT&CK Navigator for visualization:

{
  "name": "WebDecoy Detection Coverage",
  "versions": {
    "attack": "14",
    "navigator": "4.9.1"
  },
  "domain": "enterprise-attack",
  "techniques": [
    {"techniqueID": "T1595", "score": 100, "comment": "Detected via Link Decoys"},
    {"techniqueID": "T1594", "score": 100, "comment": "Detected via Link Decoys"},
    {"techniqueID": "T1110", "score": 100, "comment": "Detected via Endpoint Decoys"},
    {"techniqueID": "T1203", "score": 100, "comment": "Detected via Endpoint Decoys"},
    {"techniqueID": "T1059", "score": 100, "comment": "Detected via Endpoint Decoys"},
    {"techniqueID": "T1083", "score": 100, "comment": "Detected via Endpoint Decoys"}
  ]
}

Implementing ATT&CK-Aligned Deception

Strategic Decoy Placement by Tactic

Deploy decoys strategically to maximize ATT&CK coverage:

Reconnaissance Coverage:

  • Hidden links in HTML comments, robots.txt mentions, sitemap breadcrumbs
  • Fake API documentation endpoints
  • Decoy JavaScript files with embedded endpoint references

Credential Access Coverage:

  • Fake login endpoints at predictable paths (/api/auth/login, /admin/signin)
  • Decoy OAuth endpoints (/oauth/token, /api/v1/authenticate)
  • Password reset honeypots (/api/password/reset)

Execution Coverage:

  • File upload decoys for injection testing
  • Import/export endpoints expecting structured data
  • Admin command endpoints (/api/admin/execute, /api/debug/run)

Discovery Coverage:

  • Fake directory listings
  • Decoy GraphQL endpoints with introspection enabled
  • Admin panel honeypots with enumerable user lists

Continuous Coverage Improvement

Use ATT&CK mapping to identify and close detection gaps:

  1. Export current coverage to ATT&CK Navigator
  2. Identify uncovered techniques relevant to your threat model
  3. Deploy additional decoys targeting those techniques
  4. Validate detection by simulating attacks
  5. Update coverage map and iterate
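
An added Python example (not WebDecoy's export code) that carries out steps 1 and 2 of this loop: it builds a Navigator layer from constructed detection events, scoring each technique by how often it was observed rather than the flat 100 used in the layer above, and then lists the techniques from this guide's mapping table that no decoy has fired on yet. The event shape and the gradient colours are assumptions of this example.

```python
import json
from collections import Counter, defaultdict

# Every technique ID in the detection-to-ATT&CK mapping table of this guide;
# this is the catalogue the gap analysis compares observed detections against.
MAPPED_TECHNIQUES = {
    "T1595.002", "T1592", "T1594", "T1595.003", "T1110.004", "T1110.001",
    "T1110.003", "T1203", "T1059", "T1210", "T1189", "T1083", "T1087",
    "T1213", "T1518", "T1068",
}

# Constructed detection events (not real data), reduced to the fields used here.
EVENTS = [
    {"decoy_type": "link", "mitre_attack": {"techniques": ["T1595.002"]}},
    {"decoy_type": "endpoint", "mitre_attack": {"techniques": ["T1110.004"]}},
    {"decoy_type": "endpoint", "mitre_attack": {"techniques": ["T1110.004"]}},
    {"decoy_type": "endpoint", "mitre_attack": {"techniques": ["T1083"]}},
]


def build_layer(events, name="WebDecoy Detection Coverage"):
    """Build an ATT&CK Navigator layer where each technique's score is its
    detection count and the comment records which decoy types produced it."""
    counts = Counter()
    decoys = defaultdict(set)
    for e in events:
        for tid in e["mitre_attack"]["techniques"]:
            counts[tid] += 1
            decoys[tid].add(e["decoy_type"])
    max_score = max(counts.values(), default=1)
    return {
        "name": name,
        "versions": {"attack": "14", "navigator": "4.9.1"},
        "domain": "enterprise-attack",
        # Scale the colour gradient to the busiest technique instead of 0-100.
        "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": max_score},
        "techniques": [
            {"techniqueID": tid, "score": n,
             "comment": f"{n} detection(s) via {', '.join(sorted(decoys[tid]))} decoys"}
            for tid, n in sorted(counts.items())
        ],
    }


def coverage_gaps(layer, catalogue=MAPPED_TECHNIQUES):
    """Techniques the deception layer is designed to catch but has not yet
    observed; candidates for additional decoys (step 3 of the loop)."""
    seen = {t["techniqueID"] for t in layer["techniques"]}
    return sorted(catalogue - seen)


if __name__ == "__main__":
    layer = build_layer(EVENTS)
    print(json.dumps(layer, indent=2))
    print("Uncovered techniques:", coverage_gaps(layer))
```

A gap in this list is a prompt, not an automatic finding: a technique that never fires may be one your decoys do not cover, or one no adversary has tried against you in the period; step 4's simulated attacks are what separate the two cases.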

Key Takeaways

MITRE ATT&CK mapping transforms honeypot detections from isolated alerts into integrated threat intelligence. By tagging every detection with standardized technique IDs, WebDecoy enables:

  • Immediate analyst understanding through shared vocabulary
  • Powerful SIEM correlation across security data sources
  • Automated SOAR response triggered by technique severity
  • Framework-aligned compliance reporting with coverage visibility
  • Threat intelligence enrichment for actor attribution and trend analysis

Your deception layer should not exist in a silo. ATT&CK mapping ensures honeypot detections integrate seamlessly with your SOC workflows, correlation rules, and security reporting.


Ready to add ATT&CK-enriched deception to your security stack? Start your free WebDecoy trial and see technique-tagged detections flowing to your SIEM within the hour.

Need help designing ATT&CK-aligned decoy deployments? Contact our security team for architecture guidance tailored to your threat model.
