MITRE ATT&CK is Deprecating a Tactic: 3 Takeaways from the “Defense Evasion” Break-up

MITRE is planning a significant change in v19 of the ATT&CK framework: the deprecation of Defense Evasion (TA0005) in favor of two new tactics, Stealth and Impair Defenses.

This update will have wide ripple effects in the SOC community: many detection tools, playbooks, and reporting workflows mapped to ATT&CK will need adjustment. SOC leaders should begin preparing now by understanding the changes, updating their defenses mapping, and coordinating with vendors and teams to ensure a smooth transition.

In a recent presentation at ATT&CKCon 6.0, Cat Self, the macOS and Linux lead at MITRE, explained how the Defense Evasion deprecation is likely to play out, signaling a significant evolution in the framework. Here are some notes from the talk.

A slide from Cat Self's presentation at ATT&CKCon on the impending deprecation of the Defense Evasion tactic.

Why They’re Killing It: Defense Evasion Was Never a True Goal

With over 45 techniques under it, the Defense Evasion tactic is considered “too big” and has become a “dumping ground” for a wide variety of behaviors. The core reason for this change is that the “Defense Evasion” tactic violates the fundamental definition of a tactic within the ATT&CK framework. According to Self, a tactic is defined by the adversary’s goal, such as achieving initial access or establishing persistence.

In contrast, Defense Evasion is not a final objective. “Defense Evasion is actually something that you’re trying to do as an attacker throughout your entire attack life cycle, right?” said Self in the presentation. This has made it a messy “add-on” to many other techniques, reducing its clarity and usefulness for defenders trying to understand an adversary’s ultimate intent.

What’s Next: Meet “Stealth” and “Impair Defenses”

Defense Evasion is being replaced by two new, more precise tactics that better reflect an adversary’s true goals.

An AI-generated render illustrating the new MITRE ATT&CK Tactic - Stealth in version 18.

Stealth

This tactic’s goal is to hide and stay unnoticed. An adversary employing Stealth techniques is focused on covering their tracks and avoiding detection while they operate. Proposed techniques under the Stealth tactic include:

  • Mutual Exclusion
  • Email Hiding Rules
  • Hidden Users/Files
  • Build Image on Host
  • Impersonation
  • Modify Cloud Compute Infrastructure (all but two)
  • Break Process Trees
  • Unsupported/Unused Cloud Regions
  • Execution Guardrails

An AI-generated render illustrating the upcoming MITRE ATT&CK Tactic - Impair Defenses in version 18.

Impair Defenses

This tactic’s goal is to actively disrupt a defender’s tools and visibility. Rather than just hiding, the adversary is taking direct action to make defenses “no longer effective.” This new tactic will include:

  • All of “Impair Defenses”
  • Conditional Access Policies
  • Code Signing Policy Modification
  • Most of “Indicator Removal”
  • Domain or Tenant Policy Modification
  • Debugger Evasion
  • Credential Access Policies
  • Subvert Trust Controls

The “Rip Off the Band-Aid” Moment: A Massive Cleanup is Coming

Since deprecating a long-standing tactic is already a disruptive change, the ATT&CK team is taking the opportunity to perform a much broader cleanup of the framework. Self explained the logic using a “ripping off the Band-Aid” analogy: it’s better to make all the painful changes at once rather than drag them out over time. Notable changes include:

Technique Re-categorization: Many existing techniques will be re-aligned. For some, like ‘BITS Jobs’, the Defense Evasion tactic will simply be removed, since the primary goal is already captured by Persistence. Other techniques will be moved to more appropriate tactics, such as Execution.

Technique Refinement: Certain complex techniques will be refined for greater precision. ‘Process Injection’ will be split into two distinct techniques: one covering methods that manipulate memory within a process, and ‘Process Redirection’, covering methods that point a process at different code to execute.

Proposed Technique Deletion: There’s also a proposal for the complete deletion of the ‘Modify Registry’ (T1112) technique. An analysis of all 269 associated procedures revealed that modifying the registry is almost always a procedure used to achieve another goal (e.g., Persistence, Execution) rather than a standalone technique.
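As an added illustration, not code from MITRE or from this post, the Python helper below applies the proposed moves described above (the Stealth and Impair Defenses lists plus the cleanup rules) to a detection rule's ATT&CK tags and flags the cases the talk left to analyst judgment. It assumes rules carry tactic names as plain strings; the sample rules are constructed, and the technique IDs other than T1112 are real ATT&CK IDs supplied here rather than taken from the post.

```python
# Added example, not MITRE's or the post's code: apply the proposed v19 moves named
# in the talk to a detection rule's ATT&CK tags, matching on technique name because
# the talk lists most moves by title rather than ID.
from collections import namedtuple

STEALTH = {"Mutual Exclusion", "Email Hiding Rules", "Hidden Users/Files",
           "Build Image on Host", "Impersonation", "Break Process Trees",
           "Unsupported/Unused Cloud Regions", "Execution Guardrails"}
IMPAIR = {"Impair Defenses", "Conditional Access Policies",
          "Code Signing Policy Modification", "Domain or Tenant Policy Modification",
          "Debugger Evasion", "Credential Access Policies", "Subvert Trust Controls"}
# Destination depends on the sub-technique, so these always need an analyst.
PARTIAL = {"Modify Cloud Compute Infrastructure": "Stealth (all but two)",
           "Indicator Removal": "Impair Defenses (most)"}
SPLIT = {"Process Injection"}     # memory manipulation vs. Process Redirection
TAG_DROPPED = {"BITS Jobs"}       # Defense Evasion tag removed; Persistence already covers it
PROPOSED_DELETION = {"T1112"}     # Modify Registry, proposed for deletion

Rule = namedtuple("Rule", "name technique_id technique_name tactics")

def migrate(rule):
    """Return (new_tactics, review_notes) for one rule under the proposed layout."""
    tactics, notes = set(rule.tactics), []
    if "Defense Evasion" not in tactics:
        return tactics, notes                 # untouched by the deprecation
    tactics.discard("Defense Evasion")
    if rule.technique_id in PROPOSED_DELETION:
        notes.append("technique proposed for deletion; re-tag with the goal it serves")
    elif rule.technique_name in STEALTH:
        tactics.add("Stealth")
    elif rule.technique_name in IMPAIR:
        tactics.add("Impair Defenses")
    elif rule.technique_name in PARTIAL:
        notes.append(f"partial move to {PARTIAL[rule.technique_name]}; check sub-technique")
    elif rule.technique_name in SPLIT:
        notes.append("technique to be split; decide which half the rule detects")
    elif rule.technique_name not in TAG_DROPPED:
        notes.append("no destination named in the talk; map manually")
    if not tactics:
        notes.append("no tactic left after the move; assign one before publishing")
    return tactics, notes

# Constructed sample rules, not taken from any real rule set.
SAMPLE = [
    Rule("reg-run-key", "T1112", "Modify Registry", {"Defense Evasion"}),
    Rule("bits-transfer", "T1197", "BITS Jobs", {"Defense Evasion", "Persistence"}),
    Rule("edr-service-stop", "T1562", "Impair Defenses", {"Defense Evasion"}),
    Rule("cloud-snapshot", "T1578", "Modify Cloud Compute Infrastructure", {"Defense Evasion"}),
]
```

Running `migrate` over every rule in a repository gives a quick count of what remaps automatically versus what needs an analyst before the release lands.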

This Isn’t Happening in a Vacuum: A Call for Community Conversation

Adam Pennington, MITRE ATT&CK Lead, issued a strong warning that the next release contains major architectural updates that are “most likely to break your products.” ATT&CK v18 will bring a detections architecture overhaul and will directly affect anyone parsing content related to Data Sources and Data Components.

The MITRE team is handling these massive changes deliberately. Cat Self prefaced the presentation with a direct apology to the community, emphasizing that the decision was not made lightly or with a cavalier attitude toward “breaking things.” They are keenly aware of the significant impact it will have on the community, especially on EDRs and automated tools that have been built around existing technique IDs.

While the technical work of remapping procedures is complete, MITRE is explicitly opening a conversation with the community about how to implement these changes with the least disruption. To facilitate this, they have released a public Navigator layer that helps the community visualize and discuss the proposed changes. The team is stressing that while the change needs to happen, the method of implementation is still open for discussion.

Adapt to Framework Changes Without Rebuilding Your SOC

Framework updates like this one remind us that security operations must be built on flexible foundations. The tools that survive these shifts are the ones that can adapt without requiring teams to stop and rebuild. Morpheus was designed for this reality: it investigates alerts, generates responses, and adjusts to changes in threat intelligence and taxonomies without manual intervention. Book a demo to see how Morpheus ensures operational resilience.
