The MITRE ATT&CK framework provides comprehensive information for organizations looking to defend against cyberthreats and beef up their cybersecurity strategies. The acronym ATT&CK, according to TechTarget, stands for Adversarial Tactics, Techniques, and Common Knowledge.
This framework and knowledgebase are used to evaluate common cyber adversary behavior and categorize the phases of an adversary’s attack lifecycle and preferred platform targets. The ATT&CK framework also provides a taxonomy related to adversary tactics and techniques from both an offensive and defensive viewpoint.
Essentially, ATT&CK focuses on how adversaries breach and infiltrate various types of computer information systems and communication networks. Originally a project to systematically categorize adversary behavior against Microsoft Windows systems, the framework has grown to include multiple systems, such as Linux and macOS, alongside varying environments, such as mobile devices, cloud-based systems, and industrial control systems. According to MITRE themselves, the ATT&CK behavioral model consists of the following core components:
These tactics and techniques, as well as their relationships to one another, are visualized as the ATT&CK Matrix.
The MITRE ATT&CK Matrix is a way to visualize phases in the attack chain from entry or “Initial Access” to an outcome or “Impact,” as well as to explore the tactics and techniques associated with each phase. MITRE themselves claim their ATT&CK matrices visualize the relationship between tactics, techniques, and sub-techniques. For example, the ATT&CK Matrix for Enterprise appears as follows:
Under the column for “Credential Access,” for example, the techniques used to achieve this objective are listed, and include “brute force,” “man-in-the-middle,” and “unsecured credentials.” Essentially, this column collects all of the techniques (and their sub-techniques) that an adversary could use to execute an effective account takeover.
There are 12 tactics/objectives covered by the Enterprise ATT&CK Matrix:
Some of these techniques contain sub-techniques, helping to explain in greater detail how adversaries achieve their objectives.
The MITRE D3FEND framework is built as a companion to ATT&CK and focuses solely on defensive countermeasures and prevention. Funded by the NSA, D3FEND is also presented as a matrix that mirrors ATT&CK to a certain extent. It presents defensive tactics and techniques that correspond to common MITRE ATT&CK tactics, including:
Each of the defensive techniques found in the D3FEND matrix contains a summary and cross-references the specific ATT&CK-based tactics and techniques it is meant to defend against.
There are three ATT&CK matrices in total:
The MITRE ATT&CK for Enterprise Matrix includes a subsection called the MITRE ATT&CK for Cloud Matrix. While adversary behavior that affects Windows, Linux, and macOS systems usually involves malware and attacks on the target organization’s systems through vectors that said organization controls, this isn’t always the case for third-party cloud systems and other enterprise cloud environments.
The MITRE ATT&CK for Cloud Matrix differs because an adversary’s tactics in the cloud environment differ. The targeted platforms might include Amazon Web Services, Office 365, or Azure, for example. Attackers will generally work within the cloud service provider’s environment to achieve their objectives, using techniques specific to that environment to achieve many of the same objectives covered in the Enterprise Matrix. Organizations at the enterprise level would do well to include a threat detection and response solution for hybrid and cloud environments if they’re working with third-party CSP or SaaS providers.
The MITRE Corporation (pronounced “might-er”) is a not-for-profit with dual headquarters in the U.S. — one in Bedford, Massachusetts, and the other in McLean, Virginia. Founded in 1958, MITRE has become a powerhouse in advancing national and public security in the cyber realm.
In a Medium article on the philosophy of ATT&CK, Blake Strom mentions that “the space of possible techniques that adversaries can use is huge… scaling that down and focusing in on empirically documented threat activity happening in the wild is a useful way to prioritize what to tackle first, and that serves as the core influence driving the types of information within ATT&CK.”
As such, it’s easy to see how the ATT&CK and D3FEND frameworks were developed in a way very similar to how traditional antivirus software is maintained: by drawing upon information sources such as threat intelligence reports, conference presentations, webinars, social media, and blogs, among others. The most common adversarial tactics and techniques are then prioritized and documented on the ATT&CK side, while the corresponding countermeasures are catalogued on the D3FEND side.
Organizations can use the ATT&CK framework to inform their own cybersecurity operations. MITRE presents multiple organizational use cases, including:
ATT&CK, while effective on its own, can be even more useful alongside the D3FEND framework.
ATT&CK and D3FEND are alike in that they aim to provide a standard vocabulary for cybersecurity tactics, techniques, and countermeasures. The ability to understand threats and countermeasures in detail helps decision-makers keep abreast of the most pertinent threats in today’s cyber landscape, identify strategic weak points in their current systems, and compare the risks of a breach to the costs of countermeasure deployment.
Let’s take one of the biggest and most financially devastating threats from the last few years: ransomware. In the MITRE ATT&CK framework, the technique behind it is known as “Data Encrypted for Impact,” denoted by the ID T1486. Threat intelligence reports would have already alerted many organizations to this cyberthreat, and they might turn to countermeasures to prevent this technique. These D3FEND countermeasures might include organization-wide “File Analysis,” denoted by the ID D3-FA, or “Executable Denylisting,” denoted by the ID D3-EDL.
Once these security measures are put in place, an organization can then engage in red teaming to determine how well the countermeasures hold up. After assessing how well their systems work, they can engineer new, more effective solutions, contributing to a more secure world for both clients and consumers alike.
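As an added example (not code from the article, from MITRE, or from any D3FEND tooling), the following Python script shows in working code both the matrix structure described earlier (tactic columns holding techniques, with sub-techniques nested under their parent) and the ransomware mapping from the previous paragraphs (technique ID to D3FEND countermeasure IDs). It assumes the shape of the STIX 2.1 JSON bundles in which MITRE distributes ATT&CK, but the bundle below is hand-constructed for the example, and the D3FEND mapping is a constructed dictionary carrying the article's T1486 row (D3-FA, D3-EDL) plus a placeholder row; the script does not query D3FEND. It also handles two things a loader for the real data has to deal with: revoked or deprecated objects that remain in the export, and sub-techniques whose countermeasures are recorded only at the parent-technique level.

```python
"""Group ATT&CK techniques into matrix columns and map them to D3FEND countermeasures."""
import json
from collections import defaultdict

# Constructed sample bundle in the shape of MITRE's ATT&CK STIX 2.1 export:
# "attack-pattern" objects carrying a "mitre-attack" external_id and
# kill_chain_phases naming the tactic. The technique IDs are real ATT&CK IDs
# (T1486 from the article); the bundle content itself is hand-built here.
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "objects": [
    {"type": "attack-pattern", "name": "Data Encrypted for Impact",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1486"}],
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "impact"}]},
    {"type": "attack-pattern", "name": "Brute Force",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1110"}],
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "credential-access"}]},
    {"type": "attack-pattern", "name": "Password Spraying", "x_mitre_is_subtechnique": True,
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1110.003"}],
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "credential-access"}]},
    {"type": "attack-pattern", "name": "Unsecured Credentials",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1552"}],
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "credential-access"}]},
    # Revoked entries stay in real exports; a loader must skip them. T0000 is a placeholder ID.
    {"type": "attack-pattern", "name": "Old Technique (placeholder)", "revoked": True,
     "external_references": [{"source_name": "mitre-attack", "external_id": "T0000"}],
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "impact"}]},
    # Non-technique objects (tactics, relationships, ...) are also present and ignored here.
    {"type": "x-mitre-tactic", "name": "Impact", "x_mitre_shortname": "impact"},
]})

# Constructed technique -> D3FEND countermeasure mapping. The T1486 row uses the
# IDs named in the article; the T1110 row is a placeholder, not a real D3FEND ID.
D3FEND_MAP = {
    "T1486": ["D3-FA", "D3-EDL"],
    "T1110": ["D3-PLACEHOLDER"],
}


def attack_id(obj):
    """Return the ATT&CK external ID (e.g. 'T1486') of a STIX object, or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def load_techniques(bundle_json):
    """Parse a STIX bundle into {technique_id: {name, tactics, is_sub}},
    dropping revoked or deprecated objects and anything that is not a technique."""
    techniques = {}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "attack-pattern":
            continue
        if obj.get("revoked") or obj.get("x_mitre_deprecated"):
            continue
        tid = attack_id(obj)
        if not tid:
            continue
        tactics = [p["phase_name"] for p in obj.get("kill_chain_phases", [])
                   if p.get("kill_chain_name") == "mitre-attack"]
        techniques[tid] = {"name": obj["name"], "tactics": tactics,
                           "is_sub": bool(obj.get("x_mitre_is_subtechnique"))}
    return techniques


def matrix_columns(techniques):
    """Group techniques by tactic the way the ATT&CK Matrix columns do:
    {tactic: {parent_id: [sub_technique_ids]}}. Sub-techniques nest under their parent."""
    columns = defaultdict(lambda: defaultdict(list))
    for tid, info in techniques.items():
        parent = tid.split(".")[0]
        for tactic in info["tactics"]:
            if info["is_sub"]:
                columns[tactic][parent].append(tid)
            else:
                columns[tactic].setdefault(parent, [])
    return {tactic: dict(parents) for tactic, parents in columns.items()}


def countermeasures_for(technique_id, mapping=D3FEND_MAP):
    """Look up D3FEND countermeasures for a technique; a sub-technique with no
    mapping of its own falls back to its parent technique's mapping."""
    if technique_id in mapping:
        return list(mapping[technique_id])
    parent = technique_id.split(".")[0]
    if parent != technique_id and parent in mapping:
        return list(mapping[parent])
    return []


def coverage_report(observed_ids, techniques, mapping=D3FEND_MAP):
    """For each technique ID reported by threat intelligence, give its tactic(s)
    and countermeasures, flagging IDs that are unknown or have nothing mapped."""
    report = []
    for tid in observed_ids:
        info = techniques.get(tid)
        cms = countermeasures_for(tid, mapping)
        status = "unknown" if info is None else ("unmapped" if not cms else "covered")
        report.append({"id": tid, "name": info["name"] if info else None,
                       "tactics": info["tactics"] if info else [],
                       "countermeasures": cms, "status": status})
    return report


if __name__ == "__main__":
    techs = load_techniques(SAMPLE_BUNDLE)
    for tactic, parents in matrix_columns(techs).items():
        print(tactic, parents)
    for row in coverage_report(["T1486", "T1110.003", "T1552", "T0000"], techs):
        print(row)
```

The "unmapped" status is the useful output for the decision-makers described above: a technique that threat intelligence says is in use but for which no countermeasure has been recorded is exactly the strategic weak point the article says the two frameworks help identify, and it is the natural input to the red-team exercise that follows.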