MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a globally accessible framework that provides a comprehensive knowledge base of adversary tactics, techniques, and procedures (TTPs). Developed by MITRE, ATT&CK is widely used in the cybersecurity industry to describe and categorize adversary behaviors, aiding in threat detection, incident response, and improving cybersecurity defenses. It enables organizations to understand potential attack vectors and develop effective countermeasures.
What is MITRE ATT&CK?
MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a globally accessible framework that provides a comprehensive knowledge base of adversary tactics, techniques, and procedures (TTPs). Developed by MITRE, ATT&CK is widely used in the cybersecurity industry to describe and categorize adversary behaviors, aiding in threat detection, incident response, and improving cybersecurity defenses. It enables organizations to understand potential attack vectors and develop effective countermeasures.
What are the core components of MITRE ATT&CK?
Essentially, ATT&CK focuses on how adversaries breach and infiltrate various types of computer information systems and communication networks. Originally a project to systematically categorize adversary behavior against Microsoft Windows systems, the framework has grown to include multiple systems, such as Linux and macOS, alongside varying environments, such as mobile devices, cloud-based systems, and industrial control systems.
“Tactics, denoting short-term, tactical adversary goals during an attack;
Techniques, describing how adversaries achieve tactical goals;
Sub-techniques, describing more specific means by which adversaries achieve tactical goals at a lower level than techniques; and
Documented adversary usage of techniques, their procedures, and other metadata.”
These tactics and techniques, as well as their relationships to one another, are visualized as the ATT&CK Matrix.
What is the MITRE ATT&CK Matrix?
The MITRE ATT&CK Matrix is a way to visualize phases in the attack chain from entry or “Initial Access” to an outcome or “Impact,” as well as to explore the tactics and techniques associated with each phase. MITRE themselves claim their ATT&CK matrices visualize the relationship between tactics, techniques, and sub-techniques. For example, the ATT&CK Matrix for Enterprise appears so:
Under the column for “Credential Access,” for example, the potential tactics used to achieve this objective are listed, and include “brute force,” “man-in-the-middle,” and “unsecured credentials.” Essentially, this column tries to explain all of the tactics and techniques that an adversary could use to execute an effective account takeover.
How many tactics are covered in the MITRE ATT&CK Matrix?
The MITRE ATT&CK Matrix covers a total of 14 tactics:
Reconnaissance: Techniques used by threat actors to gather information about the target organization or its assets. This includes activities such as researching public sources, scanning for publicly accessible information, identifying relevant individuals or systems, and profiling the target's infrastructure. The purpose of reconnaissance is to gain a better understanding of the target's environment, identify potential vulnerabilities, and tailor subsequent attack techniques accordingly.
Resource Development: Techniques employed by threat actors to create or acquire tools, infrastructure, or other resources necessary for carrying out cyber attacks. This includes activities such as developing custom malware, acquiring exploit code, setting up command and control infrastructure, or establishing phishing infrastructure. Resource development encompasses the creation or acquisition of any components required to execute an attack successfully.
Initial Access: Techniques used to gain initial entry into a target environment. This includes exploiting vulnerabilities, phishing, or leveraging social engineering techniques.
Execution: Methods for running malicious code or commands on a target system. This encompasses techniques such as launching processes, executing scripts, or exploiting software vulnerabilities.
Persistence: Techniques used to maintain a presence in the target environment even after a system reboot or network connection loss. This includes methods like creating autostart entries or establishing backdoors.
Privilege Escalation: Methods to acquire higher levels of access privileges within a system or network. This may involve exploiting misconfigurations, weak permissions, or leveraging vulnerabilities to escalate privileges.
Defense Evasion: Techniques used to bypass or hinder security measures and avoid detection. This includes methods like using encryption, disguising malicious files, or disabling security software.
Credential Access: Methods to obtain valid credentials or authentication tokens. This encompasses techniques such as password cracking, keylogging, or stealing credentials through phishing or brute-force attacks.
Discovery: Techniques used to gather information about the target environment, including network resources, user accounts, and configurations. This includes activities like network scanning, system enumeration, or querying active directory services.
Lateral Movement: Techniques employed to move through a target environment and gain access to additional systems or resources. This includes methods like exploiting trust relationships, remote service exploitation, or using stolen credentials.
Collection: Techniques for gathering data or information from target systems or networks. This may involve techniques such as keylogging, screen capturing, or data extraction from databases.
Command and Control: Techniques used by attackers to communicate with compromised systems or maintain control over them. This includes establishing communication channels, using remote administration tools, or employing covert channels.
Exfiltration: Methods for stealing or transferring data from a compromised system or network. This includes techniques like using command and control channels, encrypting and exfiltrating data, or leveraging covert channels.
Impact: Techniques that result in disruption, modification, or destruction of data, systems, or networks. This may involve activities such as data destruction, tampering with system configurations, or conducting ransomware attacks.
How does MITRE ATT&CK benefit organizations?
MITRE ATT&CK offers several benefits to organizations, including:
Improved threat intelligence: By providing a structured framework of adversary TTPs, ATT&CK helps organizations better understand the tactics and techniques employed by threat actors, enabling them to enhance their threat intelligence capabilities.
Enhanced detection and response: ATT&CK allows organizations to align their security controls and detection mechanisms with specific adversary techniques, improving their ability to detect and respond to sophisticated attacks.
Comprehensive coverage: ATT&CK covers a wide range of attack techniques across multiple platforms and technologies, providing organizations with a holistic view of potential threats across their infrastructure.
Standardized language: ATT&CK introduces a common language for describing adversary behaviors, facilitating better communication and collaboration among security teams, vendors, and the broader cybersecurity community.
How can organizations use MITRE ATT&CK?
Organizations can use MITRE ATT&CK in various ways, such as:
Threat hunting: ATT&CK can serve as a guide for proactive threat hunting activities, allowing organizations to search for specific adversary techniques within their environment.
Security assessments: Organizations can use ATT&CK to evaluate their existing security controls, identify potential gaps, and enhance their defenses accordingly.
Incident response: During incident response, ATT&CK can help incident responders identify and understand the techniques used by adversaries, enabling a more effective and targeted response.
Tool development: ATT&CK can be used by security tool developers to align their products with known adversary behaviors, ensuring better coverage and detection capabilities.
