MITRE ATT&CK framework

The ATT&CK in MITRE ATT&CK stands for Adversarial Tactics, Techniques & Common Knowledge.

MITRE ATT&CK catalogs cybercriminal tactics, techniques and procedures (TTPs) through each phase of the cyberattack lifecycle—from an attacker's initial information gathering and planning behaviors, through to the ultimate execution of the attack. The information in MITRE ATT&CK can help security teams

• accurately simulate cyberattacks to test cyber defenses;

• create more effective security policies, security controls and incident response plans; and

• choose and configure security technologies to better detect, prevent and mitigate cyberthreats.

In addition, the MITRE ATT&CK taxonomy of adversary tactics, techniques and subtechniques (see below) establishes a common language that security professionals can use to share information about cyberthreats and collaborate on threat prevention.

MITRE ATT&CK isn’t software per se. But many enterprise security software solutions—such as user and entity behavior analytics (UEBA), extended detection and response (XDR), security orchestration, automation and response (SOAR) and security information and event management (SIEM)—can integrate MITRE ATT&CK’s threat information to update and enhance their threat detection and response capabilities.

MITRE ATT&CK was developed by MITRE Corporation, a non-profit, and is maintained by MITRE with input from a global community of cybersecurity professionals.

MITRE ATT&CK organizes adversary tactics and techniques (and subtechniques) into matrices. Each matrix includes tactics and techniques corresponding to attacks on specific domains:

Each MITRE ATT&CK tactic represents a specific adversarial goal—something the attacker wants to accomplish at a given time. ATT&CK tactics correspond closely to stages or phases of a cyberattack. For example, ATT&CK tactics covered by the Enterprise Matrix include:

• Reconnaissance: Gathering information for planning an attack.

• Resource development: Establishing resources to support attack operations.

• Initial access: Penetrating the target system or network.

• Execution: Running malware or malicious code on the compromised system.

• Persistence: Maintaining access to the compromised system (in the event of shutdown or redonfigurations).

• Privilege escalation: Gaining higher-level access or permissions (e.g., moving from user to administrator access).

• Defense evasion: Avoiding detection once inside a system.

• Credential access: Stealing usernames, passwords and other logon credentials.

• Discovery: Researching the target environment to learn what resources can be accessed or controlled to support a planned attack.

• Lateral movement: Gaining access to additional resources within the system.

• Collection: Gathering data related to the attack goal (e.g., data to encrypt and/or exfiltrate as part of a ransomware attack).

• Command and control: Establishing covert/undetectable communications that enable the attacker to control the system.

• Exfiltration: Stealing data from the system.

• Impact: Interrupting, corrupting, disabling or destroying data or business processes.

Again, tactics and techniques vary from matrix to matrix (and submatrix). For example, the Mobile Matrix does not include Reconnaissance and Resource Development tactics, but includes other tactics—Network Effects and Remote Service Effects—not found in the Enterprise Matrix.

If MITRE ATT&CK tactics represent what attackers want to accomplish, MITRE ATT&CK techniques represent how they try to accomplish it. For example, drive-by compromise and spear phishing are types of initial access techniques; using fileless storage is an example of a defense evasion technique.

The knowledge base provides the following information for each technique:

• A description and overview of the technique.

• Any known subtechniques associated with the technique. For example, subtechniques for phishing include spear phishing attachment, spear phishing link and spear phishing via service. At this writing, MITRE ATT&CK documents 196 individual techniques and 411 subtechniques.

• Examples of related procedures. These can include ways that attack groups use the technique, or types of malicious software used to execute the technique.

• Mitigations—security practices (e.g., user training) or software (e.g. antivirus software, intrusion prevention systems) that can block or address the technique.

• Detection methods. Typically these are log data or system data sources that security teams or security software can monitor for evidence of the technique.

MITRE ATT&CK offers several other ways to view and work with the knowledge base. Instead of researching specific tactics and techniques via the matrices, users can research based on the following:

• Data Sources—an index of all the log data or system data sources and data components that security teams or security software can monitor for evidence of attempted attack techniques.

• Mitigations—an index of all mitigations referenced in the knowledge base. Users can drill down to learn which techniques a particular mitigation addresses.

• Groups—an index of adversary groups and the attack tactics and techniques they employ. At this writing, MITRE ATT&CK documented 138 groups.

• Software—an index of the malicious software or services (740 at this writing) that attackers may use to execute particular techniques.

• Campaigns—essentially a database of cyberattack or cyberespionage campaigns, including information about groups who launched them and any techniques and software employed.

MITRE ATT&CK Navigator is an open-source tool for searching, filtering, annotating and presenting data from the knowledge base. Security teams can use MITRE ATT&CK Navigator to quickly identify and compare tactics and techniques used by particular threat groups, identify software used to execute a specific technique, match mitigations to specific techniques and more.

ATT&CK Navigator can export results in JSON, Excel or SVG graphics format (for presentations). Security teams can use it online (hosted on GitHub) or download it to a local computer.

MITRE ATT&CK supports a number of activities and technologies that organizations use to optimize their security operations and improve their overall security posture.

Alert triage, threat detection and response. The information in MITRE ATT&CK is extremely valuable for sifting through and prioritizing the deluge of security-related alerts generated by software and devices on a typical enterprise network. In fact, many enterprise security solutions—including SIEM (security information and event management), UEBA (user and entity behavior analytics), EDR (endpoint detection and response) and XDR (extended detection and response)—can ingest information from MITRE ATT&CK and use it to triage alerts, enrich cyber threat intelligence from other sources and trigger incident response playbooks or automated threat responses.

Threat hunting. Threat hunting is a proactive security exercise in which security analysts search their network for threats that have slipped past existing cybersecurity measures. MITRE ATT&CK information on adversary tactics, techniques and procedures provide literally hundreds of points for starting or continuing threat hunts.

Red teaming/adversary emulation. Security teams can use the information in MITRE ATT&CK to simulate real-world cyberattacks. These simulations can test the effectiveness of the security policies, practices and solutions they have in place, and help identify vulnerabilities that need to be addressed.

Security gap analysis and security operations center (SOC) maturity assessments. Security gap analysis compares an organization’s existing cybersecurity practices and technologies against current industry standard. An SOC maturity assessment evaluates the maturity of an organization’s SOC based on its ability to consistently block or mitigate cyberthreats or cyberattacks with minimal or no manual intervention. In each case, MITRE ATT&CK data can help organizations conduct these assessments using the latest data on cyberthreat tactics, techniques and mitigations.

Like MITRE ATT&CK, Lockheed Martin’s Cyber Kill Chain models cyberattacks as a series of adversarial tactics. Some of the tactics even have the same names. But that’s where the similarity ends.

Cyber Kill Chain is more of a descriptive framework than a knowledge base. It’s much less detailed than MITRE ATT&CK. It covers just seven (7) tactics—Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, Actions on Objectives—compared with MITRE ATT&CK’s 18 (including Mobile- and ICS-only tactics). It doesn’t provide discrete models for attacks on Mobile or ICS platforms. And it doesn’t catalog anything approximating the level of detailed information on tactics, techniques and procedures in MITRE ATT&CK.

Another important distinction: Cyber Kill Chain is based on the assumption that any cyberattack must accomplish adversarial tactics in sequence to succeed, and that blocking any one of the tactics will ‘break the kill chain’ and thwart the adversary from achieving it’s ultimate goal. MITRE ATT&CK does not take this approach; it focuses on helping security professionals identify and block or mitigate individual adversarial tactics and techniques in whatever context they are encountered.