The MITRE ATT&CK Framework

The MITRE ATT&CK framework is a curated knowledge base that focuses on cyber adversary tactics and techniques throughout the entire attack lifecycle. It serves as a valuable tool for threat hunters, defenders, and red teams to classify attacks, discern attack attribution and objectives, and assess an organization’s risk. By adopting the adversary’s perspective, the framework allows security operations teams to deduce motivations behind adversary actions and understand the relationship between those actions and various defense mechanisms. This approach aids organizations in identifying security gaps and prioritizing mitigations based on the assessed risk, ultimately contributing to the enhancement of overall security postures.

What Are Tactics in the MITRE ATT&CK Framework?

Tactics are the objectives a malicious actor wants to achieve. The MITRE ATT&CK Framework identifies 14 tactics:

  1. Reconnaissance: gather information to use in future operations;
  2. Resource Development: establish resources to use in future attacks;
  3. Initial Access: gain a basic foothold in a network;
  4. Execution: run malicious code;
  5. Persistence: maintain access;
  6. Privilege Escalation: gain higher-level permissions;
  7. Defense Evasion: avoid detection;
  8. Credential Access: steal account names and passwords;
  9. Discovery: gain an understanding of the environment;
  10. Lateral Movement: move through the environment;
  11. Collection: gather data of interest from within the environment;
  12. Command and Control (C2): communicate with compromised systems;
  13. Exfiltration: steal data;
  14. Impact: disrupt availability or integrity.

Techniques: a specific way an adversary might try to achieve a tactic. Many techniques are listed under each tactic, because adversaries use different tricks depending on things like their skills, how the target systems are set up, and what tools they have access to. Each technique page gives a rundown of how it works, the platforms it applies to, which threat groups are known to use it, mitigations and detections, and examples of it being used in the real world. Sub-techniques describe adversary behaviour at a more granular level than the technique they belong to, while still aiming at the same goal.

Procedures: step-by-step descriptions of how a specific adversary actually carried out a technique or sub-technique. In the ATT&CK framework, procedures are the real-world instances of techniques observed in incidents, and they are listed in the “Procedure Examples” section of each technique page.

(img1) You can see at a glance how comprehensive the framework is.

Some Pros

Here is a list of the reasons why the MITRE ATT&CK Framework is used:

  1. Comprehensive Coverage: The framework provides a comprehensive and detailed mapping of tactics, techniques, and procedures used by adversaries across the entire cyber attack lifecycle. This comprehensive coverage helps organizations understand various aspects of potential threats;
  2. Vocabulary: It establishes a common language and framework for discussing and categorizing cyber threats. This standardization improves communication and collaboration within and across organizations, allowing security professionals to share information more effectively. This also improves communication between red and blue teams;
  3. Prioritization: Organizations can use the framework to identify security gaps and prioritize mitigation efforts based on the assessed risk. This allows for a more effective allocation of resources and efforts to address the most critical vulnerabilities;
  4. Collaboration: It promotes collaboration between red teams and blue teams. Red teams can use ATT&CK to model realistic attack scenarios, while blue teams can leverage it to enhance detection and defense mechanisms;
  5. Continuous Updates: MITRE regularly updates the framework to reflect the latest tactics and techniques used by adversaries. This ensures that the framework remains relevant in the face of evolving cyber threats;
  6. Real-world Examples: The inclusion of real-world examples in the framework provides practical illustrations of how specific techniques have been observed in actual cyber incidents. This helps organizations contextualize the information and understand its relevance;
  7. Vendor-Agnostic: MITRE ATT&CK is vendor-agnostic, meaning it can be applied across various security solutions and technologies. This flexibility allows organizations to integrate the framework into their existing security infrastructure.
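The tactic → technique → sub-technique hierarchy described above, and the "identify gaps and prioritize" use in point 3, can both be shown with a small coverage check. This is an added example, not MITRE's code or anything from the framework itself: it takes an inventory of detection rules tagged with ATT&CK IDs the way Sigma rules tag them (`attack.t1059.001`), works out which techniques are covered, partially covered (only a sub-technique is detected), or a gap, rolls that up per tactic, and ranks the gaps by a constructed threat-group-usage weight. The technique and tactic IDs are real ATT&CK identifiers used for illustration (assumed current); the detection rules, the `GROUP_USE` numbers, and the `attack.*` tag format handling are constructed assumptions.

```python
"""Toy ATT&CK coverage check (added example, not MITRE code): map detection
rules to technique IDs, roll coverage up by tactic, and rank the gaps."""
from collections import defaultdict

# Real ATT&CK IDs and names, used for illustration (assumption: still current).
# A technique can sit under more than one tactic.
TACTICS = {"TA0002": "Execution", "TA0003": "Persistence", "TA0006": "Credential Access"}

# technique ID -> (name, tactic IDs). Sub-techniques inherit their parent's tactics.
# T1053 is also under Privilege Escalation (TA0004), omitted here to keep the sample small.
TECHNIQUES = {
    "T1059":     ("Command and Scripting Interpreter", ("TA0002",)),
    "T1059.001": ("PowerShell",                        ("TA0002",)),
    "T1053":     ("Scheduled Task/Job",                ("TA0002", "TA0003")),
    "T1053.005": ("Scheduled Task",                    ("TA0002", "TA0003")),
    "T1003":     ("OS Credential Dumping",             ("TA0006",)),
    "T1003.001": ("LSASS Memory",                      ("TA0006",)),
}

# Constructed risk weight: how many tracked groups we have seen use each technique.
# Hypothetical numbers; the real Procedure Examples live on each ATT&CK technique page.
GROUP_USE = {"T1059": 3, "T1059.001": 9, "T1053": 2, "T1053.005": 6, "T1003": 4, "T1003.001": 12}

# Constructed detection inventory, tagged Sigma-style ("attack.<tactic>", "attack.t<id>").
DETECTIONS = [
    {"title": "Suspicious PowerShell encoded command", "tags": ["attack.execution", "attack.t1059.001"]},
    {"title": "LSASS access from unsigned process",   "tags": ["attack.credential_access", "attack.t1003.001"]},
]


def techniques_from_tags(tags):
    """Extract technique IDs (T####[.###]) from attack.* tags; ignore tactic/group tags."""
    ids = set()
    for tag in tags:
        _, sep, rest = tag.partition("attack.")
        if sep and rest.startswith("t") and rest[1:5].isdigit():
            ids.add(rest.upper())
    return ids


def covered_techniques(detections):
    """Union of technique IDs referenced by any detection rule."""
    covered = set()
    for rule in detections:
        covered |= techniques_from_tags(rule["tags"])
    return covered


def coverage_status(tid, covered):
    """covered: this ID is detected; partial: a parent whose sub-technique is detected; gap: nothing."""
    if tid in covered:
        return "covered"
    if "." not in tid and any(c.startswith(tid + ".") for c in covered):
        return "partial"
    return "gap"


def tactic_coverage(detections):
    """Per-tactic counts of covered / partial / gap techniques."""
    covered = covered_techniques(detections)
    per_tactic = defaultdict(lambda: {"covered": 0, "partial": 0, "gap": 0})
    for tid, (_, tactics) in TECHNIQUES.items():
        status = coverage_status(tid, covered)
        for ta in tactics:
            per_tactic[ta][status] += 1
    return dict(per_tactic)


def prioritized_gaps(detections):
    """Uncovered techniques, highest threat-group use first: the input to mitigation prioritization."""
    covered = covered_techniques(detections)
    gaps = [tid for tid in TECHNIQUES if coverage_status(tid, covered) == "gap"]
    return sorted(gaps, key=lambda t: -GROUP_USE.get(t, 0))


if __name__ == "__main__":
    for ta, counts in tactic_coverage(DETECTIONS).items():
        print(f"{TACTICS[ta]:<18} {counts}")
    print("gaps, highest risk first:", prioritized_gaps(DETECTIONS))
```

Run as-is, the script reports Persistence as entirely uncovered and puts T1053.005 (Scheduled Task) ahead of its parent in the gap list because the constructed weight says more groups use it. In practice the weight would come from your own threat intelligence or the group lists on the technique pages, and the `TECHNIQUES` table would be loaded from the official STIX bundle rather than typed in.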