Logo Threat Intelligence

MITRE ATT&CK Framework: All You Ever Wanted To Know

Threat Intelligence • May 04, 2023

Released in 2015, the MITRE ATT&CK framework identifies the various tactics and techniques attackers commonly use to perpetrate cyber attacks.
It models their behaviors and actions, so organisations can better understand and address their threat landscape. The framework is developed by MITRE, a not-for-profit organisation that assists the U.S. federal government with scientific research, and systems engineering. 
The original MITRE researchers aimed to improve threat detection through telemetry sensing and behavioural analysis. Their efforts led to the development of the MITRE ATT&CK framework.

What is the MITRE ATT&CK Framework?

The MITRE ATT&CK Framework – sometimes known as a MITRE ATT&CK matrix – is based on real-world observations.
ATT&CK® stands for Adversarial Tactics, Techniques, and Common Knowledge. It categorises adversary actions, identifies the platforms they commonly target, and specifies ways to defend against them. 
It presents this useful information in a simple matrix format that’s easy to understand, making it useful for both offensive and defensive cybersecurity.
MITRE has developed three matrices:

  • Enterprise ATT&CK: Tactics and techniques focused on adversary behaviours inside the enterprise
  • PRE-ATT&CK: Attacker tactics and techniques used before an attack
  • Mobile ATT&CK: Adversarial tactics and techniques used to gain access to mobile devices

In each framework, the column headers outline the various phases in the attack chain, while the rows detail specific techniques used in each phase. 
Organisations can leverage one or more matrix to improve their cybersecurity awareness, identify gaps in cybersecurity defence, prioritise fixes, and improve their security posture.

What is ATT&CK?

ATT&CK stands for Adversarial Tactics, Techniques & Common Knowledge. It is a framework that describes the tactics, techniques, and procedures (TTPs) used by cyber adversaries during different stages of a cyber attack.


The name ATT&CK reflects the framework's focus on describing the full range of techniques used by cyber adversaries to conduct attacks. The "&" symbol in the name represents the intersection of different tactics and techniques used by attackers, while the "CK" stands for Common Knowledge, indicating the goal of developing a common language and framework for describing cyber threats.


Let's break down each of these components:


  1. Adversarial: This refers to the fact that the framework is focused on the tactics and techniques used by cyber adversaries to conduct attacks. The framework is designed to help organizations better understand the mindset of attackers and anticipate their next moves.
  2. Tactics: These are the high-level goals of an attack, such as gaining access to a system or stealing sensitive data. The MITRE ATT&CK framework identifies 14 tactics, including initial access, execution, persistence, and exfiltration, among others.
  3. Techniques: These are the specific methods used by attackers to achieve their goals. The MITRE ATT&CK framework currently includes over 240 techniques across the 14 tactics, such as spearphishing, credential dumping, and lateral movement.
  4. Common Knowledge: This refers to the goal of creating a common language and framework for describing cyber threats. By using a standardized language, organizations can more easily share threat intelligence and collaborate on defense strategies.

The MITRE ATT&CK Matrix: Tactics and Techniques

The MITRE Enterprise ATT&CK framework models attacker behaviours with the help of two core components: Tactics and Techniques.  The tactics describe the why of attacks, while techniques describe the how.

MITRE ATT&CK Tactics

The matrix includes 14 tactics categorised according to the threat actor’s objectives:
  1. Reconnaissance
  2. Resource Development
  3. Initial Access
  4. Execution
  5. Persistence
  6. Privilege Escalation
  7. Defense Evasion
  8. Credential Access
  9. Discovery
  10. Lateral Movement
  11. Collection
  12. Command and Control
  13. Exfiltration
  14. Impact

Within each tactic, there are multiple techniques that describe the specific actions an adversary may take to achieve their objective.

MITRE ATT&CK Techniques

Today’s adversaries often use different attack techniques depending on their abilities, tools, and target system configuration. 
 This is why the MITRE ATT&CK framework includes multiple techniques under each tactic. The matrix also describes a method under each technique, as well as the systems and platforms it pertains to. 
It also highlights the adversary groups that use that technique, and suggests ways to mitigate these threats.
Currently, the MITRE ATT&CK Enterprise framework identifies 185 techniques and 367 sub-techniques.

Who Benefits From The Framework?

Most malicious behaviours recorded in the framework are categorized as APT, advanced persistent threats. These threats are faced by organizations of all sizes, from small businesses to large enterprises and on a daily basis. Numerous public and private organizations have adopted the MITRE ATT&CK framework to improve their defenses against cyber threats. Any organization that wants to improve their cybersecurity posture and better defend against cyber threats can benefit from using the framework.

MITRE ATT&CK vs Cyber Kill Chain

At The MITRE ATT&CK framework is one of the most popular frameworks for cyber threat detection and threat hunting. Another popular framework is the Cyber Kill Chain®. This framework is part of the Intelligence Driven Defense® model developed by Lockheed Martin to identify and prevent cyber intrusions.
Although the goal of Cyber Kill Chain is also to proactively detect threats and intrusions, it goes about it differently from MITRE ATT&CK. 
Instead of a matrix of tactics and techniques, it defines a sequence of seven steps that represent a certain type of activity in a cyber attack. These steps enable security teams to get better visibility into an attack, and take action to address it.
  1. Reconnaissance: Attackers identify targets and tactics for the attack;
  2. Weaponisation: They create a cyber weapon, i.e. malware, to exploit the vulnerable target;
  3. Delivery: They deliver and install the weapon to the target via email, compromised websites, removable drives, etc.;
  4. Exploitation: The malware code is triggered to exploit the target’s vulnerability;
  5. Installation: The malware installs an access point or “backdoor” for the intruder;
  6. Command & Control (C2): The malware gives the intruder access to the target system for remote manipulation;
  7. Actions on Objectives: Once the attacker gains persistent access to the target, they accomplish their goals, e.g. encrypt files for ransomware , exfiltrate data, etc.

Benefits of the MITRE ATT&CK Framework

Provides a Knowledge Base Of Adversary Behaviours Intelligence,MITRE ATT&CK provides a common, standardised “language” so security personnel can understand and even predict adversary behaviors. They can then take action to defend the enterprise, and prevent attack.
Helps with Risk Assessment Red teamers and cyber defenders can understand adversaries, classify attacks, and assess and strengthen their organisation’s risk posture.
Improve Post-compromise Detection The framework illustrates the actions an attacker may have taken to attack the organisation, so security teams can take immediate and relevant action to minimise the damage.
Supports Threat Hunting Threat hunters can understand the various adversary techniques, proactively hunt for threats, and gauge their environment’s visibility level against targeted attacks. 
Promotes Better Collaboration for Better Threat Mitigation Analysts and defenders can compare and contrast adversaries and threat groups, and the techniques used by each. They can also collaborate to find the best techniques to detect and mitigate these threats.

Use Cases of the MITRE ATT&CK Framework

Prioritise Detections The framework offers a blueprint that enables security teams to focus their detection efforts, and improve their cybersecurity posture based on the organisation’s unique environment.
Conduct a Security Gap Analysis Security personnel can define the highest-priority threats, and accordingly evaluate the strength of their security ecosystem.
Track Attackers Security teams can track the behaviours of adversaries that pose the biggest threat, and update their security plans accordingly.  MITRE ATT&CK is also useful to:
  • Strengthen cyber threat intelligence ;
  • Improve alert triage and investigations;
  • Create realistic scenarios and emulation plans for red team exercises;
  • Implement strong mitigation controls.

MITRE ATTA&CK For Vulnerability Management

The MITRE ATT&CK framework can be a valuable tool for improving traditional vulnerability management practices. Here are some specific ways that the framework can be used to enhance vulnerability management:


  1. Prioritizing Vulnerabilities: Mapping known vulnerabilities in an organization's environment to the techniques and tactics identified in the MITRE ATT&CK framework can provide insight into which vulnerabilities are most critical. This is because some vulnerabilities are more likely to be exploited than others, depending on the attacker's tactics and techniques. By understanding the likelihood and potential impact of an attack, security teams can prioritize their remediation efforts and focus on the vulnerabilities that pose the greatest risk. This helps to ensure that limited resources are allocated effectively and that the most important vulnerabilities are addressed first.
  2. Identifying Attack Paths: By mapping vulnerabilities to the techniques and tactics in the MITRE ATT&CK framework, security teams can better understand the potential attack paths that an attacker may take to exploit a vulnerability. This helps to identify where to focus their efforts on detecting and responding to an attack. For example, if a vulnerability is mapped to a technique commonly used by attackers to gain initial access, security teams may focus on detecting and blocking that technique to prevent an attacker from exploiting the vulnerability.
  3. Enhancing Threat Intelligence: Incorporating threat intelligence based on the MITRE ATT&CK framework into vulnerability management practices can provide valuable insights into the tactics and techniques used by attackers. This helps security teams anticipate and respond to emerging threats more effectively. By staying informed about the latest attack techniques, security teams can better understand which vulnerabilities are most likely to be targeted and prioritize their efforts accordingly.
  4. Improving Penetration Testing: The MITRE ATT&CK framework can be used to enhance penetration testing practices by simulating real-world attack scenarios. By mapping the penetration testing scenarios to the tactics and techniques in the framework, organizations can better understand their defenses against various attack paths. This helps to identify gaps in their defenses and prioritize improvements to their security posture.


How Does Evolve Use MITRE ATT&CK?

Evolve uses the MITRE ATT&CK framework as a foundation for its detection and response capabilities. The platform leverages the framework's comprehensive list of adversary techniques and tactics to identify and respond to threats across the entire cyber kill chain.


Specifically, Evolve uses the MITRE ATT&CK framework to map and analyze data across various security tools and sources, including endpoints, networks, and cloud environments. By correlating and analyzing data across multiple sources, the platform is able to detect and respond to threats more effectively.


Additionally, Evolve uses the MITRE ATT&CK framework to develop and maintain a library of custom detection rules and playbooks that align with the framework's tactics and techniques. This helps to ensure that the platform stays up-to-date with the latest attacker behaviors and techniques and can detect and respond to emerging threats more effectively.


By leveraging the MITRE ATT&CK framework, Evolve is able to provide a comprehensive and integrated approach to threat detection and response, helping organizations to identify and respond to threats more quickly and effectively.


To learn more about Evolve's threat detection and response platform, schedule a demo with our team today.

Conclusion

Today’s organisations need to secure their networks, systems and data from bad actors. For this, frameworks that model adversary behaviours are especially useful. 
The MITRE ATT&CK framework is one of the most popular frameworks since it offers a comprehensive, systematic and actionable way to understand attacker behaviours and techniques. 
It thus enables security teams to take proactive action to prevent attacks, and keep their assets safe from cyber threats.

IoT Penetration Testing

IoT Penetration Testing

By Anupama Mukherjee 02 May, 2024
Mastering IoT Penetration Testing: Uncover Vulnerabilities, Ensure Robust Security. Learn Proven Methods & Best Practices. Elevate Your IoT Device Protection Now
Cybersecurity Project Management

Cybersecurity Project Management

By Threat Intelligence 24 Apr, 2024
In this blog, we're exploring cybersecurity project management and the role it plays in securing a business.

Defense Industry Security Program (DISP): Practical Tips and Best Practices

By Threat Intelligence 19 Apr, 2024
Unlock the secrets to navigating the intricacies of the Defence Industry Security Program (DISP) with confidence. Our expert team offers invaluable insights and tailored support to help you meet DISP's rigorous security assessment requirements.
Threat Modeling

Elevating Security with Threat Modeling

By Threat Intelligence 12 Apr, 2024
In this blog post, we'll explore what threat modeling is all about, why it's important, and how it can prevent cyberattacks.
Share by: