What Is the MITRE ATT&CK Framework?
MITRE ATT&CK® stands for MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK). The MITRE ATT&CK framework is a curated knowledge base and model of cyber adversary behavior that describes the stages of an adversary's attack lifecycle as well as the platforms they are known to target. The model's tactic and technique abstractions provide a standard taxonomy of individual adversary actions that both offensive and defensive cybersecurity teams can understand. It also categorizes adversary behavior at a level of detail that lets specific defensive measures be mapped against each technique.
What is MITRE ATT&CK?
MITRE ATT&CK is a free, comprehensive compendium of the tactics, methods, and procedures (TTPs) used by real-world attackers. This knowledge is not theoretical; rather, it is based on TTPs that threat actors have employed in actual assaults.
This framework is maintained by The MITRE Corporation, a non-profit organization with decades of experience that now serves industries, governments, and academics. The term "MITRE ATT&CK" combines the organization's name with the acronym for Adversarial Tactics, Techniques, and Common Knowledge.
MITRE ATT&CK is intended to help organizations build their own threat models and methodologies. It is used across industry, government, and the cybersecurity services sector. For each adversary tactic, MITRE documents the attack techniques involved together with methods for detecting and mitigating them. The MITRE ATT&CK knowledge base describes matrices, tactics, and techniques for enterprise, mobile, and industrial control system (ICS) environments.
History of MITRE ATT&CK
The MITRE Corporation launched the ATT&CK project in 2013 to document adversary behavior observed after an initial compromise. MITRE made the ATT&CK matrix public in 2015; it covered tactics and techniques targeting enterprise systems, particularly Windows.
Over the next three years, the project was extended to include macOS, Linux, and cloud platforms. In 2019, the collection was expanded with a matrix of tactics and techniques for Industrial Control Systems (ICS). MITRE also introduced ATT&CK for Mobile, which covers the iOS and Android operating systems.
Today, the MITRE ATT&CK framework is evolving with new techniques and improvements to existing ones, all based on the most recent research and intelligence.
The behavioral model presented by ATT&CK contains the following core components:
- Tactics denoting short-term, tactical adversary goals during an attack (the columns);
- Techniques describing the means by which adversaries achieve tactical goals (the individual cells); and
- Documented adversary usage of techniques and other metadata (linked to techniques).
MITRE ATT&CK was developed in 2013 as a result of MITRE's Fort Meade Experiment (FMX), in which researchers emulated both attacker and defender behavior in order to improve post-compromise threat detection through telemetry sensing and behavioral analysis. The researchers' primary question was, "How well are we doing at detecting documented adversary behavior?" To answer it, they developed ATT&CK, a method for categorizing adversary behavior.
MITRE ATT&CK now has three iterations:
- ATT&CK for Enterprise – Focuses on adversarial behavior in Windows, Mac, Linux, and Cloud environments.
- ATT&CK for Mobile - Focuses on adversarial behavior on iOS and Android operating systems.
- ATT&CK for ICS - Focuses on describing the actions an adversary may take while operating within an ICS network.
MITRE ATT&CK is used worldwide across multiple disciplines including intrusion detection, threat hunting, security engineering, threat intelligence, red teaming, and risk management.
What's in the MITRE ATT&CK Matrix?
The MITRE ATT&CK matrix lists the tactics adversaries use to achieve particular objectives. Each matrix is built from three kinds of component: tactics, techniques, and sub-techniques, and every tactic, technique, and sub-technique has its own ID. The adversary's objectives are represented as tactics in the ATT&CK Matrix. They are presented in a linear order, beginning with reconnaissance and ending with exfiltration or "impact". The broadest version, ATT&CK for Enterprise, covers Windows, macOS, Linux, PRE, Azure AD, Office 365, Google Workspace, SaaS, IaaS, Network, and Containers, and defines the adversary tactics described below.
Tactics
A tactic is the reasoning behind the techniques or sub-techniques an attacker employs; in other words, why the attacker uses a particular technique against the compromised system. Here are a few examples:
- In the defense evasion tactic, the goal of the attacker is to somehow hide from being detected.
- In the credential access tactic, the adversaries’ goal is to steal credential information like usernames and passwords to gain access to systems.
The Enterprise and Mobile matrices each define 14 tactics, whereas the ICS matrix defines 12. Many tactics apply to all three, including initial access, execution, lateral movement, and impact.
Visually, the framework shows the number of techniques under each tactic, and each technique shows the number of sub-techniques linked to it. As of this writing, the Enterprise matrix includes 14 tactics in total:
- Reconnaissance: gathering information to plan future adversary operations, e.g., information about the target organization
- Resource Development: establishing resources to support operations, e.g., setting up command and control infrastructure
- Initial Access: trying to get into your network, e.g., spear phishing
- Execution: trying to run malicious code, e.g., running a remote access tool
- Persistence: trying to maintain their foothold, e.g., changing configurations
- Privilege Escalation: trying to gain higher-level permissions, e.g., leveraging a vulnerability to elevate access
- Defense Evasion: trying to avoid being detected, e.g., using trusted processes to hide malware
- Credential Access: stealing account names and passwords, e.g., keylogging
- Discovery: trying to figure out your environment, e.g., exploring what they can control
- Lateral Movement: moving through your environment, e.g., using legitimate credentials to pivot through multiple systems
- Collection: gathering data of interest to the adversary's goal, e.g., accessing data in cloud storage
- Command and Control: communicating with compromised systems to control them, e.g., mimicking normal web traffic to communicate with a victim network
- Exfiltration: stealing data, e.g., transferring data to a cloud account
- Impact: manipulating, interrupting, or destroying systems and data, e.g., encrypting data with ransomware
Each tactic in the MITRE ATT&CK matrix contains adversary techniques, which describe the adversary's actual activities. Some techniques have sub-techniques that describe in greater detail how an adversary carries out the technique.
Techniques
Techniques are the methods adversaries use to accomplish a tactic or goal. In other words, a technique is how the adversary intends to achieve the tactical objective.
For example, consider the reconnaissance tactic. The adversary's goal is to gather information about a specific target in order to plan future operations. To achieve it, they use techniques such as active scanning, which in turn has sub-techniques such as scanning IP blocks and vulnerability scanning.
The MITRE ATT&CK framework gives an overview or definition of each technique. It then lists procedure examples: real-world uses of the technique. Each procedure example includes useful information, such as:
- A description of the procedure
- Techniques used
- Groups that use the software involved
- Campaigns
Furthermore, each technique page lists mitigations and detections, the latter organized by the data components defenders can monitor to detect the technique. You can also view further information, such as which platforms the technique applies to and who contributed the knowledge.
Sub-Techniques
Some techniques have multiple sub-techniques, whereas others have none. For example, the phishing technique is divided into three sub-techniques: spearphishing attachment, spearphishing link, and spearphishing via service.
Each sub-technique page, like the main technique pages, describes procedure examples, mitigations, and detection approaches.
By starting from a specific tactic, the user can obtain a thorough understanding of the various techniques and sub-techniques used, as well as the mitigation and preventive strategies for each.
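The tactic, technique and sub-technique structure described in the sections above is easier to see in code. The example below is added here and is not code from the original article or from MITRE: it builds a small matrix (tactic columns, technique cells, sub-techniques under each technique) from a STIX 2.1 bundle laid out the way the ATT&CK knowledge base is distributed. The bundle itself is a constructed subset written for this example; the object types and field names (`x-mitre-tactic`, `attack-pattern`, `kill_chain_phases`, `x_mitre_is_subtechnique`, `external_id`, `revoked`) are the ones ATT&CK's STIX representation uses to the best of my knowledge, and the tactic and technique IDs are real ATT&CK IDs except for the `T0000` placeholder used to show a revoked object being skipped.

```python
"""Build an ATT&CK-style matrix (tactic -> techniques -> sub-techniques) from a
STIX 2.1 bundle in the layout the ATT&CK knowledge base is published in.
The bundle below is a CONSTRUCTED subset for this example; field names follow
the ATT&CK STIX representation and the IDs are real ATT&CK IDs (T0000 excepted)."""
import re

# Technique IDs look like T1566 (technique) or T1566.001 (sub-technique).
ATTACK_ID = re.compile(r"^(T\d{4})(?:\.(\d{3}))?$")


def parse_attack_id(attack_id):
    """Split an ID into (technique, sub-technique-or-None); reject anything else."""
    match = ATTACK_ID.match(attack_id)
    if not match:
        raise ValueError(f"not a technique or sub-technique ID: {attack_id!r}")
    return match.group(1), match.group(2)


def _tactic(name, shortname, tactic_id):
    return {"type": "x-mitre-tactic", "name": name, "x_mitre_shortname": shortname,
            "external_references": [{"source_name": "mitre-attack", "external_id": tactic_id}]}


def _technique(name, technique_id, phases, **flags):
    obj = {"type": "attack-pattern", "name": name,
           "x_mitre_is_subtechnique": "." in technique_id,
           "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": p} for p in phases],
           "external_references": [{"source_name": "mitre-attack", "external_id": technique_id}]}
    obj.update(flags)  # e.g. revoked=True or x_mitre_deprecated=True
    return obj


# Constructed bundle: three tactics, a few techniques, one revoked placeholder object.
SAMPLE_BUNDLE = {"type": "bundle", "id": "bundle--constructed-example", "objects": [
    _tactic("Reconnaissance", "reconnaissance", "TA0043"),
    _tactic("Initial Access", "initial-access", "TA0001"),
    _tactic("Persistence", "persistence", "TA0003"),
    _technique("Active Scanning", "T1595", ["reconnaissance"]),
    _technique("Scanning IP Blocks", "T1595.001", ["reconnaissance"]),
    _technique("Vulnerability Scanning", "T1595.002", ["reconnaissance"]),
    _technique("Phishing", "T1566", ["initial-access"]),
    _technique("Spearphishing Attachment", "T1566.001", ["initial-access"]),
    _technique("Spearphishing Link", "T1566.002", ["initial-access"]),
    _technique("Spearphishing via Service", "T1566.003", ["initial-access"]),
    # One technique that appears in more than one tactic column:
    _technique("Valid Accounts", "T1078", ["initial-access", "persistence"]),
    # Revoked objects remain in published bundles and must be skipped (placeholder ID):
    _technique("Placeholder (revoked)", "T0000", ["persistence"], revoked=True),
]}


def attack_id_of(obj):
    """Return the ATT&CK external ID of a STIX object, or None if it has none."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def build_matrix(bundle):
    """Return (matrix, techniques): matrix maps tactic name -> sorted technique IDs;
    techniques maps technique ID -> {"name", "tactics", "subtechniques"}."""
    tactics = {}     # shortname -> display name, in bundle order
    techniques = {}  # setdefault lets a sub-technique precede its parent in the bundle
    for obj in bundle["objects"]:
        if obj.get("revoked") or obj.get("x_mitre_deprecated"):
            continue
        if obj["type"] == "x-mitre-tactic":
            tactics[obj["x_mitre_shortname"]] = obj["name"]
        elif obj["type"] == "attack-pattern":
            base, sub = parse_attack_id(attack_id_of(obj))
            entry = techniques.setdefault(base, {"name": None, "tactics": set(), "subtechniques": {}})
            if sub is None:
                entry["name"] = obj["name"]
                entry["tactics"] |= {p["phase_name"] for p in obj.get("kill_chain_phases", [])
                                     if p.get("kill_chain_name") == "mitre-attack"}
            else:
                entry["subtechniques"][f"{base}.{sub}"] = obj["name"]
    matrix = {name: [] for name in tactics.values()}
    for tid, entry in techniques.items():
        for shortname in entry["tactics"]:
            if shortname in tactics:
                matrix[tactics[shortname]].append(tid)
    for column in matrix.values():
        column.sort()
    return matrix, techniques


def render(matrix, techniques):
    """Text rendering: one block per tactic column, techniques with their sub-techniques."""
    lines = []
    for tactic, ids in matrix.items():
        lines.append(f"{tactic} ({len(ids)} techniques)")
        for tid in ids:
            entry = techniques[tid]
            lines.append(f"  {tid} {entry['name'] or '?'} ({len(entry['subtechniques'])} sub-techniques)")
            for sid, sname in sorted(entry["subtechniques"].items()):
                lines.append(f"    {sid} {sname}")
    return "\n".join(lines)


if __name__ == "__main__":
    built_matrix, built_techniques = build_matrix(SAMPLE_BUNDLE)
    print(render(built_matrix, built_techniques))
```

Running it prints three columns; Valid Accounts shows up under both Initial Access and Persistence, which is why a technique-to-tactic mapping has to be a set rather than a single value, and the revoked placeholder never appears.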
The complete ATT&CK Matrix for Enterprise from the MITRE ATT&CK Navigator is shown below:
MITRE ATT&CK for Enterprise, 2021
What is different about the MITRE ATT&CK for Cloud Matrix?
The MITRE ATT&CK for Cloud matrix is a part of the MITRE ATT&CK for Enterprise matrix: it contains a subset of the tactics and techniques from the larger Enterprise matrix. It differs from the rest of the Enterprise matrix in that the adversary behavior and techniques used in a cloud attack are not the same as those used in attacks on Windows, macOS, Linux, or other enterprise systems.
MITRE ATT&CK techniques on Windows, macOS, Linux, and other systems often involve the use of malware to gain access to a network owned and maintained by the target organization.
MITRE ATT&CK techniques in AWS, Azure, Office 365, and similar settings rarely involve malware, because the target environment is owned and operated by a third-party cloud service provider such as Microsoft or Amazon. Without the ability to implant something in the victim's environment, the adversary will most likely use the CSP's native functionality to gain access to the target's account, elevate privileges, move laterally, and exfiltrate data. The following example techniques demonstrate adversary behavior as described by ATT&CK for Cloud:
The whole ATT&CK for Cloud matrix is shown below, along with its subset of the ATT&CK for Enterprise tactics and techniques:
MITRE ATT&CK for Cloud, 2021
MITRE ATT&CK for Containers, 2021
More Useful Info About MITRE ATT&CK
In addition to the three matrices listed above, MITRE ATT&CK provides the community with separate documentation on a range of topics.
Data sources
Data sources define the information that can be gathered from sensors or logs. The Data Sources page gives, for each data source, a brief description of the data components that can be monitored, collected, and used for detection.
For example, an enterprise can detect alterations to mailbox folders and identify areas of weak visibility by using mailbox audit logs, which belong to the Application Log data source.
Groups
Groups are sets of related intrusion activity tracked under a common name; experts may use different terminology for them, such as threat groups or activity groups. Different specialists may refer to the same group by different names, but it is the same behavior being described regardless of the nomenclature.
The MITRE ATT&CK team tracks the overlaps between those names. Each group's entry contains a brief description, the techniques it is known to use, and the software associated with it.
Software
Software entries cover the tools and malware used by adversaries. Each entry lists the techniques the software is publicly known to use or is capable of using. If a group is known to use a particular piece of software, the group is linked, or "mapped", to it. The page covers the range of software available to threat actors, from legitimate tools to purpose-built malware.
Campaigns
The Campaigns page catalogs intrusion activity carried out over a specific period with common targets and objectives. If an activity set has no public name, the team assigns it a unique label. When different people or reports use distinct names for the same activity, the team lists them as "Associated Campaigns" on the page so that researchers can make the connection.
The team also associates campaigns with particular groups or software when public reports make those links. Each campaign entry further documents the known techniques used in the campaign and the reporting from which that information was drawn.
MITRE ATT&CK vs. The Cyber Kill Chain
The Lockheed Martin Cyber Kill Chain® is another well-known model for analyzing adversary behavior during a cyber attack. The Kill Chain model consists of the following stages, in order:
- Reconnaissance – Harvests email addresses, conference information, etc.
- Weaponization – Couples exploit with backdoor into deliverable payload.
- Delivery – Delivers weaponized bundle to the victim via email, web, USB, etc.
- Exploitation – Exploits a vulnerability to execute code on a victim's system.
- Installation – Installs malware on the asset.
- Command & Control (C2) – Includes command channel for remote manipulation.
- Actions on Objectives – Using 'hands on keyboard' access, intruders accomplish their original goals.
This graphic from Lockheed Martin provides additional information on their Cyber Kill Chain framework.
There are two key distinctions between MITRE ATT&CK and the Cyber Kill Chain.
- First, the MITRE ATT&CK framework describes in detail how each step is carried out, through its techniques and sub-techniques. MITRE ATT&CK is continuously updated with industry input to keep up with the latest techniques, so defenders should update their own practices and attack modeling often.
- Second, the Cyber Kill Chain does not account for the many tactics and techniques used in a cloud-native attack, as explained above. The Cyber Kill Chain model assumes that an adversary will deliver a payload, such as malware, to the target environment; that assumption is far less relevant in the cloud.
Use Cases for the MITRE ATT&CK Framework
The MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework is a valuable resource for enterprises looking to improve their cybersecurity posture. By providing a common catalog of attacker tactics and techniques, ATT&CK enables defenders to be proactive in their security efforts. This section looks at the different ways that businesses can use MITRE ATT&CK to build a stronger security posture.
Enhancing Security Posture
- Identify Security Gaps: MITRE ATT&CK serves as a benchmark for comparing the effectiveness of current security mechanisms against known attacker tactics and techniques. Mapping your defenses to the ATT&CK framework lets you identify gaps and highlight areas for improvement. This enables a focused approach to security spending, ensuring resources are directed towards the most significant risks.
- Emulate Adversaries and Conduct Red Teaming: Build simulations of real-world threats to gain insight into attacker behavior. ATT&CK can be used to construct adversary emulation scenarios and red team plans, allowing you to test the effectiveness of existing defenses and uncover holes before an actual attack takes place.
- Develop Behavioral Analytics: Classify and organize suspicious activity by associating it with known attacker behaviors documented in ATT&CK. This improves threat detection and incident response capabilities by allowing defenders to recognize patterns associated with malicious activity.
Threat Intelligence and Research
- Gather Threat Intelligence: The framework is an invaluable resource for collecting threat intelligence. Organizations can stay current on adversaries' strategies by aligning their behaviors with the ATT&CK matrix. This not only promotes a deeper awareness of potential dangers, but also provides a common vocabulary for identifying and categorizing attacker activities, avoiding confusion and facilitating communication among security teams.
- Security Research: ATT&CK offers security researchers a standardized vocabulary for naming, describing, and categorizing adversary behaviors. This promotes collaboration and knowledge exchange in the security sector. Furthermore, researchers can use the framework to discover gaps in existing knowledge or areas that need further examination, leading to new research routes and advances in cybersecurity protection tactics.
Detection and Response
- Threat Hunting: The extensive knowledge base of attacker tactics, techniques, and procedures (TTPs) in ATT&CK makes it well suited to threat hunting. Threat hunters can use the framework to guide their process, including hypothesis generation, prioritization, data collection, and documentation. This systematic method streamlines threat hunting efforts and increases the likelihood of detecting hidden threats within your systems.
- SOC Maturity Assessment: Evaluate the effectiveness of your Security Operations Center (SOC) in detecting, assessing, and responding to breaches. Using ATT&CK as a benchmark, you can discover areas of improvement in your SOC's activities, ensuring they have the capability to address the tactics and approaches used by modern attackers.
Implementation and Integration
There are two basic ways to apply MITRE ATT&CK within an organization:
- Manual Mapping: This entails manually assessing security events and assigning them to the appropriate tactics and techniques in the ATT&CK framework. While more time-consuming, this approach can be practical for firms with fewer security resources.
- Integration with Security Tools: Security Information and Event Management (SIEM), Endpoint Detection and Response (EDR), and Cloud Access Security Broker (CASB) solutions can be integrated with ATT&CK to automate the mapping of security events to attacker techniques. This simplifies the process and provides a more complete picture of the potential threats in your environment.
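The two ideas above, automated mapping of security events to ATT&CK techniques, and the "Identify Security Gaps" use of ATT&CK as a coverage benchmark, can be shown together in one small program. It also illustrates the data sources section: each rule is tied to the ATT&CK data component it consumes. The code is an added example, not code from the original article, from MITRE or from any SIEM vendor. The events, rule logic, thresholds, and the `drive.example.test` domain are constructed for the example; the technique IDs, tactic names and data component names (`Application Log Content`, `User Account Authentication`, `Network Traffic Flow`) are real ATT&CK identifiers as far as I know, but the catalog is a hand-picked subset, not the full knowledge base.

```python
"""Map normalized security events to ATT&CK technique IDs with a few detection
rules, then measure how much of a technique catalog those rules cover per tactic.
Events, rule logic, thresholds and the example domain are CONSTRUCTED; the
technique/tactic/data-component names are real ATT&CK identifiers, but the
catalog is a small hand-picked subset. Example code, not a vendor or MITRE API."""
from collections import defaultdict

# technique ID -> (name, tactics it appears under)
CATALOG = {
    "T1595": ("Active Scanning", ["Reconnaissance"]),
    "T1566.001": ("Spearphishing Attachment", ["Initial Access"]),
    "T1078": ("Valid Accounts", ["Initial Access", "Persistence",
                                 "Privilege Escalation", "Defense Evasion"]),
    "T1110": ("Brute Force", ["Credential Access"]),
    "T1056.001": ("Keylogging", ["Collection", "Credential Access"]),
    "T1021": ("Remote Services", ["Lateral Movement"]),
    "T1567": ("Exfiltration Over Web Service", ["Exfiltration"]),
    "T1486": ("Data Encrypted for Impact", ["Impact"]),
}

# Constructed, normalized SIEM-style events; "id" increases with time.
EVENTS = [
    {"id": 1, "type": "mail_attachment", "src_ip": "198.51.100.7", "user": "alice",
     "detail": "invoice_Q3.docm"},
    *[{"id": i, "type": "logon_failure", "src_ip": "203.0.113.5", "user": "bob"}
      for i in range(2, 7)],
    {"id": 7, "type": "logon_failure", "src_ip": "192.0.2.9", "user": "carol"},
    {"id": 8, "type": "logon_success", "src_ip": "203.0.113.5", "user": "bob"},
    {"id": 9, "type": "net_flow", "src_ip": "10.0.0.12", "dst_domain": "drive.example.test",
     "bytes_out": 120_000_000},
    {"id": 10, "type": "net_flow", "src_ip": "10.0.0.12", "dst_domain": "drive.example.test",
     "bytes_out": 2_000},
    {"id": 11, "type": "mail_attachment", "src_ip": "198.51.100.8", "user": "dave",
     "detail": "report.pdf"},
]

WEB_STORAGE_DOMAINS = {"drive.example.test"}  # constructed list of file-sharing services


def macro_attachment_rule(events):
    """Mail events whose attachment is a macro-enabled Office document."""
    return [ev["id"] for ev in events if ev["type"] == "mail_attachment"
            and ev["detail"].lower().endswith((".docm", ".xlsm", ".pptm"))]


def _failure_bursts(events, threshold):
    """src_ip -> failed-logon event IDs, only for sources at or above the threshold."""
    failures = defaultdict(list)
    for ev in events:
        if ev["type"] == "logon_failure":
            failures[ev["src_ip"]].append(ev["id"])
    return {ip: ids for ip, ids in failures.items() if len(ids) >= threshold}


def brute_force_rule(events, threshold=5):
    """All failed logons that belong to a burst from one source address."""
    return [eid for ids in _failure_bursts(events, threshold).values() for eid in ids]


def valid_accounts_rule(events, threshold=5):
    """A successful logon from a source address after its failure burst."""
    bursts = _failure_bursts(events, threshold)
    return [ev["id"] for ev in events if ev["type"] == "logon_success"
            and ev["src_ip"] in bursts and ev["id"] > max(bursts[ev["src_ip"]])]


def bulk_upload_rule(events, byte_threshold=50_000_000):
    """Large outbound transfers to a web file-sharing service."""
    return [ev["id"] for ev in events if ev["type"] == "net_flow"
            and ev.get("dst_domain") in WEB_STORAGE_DOMAINS and ev["bytes_out"] > byte_threshold]


# (rule name, ATT&CK technique, data component the rule consumes, rule function)
RULES = [
    ("mail.macro_attachment", "T1566.001", "Application Log Content", macro_attachment_rule),
    ("auth.failure_burst", "T1110", "User Account Authentication", brute_force_rule),
    ("auth.success_after_burst", "T1078", "User Account Authentication", valid_accounts_rule),
    ("net.bulk_upload_web_service", "T1567", "Network Traffic Flow", bulk_upload_rule),
]


def tag_events(events, rules=RULES):
    """event ID -> set of technique IDs; events matching no rule are absent."""
    tags = defaultdict(set)
    for _name, technique, _component, rule in rules:
        for eid in rule(events):
            tags[eid].add(technique)
    return dict(tags)


def coverage(catalog=CATALOG, rules=RULES):
    """Per-tactic (covered, total) counts plus the technique IDs no rule covers."""
    covered = {technique for _n, technique, _c, _r in rules}
    gaps = [tid for tid in catalog if tid not in covered]
    per_tactic = defaultdict(lambda: [0, 0])
    for tid, (_name, tactics) in catalog.items():
        for tactic in tactics:
            per_tactic[tactic][1] += 1
            per_tactic[tactic][0] += tid in covered
    return {t: tuple(c) for t, c in per_tactic.items()}, gaps


if __name__ == "__main__":
    for eid, techs in sorted(tag_events(EVENTS).items()):
        print(f"event {eid}: {', '.join(sorted(techs))}")
    per_tactic, gaps = coverage()
    for tactic, (done, total) in per_tactic.items():
        print(f"{tactic:22s} {done}/{total}")
    print("uncovered:", ", ".join(f"{g} {CATALOG[g][0]}" for g in gaps))
```

On the constructed batch the five failures from one address are tagged T1110 and the success that follows them T1078, while the single failure from another address stays untagged. The coverage report is the "identify security gaps" view in miniature: Reconnaissance, Collection, Lateral Movement and Impact have no rule at all, and Credential Access is only half covered because nothing watches for keylogging. Because Valid Accounts appears under four tactics, one rule lifts the coverage of all four columns, which is exactly the kind of distortion a per-technique gap list guards against.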
Conclusion
In conclusion, the MITRE ATT&CK framework enables businesses to take a proactive approach to the ever-changing threat landscape. By providing a common language for understanding adversary tactics and techniques, ATT&CK enables defenders to identify gaps, conduct threat hunting, and design effective security controls. MITRE ATT&CK offers comprehensive support for identifying and defending against advanced cyber attacks. Because adversaries constantly develop their methods, this resource is essential for practicing proactive defense. It provides actionable threat intelligence that helps you build resilience against new and emerging attackers, ensuring that your company stays ahead of the curve in the continuous fight against cybercrime.
Stay Informed, Stay Safe!