MITRE ATT&CK® stands for MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK). The MITRE ATT&CK framework is a curated knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary’s attack lifecycle and the platforms they are known to target. The tactics and techniques abstraction in the model provide a common taxonomy of individual adversary actions understood by both offensive and defensive sides of cybersecurity. It also provides an appropriate level of categorization for adversary action and specific ways of defending against it.
The behavioral model presented by ATT&CK contains the following core components:
- Tactics denoting short-term, tactical adversary goals during an attack (the columns);
- Techniques describing the means by which adversaries achieve tactical goals (the individual cells); and
- Documented adversary usage of techniques and other metadata (linked to techniques)
MITRE ATT&CK was created in 2013 as a result of MITRE’s Fort Meade Experiment (FMX) where researchers emulated both adversary and defender behavior in an effort to improve post-compromise detection of threats through telemetry sensing and behavioral analysis. The key question for the researchers was “How well are we doing at detecting documented adversary behavior?” To answer that question, the researchers developed ATT&CK, which was used as a tool to categorize adversary behavior.
MITRE ATT&CK now has three iterations:
ATT&CK for Enterprise – Focuses on adversarial behavior in Windows, Mac, Linux, and Cloud environments.
ATT&CK for Mobile – Focuses on adversarial behavior on iOS and Android operating systems.
ATT&CK for ICS – Focuses on describing the actions an adversary may take while operating within an ICS network.
MITRE ATT&CK is used worldwide across multiple disciplines including intrusion detection, threat hunting, security engineering, threat intelligence, red teaming, and risk management.
What is in the MITRE ATT&CK Matrix?
The MITRE ATT&CK matrix contains a set of techniques used by adversaries to accomplish a specific objective. Those objectives are categorized as tactics in the ATT&CK Matrix. The objectives are presented linearly from the point of reconnaissance to the final goal of exfiltration or “impact”. Looking at the broadest version of ATT&CK for Enterprise, which includes Windows, macOS, Linux, PRE, Azure AD, Office 365, Google Workspace, SaaS, IaaS, Network, and Containers, the following adversary tactics are categorized:
- Reconnaissance: gathering information to plan future adversary operations, i.e., information about the target organization
- Resource Development: establishing resources to support operations, i.e., setting up command and control infrastructure
- Initial Access: trying to get into your network, i.e., spear phishing
- Execution: trying the run malicious code, i.e., running a remote access tool
- Persistence: trying to maintain their foothold, i.e., changing configurations
- Privilege Escalation: trying to gain higher-level permissions, i.e., leveraging a vulnerability to elevate access
- Defense Evasion: trying to avoid being detected, i.e., using trusted processes to hide malware
- Credential Access: stealing accounts names and passwords, i.e., keylogging
- Discovery: trying to figure out your environment, i.e., exploring what they can control
- Lateral Movement: moving through your environment, i.e., using legitimate credentials to pivot through multiple systems
- Collection: gathering data of interest to the adversary goal, i.e., accessing data in cloud storage
- Command and Control: communicating with compromised systems to control them, i.e., mimicking normal web traffic to communicate with a victim network
- Exfiltration: stealing data, i.e., transfer data to cloud account
- Impact: manipulate, interrupt, or destroy systems and data, i.e., encrypting data with ransomware
Within each tactic of the MITRE ATT&CK matrix there are adversary techniques, which describe the actual activity carried out by the adversary. Some techniques have sub-techniques that explain how an adversary carries out a specific technique in greater detail.
How Do You Use the MITRE ATT&CK Matrix?
The MITRE ATT&CK framework can help an organization in several ways. In general, the following are applicable benefits to adopting MITRE ATT&CK:
- Adversary Emulation: Assesses security by applying intelligence about an adversary and how they operate to emulate a threat. ATT&CK can be used to create adversary emulation scenarios to test and verify defenses.
- Red Teaming: Acts as an adversary to demonstrate the impact of a breach. ATT&CK can be used to create red team plans and organize operations.
- Behavioral Analytics Development: Links together suspicious activity to monitor adversary activity. ATT&CK can be used to simplify and organize patterns of suspicious activity deemed malicious.
- Defensive Gap Assessment: Determines what parts of the enterprise lack defenses and/or visibility. ATT&CK can be used to assess existing tools, or test new tools prior to purchasing, to determine security coverage and prioritize investment.
- SOC Maturity Assessment: Similar to Defensive Gap Assessment, ATT&CK can be used to determine how effective a security operations center (SOC) is at detecting, analyzing, and responding to breaches.
- Cyber Threat Intelligence Enrichment: Enhances information about threats and threat actors. ATT&CK allows defenders to assess whether they are able to defend against specific Advanced Persistent Threats (ATP) and common behaviors across multiple threat actors.
At Goliath, our teams and services utilize the MITRE ATT&CK framework helping you and your business determine the phases of a threat event, assess associated risk, and prioritize response.