Everything You Need to Know About MITRE ATT&CK Framework

Shanika W.

By Shanika W. . 23 April 2023

Cybersecurity Analyst

Miklos Zoltan

Fact-Checked this

The MITRE ATT&CK framework is a great place to start studying the latest attack tactics and techniques of cybersecurity. When planning and executing cybersecurity protections, it’s also a useful checklist.

In this article we will guide you through:

  • What is the MITRE ATT&CK Framework?
  • How did MITRE come to exist?
  • ATT&CK Matrices
  • What are the tactics of the ATT&CK Framework?
  • What are the techniques of the ATT&CK Framework?
  • What is Common Knowledge in ATT&CK Framework?
  • ComparIson of MITRE ATT&CK to Lockheed Martin’s Cyber Kill Chain?
  • What criteria does MITRE ATT&CK use to assess security products?
  • Best Practises of MITRE ATT&CK framework
  • Benefits of the MITRE ATT&CK framework
  • Challenges of the MITRE ATT&CK framework
  • Example use cases for the ATT&CK framework
  • MITRE ATT&CK Today
  • ATT&CK Resources and projects
Summary: This article coveres the MITRE ATT&CK framework, a comprehensive and publicly available knowledge library on adversarial tactics and strategies inspired by real-world observations.

The article provides an in-depth understanding of the framework’s origins, matrices, tactics, techniques, common knowledge, and its comparison to Lockheed Martin’s Cyber Kill Chain.

It also discusses the criteria MITRE ATT&CK uses to assess security products, best practices, benefits, challenges, example use cases, and resources related to the framework.

The framework is invaluable in helping companies plan and execute cybersecurity protections, and every organization should use it to improve their security posture.

MITRE Attacks

What is the MITRE ATT&CK Framework?

MITRE ATT&CK is an acronym for MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK). MITRE ATT&CK Framework is a publicly available knowledge library on adversarial tactics and strategies inspired by real-world observations.

You can access it from anywhere on the globe The purpose of the Mitre Att&ck Framework is to give you the knowledge of all the security attacks that happened in the past and tactics techniques used for them so you can measure whether your security defensive mechanism is good enough to prevent them or what new actions you should take to avoid possible attacks.

This framework aims to strengthen post-compromise adversary identification in businesses by displaying the activities an attacker could have performed. This framework address the following questions and areas.

  • How do attackers gain access?
  • How do they get around?
  • Raise consciousness of a company’s security status
  • Identify and prioritize defensive flaws in an organization depending on risk.

How did MITRE come to exist?

MITRE is a non for profit organization that advises the federal government on engineering and technological matters.

In 2013, the group created the framework to be used in a MITRE research project and called it after the information it collected(ATT&CK – Adversarial Tactics, Techniques, and Common Knowledge).

MITRE ATT&CK was made freely available to the general public in 2015. However, it now assists security teams in a variety of industries.

ATT&CK Matrices

MITRE ATT&CK Matrix is a graphic representation of all existing tactics and techniques in an easy-to-follow manner. Mainly there are several different matrices as given below,

Pre-ATT&CK

This matrix concentrates on activities that occur before an assault and are mainly hidden from the institution’s view.

It assists security teams in understanding how attackers conduct an investigation, choose their entry point, and monitor and identify attacker actions outside the company network.

Windows

Techniques used to hack all versions of Windows OS.

macOS

Techniques used to hack macOS.

Linux

Techniques used to hack all variants of Linux, such as Ubuntu.

Mobile ATT&CK

This risk model describes how attackers can penetrate mobile devices using various tactics and techniques. “Network-based impacts” are assault methods that can be carried out without requiring device direct access.

Enterprise ATT&CK

This model mainly explains the actions taken by an attacker in the corporate environment.

It focuses primarily on conduct once a compromise has been reached. The Enterprise ATT&CK matrix combines the matrices of Windows, macOS, and Linux.

Moving forward on how ATT&CK matrix’s are used, individual techniques are shown below each column, with attack tactics displayed throughout the top.

An attacker does not have to deploy all eleven methods at the start of the matrix. Instead, the attacker will employ the fewest number of strategies possible to accomplish their goal, which is more effective and reduces the risk of being discovered.

As shown in the figure, an attack sequence in the Enterprise ATT&CK matrix would have at least one method per strategy, and a whole attack series would be formed by progressing from left to right (Initial Access to Command and Control).

What are the tactics of the ATT&CK Framework?

The first ‘T’ in ATT&CK stands for tactics which is the latest way of considering cyberattacks. Instead of looking into the results of an attack, tactics can recognize an ongoing attack.

Moreover, Tactics can be taken as the “why” of the attack technique. Mainly there are 14 attacks in this framework which are listed below:

  • Reconnaissance – the action of collecting information used to organize assaults
  • Resource Development – infrastructure building that can be used in attacks
  • Initial Access – primary attack vectors and efforts to break security
  • Execution – attempting to introduce malicious code and execution
  • Persistence – Using multiple strategies to sustain persistence on a compromised network.
  • Privilege Escalation – obtaining the necessary privileges and access permissions to conduct escalation function assaults
  • Defence Evasion – attackers utilize various techniques to avoid being discovered on the network.
  • Credential Access – method of observing and acquiring login data for systems that have not yet been thoroughly infiltrated (keylogging).
  • Discovery – infecting and controlling other systems on the network
  • Lateral Movement – hopping from one affected system to the next
  • Command & Control – connection with compromised computers through the internet from cybercrime systems
  • Collection – obtaining information that can be sold or used for future attack planning or blackmail.
  • Exfiltration – transferring data to cybercriminals’ databases to be resold
  • Impact – disrupting the functioning of the IT systems.

What are the techniques of the ATT&CK Framework?

Techniques are represented by the second “T” of ATT&CK. Each approach to a cyberattack consists of a collection of techniques utilized by hackers and threat entities.

Techniques reflect the “how,” which means how the attacker pulled out a tactic. One hundred eighty-five methods and 367 sub-techniques are currently identifiable in the framework.

Each technique describes how threat actors work, including the credentials needed, the platforms upon which technology is most typically used, and how to identify orders or behaviors related to the approach.

What is Common Knowledge in ATT&CK Framework?

ATT&CK ends with the letter “CK,” which refers to “common knowledge.” These are detailed statements of how an enemy intends to accomplish its goal.

Common knowledge is essentially the recording of procedures. Tactics(T), Techniques(T), and Procedures(P) are standard terms for people familiar inCyber Security. However, ‘CK’ is an acronym for “P.”

ComparIson of MITRE ATT&CK to Lockheed Martin’s Cyber Kill Chain?

When it comes to comparison, both these models define the actions taken by an attacker to accomplish their objective.

The primary way the ATT&CK matrix differs from Cyber Kill Chain is that it is a collection of techniques organized by tactics and does not suggest a precise sequence of operations.

However, Lockheed Martin’s Cyber Kill Chain has seven steps, whereas the Mitre Att&ck has ten steps, as shown below.

Lockheed Martin’s Cyber Kill Chain:

  • Reconnaissance
  • Weaponization
  • Delivery
  • Exploitation
  • Installation
  • Command and Control
  • Actions on objectives

Mitre Att&ck

  • Initial access
  • Execution
  • Persistence
  • Privilege escalation
  • Defense evasion
  • Credential access
  • Discovery
  • Lateral movement
  • Collection and exfiltration
  • Command and control

What criteria does MITRE ATT&CK use to assess security products?

MITRE Engenuity is proficiently the red team(offensive security professionals) during the assessments because it cooperates with vendors.

The seller providing surveillance to MITRE Engenuity is the blue team(defensive security professionals).

The outcome is a “purple squad” that assists in the real-time testing security controls by simulating the strategy that attackers are expected to take in a real-world attack.

Best Practises of MITRE ATT&CK framework

  • Use the Groups list’s real-world applications and scenarios. There is no way of stopping unknown threats if you can’t even protect against recognized threats.
  • Using the ATT&CK matrices, identify the gaps in existing security and create strategies to fix them.
  • As a shared language to your security staff, communicate and exchange ATT&CK techniques.
  • Never believe that just because you can protect against a technique in one method means you won’t be harmed by it in another.

Benefits of the MITRE ATT&CK framework:

  • When compared to the ATT&CK tactics and techniques defensive controls apply to, defensive controls will have a clear significance.
  • When you map defenses to ATT&CK, you get a map of defensive gaps which threat hunters can use to discover missing attacker activity.
  • It can help identify defensive strengths and vulnerabilities, verify prevention and recognition controls, and expose configuration issues and other infrastructure issues.
  • Diverse services and applications can specialize in ATT&CK strategies and procedures, giving protection that is frequently missing cohesion.
  • Defenders can establish mutual understanding when communicating information regarding an assault, an individual or party, or defensive controls by employing ATT&CK techniques and tactics.
  • Red team, purple team, and penetration test operations could use ATT&CK to communicate with attackers and report receivers as well as between themselves during preparation, operation, and reporting.

Challenges of the MITRE ATT&CK framework

The great news is that the Mitre ATT&CK framework’s data permutations are pretty comprehensive. The sad fact is that it is pretty detailed.

It can be intimidating for someone in a company who is just getting started. There is a lot of data to handle, and many organizations haven’t automated much of it to correlate it to the data in their system and their security architecture.

Another challenge is not all behaviors that fit an ATT&CK strategy are malicious. For example, File Deletion is a mentioned technique in Defense Evasion that makes complete sense.

But how could you tell the difference between typical file deletions and a suspect’s attempt to avoid detection?

Similarly, we can see some ATT&CK techniques are harder to identify. Assuming you know where to look out, brute force attacks are pretty straightforward to see.

Despite if you are searching for it, exfiltration using an Alternative Protocol, such as a DNS tunnel, could be challenging to identify.

Example use cases for the ATT&CK framework:

MITRE ATT&CK can be used in a variety of ways by a security team, including:

  • Learning a shared language that can help you communicate with consultants and suppliers.
  • Perform a security breach analysis and develop a security improvement strategy.
  • Increase the effectiveness of cyber threat intelligence
  • Increase the speed with which alerts are triaged and investigated.
  • Make red team workouts and opponent simulations more realistic by creating more genuine settings.
  • Clear and concise communication to stakeholders.

MITRE ATT&CK Today

ATT&CK is among the most comprehensive and authoritative hacker tactics resources available. Cybersecurity firms are increasingly referring to attacking strategies as ATT&CK, and they’re using the MITRE ATT&CK models to create defenses and special software. MITRE updates ATT&CK regularly.

MITRE has recently published a software certification process. MITRE may certify software businesses depending on their capacity to track ATT&CK tactics.

ATT&CK Resources and projects

MITRE and other third-party developers use ATT&CK to assist the Red and Blue Teams with their pen-testing and defensive efforts.

  • Cascade – MITRE’s Blue Team automation toolkit
  • Caldera – MITRE’s emulation tool for automated attach techniques
  • Oilrig – Palo Alto’s Adversary Playbook built on the ATT&CK model.
  • Attack Navigator – web application to take notes and keep track of your ATT&CK status.
  • MITRE’s Cyber Analytics Repository – is a distinct project from ATT&CK that keeps track of specific strategies for detecting them.

Conclusion

The MITRE ATT&CK framework is a great place to start studying the latest attack tactics and techniques of cybersecurity. When planning and executing cybersecurity protections, it’s also a helpful checklist.

It is something that every company should do to improve their cloud presence. You never know when your company will be the next to be targeted by cybercriminals. It’s preferable to be safe rather than sorry.

Leave a Comment