What is the MITRE ATT&CK Framework? 14 Basic Tactics
MITRE describes ATT&CK as "a curated knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary's attack lifecycle and the platforms they are known to target."
The key words are "phases" and "behavior." A capable adversary works in phases toward an objective such as exfiltrating data or establishing long-term command and control, and each phase is made up of concrete, observable behaviors.
In ATT&CK terms a phase is a tactic (the adversary's short-term goal) and a behavior is a technique (how that goal is achieved). An intrusion is modelled as an initial tactic achieved with one or more techniques, followed by another tactic and its techniques, and so on until the adversary's objective is reached.
What Is the MITRE ATT&CK Framework?
ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge. It is a curated knowledge base whose matrices are used to model adversary behavior. A matrix is displayed as a table: the columns are the tactics used at the various stages of an attack's lifecycle, and the cells beneath each column are the techniques used to achieve that tactic. For each technique the knowledge base records the adversary groups and software known to use it, the platforms it applies to, mitigations, detection guidance and supporting references.
The framework grew out of a MITRE research experiment in which one team played the attacker and another the defender, in order to understand attack dynamics and to improve post-compromise detection through telemetry collection and behavioral analytics. It was built to help practitioners assess how well the industry can recognize known adversary behavior.
History of the ATT&CK Framework
MITRE is a not-for-profit organization that advises the US federal government on technology and engineering matters. ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) was created in 2013 as part of a MITRE research project.
Since its public release in 2015 it has been adopted by security teams across industries to defend against both established and emerging threats. It originally covered only Windows enterprise systems; it now also covers Linux, macOS, mobile, cloud and ICS environments.
Who Uses MITRE ATT&CK and Why?
A wide range of IT and security professionals use ATT&CK matrices in their work: red teamers, who play the adversary; threat hunters; security product engineers; threat intelligence analysts; and risk managers.
With ATT&CK as a guide, red teams can better understand an organization's attack surface and the weaknesses of its systems and devices, and help it develop better post-compromise mitigations. How attackers got in, where they move once inside the network, and how they evade detection are all questions the framework helps answer. It lets an organization understand its security posture, locate and evaluate weak spots in its defenses, and rank the threats to those spots by severity.
Its structure helps threat hunters understand how visible attacks against their environment are, both at the endpoint and at the network perimeter, and connect the specific techniques attackers are using against their systems.
Across the attack lifecycle, security platform developers and engineers use it to assess the effectiveness of their products, find coverage gaps, and simulate how their systems behave under attack.
4 Basic ATT&CK Matrices
ATT&CK has consisted of four main matrices. PRE-ATT&CK and ATT&CK for Enterprise both focus on intrusions into corporate networks.
- PRE-ATT&CK
Much of what an adversary does before an attack, such as reconnaissance and resource development, happens outside the organization's visibility: attackers gather publicly available information, abuse relationships with other compromised businesses, or use other means to prepare their access. PRE-ATT&CK helped defenders reason about this pre-attack activity beyond their own perimeter. In October 2020 (ATT&CK v8) PRE-ATT&CK was retired as a separate matrix and folded into ATT&CK for Enterprise as the Reconnaissance and Resource Development tactics.
- Mobile ATT&CK
The Mobile matrix describes techniques used to compromise iOS and Android devices. Built with reference to NIST's Mobile Threat Catalogue, ATT&CK for Mobile documents dozens of techniques across roughly a dozen tactics that have been used to compromise mobile devices and further an adversary's goals. It also documents network-based effects: techniques an adversary can use without physical access to the device.
- Enterprise ATT&CK
ATT&CK for Enterprise models the behavior of adversaries who breach and then operate inside a company's network. The matrix contains platform-specific techniques for a wide range of environments: Windows, macOS, Linux, Azure Active Directory, Office 365, Google Workspace, SaaS, IaaS, network devices and containers. Because PRE-ATT&CK also concerned attempts against enterprise infrastructure, its content was merged into ATT&CK for Enterprise. The Enterprise matrix lets an organization direct its security effort at the threats that pose the greatest danger to it.
- ICS ATT&CK
The matrix for Industrial Control Systems (ICS), the newest member of the ATT&CK family, is similar to Enterprise ATT&CK but focused on industrial environments such as power grids, factories and mills, and any other business that runs networked machinery, controllers, sensors and devices.
Each matrix gives a detailed description of every technique: the tactic it serves in the adversary's attack lifecycle, the assets and platforms it targets, mitigations and countermeasures, detection guidance and data sources, and procedure examples drawn from real-world intrusions.
The matrices present ATT&CK tactics in a linear order, starting with reconnaissance and ending with exfiltration, ransomware deployment or other impact on the victim.
Tactics And Techniques
Tactics in MITRE ATT&CK describe the "why" of a technique: the adversary's tactical goal, the reason for taking an action. For example, an adversary may want to obtain valid credentials, which falls under the Credential Access tactic. ATT&CK for Enterprise defines fourteen tactics:
- Reconnaissance
- Resource Development
- Initial Access
- Execution
- Persistence
- Privilege Escalation
- Defense Evasion
- Credential Access
- Discovery
- Lateral Movement
- Collection
- Command and Control
- Exfiltration
- Impact
Techniques describe the "how": the distinct set of actions an adversary takes to achieve a tactical goal. Each tactic groups the techniques that can achieve it.
Every technique in ATT&CK has been observed in use by malware or threat actor groups attempting to breach networks. Because techniques read like a playbook or "how to", they give defenders a head start in countering an incoming attack. What methods are attackers using to get into your environment? How do they stay under the radar? Can you describe their path across your network?
Techniques are further broken down into sub-techniques, which describe more specific behaviors. Where a technique describes the general approach an adversary takes, a sub-technique describes a particular way of carrying it out. For instance, the Phishing technique (T1566) is broken down into three sub-techniques (Spearphishing Attachment, Spearphishing Link and Spearphishing via Service) that explain in greater depth how attackers use phishing to compromise networks.
The library of techniques in the ATT&CK framework keeps growing; at the time of writing, ATT&CK for Enterprise included over 150 techniques and 270 sub-techniques organized under the fourteen Enterprise tactics.
What are the Procedures of the MITRE ATT&CK Framework?
Procedures describe how a specific adversary has implemented a technique or sub-technique: for instance, "APT1 is known to use credential dumping with Mimikatz." A procedure records which threat actor uses the technique, in what context, and with which tool. This knowledge is useful both for adversary emulation, including replaying an observed incident, and for detecting the behavior itself. Some of the procedure examples listed under a technique, however, are too general to drive a faithful adversary emulation on their own.
Benefits And Challenges of Using MITRE ATT&CK Framework
Pros of Using MITRE ATT&CK Framework
The fundamental advantage of the ATT&CK framework is that it helps organizations learn the habits of their adversaries and anticipate the methods they will use to break in, explore and steal information. Teams learn to see their environment from the attacker's viewpoint, which gives deeper insight into adversary goals and strategies. Staff who understand the tactics and techniques attackers use can anticipate an intrusion and respond quickly to contain and remediate it. The best defense is a good offense, as the old sports adage goes; in security, knowing the offensive playbook helps protect your network, endpoints and users.
The framework also helps junior or newly hired security staff, in a field with a severe skills shortage, by giving them a shared vocabulary and research tools to get up to speed on a given threat quickly, drawing on the expertise of the many security professionals who have contributed to the ATT&CK matrices.
Problems of Using MITRE ATT&CK Framework
As the matrices have grown in size and number, so has their complexity. The framework is comprehensive, but the sheer volume of information and the many possible combinations of tactics and techniques can be hard to digest.
For example, the fourteen tactics in ATT&CK for Enterprise cover more than 400 techniques and sub-techniques, and many techniques have several sub-techniques, multiplying the combinations further. Mapping all of that onto an existing security stack is a daunting task, and many organizations have not automated it.
Although the framework is widely used to associate network events with specific security controls, a UC Berkeley survey found that fewer than half of respondents have actually automated the security policy changes the framework points to.
Correlating events from mobile devices and endpoints with those from cloud and on-premises systems is a further difficulty.
MITRE ATT&CK vs. Cyber Kill Chain
Another well-known model for analyzing an adversary's actions is Lockheed Martin's Cyber Kill Chain. In order, its stages are:
- Reconnaissance - Harvesting information such as email addresses and conference attendee lists.
- Weaponization - Coupling an exploit with a backdoor into a deliverable payload.
- Delivery - Transmitting the weaponized bundle to the victim by email, web, USB or another vector.
- Exploitation - Exploiting a vulnerability to execute code on the victim's system.
- Installation - Installing malware on the asset.
- Command and Control (C2) - Establishing a command channel for remote manipulation of the victim.
- Actions on Objectives - With "hands on keyboard" access, the intruders accomplish their original goals.
MITRE ATT&CK and the Cyber Kill Chain differ in two main ways.
- First, ATT&CK provides far more detail on how each stage is executed, through its techniques, sub-techniques and procedures, and it is updated regularly from industry input so that defenders keep up with current tradecraft.
- Second, cloud-native attacks use tactics and techniques that the Cyber Kill Chain does not account for. The Kill Chain assumes that the threat actor delivers malware or another payload into the target environment, which is much less often the case in the cloud, where attackers typically abuse credentials, APIs and misconfigurations instead.
ATT&CK is applied in many settings. These are the most common use cases:
- Adversary Emulation - ATT&CK can be used to build adversary emulation scenarios that test and validate defenses against the techniques common adversaries use.
- Red Teaming - ATT&CK can be used to develop red team plans and organize operations so that they evade the specific defensive measures that may be in place in a network.
- Behavioral Analytics Development - ATT&CK can be used to build and test behavioral analytics that spot malicious activity in a given environment.
- Defense Gap Assessment - As a standard, behavior-focused adversary model, ATT&CK can be used to assess the tools, monitoring and mitigations in an organization's existing defenses.
- SOC Maturity Assessment - ATT&CK is one yardstick for measuring how effectively a SOC detects, analyzes and responds to intrusions.
- Cyber Threat Intelligence Enrichment - ATT&CK helps analysts understand and assess adversary groups from a behavioral, tool-agnostic perspective.
How to use Mitre ATT&CK?
The matrix lays out all known tactics and techniques visually. Tactics run across the top; under each, you can drill into the techniques and sub-techniques that achieve it.
An attack path is read from left to right, beginning with Reconnaissance and Initial Access and ending with Command and Control, Exfiltration or Impact. A tactic can be achieved by any of several techniques: in a spearphishing campaign, for instance, an attacker may try both a malicious attachment and a link to a malicious website.
An effective attack does not need all fourteen tactics across the top of the matrix. To stay efficient and avoid detection, an attacker uses the minimum set of techniques needed to reach the objective.
MITRE ATT&CK Framework Tools
The following tools and resources help you work with the framework:
- ATT&CK Navigator
Navigator is a free, browser-based tool for exploring and annotating ATT&CK matrices. You build layers in which each technique cell can be colored, scored and commented, for example to show detection coverage, red team test results or a threat group's known techniques, and you can overlay or compare several layers. It runs directly in the browser for quick work, or can be downloaded and hosted locally for a more permanent setup.
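The Defense Gap Assessment use case above is usually done by feeding Navigator a layer file. The following Python, an example added for this article (it is not MITRE code and not part of the original page), builds such a layer from a detection-coverage inventory. The inventory is constructed: the technique IDs are real Enterprise ATT&CK identifiers, but the analytic counts are invented, and the ATT&CK and Navigator version numbers written into the layer are assumptions to be set to the releases you actually run.

```python
"""Generate an ATT&CK Navigator layer from a detection-coverage inventory.

Added example written for this article; not MITRE code. The coverage
inventory is constructed (real technique IDs, invented analytic counts) and
the version numbers in the layer are assumed.
"""
import json
import re

# Technique IDs are "T" plus four digits, with an optional ".nnn" sub-technique suffix.
TECHNIQUE_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")

# Constructed inventory: technique ID -> number of independent analytics covering it.
COVERAGE = {
    "T1566.001": 2,  # Phishing: Spearphishing Attachment
    "T1566.002": 1,  # Phishing: Spearphishing Link
    "T1003.001": 3,  # OS Credential Dumping: LSASS Memory
    "T1059.001": 1,  # Command and Scripting Interpreter: PowerShell
    "T1021.001": 0,  # Remote Services: Remote Desktop Protocol (a known gap)
}


def parse_technique_id(tid):
    """Split 'T1566.001' into ('T1566', '001'); the sub part is None for a parent ID."""
    if not TECHNIQUE_ID.match(tid):
        raise ValueError(f"not an ATT&CK technique ID: {tid!r}")
    parent, _, sub = tid.partition(".")
    return parent, (sub or None)


def parent_coverage(coverage):
    """Roll sub-technique counts up to their parent technique."""
    totals = {}
    for tid, count in coverage.items():
        parent, _ = parse_technique_id(tid)
        totals[parent] = totals.get(parent, 0) + count
    return totals


def coverage_gaps(coverage):
    """Technique IDs with no analytic at all, sorted for a stable report."""
    return sorted(tid for tid, count in coverage.items() if count == 0)


def score_to_color(score):
    """Red for no coverage, amber for a single analytic, green for two or more."""
    if score == 0:
        return "#ff6666"
    if score == 1:
        return "#ffe766"
    return "#8ec843"


def build_layer(coverage, name="Detection coverage", domain="enterprise-attack"):
    """Return a Navigator layer as a dict; dump it to JSON and open it in Navigator."""
    techniques = []
    for tid, count in sorted(coverage.items()):
        parse_technique_id(tid)  # reject malformed IDs before they reach the UI
        techniques.append({
            "techniqueID": tid,
            "score": count,
            "color": score_to_color(count),
            "comment": f"{count} analytic(s)",
            "enabled": True,
        })
    return {
        "name": name,
        # Assumed versions; set these to the ATT&CK and Navigator releases you run.
        "versions": {"attack": "13", "navigator": "4.8.2", "layer": "4.4"},
        "domain": domain,
        "description": "Generated from the detection inventory; red cells are gaps.",
        "techniques": techniques,
        "legendItems": [
            {"label": "no analytic", "color": "#ff6666"},
            {"label": "one analytic", "color": "#ffe766"},
            {"label": "two or more", "color": "#8ec843"},
        ],
    }


if __name__ == "__main__":
    print(json.dumps(build_layer(COVERAGE), indent=2))
    print("gaps:", coverage_gaps(COVERAGE))
```

Save the printed JSON to a file and open it with Navigator's "Open Existing Layer" option; every red cell is a technique you have no analytic for. Rolling sub-technique counts up to the parent (parent_coverage) matters because a team that covers only Spearphishing Attachment should not read the Phishing column as fully covered.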
- MITRE Cyber Analytics Repository (CAR)
CAR is MITRE's repository of detection analytics. Each analytic records a hypothesis about the adversary behavior it detects, the information domain it operates on (host, network and so on), references to the specific ATT&CK techniques it covers, and pseudocode, often accompanied by implementations for particular tools, showing how the analytic can be built.
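The procedure example given earlier ("APT1 is known to use credential dumping with Mimikatz") is the kind of observation a CAR analytic turns into detection logic, which is the Behavioral Analytics Development use case listed above. The following Python is an example added for this article, not a MITRE CAR analytic and not code from the original page: it implements a CAR-style analytic for ATT&CK T1003.001 (OS Credential Dumping: LSASS Memory) over process-creation events. The event records are constructed to resemble the fields of a Sysmon Event ID 1 record; the hostnames, users and paths are invented.

```python
"""A CAR-style behavioral analytic over process-creation events.

Added example written for this article; not a MITRE CAR analytic. Detects
ATT&CK T1003.001 (OS Credential Dumping: LSASS Memory) from command lines.
The sample events are constructed to look like Sysmon Event ID 1 fields.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    user: str
    image: str          # path of the created process
    command_line: str
    parent_image: str   # path of the parent process


TECHNIQUE = "T1003.001"

# Command-line indicators of LSASS memory access. Each rule is (name, pattern).
LSASS_DUMP_RULES = [
    ("mimikatz sekurlsa module", re.compile(r"sekurlsa::", re.I)),
    ("procdump targeting lsass", re.compile(r"procdump(?:64)?\.exe.*\blsass\b", re.I)),
    ("comsvcs.dll MiniDump via rundll32", re.compile(r"comsvcs\.dll[,\s]+#?(?:24|MiniDump)\b", re.I)),
]


def lsass_dump_analytic(events):
    """Return (event, rule name, technique ID) for each event that matches a rule.

    The CAR pseudocode this implements would read:
        processes = search Process:Create
        dumps = filter processes where command_line matches <indicator>
        output dumps
    """
    hits = []
    for event in events:
        for name, pattern in LSASS_DUMP_RULES:
            if pattern.search(event.command_line):
                hits.append((event, name, TECHNIQUE))
                break  # one alert per event is enough
    return hits


def techniques_by_host(hits):
    """Summarize alerts as host -> sorted list of ATT&CK technique IDs seen there."""
    summary = {}
    for event, _, technique in hits:
        summary.setdefault(event.host, set()).add(technique)
    return {host: sorted(techs) for host, techs in summary.items()}


# Constructed sample telemetry: three dumping attempts and two benign events.
SAMPLE_EVENTS = [
    ProcessEvent("WS01", "CORP\\alice", r"C:\Users\alice\Downloads\mimikatz.exe",
                 'mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit',
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent("SRV02", "CORP\\svc_backup", r"C:\Tools\procdump64.exe",
                 r"procdump64.exe -accepteula -ma lsass.exe C:\temp\lsass.dmp",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcessEvent("SRV02", "CORP\\svc_backup", r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\temp\lsass.dmp full",
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent("WS03", "CORP\\bob", r"C:\Tools\procdump64.exe",
                 r"procdump64.exe -ma notepad.exe C:\temp\notepad.dmp",  # legitimate debugging
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent("WS03", "CORP\\bob", r"C:\Windows\System32\notepad.exe",
                 "notepad.exe report.txt", r"C:\Windows\explorer.exe"),
]


if __name__ == "__main__":
    alerts = lsass_dump_analytic(SAMPLE_EVENTS)
    for event, rule, technique in alerts:
        print(f"{technique} {rule}: {event.host} {event.user} -> {event.command_line}")
    print(techniques_by_host(alerts))
```

Note the caveat a CAR entry would also carry: these indicators key on command-line strings, so a renamed binary or an obfuscated argument evades them. That is why LSASS dumping analytics are normally paired with a second data source, such as Sysmon process-access events (Event ID 10) whose target is lsass.exe, and why the benign procdump of notepad.exe is deliberately left unflagged to keep the false-positive rate manageable.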
- Red Canary Atomic Red Team
Atomic Red Team is an open-source library of small tests, mapped to ATT&CK techniques, that simulate adversary behavior so that security teams can verify that their controls detect it. Each test is narrow in scope, has few dependencies, and is written in a standard YAML format so that automation frameworks can execute it.
In short, MITRE ATT&CK is a framework that helps security professionals understand and organize knowledge about cyber threats and attacks. It provides a common language and reference for describing and analyzing attacker tactics, techniques and procedures (TTPs), and helps organizations improve their threat detection and response capabilities. By using it, organizations can strengthen their security posture and develop a better understanding of the threats they face.