What is the MITRE ATT&CK Framework?

The MITRE ATT&CK framework is a curated knowledge base of tactics, techniques, and procedures (TTPs) designed to help classify attacks, identify attack objectives, and provide suggestions for threat and vulnerability detection and mitigation. It was developed in 2013 by MITRE Corporation, and is regularly updated.

Unlike other cyber security models, the MITRE ATT&CK framework takes the attacker’s perspective. This perspective helps cybersecurity practitioners understand how adversaries approach, prepare for, and execute cyber attacks. Traditionally, the MITRE ATT&CK framework has been used for threat detection. More recently its use has been extended to vulnerability management.

The MITRE ATT&CK framework uses real-world observations from cyber attacks to document common adversary behavior. As new vulnerabilities and attack methods surface, they are added to the framework. The MITRE ATT&CK framework continues to be quickly adopted by organizations worldwide as an industry standard for cataloging attacker behavior.

What Does ATT&CK Stand For?

ATT&CK is an acronym that stands for adversarial tactics, techniques, and common knowledge. The MITRE ATT&CK Framework provides a taxonomy and knowledge base of adversarial actions for every stage of a cyber attack.

What are ATT&CK tactics?

ATT&CK tactics describe the technical objectives (the “why”) behind an attacker’s actions. For example, the Enterprise ATT&CK matrix (learn more about matrices below) lists the following tactics:

  • Initial Access
  • Execution
  • Persistence
  • Privilege Escalation
  • Defense Evasion
  • Credential Access
  • Discovery
  • Lateral Movement
  • Collection
  • Exfiltration
  • Command and Control
  • Impact
  • Resource Development
  • Reconnaissance

Adversaries typically use multiple tactics in the course of a cyber attack. For example, they may wish to get into a network (initial access), run malicious code (execution) and steal account names or passwords (credential access).

What are ATT&CK techniques?

Techniques describe the “how”: the many ways an adversary can achieve a tactical goal. For example, an attacker may look to gain initial access (the tactic) by using brute force (the technique) to steal account names or passwords. Sometimes techniques are further broken into sub-techniques. For example, the brute force technique can be broken into four sub-techniques: password guessing, password cracking, password spraying and credential stuffing.

A description of the brute force technique listing its four sub-techniques (source: MITRE)

What is Common Knowledge in the ATT&CK Framework?

The “CK” at the end of the ATT&CK acronym stands for common knowledge. Common knowledge documents attacker procedures. For example, a procedure could be a malware variant that an adversary uses to implement a particular technique or sub-technique. While techniques and sub-techniques categorize behavior, procedures describe the specific implementation an adversary uses to carry out the attack.

What is a MITRE ATT&CK Matrix?

A MITRE ATT&CK Matrix contains a set of tactics and techniques used by adversaries to carry out an attack. There are currently four matrices that comprise the ATT&CK framework. The Enterprise ATT&CK Matrix is most commonly used by enterprises today. The Pre-ATT&CK and Enterprise ATT&CK matrices both describe how attacks are performed on enterprise infrastructure.

  • Pre-ATT&CK: Many of the activities that adversaries take before compromising an enterprise are done outside of the organization’s network. These tactics and techniques are difficult to detect. The Pre-ATT&CK Matrix helps organizations better monitor and understand the activities that occur outside of their network.
  • Enterprise ATT&CK: Adversaries can take many actions to compromise and execute their activities within an enterprise network. The Enterprise ATT&CK Matrix details the specific tactics and techniques for a broad range of platforms including Windows, macOS, Linux, Azure AD, Office 365, Google Workspace, SaaS, IaaS, networks, and containers.
  • Mobile ATT&CK: The Mobile ATT&CK Matrix describes the tactics and techniques that have been performed on mobile devices, notably iOS and Android devices. It also describes tactics and techniques that are used when access to the actual mobile device isn’t required.
  • ICS ATT&CK: The most recent matrix added to the ATT&CK framework is the MITRE ATT&CK Matrix for Industrial Control Systems (ICS). It is similar to the Enterprise ATT&CK Matrix except that its focus is the industrial control systems that are used to manage power grids, factories, mills, etc.

The four MITRE ATT&CK Matrices

Each of the matrices provides detailed descriptions of attacker tactics, techniques and common knowledge. They also outline the detection and mitigation approaches and examples of real-world usage.

Partial view of the Enterprise ATT&CK matrix, showing the resource development, initial access and execution tactics, along with their techniques and sub-techniques (source: MITRE)

When viewing the matrices, such as the Enterprise ATT&CK matrix above, the tactics are listed horizontally. The associated techniques and sub-techniques appear beneath each tactic. For example, under the initial access tactic you can find the phishing technique and its three sub-techniques – spear phishing attachment, spear phishing link and spear phishing via service. On the MITRE website, you can click on the tactics, techniques and sub-techniques to get detailed information on each.
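The tactic / technique / sub-technique layout described above is exactly what MITRE's machine-readable release encodes: each technique is a STIX `attack-pattern` object whose `external_references` carry the ATT&CK ID (T1566, T1566.001, ...) and whose `kill_chain_phases` name the tactic column(s) it sits under. The following is an added example, not code from the original article or from MITRE, that rebuilds that matrix view from a bundle in the same object layout. The bundle is a constructed, trimmed excerpt (real technique IDs for phishing, brute force and valid accounts, plus a made-up revoked object `T9999` to show that retired entries are skipped), not MITRE's published file.

```python
"""Build a tactic -> technique -> sub-technique view from an ATT&CK-style STIX bundle.

Added example. The SAMPLE_BUNDLE below is constructed for illustration: it uses
the same object layout as MITRE's enterprise-attack.json but only a few objects.
"""
import json
from collections import defaultdict


def _ap(name, ext_id, tactics, revoked=False):
    """Constructed helper: emit one attack-pattern object in ATT&CK's STIX layout."""
    return {
        "type": "attack-pattern",
        "name": name,
        "revoked": revoked,
        "x_mitre_is_subtechnique": "." in ext_id,
        "external_references": [{"source_name": "mitre-attack", "external_id": ext_id}],
        "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": t} for t in tactics],
    }


# Constructed sample bundle (real IDs except T9999, which is a placeholder revoked entry).
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--constructed-sample", "objects": [
    _ap("Phishing", "T1566", ["initial-access"]),
    _ap("Spearphishing Attachment", "T1566.001", ["initial-access"]),
    _ap("Spearphishing Link", "T1566.002", ["initial-access"]),
    _ap("Spearphishing via Service", "T1566.003", ["initial-access"]),
    _ap("Brute Force", "T1110", ["credential-access"]),
    _ap("Password Guessing", "T1110.001", ["credential-access"]),
    _ap("Password Cracking", "T1110.002", ["credential-access"]),
    _ap("Password Spraying", "T1110.003", ["credential-access"]),
    _ap("Credential Stuffing", "T1110.004", ["credential-access"]),
    # One technique can sit under several tactic columns.
    _ap("Valid Accounts", "T1078", ["initial-access", "persistence", "privilege-escalation", "defense-evasion"]),
    _ap("Retired Example", "T9999", ["initial-access"], revoked=True),  # constructed: must be skipped
]})


def attack_id(obj):
    """Return the ATT&CK ID (e.g. 'T1110.001') from an object's external references."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref["external_id"]
    return None


def build_matrix(bundle_json):
    """Parse a STIX bundle into {tactic: {technique_id: {"name": ..., "subtechniques": {...}}}}.

    Revoked or deprecated techniques are skipped, as they are hidden on the live matrix.
    """
    bundle = json.loads(bundle_json)
    patterns = [o for o in bundle["objects"]
                if o.get("type") == "attack-pattern"
                and not o.get("revoked") and not o.get("x_mitre_deprecated")]
    matrix = defaultdict(dict)
    # Parent techniques first, one slot per tactic column they appear in.
    for obj in patterns:
        if obj.get("x_mitre_is_subtechnique"):
            continue
        tid = attack_id(obj)
        for phase in obj.get("kill_chain_phases", []):
            if phase.get("kill_chain_name") == "mitre-attack":
                matrix[phase["phase_name"]][tid] = {"name": obj["name"], "subtechniques": {}}
    # Sub-techniques attach to their parent (the part of the ID before the dot).
    for obj in patterns:
        if not obj.get("x_mitre_is_subtechnique"):
            continue
        sid = attack_id(obj)
        parent = sid.split(".")[0]
        for techniques in matrix.values():
            if parent in techniques:
                techniques[parent]["subtechniques"][sid] = obj["name"]
    return dict(matrix)


def render(matrix, tactic):
    """Render one tactic column the way the matrix shows it: technique, then sub-techniques."""
    lines = [tactic]
    for tid, tech in sorted(matrix.get(tactic, {}).items()):
        lines.append(f"  {tid} {tech['name']}")
        for sid, name in sorted(tech["subtechniques"].items()):
            lines.append(f"    {sid} {name}")
    return "\n".join(lines)


if __name__ == "__main__":
    m = build_matrix(SAMPLE_BUNDLE)
    for column in ("initial-access", "credential-access"):
        print(render(m, column))
```

The same parser runs unchanged against the full `enterprise-attack.json` bundle that MITRE publishes in its CTI repository; only the number of objects differs. Checking the `revoked` and `x_mitre_deprecated` flags matters in practice because the published bundle keeps retired techniques for historical mappings, and detection content keyed to them would otherwise look current.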

Who uses the MITRE ATT&CK Framework and what are its benefits?

The MITRE ATT&CK framework is used globally by organizations in all industries and across multiple cybersecurity disciplines including threat hunting, intrusion detection, threat intelligence, risk management and more. The wealth of information provided in each of the four matrices helps security practitioners detect the behaviors used by adversaries and analyze threats. It gives them a common language. And it allows them to make informed decisions about what tools and security defenses to deploy. Security practitioners can also use the MITRE ATT&CK Framework to improve cyber risk mitigation, assess their cyber risk and security readiness and effectively respond to all forms of threats.

How to use the MITRE ATT&CK Framework for vulnerability management?

The MITRE ATT&CK Framework can be used for vulnerability management, notably to prioritize which vulnerabilities to fix first. By mapping a common vulnerability and exposure (CVE) to TTPs, security practitioners can better assess the impact if that CVE were to be exploited. They can also take action to mitigate their risk and implement controls to improve their cyber security posture.

Security teams can also map TTPs to their CVEs and security controls to improve resource allocation and productivity by wasting less time remediating risks that matter less. Moreover, if they are able to use a risk-based vulnerability management solution that does this mapping automatically, they will be able to accurately analyze vulnerability data and prioritize vulnerabilities in real time.

Frequently Asked Questions

What is the MITRE ATTACK Framework?

The MITRE ATT&CK Framework is a knowledge base of adversarial tactics, techniques and procedures (TTPs) that provides a common taxonomy to describe known cyber threats. It is a powerful tool that can help organizations identify, prioritize and mitigate cyber attacks.

What are tactics, techniques and procedures (TTPs)?

ATT&CK is an acronym that stands for adversarial tactics, techniques, and common knowledge. The ATT&CK model includes three components – tactics, techniques and procedures – commonly referred to as TTPs. Tactics are the technical objective or action the adversary is trying to achieve, techniques and sub-techniques are the methods an adversary uses to accomplish their objective, and procedures are descriptions of what is being used to perform this method of attack.

What is the MITRE ATT&CK Matrix?

A MITRE ATT&CK matrix outlines a set of techniques and procedures that have been used by adversaries to accomplish specific objectives, known as tactics. The MITRE ATT&CK Framework currently comprises four matrices – PRE-ATT&CK, Enterprise ATT&CK, Mobile ATT&CK and ICS ATT&CK. Each of the matrices includes detailed descriptions of the systems covered in that matrix, techniques and tactics, detection and mitigation approaches and examples of real-world usage.

