Understanding the MITRE ATT&CK Framework
Reading time: 14 minutes
Before an organization can develop and maintain a successful and relevant threat detection and defense strategy, it must first gain a solid understanding of common adversary techniques. The organization needs to know the various activities that can pose a threat, and how to detect and mitigate them.
With the current threat landscape featuring innumerable volumes of attack tactics and techniques, it proves challenging, if not nearly impossible, for every organization to monitor, document and communicate each of them.
Cybersecurity frameworks provide a comprehensive plan of standards, guidelines and common language that can predict many of the challenges faced by organizations in protecting critical data and infrastructure in their efforts to better manage cybersecurity risks. Organizations commonly rely on these frameworks to alleviate guesswork, and provide a baseline structure that's further modified to meet the specific organization's needs and goals.
After delving into the NIST Cybersecurity Framework, we now turn to another cybersecurity framework often used as a foundation for organizations developing customized threat models.
MITRE has developed the ATT&CK framework, which systematically defines and organizes common behaviour observed to be carried out by malicious attackers in the wild. It provides a common language that can be used by security teams to communicate these activities.
The ATT&CK framework is globally recognized as an authority on understanding the behaviour models and techniques that adversaries use against organizations. It allows industry professionals a way to discuss, collaborate on and share intelligence regarding adversary methods and provides practical applications of detection, mitigation and common attributes.
- What is the MITRE ATT&CK framework?
- MITRE ATT&CK matrix
- How organizations can use MITRE ATT&CK
- MITRE ATT&CK vs. the Cyber Kill Chain
- Conclusion
What is the MITRE ATT&CK framework?
MITRE ATT&CK, an abbreviation of MITRE'S Adversarial Tactics, Techniques and Common Knowledge is a comprehensive knowledge base and framework for understanding and categorizing adversary behaviour based on real-work observations of various phases of their attack lifecycle.
Created in 2013 by the MITRE Corporation, a not-for-profit organization that works across government agencies and various industry and academic institutions, the framework is a globally available collection documenting malicious behaviors carried out by advanced persistent threat (APT) groups.
While information found in ATT&CK does represent APT behaviors, those malicious behaviors occur every day in organizations of all sizes. Consequently, various public and private sector organizations, no matter the size, have adopted the framework.
Importance of the MITRE ATT&CK framework
ATT&CK is regularly updated by MITRE experts, industry researchers and contributors, thus providing a relevant resource for organizations to create their own threat models and test in-place cybersecurity controls against threats in the current landscape.
The tactics, techniques and procedures (TTPs) documented in the framework provide a standardized way for threat hunters, red teams, security operations centers (SOCs), and defenders to understand the cybersecurity risks of known adversary actions and inform a more vigorous defense strategy.
To better grasp the importance of knowledge MITRE ATT&CK engages, let's turn to a concept developed by David Bianco called "Pyramid of Pain". Bianco argues that not all indicators of compromise (IoCs) are created equal.
Just as in ATT&CK, Pyramid of Pain takes the adversary's point of view, defining the pyramid with levels of pain the adversary will feel when they are denied a specific indicator.
Pyramid of Pain, by David Bianco
TTPs represent the apex of the pyramid—the highest pain level if denied to adversaries. When organizations detect and respond to threats at this level, it means they are operating based on adversary behaviors, rather than just their tools or parts of their attack sources. The thing is, tools can be replaced with other existing or newly created tools, but responding directly to adversary TTPs forces them to take the toughest action they can in order to adapt—change all their behaviour and tactics—and quickly.
MITRE ATT&CK matrices
Attackers, however, exhibit and utilize different TTPs based on their target. This is why MITRE provides 3 separate matrices to address distinct attack environments:
- Enterprise ATT&CK is a matrix that addresses Windows, macOS, Linux, cloud (Azure AD, Office 365, Google Workspace, SaaS, IaaS), network and container environments. It also includes "PRE" that contains information on adversary preparatory techniques.
- Mobile ATT&CK covers adversarial tactics and techniques used to access mobile devices without device access. It covers information related to Android and iOS platforms.
- ICS ATT&CK is a knowledge base that covers actions an adversary might take when in an environment of industrial control systems (ICS).
Although these matrices share some common tactics, each features specific techniques that are dependent on the environment their adversaries operate in. In this post, we'll focus on the Enterprise Matrix.
MITRE ATT&CK matrix
Elements of the model presented by ATT&CK are tactics, techniques and procedures, or TTPs. Tactics, here, answer the question of what objective the attacker wanted to achieve. Techniques (and sub-techniques) present the "how" of an attack in practice and how the objectives (tactics) are accomplished. As for procedures (or "common knowledge" if going by the "CK" in "ATT&CK"), MITRE ATT&CK matrix addresses specific applications of techniques threat actors and groups have used to reach an objective.
The framework also includes detection and mitigation suggestions as well as software used in attacks—including those intended for malicious purposes by adversaries (malware) and tools that are used by offensive and defensive security professionals and malicious actors alike (commonly, red team tools such as Mimikatz, Metasploit, etc.).
The MITRE ATT&CK matrix also has different sections that each contain information on various platforms such as Windows, macOS, Linux, Cloud, Network and Containers, as well as a "PRE" sub-section addressing activities occurring pre-attack. The most distinct sub-section in the Enterprise Matrix is the Cloud Matrix, which itself offers information for different platforms including Azure AD, Google Workspace, Office 365, SaaS and IaaS. Adversary behaviour and techniques used in cloud attacks are not similar and don't follow the same scenarios as attacks on other platforms.
MITRE ATT&CK tactics
As mentioned, MITRE ATT&CK tactics are the adversary's technical goals (as enumerating every attackers' high-level goal wouldn't be possible) and objectives they hope to achieve with an attack technique. Each objective contains the specific techniques that attackers have been observed to use themselves.
The tactics are presented in a linear fashion, starting from the intel gathering stage all the way to exfiltration and impact, but need not be used in that order—in fact, they don't propose a specific order or activities.
MITRE currently recognizes 14 different attack tactics:
-
Reconnaissance: The initial phase of attempting to exploit a target by obtaining as much information about the target as possible. This tactic enables attackers to discover crucial details about a target network, such as system vulnerabilities and potential attack vectors.
-
Resource development: An attack tactic in which adversaries establish resources to carry out their activities, such as acquiring needed infrastructure, developing capabilities and compromising accounts and infrastructure.
-
Initial access: Addresses the various entry vectors attackers used to gain initial foothold within a network. Examples include spear phishing, exploiting public-facing applications, supply chain compromise and the like.
-
Execution: Consists of techniques that have a goal of running adversary-controlled malicious code or remote access tools on the target system. It's often paired with techniques from other tactics to achieve goals on a wider scale.
-
Persistence: Includes techniques adversaries use to attempt to keep access to target systems despite activities that can potentially cut off their access (such as restarts and credential changes).
-
Privilege escalation: Privilege escalation includes the techniques and activities adversaries use to gain higher-level permissions and access on a system or a network. Techniques they use to achieve this objective include exploiting system misconfigurations and vulnerabilities.
-
Defense evasion: This is the one objective with the most distinct techniques used by attackers to avoid detection throughout their compromise. This includes the disabling of security controls and obfuscating data.
-
Credential access: Because legitimate credentials give adversaries access to more systems and makes them harder to detect, this objective is the stealing of credentials, using techniques such as brute force attacks, keylogging and credential dumping.
-
Discovery: Describes techniques adversaries use to gain knowledge about an internal network, in order to observe the environment and decide the next step of their compromise.
-
Lateral movement: Involves the process of moving from one compromised system on a network to another, as a means of gaining access to more information and areas of a network not yet reached.
-
Collection: Includes techniques adversaries use to collect information and sources of information relevant to achieving their objectives. Common information sources include browsers, audio, video and email, and a common technique to achieve it is a man-in-the-middle attack.
-
Command and control: The stage in which adversaries try to communicate with systems under their control on the target network. Relevant techniques include data obfuscation, protocol tunneling and traffic signaling.
-
Exfiltration: Almost at the end of cycle, exfiltration includes the techniques adversaries use to steal data from the target network while avoiding detection with compression and encryption. One common technique for exfiltrating data from a network is transferring it over a command and control channel.
-
Impact: The techniques used by adversaries to follow through on reaching their final goal, such as disrupting availability or compromising integrity of sensitive data and the target's operations.
MITRE ATT&CK techniques
Each of the 14 tactics in the MITRE ATT&CK matrix includes a wide array of techniques that are observed being used by threat actors in compromising public and private sector networks. Techniques represent how adversaries carry out a tactic and reach an objective in the real world.
While there are only 14 tactics at the time of this writing, there are over 200 techniques—215 to be exact. Each technique is further explained in detail with sub-techniques that amount to nearly 500 in practice.
Each technique in the MITRE ATT&CK framework provides specific information:
- ID: An identifier presented in the format "Txxx": for example, phishing is T1566 and sandbox evasion is T1497.
- Sub-techniques: Refers to the more specific techniques, or distinct ways in which a technique is carried out by an adversary.
- Tactic: The objective of the technique.
- Platforms: Different platforms (Windows, Linux, macOS, cloud, etc.) to which the technique is applicable.
- Data sources: Sources for information that can identify the technique, usually collected by a logging system.
- Procedures: Specific ways in which threat groups used the technique to reach their objective.
- Mitigation: Mitigation and defense strategies for the technique.
- Detection: Methods for detecting adversaries on a network and indicators of compromise (IoC).
Adversaries often use a number of techniques to reach their overall objective, and a single technique can be used to achieve multiple goals. For example, man-in-the-middle attacks are used for both collection and credential access, and sandbox evasion is used for evasion and discovery objectives.
How organizations can use MITRE ATT&CK
Throughout organizations in both the private and public sectors, the everyday activities of various teams benefit from applying ATT&CK's taxonomy. Red teams, blue teams, purple teams, security operations center (SOC) analysts, threat hunters, incident responders and many other security professionals rely on the MITRE ATT&CK framework.
The framework empowers adversary emulation, improves threat hunting, enriches cyber threat intelligence feeds in SOCs, provides data-driven decisions for cybersecurity strategies and is commonly integrated with security tools such as endpoint detection and response (EDR) and security information and event management (SIEM).
The MITRE ATT&CK framework shines brightest when organizations apply it to:
Cyber threat intelligence
The main objective of cyber threat intelligence is to enable organizations with an overview of what's happening outside their network, improving their visibility over cyber threats for effective threat detection and response. They can then leverage IoCs from various sources to map adversary TTPs and predict their behaviour during the attack, before further system damage occurs.
In order to act proactively, rather than reactively, using threat intelligence to achieve a threat-informed defense strategy is crucial. Enriching it with the MITRE ATT&CK framework allows security teams to obtain the information they'll need to detect future attacks before they strike.
Threat hunting
Another area where MITRE ATT&CK helps as a proactive security measure is threat hunting. Threat hunting aids organizations in identifying threats even where only limited intelligence is available. ATT&CK taxonomy allows for collecting and filtering information based on knowledge of adversary TTPs, in order to efficiently detect malicious activity.
With ATT&CK, security professionals can leverage empirical-driven use cases to detect active or residual adversarial activity on a network. The framework helps facilitate a hunting process that uncovers particulars that can be used to build custom detection metrics.
Risk management
Risk management allows organization and business leaders to make better-informed decisions for preventing and mitigating security risks based on their probability and outcome, by implementing policies, procedures and practices to manage cybersecurity risk.
By using knowledge and data produced by MITRE ATT&CK, organizations can measure their existing capabilities to justify training and investments based on detected defense coverage gaps.
Testing regulatory compliance controls
On an ongoing basis, MITRE ATT&CK can help organizations conduct tests on their security controls and measures, and map them to characteristics and techniques used in attacks, in order to assess compliance with regulatory requirements.
Commercial security solutions evaluation
MITRE has been using the ATT&CK framework to evaluate the performance of various security products since 2018. MITRE ATT&CK Evaluations are yearly releases of MITRE's assessment of various vendors, regarding their ability to detect and respond to real-life threat actors and groups within the context of the ATT&CK knowledge base featuring different threat actors each year. This helps organizations assess their security products based on real-life cyber attacks and consumer transparency, to know what they're investing in, how efficient the platform is, and the metrics they need to compare it with others in the market.
Adversary emulation and red teaming
Because it shares an adversary's point of view in the cyber attack process, the clearest, most common use case for ATT&CK is adversary emulation and organization of red team operations. Using the intelligence provided by TTPs from ATT&CK red teams can create relevant adversary emulations for testing and verifying an organization's defenses, as well as to demonstrate the impact of a cyber attack and various adversary techniques.
Determining defense gaps
The ATT&CK framework is updated when there are significant impacts to the threat landscape, usually quarterly. This allows organizations to rely on the framework to assess their defenses, tools and visibility. And by assessing all these elements of an organization's cybersecurity posture, ATT&CK provides the ability to identify any gaps, so appropriate measures and tools should be implemented.
MITRE ATT&CK vs. the Cyber Kill Chain
The Lockheed-Martin corporation extended a military concept of a kill chain and applied it to cybersecurity, releasing an intrusion kill chain framework in 2011. It was intended to represent a well-defined sequence of cyber attack phases, to be used by organizations to better understand adversary behaviour during cyber attacks and help them defend their networks.
Claiming that attacks occur in phases, and can be interrupted with controls at each space, the now well known "Cyber Kill Chain" is adopted across industry organizations to define stages of cyber attacks as well as in red teams for such stages in their own activities.
The Cyber Kill Chain framework contains fewer stages than MITRE ATT&CK, and is represented in a sequence:
- Reconnaissance
- Weaponization
- Delivery
- Exploitation
- Installation
- Command and control
- Actions on objectives
The primary and most apparent difference between the MITRE ATT&CK framework and the Cyber Kill Chain is the detailed nature of ATT&CK and each stage of the proposed model. Secondly, and as mentioned, MITRE ATT&CK provides a model for documenting the objectives and techniques used throughout the different stages of a cyber attack that can be combined and used at different times during the compromise (or red team operations).
Conversely, red teams and adversaries in the Cyber Kill Chain move directly from the first reconnaissance stage to delivery and the overall goal, in that exact order, to better identify and stop adversaries at each specific stage.
Additionally, the relevant, constantly updated and detailed documentation ATT&CK offers also sets it apart from Cyber Kill Chain and other models used to track and understand characteristics of intrusions by cyber adversaries. Most industry professionals use MITRE ATT&CK and its terminology today. Commercial security vendors use its terminology in their solutions as well as for product evaluations, and organizations use it for defense testing and standardized conversations.
Conclusion
The reason behind ATT&CK's rapid and widespread adoption by the cybersecurity community is its ability to index every relevant tidbit of a cyber intrusion, from both the offensive and defensive sides. ATT&CK includes information about threat groups, all of their TTPs, procedures and real-world examples, as well as mitigation and software references. It can be used with equal efficiency by red teams and blue teams with various mapped attack scenarios, and other resources such as MITRE ATT&CK Evaluations aid organizations and vendors for product assessment.
While cybersecurity frameworks are viewed as theoretical models, MITRE ATT&CK goes one step further as a practical showcase of cyber intrusions and adversary behaviour. After all, knowing and being able to predict your enemy's behaviour is the best way to uncover their weaknesses, and ultimately stop them.
