Everything You Need to Know About MITRE ATT&CK Framework

By Shanika W., Cybersecurity Analyst. 4 June 2024. Fact-checked by Miklos Zoltan.

The MITRE ATT&CK framework is a good place to start studying current adversary tactics and techniques. It is also a useful checklist when planning and implementing cybersecurity protections.

In this article we will guide you through:

  • What is the MITRE ATT&CK Framework?
  • How did MITRE come to exist?
  • ATT&CK Matrices
  • What are the tactics of the ATT&CK Framework?
  • What are the techniques of the ATT&CK Framework?
  • What is Common Knowledge in the ATT&CK Framework?
  • Comparison of MITRE ATT&CK to Lockheed Martin’s Cyber Kill Chain
  • What criteria does MITRE ATT&CK use to assess security products?
  • Best Practices of the MITRE ATT&CK framework
  • Benefits of the MITRE ATT&CK framework
  • Challenges of the MITRE ATT&CK framework
  • Example use cases for the ATT&CK framework
  • MITRE ATT&CK Today
  • ATT&CK Resources and projects

Summary: This article covers the MITRE ATT&CK framework, a comprehensive and publicly available knowledge base of adversary tactics and techniques drawn from real-world observations.

The article provides an in-depth look at the framework’s origins, matrices, tactics, techniques, and common knowledge, and compares it to Lockheed Martin’s Cyber Kill Chain.

It also explores the criteria MITRE ATT&CK uses to evaluate security products, best practices, benefits, challenges, example use cases, and resources related to the framework.

The MITRE ATT&CK framework is invaluable for helping companies plan and implement cybersecurity protections, and every organization should use it to enhance their security posture.


What is the MITRE ATT&CK Framework?

ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge. The MITRE ATT&CK framework is a publicly available knowledge base of adversary tactics and techniques drawn from real-world observations.

It can be accessed from anywhere in the world. Its purpose is to give you knowledge of past security attacks and of the tactics and techniques used in them, so that you can measure whether your defensive mechanisms are good enough to prevent them and decide what new actions to take against possible attacks.

The framework aims to improve post-compromise detection of adversaries in businesses by cataloguing the actions an attacker may have performed. It addresses the following questions and areas:

  • How do attackers gain access?
  • How do they move around once inside?
  • Raising awareness of a company’s security status
  • Identifying and prioritizing defensive weaknesses in an organization according to risk

How did MITRE come to exist?

MITRE is a not-for-profit organization that advises the US federal government on engineering and technological matters.

In 2013, the group created the framework for use in a MITRE research project and named it after the information it collected (ATT&CK – Adversarial Tactics, Techniques, and Common Knowledge).

MITRE ATT&CK was made freely available to the general public in 2015. It now assists security teams in a wide variety of industries.

ATT&CK Matrices

A MITRE ATT&CK matrix is a graphical representation of all existing tactics and techniques in an easy-to-follow layout. There are several different matrices, described below.

Pre-ATT&CK

This matrix concentrates on activities that occur before an attack and are mostly hidden from the organization’s view.

It helps security teams understand how attackers conduct reconnaissance and choose their entry point, and how to monitor and identify attacker actions outside the company network.

Windows

Techniques used to attack all versions of the Windows operating system.

macOS

Techniques used to attack macOS.

Linux

Techniques used to attack all variants of Linux, such as Ubuntu.

Mobile ATT&CK

This threat model describes how attackers can compromise mobile devices using various tactics and techniques. “Network-based effects” are attack methods that can be carried out without direct access to the device.

Enterprise ATT&CK

This model describes the actions an attacker takes in a corporate environment.

It focuses primarily on behaviour after a compromise has occurred. The Enterprise ATT&CK matrix combines the Windows, macOS, and Linux matrices.

In the matrix layout, the attack tactics run across the top as column headers, and the individual techniques for each tactic are listed beneath it.

An attacker does not have to use all eleven tactics in the matrix. Instead, the attacker will employ the fewest tactics needed to accomplish their goal, which is more efficient and reduces the risk of being discovered.

As shown in the figure, an attack sequence in the Enterprise ATT&CK matrix would use at least one technique per tactic, and a complete attack chain is formed by progressing from left to right (Initial Access to Command and Control).

What are the tactics of the ATT&CK Framework?

The first ‘T’ in ATT&CK stands for tactics, which offer a different way of thinking about cyberattacks. Instead of looking only at the results of an attack, tactics describe the adversary’s goals, which helps recognize an attack while it is ongoing.

Tactics can be thought of as the “why” of an attack technique. There are 14 tactics in this framework, listed below:

  • Reconnaissance – collecting information used to plan attacks
  • Resource Development – building infrastructure that can be used in attacks
  • Initial Access – the primary attack vectors and attempts to breach the perimeter
  • Execution – attempting to introduce and run malicious code
  • Persistence – using multiple strategies to maintain a foothold on a compromised network
  • Privilege Escalation – obtaining the privileges and access permissions needed for later stages of the attack
  • Defense Evasion – techniques attackers use to avoid being discovered on the network
  • Credential Access – observing and acquiring login data (e.g. by keylogging) for systems that have not yet been fully compromised
  • Discovery – exploring the environment to learn about other systems on the network before taking control of them
  • Lateral Movement – hopping from one compromised system to the next
  • Command & Control – communicating with compromised computers over the internet from attacker-controlled systems
  • Collection – gathering information that can be sold, used to plan future attacks, or used for blackmail
  • Exfiltration – transferring data out of the network to attacker-controlled storage, often for resale
  • Impact – disrupting the functioning of IT systems

What are the techniques of the ATT&CK Framework?

Techniques are represented by the second “T” of ATT&CK. Each tactic consists of a collection of techniques used by hackers and threat groups.

Techniques reflect the “how”: how the attacker carried out a tactic. 185 techniques and 367 sub-techniques are currently catalogued in the framework.

Each technique entry describes how threat actors carry it out, including the permissions required, the platforms on which it is most commonly used, and how to detect the commands or behaviours associated with it.

What is Common Knowledge in ATT&CK Framework?

ATT&CK ends with the letter “CK,” which refers to “common knowledge.” These are detailed statements of how an enemy intends to accomplish its goal.

Common knowledge is essentially the recording of procedures. Tactics(T), Techniques(T), and Procedures(P) are standard terms for people familiar inCyber Security. However, ‘CK’ is an acronym for “P.”

Comparison of MITRE ATT&CK to Lockheed Martin’s Cyber Kill Chain

Both models describe the actions an attacker takes to accomplish their objective.

The main way the ATT&CK matrix differs from the Cyber Kill Chain is that it is a collection of techniques organized by tactic and does not prescribe a fixed sequence of operations.

Lockheed Martin’s Cyber Kill Chain has seven steps, whereas MITRE ATT&CK has ten, as shown below.

Lockheed Martin’s Cyber Kill Chain:

  • Reconnaissance
  • Weaponization
  • Delivery
  • Exploitation
  • Installation
  • Command and Control
  • Actions on objectives

MITRE ATT&CK:

  • Initial access
  • Execution
  • Persistence
  • Privilege escalation
  • Defense evasion
  • Credential access
  • Discovery
  • Lateral movement
  • Collection and exfiltration
  • Command and control

What criteria does MITRE ATT&CK use to assess security products?

During the assessments, MITRE Engenuity effectively acts as the red team (offensive security professionals), working in cooperation with the vendors.

The vendor whose product provides visibility to MITRE Engenuity acts as the blue team (defensive security professionals).

The result is a “purple team” that helps test security controls in real time by emulating the strategies attackers are expected to use in a real-world attack.

Best Practices of the MITRE ATT&CK framework

  • Use the real-world applications and scenarios in the Groups list. There is no way to stop unknown threats if you cannot even protect against known ones.
  • Using the ATT&CK matrices, identify the gaps in your existing security and create strategies to fix them.
  • Use ATT&CK techniques as a shared language for communicating within your security staff.
  • Never assume that because you can defend against a technique in one form, you cannot be harmed by it in another.

Benefits of the MITRE ATT&CK framework

  • Defensive controls gain clear meaning when they are mapped to the ATT&CK tactics and techniques they address.
  • When you map defenses to ATT&CK, you get a map of defensive gaps that threat hunters can use to look for attacker activity current defenses would miss.
  • It can help identify defensive strengths and weaknesses, verify prevention and detection controls, and expose configuration and other infrastructure issues.
  • Different services and products can be aligned to ATT&CK tactics and techniques, bringing cohesion to protection that is often fragmented.
  • Defenders can establish a mutual understanding when sharing information about an attack, an individual or group, or defensive controls by describing them in ATT&CK techniques and tactics.
  • Red team, purple team, and penetration test operations can use ATT&CK as a common vocabulary with defenders and report recipients, as well as among themselves, during planning, operation, and reporting.
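The gap analysis recommended in the best practices above, and the "map of defensive gaps" listed as a benefit, can be done mechanically once detection rules are tagged with technique IDs. The following is an added example, not code from the original article or from MITRE: it maps a constructed inventory of detection rules onto a small, constructed slice of the Enterprise matrix (the technique IDs and names are real ATT&CK identifiers, but only a handful per tactic are included), reports per-tactic coverage and gaps, and emits a layer file in the ATT&CK Navigator format so the result can be visualised. The layer format version string is an assumption.

```python
"""Map detection rules to ATT&CK technique IDs, report per-tactic coverage gaps,
and write an ATT&CK Navigator layer that colours covered vs uncovered techniques.

Added example, not part of the original article or of MITRE's tooling. The
detection-rule inventory is constructed for illustration; the technique IDs and
tactic names are real Enterprise ATT&CK identifiers, but only a small sample of
the full matrix is included here."""
import json
from collections import defaultdict

# Constructed sample: a slice of the Enterprise matrix (tactic -> techniques).
MATRIX = {
    "initial-access": {"T1566": "Phishing", "T1190": "Exploit Public-Facing Application"},
    "execution": {"T1059": "Command and Scripting Interpreter", "T1204": "User Execution"},
    "persistence": {"T1053": "Scheduled Task/Job", "T1547": "Boot or Logon Autostart Execution"},
    "defense-evasion": {"T1070": "Indicator Removal", "T1027": "Obfuscated Files or Information"},
    "credential-access": {"T1110": "Brute Force", "T1003": "OS Credential Dumping"},
    "lateral-movement": {"T1021": "Remote Services"},
    "exfiltration": {"T1048": "Exfiltration Over Alternative Protocol",
                     "T1041": "Exfiltration Over C2 Channel"},
}

# Constructed detection inventory: rule name -> technique IDs it covers.
# A sub-technique ID (e.g. T1070.001) counts as coverage of its parent (T1070).
DETECTIONS = {
    "failed-logon-burst": ["T1110"],
    "lsass-access": ["T1003"],
    "suspicious-powershell": ["T1059.001"],
    "log-clearing": ["T1070.001"],
    "phish-attachment-sandbox": ["T1566.001"],
}


def parent_id(tid):
    """T1070.001 -> T1070; a plain technique ID is returned unchanged."""
    return tid.split(".")[0]


def coverage(matrix=MATRIX, detections=DETECTIONS):
    """Return {tactic: {"covered": [...], "gaps": [...], "ratio": float}}."""
    covered = defaultdict(set)
    for rule, tids in detections.items():
        for tid in tids:
            covered[parent_id(tid)].add(rule)
    report = {}
    for tactic, techs in matrix.items():
        hit = {t for t in techs if t in covered}
        report[tactic] = {
            "covered": sorted(hit),
            "gaps": sorted(set(techs) - hit),
            "ratio": len(hit) / len(techs),
        }
    return report


def navigator_layer(report, name="Detection coverage"):
    """Build an ATT&CK Navigator layer: score 1 = covered, 0 = gap."""
    techniques = []
    for tactic, r in report.items():
        for tid in r["covered"]:
            techniques.append({"techniqueID": tid, "tactic": tactic, "score": 1, "comment": "covered"})
        for tid in r["gaps"]:
            techniques.append({"techniqueID": tid, "tactic": tactic, "score": 0, "comment": "gap"})
    return {
        "name": name,
        "versions": {"layer": "4.5"},  # assumption: layer format version accepted by Navigator
        "domain": "enterprise-attack",
        "techniques": techniques,
        "gradient": {"colors": ["#ff6666", "#66ff66"], "minValue": 0, "maxValue": 1},
    }


if __name__ == "__main__":
    report = coverage()
    for tactic, r in report.items():
        print(f"{tactic:18s} {r['ratio']:.0%} covered, gaps: {', '.join(r['gaps']) or 'none'}")
    with open("coverage-layer.json", "w") as fh:
        json.dump(navigator_layer(report), fh, indent=2)
```

Loading the resulting `coverage-layer.json` into ATT&CK Navigator colours covered techniques green and gaps red, which is the visual form of the gap map the benefits list describes. In a real deployment the matrix would come from MITRE's published STIX data rather than a hand-typed dictionary, and the detection inventory from your SIEM or rule repository.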

Challenges of the MITRE ATT&CK framework

The good news is that the MITRE ATT&CK framework’s data is very comprehensive. The drawback is that it is also very detailed.

It can be intimidating for someone in a company who is just getting started. There is a lot of data to handle, and many organizations have not automated much of the work of correlating it with the data in their own systems and security architecture.

Another challenge is that not every behaviour matching an ATT&CK technique is malicious. For example, File Deletion is listed as a Defense Evasion technique, which makes complete sense.

But how do you tell the difference between routine file deletions and an attacker’s attempt to avoid detection?

Similarly, some ATT&CK techniques are harder to detect than others. Brute force attacks are fairly straightforward to spot if you know where to look.

Even when you are looking for it, Exfiltration Over Alternative Protocol, such as a DNS tunnel, can be difficult to identify.
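To make the contrast concrete, here is an added example (not from the original article) with two small detections run over constructed log lines: a failed-login burst detector for Brute Force (T1110) and a heuristic for DNS tunnelling, which ATT&CK files under Exfiltration Over Alternative Protocol (T1048). The log formats, thresholds, IP addresses and domain names are invented for illustration. The brute-force rule is a simple count in a time window; the DNS rule has to combine several weak signals (many distinct subdomains, long labels, high entropy) and still needs a benign CDN-style pattern in the sample to show why it is noisier.

```python
"""Two ATT&CK-mapped detections over constructed log lines, showing why T1110
(Brute Force) is easy to spot and T1048 (Exfiltration Over Alternative
Protocol, here DNS tunnelling) is noisier.

Added example, not from the original article. Log formats, thresholds, IPs
and domain names are constructed for illustration."""
import math
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed auth log: one source hammers several accounts, another has a
# single typo followed by a successful login.
AUTH_LOG = """\
2024-06-04T10:00:01 sshd: Failed password for admin from 203.0.113.7
2024-06-04T10:00:02 sshd: Failed password for admin from 203.0.113.7
2024-06-04T10:00:03 sshd: Failed password for root from 203.0.113.7
2024-06-04T10:00:04 sshd: Failed password for admin from 203.0.113.7
2024-06-04T10:00:05 sshd: Failed password for backup from 203.0.113.7
2024-06-04T10:00:06 sshd: Failed password for admin from 203.0.113.7
2024-06-04T10:05:00 sshd: Failed password for alice from 198.51.100.9
2024-06-04T10:05:07 sshd: Accepted password for alice from 198.51.100.9
""".splitlines()

AUTH_RE = re.compile(r"^(\S+) sshd: Failed password for \S+ from (\S+)$")


def brute_force_sources(lines, threshold=5, window=timedelta(seconds=60)):
    """T1110: sources with >= threshold failed logins inside a sliding window."""
    per_src = defaultdict(list)
    for line in lines:
        m = AUTH_RE.match(line)
        if m:
            per_src[m.group(2)].append(datetime.fromisoformat(m.group(1)))
    flagged = set()
    for src, times in per_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1  # slide the window forward
            if end - start + 1 >= threshold:
                flagged.add(src)
                break
    return sorted(flagged)


# Constructed DNS log: "<client> <qname> <type>". The first client encodes data
# in long random-looking labels; the second talks to a CDN that also uses many
# subdomains, but short and low-entropy ones.
DNS_LOG = """\
10.0.0.5 a3f9c2.e8b1d07f4c2a9e6b.exfil-example.test A
10.0.0.5 1c7e0d.9f3b6a2c8d5e1f7a.exfil-example.test A
10.0.0.5 7b2d91.4a8c3e6f1b9d2c5e.exfil-example.test A
10.0.0.5 e5a4f8.2d7b9c1e6f3a8b4d.exfil-example.test A
10.0.0.9 www.example.test A
10.0.0.9 mail.example.test MX
10.0.0.9 img-cache-01.cdn-example.test A
10.0.0.9 img-cache-02.cdn-example.test A
10.0.0.9 img-cache-03.cdn-example.test A
10.0.0.9 img-cache-04.cdn-example.test A
""".splitlines()


def entropy(s):
    """Shannon entropy in bits per character."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_domain(qname):
    """Return (subdomain part, registrable domain), assuming a two-label
    registrable domain. Real deployments should use a public-suffix list."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def dns_tunnel_candidates(lines, min_unique=4, min_entropy=3.0, min_len=20):
    """T1048 heuristic: a client querying many distinct, long, high-entropy
    subdomains under a single registrable domain."""
    subs = defaultdict(set)
    for line in lines:
        client, qname, _rtype = line.split()
        sub, dom = split_domain(qname)
        if sub:
            subs[(client, dom)].add(sub)
    candidates = []
    for (client, dom), names in subs.items():
        suspicious = [s for s in names if len(s) >= min_len and entropy(s) >= min_entropy]
        # Every observed subdomain must look encoded; a CDN with a few odd
        # names alongside normal ones should not trip the rule.
        if len(names) >= min_unique and len(suspicious) == len(names):
            candidates.append((client, dom))
    return sorted(candidates)


if __name__ == "__main__":
    print("T1110 brute force sources:", brute_force_sources(AUTH_LOG))
    print("T1048 DNS tunnel candidates:", dns_tunnel_candidates(DNS_LOG))
```

The brute-force rule needs one log source and one threshold. The DNS rule needs per-domain state, a registrable-domain split, and tuned thresholds, and even then the CDN traffic in the sample is only excluded because its labels are short; a CDN using long hashed hostnames would be a false positive. That tuning burden is exactly the detection difficulty the section describes.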

Example use cases for the ATT&CK framework

MITRE ATT&CK can be used by a security team in a variety of ways, including:

  • Learning a shared language that helps you communicate with consultants and suppliers.
  • Analysing a security breach and developing a security improvement strategy.
  • Increasing the effectiveness of cyber threat intelligence.
  • Speeding up alert triage and investigation.
  • Making red team exercises and adversary emulations more realistic by building more genuine scenarios.
  • Communicating clearly and concisely with stakeholders.

MITRE ATT&CK Today

ATT&CK is among the most comprehensive and authoritative resources on adversary tactics available. Cybersecurity firms increasingly describe attack behaviour in ATT&CK terms, and they use the MITRE ATT&CK models to build defenses and specialised tooling. MITRE updates ATT&CK regularly.

MITRE has also recently published a software certification process, under which software vendors may be certified according to their ability to track ATT&CK tactics.

ATT&CK Resources and projects

MITRE and third-party developers build on ATT&CK to support red and blue teams in their penetration testing and defensive work.

  • Cascade – MITRE’s blue team automation toolkit
  • Caldera – MITRE’s tool for automated adversary emulation of attack techniques
  • Oilrig – Palo Alto’s adversary playbook built on the ATT&CK model
  • ATT&CK Navigator – a web application for annotating and tracking your ATT&CK coverage
  • MITRE’s Cyber Analytics Repository – a separate project from ATT&CK that catalogues analytics for detecting specific techniques

Conclusion

The MITRE ATT&CK framework is a good place to start studying current adversary tactics and techniques. It is also a helpful checklist when planning and implementing cybersecurity protections.

It is something every company should do to improve its cloud presence. You never know when your company will be the next target of cybercriminals, and it is better to be safe than sorry.
