The MITRE ATT&ACK framework is a free, globally-accessible resource that can help guide organizations through assumed security breach incidents and it can shift the organizational culture around risk management.
The MITRE ATT&CK
framework is based on documented knowledge around:
- Adversary/attacker behaviors
- Threat models
- Techniques
- Mitigation tactics
The idea is that by
understanding the myriad ways that attackers actually attack, organizations can
better prepare for the risks.
In this article, we will
discuss what the MITRE ATT&CK Framework is and how the framework can
support your security initiatives.
What
is the MITRE ATT&CK framework?
MITRE ATT&CK refers to a group of tactics organized
in a matrix, outlining various techniques that threat hunters, defenders, and
red teamers use to assess the risk to an organization and classify attacks.
Threat hunters identify, assess, and address threats, and red teamers act like
threat actors to challenge the IT security system.
MITRE ATT&CK was developed by the non-profit organization MITRE in 2013 as a community-led initiative. Its name derives from the acronym for Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK).
The
concept using an end-to-end cyberattack taxonomy as a reference to gain
intruder perspective is not new. (The Lockheed Martin Cyber Kill Chain is another popular framework to model
and understand attacker behavior.)
Previously,
such extensive information was only available in two ways:
- Through expert cybersecurity incident responders with vast experience.
- As classified documentation in large enterprises regularly addressing Advanced Persistent Threats (APTs) with a dedicated, internal security workforce.
But
the ATT&CK framework is unique for the way it drills down into the various
attack techniques and procedures used in specific examples, suggesting
appropriate mitigation strategies and standardizing language. So, the value
proposition of using the MITRE ATT&CK framework has three key points:
1. In-depth
real-life examples of relevant and appropriate adversary behaviors
2. Environment-specific
attack techniques and methods
3. Standardized
language for various attacker methodologies
The framework enables visibility and access, enabling cybersecurity personnel to identify and react to a variety of cybersecurity risks with the right risk management approach. The ATT&CK framework covers several cybersecurity disciplines, including:
- Detection
- Intelligence
- Containment
- Risk management
- Security engineering
Who can user the ATT&CK framework?
In terms of who uses this framework, the knowledge can help guide any organization, be it private, non-profit, or government.
The MITRE ATT&CK framework has supports for both mobile and enterprise environments. The true separation, though, is by operating system. The current supported operating systems are:
Enterprise: PRE, Windows, macOS, Linux,
Cloud & Network
Mobile: Android & iOS
Other
operating systems, including z/OS, aren’t available but may be added in the
future.
The ATT&CK Matrix for Enterprise
The ATT&CK Matrix categorizes various tactics that
adversaries use across different stages of the attack. Think of the matrix as a
reference spreadsheet that describes how these techniques can accomplish a
specific task or goal across the various stages of an attack.
What
follows are the 14 categories of enterprise tactics across the attack
lifecycle. We’ve included a few examples, though the full matrix categories
offer comprehensive techniques.
Reconnaissance
The first step of the
attacker lifecycle is collecting information to facilitate targeting. Example
techniques the attackers might use here include:
- Active scanning
- Phishing
- Gathering victim-related information
Resource Development
In the resource
development phase, the adversary establishes resources and capabilities
necessary to execute a cyberattack. Some techniques here include:
- Acquiring and/or compromising infrastructure
- Compromising or establishing accounts
- Developing capabilities
This stage is about the adversary’s initial attempts to access an IT network. Common techniques to gain foothold within the network, such as:
- Drive-by compromise
- Spearphishing
- Exploiting external remote services and weak passwords
In the execution
phase, adversaries run malicious code on the target network. They may do this
by compromising built-in scripting environments and interpreters to run custom
code for network exploration, stealing data and credentials.
Common target
interpreters include:
- PowerShell, Windows Command Shell and Unix Shell
- Python and JavaScript installations
Once a code script is
executed, the adversaries can prevent defensive actions (from your
organization) that would interrupt the attack lifecycle. These interruptions
may be caused by system restarts, credential changes, and configuration resets.
Adversaries persist
using techniques such as:
- Manipulating accounts
- Modifying SSH authentication keys, authentication packages, services, and registry weaknesses
- Sudo caching
- Bypassing user access controls
- Port monitoring
- Abuse elevation control mechanism
- Elevated execution
- Token impersonation
- Accounts discovery
- Infrastructure and cloud service discovery
- Network sniffing.
- Policy and permission groups discovery
- Internal spearphishing
- Remote service exploitation
- SSH hijacking
- Existing application layer protocols
- Data encoding
- Data obfuscation
- Multi-stage channels
- Automated exfiltration
- Exfiltration over web services or physical medium
- Account access removal
- Data destruction
- Data encryption and manipulation
- Disk wipes
- Denial of Service attacks on the network
- Resource hijacking
MITRE ATT&CK Techniques
Today’s adversaries often use different attack techniques depending on their abilities, tools, and target system configuration.
This is why the
MITRE ATT&CK framework includes multiple techniques under each tactic. The
matrix also describes a method under each technique, as well as the systems and
platforms it pertains to.
It also
highlights the adversary groups that use that technique, and suggests ways to
mitigate these threats.
Currently, the
MITRE ATT&CK Enterprise framework identifies 185 techniques and 367
sub-techniques.
MITRE ATT&CK vs Cyber Kill Chain
At The MITRE
ATT&CK framework is one of the most popular frameworks for cyber threat
detection and threat hunting. Another popular framework is the Cyber Kill
Chain®. This framework is part of the Intelligence Driven Defense® model
developed by Lockheed Martin to identify and prevent cyber intrusions.
Although the
goal of Cyber Kill Chain is also to proactively detect threats and intrusions,
it goes about it differently from MITRE ATT&CK.
Instead of a
matrix of tactics and techniques, it defines a sequence of seven steps that
represent a certain type of activity in a cyber-attack. These steps enable
security teams to get better visibility into an attack, and take action to
address it.
Reconnaissance: Attackers identify targets and tactics
for the attack;
Weaponisation: They create a cyber weapon, i.e.,
malware, to exploit the vulnerable target;
Delivery: They deliver and install the weapon to
the target via email, compromised websites, removable drives, etc.;
Exploitation: The malware code is triggered to
exploit the target’s vulnerability;
Installation: The malware installs an access point
or “backdoor” for the intruder;
Command
& Control (C2): The
malware gives the intruder access to the target system for remote manipulation;
Actions on
Objectives: Once the attacker gains persistent access to the target, they
accomplish their goals, e.g., encrypt files for ransomware, exfiltrate data,
etc.
Benefits of the MITRE ATT&CK Framework
Provides a Knowledge Base of Adversary Behaviors
Intelligence, MITRE ATT&CK provides a common, standardized “language” so security personnel can understand and even predict adversary behaviors. They can then take action to defend the enterprise, and prevent attack.
Helps with Risk Assessment
Red teamers and cyber defenders can understand adversaries, classify attacks, and assess and strengthen their organization’s risk posture.
Improve Post-compromise Detection
The framework illustrates the actions an attacker may have taken to attack the organization, so security teams can take immediate and relevant action to minimize the damage.
Supports Threat Hunting
Threat hunters can understand the various adversary techniques, proactively hunt for threats, and gauge their environment’s visibility level against targeted attacks.
Promotes Better Collaboration for Better Threat Mitigation
Analysts and defenders can compare and contrast adversaries and threat groups, and the techniques used by each. They can also collaborate to find the best techniques to detect and mitigate these threats.
Use Cases of the MITRE ATT&CK Framework
Prioritize
Detections
The framework
offers a blueprint that enables security teams to focus their detection
efforts, and improve their cybersecurity posture based on the organization’s
unique environment.
Conduct a
Security Gap Analysis
Security
personnel can define the highest-priority threats, and accordingly evaluate the
strength of their security ecosystem.
Track
Attackers
Security teams
can track the behaviors of adversaries that pose the biggest threat, and update
their security plans accordingly.
MITRE ATT&CK is also useful to:
- Strengthen cyber threat intelligence;
- Improve alert triage and investigations;
- Create realistic scenarios and emulation plans for red team exercises;
- Implement strong mitigation controls.
Conclusion
Today’s organizations
need to secure their networks, systems and data from bad actors. For this,
frameworks that model adversary behaviors are especially useful.
The MITRE
ATT&CK framework is one of the most popular frameworks since it offers a
comprehensive, systematic and actionable way to understand attacker behaviors
and techniques.
It thus enables
security teams to take proactive action to prevent attacks, and keep their
assets safe from cyber threats.