What is the MITRE ATT&CK Framework?

You can’t spend long working in cybersecurity without hearing about the MITRE ATT&CK framework. Created in 2013, made freely available to the public in 2015, and updated roughly twice a year since then, the MITRE ATT&CK framework underpins many organizations’ security posture. Let’s look at what ATT&CK is and how to use it.

What is the MITRE ATT&CK framework?

Short for “Adversarial Tactics, Techniques, and Common Knowledge,” ATT&CK is a knowledge base that collects, documents, and breaks down the behaviors threat actors employ when trying to compromise an enterprise’s network and devices: the tactics, techniques, and procedures (TTPs) observed in real intrusions, rather than a catalog of exploits or vulnerabilities. The information in ATT&CK is updated, managed, and organized by MITRE and is free for any organization or individual to use. It is published as separate matrices for Enterprise (Windows, macOS, Linux, cloud, containers, and network devices), Mobile, and ICS; the tactics discussed below are from the Enterprise matrix.

Because of this longevity and accessibility, ATT&CK has become a standard in cybersecurity for understanding and communicating how threat actors behave. Because MITRE built the framework from threat actor behavior observed in real-world intrusions, it is also an essential source of threat intelligence.

How is the MITRE ATT&CK Framework Organized?

The Framework is structured around the Tactics and Techniques used by threat actors. In its current iteration, the Enterprise matrix has 14 tactics. The tactics represent the “why,” outlining the adversary’s objective during a phase of an attack. Each tactic has a series of associated techniques (and often sub-techniques) that categorize the “how”: what threat actors actually do to achieve that objective. Every element carries a stable identifier that you will see in tooling and reports: tactics have IDs of the form TA0001, techniques T1566, and sub-techniques T1566.001. For example, one of the tactics in ATT&CK is Initial Access (TA0001). One of the techniques threat actors use to gain access is Phishing (T1566), and Spearphishing Attachment (T1566.001) is one of its sub-techniques.

With this organizational framework, ATT&CK collects detailed information about the “procedures” used by threat actors (the specific ways a technique has been carried out by named groups and malware) and matches them with the appropriate techniques. Each technique entry also includes detection guidance (the data sources and log events that reveal it) and possible mitigations that organizations can employ to protect against that behavior. This enables organizations to anticipate and counteract attacks more effectively by understanding both the methods of attack and the motivations and goals behind them.

Core Tactics of the MITRE ATT&CK Framework

The technique counts below are for the Enterprise matrix and shift slightly with each release; check the current matrix before quoting them.

Reconnaissance – 10 techniques

Reconnaissance covers the techniques threat actors use to gain information about a target before an attack. This includes active scanning of exposed hosts and services, passive information gathering from open sources, and social engineering (such as phishing for information). Reconnaissance provides adversaries with the information needed to plan and launch an attack.

Resource Development – 8 techniques

Resource Development describes the techniques used to build the capability to launch an attack. This can include acquiring or renting infrastructure such as servers, domains, or VPNs so that traffic appears to come from legitimate or anonymous IP addresses; building botnets of compromised devices; developing or obtaining malware and tooling; or compromising email or social media accounts to use in phishing attempts.

Initial Access – 10 techniques

Initial access describes how threat actors get a foot in the door of their target environment. Frequent techniques used to establish initial access include phishing, supply chain attacks, or leveraging compromised passwords to access user accounts.

Execution – 14 techniques

Execution is focused on a threat actor running attacker-controlled code on a target system, whether that follows an initial compromise (for example, a user opening a malicious attachment) or is achieved through remote code execution. Rather than exploiting a vulnerability, Execution techniques commonly abuse legitimate, built-in interpreters and management features such as PowerShell, the Windows Command Shell, Unix shells, scheduled tasks, or Windows Management Instrumentation.

Persistence – 20 techniques

Persistence techniques describe how threat actors retain access to systems across interruptions such as reboots, credential resets, or downtime. Boot or logon autostart entries and scripts relaunch the attacker’s code when a device restarts, and newly created accounts (or modified existing ones) survive a password reset of the originally compromised account. By establishing persistence, threat actors have more “dwell time” on a system to carry out their attack.

Privilege Escalation – 14 techniques

Privilege Escalation is the set of techniques adversaries use to gain higher-level permissions on a system or network. For example, after gaining initial access through an ordinary user account, they may seek access to admin or service accounts with elevated privileges, or abuse misconfigurations, elevation-control mechanisms, and vulnerabilities that grant the compromised account higher permissions.

Defense Evasion – 40+ techniques

The techniques in Defense Evasion cover how adversaries avoid detection by their targets; it is the largest tactic in the matrix. By remaining undetected, threat actors have more time and ability to carry out their attack or find the most vulnerable or lucrative targets within their target environment. Clearing or tampering with logs and disabling security tools (Indicator Removal and Impair Defenses, in ATT&CK terms) are common ways adversaries cover their footprints.

Credential Access – 17 techniques

Credential Access describes how threat actors steal or compromise accounts and access credentials. Adversaries use credential access to facilitate other tactics, such as initial access, privilege escalation, or lateral movement.

Discovery – 30+ techniques

Discovery describes how threat actors explore a system or network they have compromised to learn how to gain further access and to identify the targets of their breach. It is distinct from ‘Reconnaissance,’ which covers information gathered from the outside before the intrusion; Discovery focuses on information gathering after the initial breach.

Lateral Movement – 9 techniques

Lateral Movement techniques are how adversaries gain control of other devices or sections of the network after an initial breach. Most cyberattacks need some degree of lateral movement to be able to access critical information or systems. Remote access and remote service tools are

Collection – 17 techniques

Collection covers how threat actors gather the data they are targeting, whether from local systems, network shares, email, or the browser. Often, collection leads to exfiltration, but in some cases, such as traditional ransomware attacks, the data may simply be encrypted in place. Collection differs from Discovery in focusing on the target data itself, not the environment.

Command and Control – 17 techniques

Command and Control (C2) techniques describe how threat actors communicate with the systems they have compromised and exert control over devices and programs on the network, typically by blending in with normal traffic such as HTTPS or DNS. Command and Control techniques often include considerations for Defense Evasion and serve as the channel for lateral movement and exfiltration.

Exfiltration – 9 techniques

Exfiltration techniques are how threat actors remove the data they are targeting from the victim environment. Along with Impact, it is one of the end goals of a cyberattack that the other tactics lead towards. Exfiltration often involves compressing or encrypting sensitive data to evade DLP controls or other security systems, and can occur over the existing C2 channel, an alternative protocol, or physical media.

Impact – 14 techniques

Impact describes the other end goal of a cyberattack, where the aim is not to steal data but to disrupt, degrade, or destroy systems. This can include encrypting or deleting data, outright financial theft, or overwhelming or disabling vital devices and services.

Using the MITRE ATT&CK framework

The MITRE ATT&CK framework is more than just a repository of cyber threat behaviors; it enhances organizational security in several key areas. Here’s how to leverage it effectively:

Detection: By mapping your security detection and alerting mechanisms (SIEM rules, EDR detections, network signatures) to the techniques outlined in the ATT&CK framework, you can see which techniques have no detection at all and prioritize improvements there. This alignment helps you detect and respond to the tactics adversaries actually use against you, rather than only the ones your tooling happens to cover.

Threat Intelligence: ATT&CK’s comprehensive database serves as a foundation for threat intelligence, helping you understand the tactics, techniques, and procedures used by threat actors. ATT&CK also includes information about threat groups and how they typically combine different attack techniques and procedures. This allows you to identify likely follow-up actions after spotting unauthorized behavior, enabling you to anticipate threats and tailor your defenses to your organization’s specific threat landscape.

Red Teaming and Pen Testing: The framework informs your red teaming exercises and penetration tests. By simulating attacks based on real-world patterns, you can evaluate your defenses realistically and identify vulnerabilities before threat actors can exploit them.

Security Assessments: The framework provides a structured way to assess your security posture against a wide range of known attacker behaviors. This can guide your security assessments, helping ensure comprehensive coverage of potential vulnerabilities.
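The Detection and Threat Intelligence uses above come down to one mechanical step: mapping what you can detect onto technique IDs, then comparing that map against the matrix and against the techniques of the groups you care about. The following Python script is an added example, not part of the original article and not MITRE tooling. It uses a constructed subset of the Enterprise matrix plus a constructed detection inventory and group profile (the technique IDs and names are real ATT&CK entries; the rule names and the group’s technique list are invented for illustration), computes per-tactic coverage, lists the uncovered techniques a tracked group uses as the priority gaps, and emits an ATT&CK Navigator layer so the result can be visualized. In practice you would load the full matrix from MITRE’s published STIX bundle (the attack-stix-data repository) and the group profile from the group’s ATT&CK page; the Navigator version strings in the layer are assumptions to adjust to your install.

```python
"""Detection-coverage gap analysis against an ATT&CK technique map (constructed data)."""
import json
from collections import defaultdict

# Constructed subset of the Enterprise matrix: (technique ID, name, tactic). A technique
# that sits under several tactics (T1053, T1078) gets one row per tactic, as in the matrix.
TECHNIQUES = [
    ("T1595", "Active Scanning", "Reconnaissance"),
    ("T1583", "Acquire Infrastructure", "Resource Development"),
    ("T1566", "Phishing", "Initial Access"),
    ("T1190", "Exploit Public-Facing Application", "Initial Access"),
    ("T1078", "Valid Accounts", "Initial Access"),
    ("T1059", "Command and Scripting Interpreter", "Execution"),
    ("T1053", "Scheduled Task/Job", "Execution"),
    ("T1053", "Scheduled Task/Job", "Persistence"),
    ("T1547", "Boot or Logon Autostart Execution", "Persistence"),
    ("T1136", "Create Account", "Persistence"),
    ("T1078", "Valid Accounts", "Privilege Escalation"),
    ("T1070", "Indicator Removal", "Defense Evasion"),
    ("T1562", "Impair Defenses", "Defense Evasion"),
    ("T1003", "OS Credential Dumping", "Credential Access"),
    ("T1087", "Account Discovery", "Discovery"),
    ("T1021", "Remote Services", "Lateral Movement"),
    ("T1005", "Data from Local System", "Collection"),
    ("T1071", "Application Layer Protocol", "Command and Control"),
    ("T1041", "Exfiltration Over C2 Channel", "Exfiltration"),
    ("T1486", "Data Encrypted for Impact", "Impact"),
]

# Constructed detection inventory: rule name -> technique IDs the rule is mapped to.
DETECTIONS = {
    "email-gateway-phish-block": ["T1566"],
    "edr-encoded-powershell": ["T1059"],
    "schtasks-create-from-shell": ["T1053"],
    "lsass-handle-access": ["T1003"],
    "security-log-cleared-1102": ["T1070"],
    "new-local-admin-account": ["T1136"],
    "smb-admin-share-lateral": ["T1021"],
}

# Constructed profile of a hypothetical group (not a real ATT&CK group entry).
GROUP_TECHNIQUES = {"T1566", "T1059", "T1547", "T1003", "T1021", "T1071", "T1486"}


def covered_techniques(detections):
    """Technique IDs that at least one detection rule is mapped to."""
    return {tid for ids in detections.values() for tid in ids}


def coverage_by_tactic(techniques, detections):
    """Per tactic: count of techniques with a detection, total, and sorted gaps."""
    covered = covered_techniques(detections)
    per_tactic = defaultdict(lambda: {"covered": 0, "total": 0, "uncovered": []})
    for tid, _name, tactic in techniques:
        entry = per_tactic[tactic]
        entry["total"] += 1
        if tid in covered:
            entry["covered"] += 1
        else:
            entry["uncovered"].append(tid)
    for entry in per_tactic.values():
        entry["uncovered"].sort()
    return dict(per_tactic)


def prioritized_gaps(techniques, detections, group_techniques):
    """Uncovered techniques that a tracked group uses: the gaps to close first."""
    covered = covered_techniques(detections)
    names = {tid: name for tid, name, _tactic in techniques}
    return sorted((tid, names[tid]) for tid in group_techniques
                  if tid in names and tid not in covered)


def navigator_layer(techniques, detections, group_techniques, name="Detection coverage"):
    """ATT&CK Navigator layer: score 1 = detected, 0 = gap; group gaps carry a comment."""
    covered = covered_techniques(detections)
    entries, seen = [], set()
    for tid, _name, _tactic in techniques:
        if tid in seen:          # one layer entry per technique, not per tactic
            continue
        seen.add(tid)
        entry = {"techniqueID": tid, "score": 1 if tid in covered else 0}
        if tid not in covered and tid in group_techniques:
            entry["comment"] = "priority gap: used by tracked group"
        entries.append(entry)
    return {
        "name": name,
        "domain": "enterprise-attack",
        # Version strings are assumptions; set them to match your Navigator build.
        "versions": {"layer": "4.5", "navigator": "4.9.1"},
        "techniques": entries,
    }


if __name__ == "__main__":
    for tactic, entry in coverage_by_tactic(TECHNIQUES, DETECTIONS).items():
        print(f"{tactic:22} {entry['covered']}/{entry['total']}  gaps: {entry['uncovered']}")
    print("Priority gaps:", prioritized_gaps(TECHNIQUES, DETECTIONS, GROUP_TECHNIQUES))
    print(json.dumps(navigator_layer(TECHNIQUES, DETECTIONS, GROUP_TECHNIQUES), indent=1))
```

Two design points matter when you scale this up. First, count coverage per tactic rather than per technique ID, because a technique such as Valid Accounts appears in several columns and a gap in Privilege Escalation is a different risk from the same gap in Initial Access. Second, a mapped rule is not the same as a working detection; the coverage number tells you where to look, and adversary emulation (the Red Teaming use above) tells you whether the rule actually fires.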

What Not to Do:

Avoid chasing 100% coverage of every technique in the framework. Given cyber threats’ vast and varied nature, it’s impractical to guard against every possible attack vector. Instead, prioritize based on your specific risk profile and resource constraints.

Do not rely solely on the framework. While it’s a powerful tool, it is built on adversary behavior that has already been observed and documented. Threat actors constantly innovate, so organizations that use ATT&CK as a checklist rather than as a guide to a holistic security approach will find themselves vulnerable to new and evolving tactics.

Conclusion:

The MITRE ATT&CK framework enhances detection and threat intelligence and guides security assessments and red team exercises. Its real value lies in its application: informing a dynamic security strategy rather than serving as a static checklist.

Effectively implementing such a comprehensive knowledge base demands expertise and a nuanced approach.

If integrating the MITRE ATT&CK framework into your security strategy seems daunting, Atlantic Data Security is here to assist. Our experts are adept at simplifying cybersecurity complexity into actionable strategy. Talk to an advisor today.

Talk to an Atlantic Data Security Advisor

Allow our experts to help you with your specific need.