You can't work in cyber security for long without hearing about the MITRE ATT&CK framework. Created in 2013, released to the public in 2015, and updated roughly twice a year since then, MITRE ATT&CK has become a core reference for many organizations' security programs.
Let's take a closer look at what ATT&CK is and how to use it.
Short for Adversarial Tactics, Techniques, and Common Knowledge, ATT&CK is a knowledge base that collects, documents, and breaks down the behaviors threat actors have been observed using when compromising an enterprise's network and devices. This information is organized into Tactics, Techniques, and Procedures.
The Enterprise version of the ATT&CK framework recognizes 14 distinct Tactics, such as Reconnaissance, Privilege Escalation, and Defense Evasion.
Tactics are high-level descriptions of the adversary's goals, the "why" behind an action. In pursuit of their ultimate, strategic objective, threat actors advance an attack by accomplishing one or more of these tactical goals over time.
Threat actors pursue their tactics through Techniques. For example, while conducting reconnaissance, a threat actor may take actions described by the "Active Scanning" or "Phishing for Information" techniques. To break down broad techniques, MITRE typically describes a series of more specific Sub-techniques; "Active Scanning", for instance, has Sub-techniques such as "Scanning IP Blocks" and "Vulnerability Scanning". Note that a single technique can serve more than one tactic: an attacker who bypasses User Account Control both escalates privileges and evades defenses, so that technique is listed under both tactics.
While Tactics and Techniques provide a taxonomy for describing and categorizing common adversarial actions, ATT&CK also collects and documents Procedures: specific instances of a technique being used that have been observed in the real world, classified under their best-matching techniques. This generally includes the threat groups that have been seen to perform these procedures and the tools and software those groups have been seen to use to carry them out.
MITRE's ATT&CK framework includes a lot of information, but how can it be useful to an organization or infosec professional? The 2020 revision of MITRE's white paper "MITRE ATT&CK: Design and Philosophy" describes its core use cases. First, its documentation of known threat actor behavior supports relevant, realistic penetration tests and red team exercises that emulate how real-world adversaries would try to attack your organization. Second, it is a useful benchmark for security assessments. By enumerating techniques alongside their corresponding mitigations and detection data sources, ATT&CK gives a specific, detailed framework for understanding an organization's security readiness and gaps: map each existing detection or control to the techniques it addresses, and the techniques left unmapped are your gaps.
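To make the Tactic, Technique and Sub-technique hierarchy above and the gap-assessment use case concrete, here is an added example (not from the original article, and not MITRE's code) that maps a small detection inventory onto an excerpt of the Enterprise matrix, scores coverage per technique, lists the gaps under each tactic, and emits the result as an ATT&CK Navigator-style layer for visualization. The technique excerpt uses real ATT&CK IDs but is a hand-typed subset rather than the full knowledge base, the rule names in the inventory are made up, and the Navigator layer field names are an assumption to verify against the current Navigator documentation.

```python
"""Detection-coverage gap assessment against an ATT&CK excerpt.

Added example: maps a detection inventory onto Tactics, Techniques and
Sub-techniques, scores coverage, lists gaps per tactic and emits an
ATT&CK Navigator-style layer. The technique excerpt and detection
inventory below are hand-built for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
import json


@dataclass(frozen=True)
class Technique:
    tid: str        # "T1595" for a technique, "T1595.002" for a sub-technique
    name: str
    tactics: tuple  # one technique may sit under several tactics


# Constructed excerpt of the Enterprise matrix. The IDs and names are real
# ATT&CK entries, but this is a hand-typed subset; load the real knowledge
# base (the STIX bundle MITRE publishes) for production use.
EXCERPT = [
    Technique("T1595", "Active Scanning", ("reconnaissance",)),
    Technique("T1595.001", "Scanning IP Blocks", ("reconnaissance",)),
    Technique("T1595.002", "Vulnerability Scanning", ("reconnaissance",)),
    Technique("T1598", "Phishing for Information", ("reconnaissance",)),
    Technique("T1598.002", "Spearphishing Attachment", ("reconnaissance",)),
    Technique("T1598.003", "Spearphishing Link", ("reconnaissance",)),
    Technique("T1548", "Abuse Elevation Control Mechanism",
              ("privilege-escalation", "defense-evasion")),
    Technique("T1548.002", "Bypass User Account Control",
              ("privilege-escalation", "defense-evasion")),
    Technique("T1070", "Indicator Removal", ("defense-evasion",)),
    Technique("T1070.001", "Clear Windows Event Logs", ("defense-evasion",)),
]

# Constructed detection inventory: rule name -> technique IDs the rule is
# mapped to. The rule names are made up for this example.
DETECTIONS = {
    "perimeter-portscan-alert": ["T1595.001"],
    "uac-bypass-via-eventvwr": ["T1548.002"],
    "wevtutil-clear-log": ["T1070.001"],
}


def parent_id(tid):
    """'T1595.002' -> 'T1595'; a parent technique maps to itself."""
    return tid.split(".")[0]


def technique_scores(techniques, detections):
    """Score each (sub-)technique: 2 = a rule maps to it directly,
    1 = covered only through one of its sub-techniques (partial),
    0 = no detection at all. Partial coverage is kept distinct on
    purpose: watching one sub-technique is not covering the whole technique."""
    direct = {tid for tids in detections.values() for tid in tids}
    via_sub = {parent_id(tid) for tid in direct if "." in tid}
    scores = {}
    for t in techniques:
        if t.tid in direct:
            scores[t.tid] = 2
        elif t.tid in via_sub:
            scores[t.tid] = 1
        else:
            scores[t.tid] = 0
    return scores


def gaps_by_tactic(techniques, scores):
    """Group unscored technique IDs under every tactic they serve, so a gap
    in a multi-tactic technique shows up in each tactic column."""
    gaps = defaultdict(list)
    for t in techniques:
        if scores[t.tid] == 0:
            for tactic in t.tactics:
                gaps[tactic].append(t.tid)
    return dict(gaps)


def navigator_layer(techniques, scores, name="Detection coverage"):
    """Build a dict shaped like an ATT&CK Navigator layer file.
    Assumption: field names follow the Navigator layer format as published
    by MITRE; check the 'versions' values your Navigator build expects."""
    entries = [
        {"techniqueID": t.tid, "tactic": tactic, "score": scores[t.tid],
         "enabled": True, "showSubtechniques": True}
        for t in techniques
        for tactic in t.tactics
    ]
    return {
        "name": name,
        "domain": "enterprise-attack",
        "versions": {"layer": "4.5"},
        "techniques": entries,
        "gradient": {"colors": ["#ff6666", "#ffe766", "#8ec843"],
                     "minValue": 0, "maxValue": 2},
    }


if __name__ == "__main__":
    scores = technique_scores(EXCERPT, DETECTIONS)
    for tactic, ids in gaps_by_tactic(EXCERPT, scores).items():
        print(f"{tactic}: no detection for {', '.join(ids)}")
    print(json.dumps(navigator_layer(EXCERPT, scores), indent=2))
```

Two design choices matter here. Scoring keeps "directly detected" and "covered only through a sub-technique" apart, because a port-scan alert says nothing about vulnerability scanning even though both live under Active Scanning. And a technique that serves two tactics, such as Bypass User Account Control, is emitted once per tactic, so a gap in it would appear in both the Privilege Escalation and Defense Evasion columns rather than being counted once and hidden in one of them.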
The MITRE ATT&CK framework is a powerful tool for preparing an organization for the realities of today's threat landscape. It is inevitably also rather complex. Each organization will need to decide for itself what counts as adequate ATT&CK coverage, bearing in mind that mapping a detection to a technique does not mean every procedure under that technique will be caught. Since threat actors constantly innovate, and ATT&CK documents only known behavior, no amount of coverage eliminates all risk. But we can at least stop threat actors from replaying their old playbook against us.
As we prepare to look back at the lessons of 2021, now is a great time to sit down with Atlantic Data Security's bench of security experts to evaluate your security readiness. Get started today!