What is the MITRE ATT&CK framework?

The MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework was designed for a simple reason: to solve problems for a safer world. This framework is available for free to anyone that wants to level up their cybersecurity. Your organization can use the MITRE ATT&CK framework to understand how cybercriminals operate. From here, you can prepare for cyberattacks and limit your risk of data breaches.

About the MITRE ATT&CK Framework

MITRE, a nonprofit organization that manages federally funded research and development centers for U.S. government agencies, developed the MITRE ATT&CK framework in 2013. The framework was originally developed for a research project. It got its name based on the data collected, which relates to Adversarial Tactics, Techniques, and Common Knowledge, or ATT&CK.

During the research project, researchers used emulated cybercrime and how organizations respond to it. They also focused on how well they were doing to track cybercriminals. This prompted the development of ATT&CK to categorize the behaviors of cybercriminals.

In 2015, MITRE ATT&CK was released to the public for free. Today, the framework helps organizations protect against current and emerging threats. Three matrices based on the framework are available:

  • ATT&CK for Enterprise: Focuses on cybercrime behaviors across Windows, Mac, Linux, and cloud environments.
  • ATT&CK for Mobile: Focuses on cybercrime behaviors on Android and iOS devices.
  • ATT&CK for Industrial Control Systems (ICS): Focuses on the actions a cybercriminal may take to damage an ICS network.

Why was the MITRE ATT&CK Framework Created?

Initially, MITRE wanted to create a list of known adversary tactics and techniques that criminals used during cyberattacks. This list would be available to organizations around the world and provide them with details about cyberattack stages and sequences.

ATT&CK helps organizations understand cybersecurity tactics, techniques, and procedures (TTPs). It categorizes cyber-adversary behaviors, to the point where organizations can understand the how and why of a cyberattack. With this information, organizations can take the necessary steps to protect against cybercrime. 

The MITRE ATT&CK framework utilizes publicly available threat intelligence and incident reports and research on new cyberattack techniques from cybersecurity analysts and threat hunters. This framework applies to:

  • Enterprise IT systems covering Windows, macOS, and Linux
  • Network infrastructure devices
  • Container technologies
  • Infrastructure-as-a-service (IaaS)
  • Software-as-a-service (SaaS)
  • Microsoft Office 365
  • Microsoft Azure Active Directory (AD)
  • Google Workspace
  • Mobile devices covering Android and iOS

Benefits of Using the MITRE ATT&CK Framework

MITRE ATT&CK helps you understand how cybercriminals work and the steps they'll take to access your organization's data and systems. It also provides insights into the "why" behind a cyberattack. With these insights, you can approach cybersecurity from a cyber-adversary's point of view, which can help you find new ways to bolster your cyber protection.

Additionally, ATT&CK helps you prioritize the most relevant threats to your organization and figure out the best ways to combat them. This can help you choose the right security tools and get the most value out of your security investments.

Challenges of Using the MITRE ATT&CK Framework

Limited time and resources can hamper your organization's ability to use the MITRE ATT&CK framework. It takes time to learn the ins and outs of the framework and incorporate it into day-to-day cybersecurity operations. You may need training to learn how to navigate ATT&CK's matrices. Or, you can partner with a managed security service provider (MSSP) that can get you up to speed on ATT&CK.

ATT&CK's matrices are constantly expanding, too. Going through these data and getting actionable insights from it can be difficult. The sheer volume of security data within these matrices can also be overwhelming.

MITRE ATT&CK Framework Use Cases

Threat Hunting

With ATT&CK, you can learn about the relationships between techniques that cybercriminals are using to attack your organization. This gives you insights into attacks targeting your endpoints and networks.

Red Teaming

ATT&CK helps you discover vulnerabilities across your devices and systems. You can understand how cybercriminals access your devices and systems, move across your networks, and how they are evading detection.

Blue Teaming

ATT&CK provides insights into the different aspects of a cyberattack. Once you have these insights, you can identify and address security gaps. Plus, ATT&CK offers remediation guidance and controls to help you fight back against cybercriminal techniques.

Security Product Development and Engineering

Security developers and engineers use ATT&CK to test the effectiveness of their products. The framework helps these developers and engineers understand how their products will perform during a cyberattack. It also allows security developers and engineers to find and address product issues.

Threat Intelligence

You can utilize ATT&CK to generate threat intelligence, track security trends, and find ways to manage risk.

Cybersecurity Strategy Development

ATT&CK shows you what cybercrime techniques put your organization, its employees, and its customers at risk. You can use the framework to understand your security risks and what tools you can use to level up your cyber protection.

Security Alert Triaging and Investigation

Thanks to ATT&CK, you can learn about security issues that plague your organization. You can then take steps to improve the way your organization responds to security alerts. This can help you reduce your mean time to detect (MTTD) and mean time to respond (MTTR) to these alerts.

MITRE ATT&CK Tactics

A tactic focuses on the "why" behind a MITRE ATT&CK technique or sub-technique. ATT&CK organizes groups of common techniques and sub-techniques into tactics, which are used to describe the reason why a cybercriminal initiates a technique or sub-technique in the first place.

For example, a cybercriminal may try to infiltrate an organization's network. Per ATT&CK, this tactic is referred to as "Initial Access."

As of July 26, 2023, ATT&CK contains 14 tactics in its Enterprise matrix. 

MITRE ATT&CK Techniques

A technique refers to the way a cybercriminal attempts to achieve their goal. For instance, a cybercriminal may duplicate, then impersonate another user's existing token to escalate privileges and bypass access controls. According to MITRE ATT&CK, this technique is referred to as "Access Token Manipulation."

ATT&CK lists hundreds of techniques and sub-techniques used by cybercriminals. These vary based on a cybercriminal's skill set, target, and other factors.

For each technique listed, ATT&CK includes:

  • A description of the method;
  • Systems and platforms linked to it;
  • Adversary groups that are known to use it;
  • Ways to mitigate attacks linked to this technique; and
  • References for how to use it in the real world. 

MITRE ATT&CK Sub-Techniques

A sub-technique goes one step further to describe how a cybercriminal initiates an attack. As of July 26, 2023, ATT&CK has 196 techniques and 411 sub-techniques listed in its Enterprise matrix.

Sub-techniques are a more specific description of the adversarial behavior used to achieve a goal. They describe behavior at a lower level than a technique. For example, a cybercriminal may use the sub-technique dumping credentials to access Local Security Authority (LSA) Secrets.

MITRE ATT&CK Procedures

Procedures are listed within the MITRE ATT&CK framework. They serve as step-by-step descriptions that explain how a cybercriminal will try to accomplish their objective.

Framework Common Knowledge (CK) 

Common knowledge (CK) refers to the documented tactics and techniques used by cyber-adversaries.

MITRE ATT&CK Matrix

The MITRE ATT&CK matrix consists of techniques that cybercriminals use to accomplish objectives. Enterprise, Mobile, and ICS matrices are available, and each has its own tactics and techniques listed.

MITRE ATT&CK vs Cyber Kill Chain

Along with the MITRE ATT&CK framework, many organizations use the Lockheed Martin Cyber Kill Chain to understand cyber-adversary behaviors that lead to cyberattacks and data breaches. ATT&CK and the Cyber Kill Chain are not identical. However, organizations can use ATT&CK and the Cyber Kill Chain in conjunction with one another as they search for ways to optimize their security posture.

ATT&CK lists TTPs used by cybercriminals. It provides TTPs in matrices.

Comparatively, the Cyber Kill Chain describes the structure of a cyberattack. It includes seven steps:

1. Reconnaissance

A cybercriminal conducts research and tries to gather as much information as possible about a potential target.

2. Weaponization

The cyber-adversary combines an exploit with a backdoor to create a deliverable payload.

3. Delivery

The criminal delivers the weaponized bundle via email, web, etc.

4. Exploitation

The criminal exploits a vulnerability to execute a malicious code on a victim's system.

5. Installation

The criminal installs malware on the victim's system.

6. Command and Control (C2)

The criminal remotely controls the victim's system.

7. Actions on Objectives

The criminal has "hands-on-keyboard" access to the victim's system and can now act on their objectives.

Which Is Better: MITRE ATT&CK or the Cyber Kill Chain?

MITRE ATT&CK isn't better than the Cyber Kill Chain, and vice versa.

ATT&CK is widely adopted by organizations of all sizes and across all industries. This is due in large part to the fact that ATT&CK includes information about cyberattacks from both the perspectives of both the cyber-adversary and cyber-defender. ATT&CK also has attack scenarios that red teams can replicate and blue teams can test.

The Cyber Kill Chain helps you identify and prevent cyber intrusions. It gives you insights into the steps that cybercriminals must complete to launch a successful attack. By doing so, it provides you with visibility into cyberattacks and the TTPs used by cybercriminals.

MITRE ATT&CK Framework Tools and Resources

Caldera

Caldera is an open-source security framework based on MITRE ATT&CK. It lets you emulate cyberattacks and automate security responses to them.

MITRE ATT&CK Navigator

ATT&CK Navigator lets you map your security controls to ATT&CK techniques and add detective controls, preventive controls, and display layers of observed cybercriminal behaviors.

MITRE Cyber Analytics Repository (CAR)

The MITRE Cyber Analytics Repository is an analytics knowledge base that contains hypotheses, information domains that show the context of analytics, references to ATT&CK TTPs, and pseudocode that indicate how analytics can be utilized.

MITRE ATT&CK Workbench

ATT&CK Workbench is an open-source tool that lets you manage and extend your own local version of ATT&CK and keep it in sync with MITRE's knowledge base. With Workbench, you can explore, create, annotate, and share extensions of the ATT&CK knowledge base.

MITRE Engenuity™ ATT&CK Evaluations

The MITRE Engenuity™ ATT&CK Evaluations program promotes the use of cybersecurity solutions based on the MITRE ATT&CK framework. It allows cybersecurity solution providers to get their offerings evaluated by MITRE experts. Each evaluation provides insights into how well a cybersecurity solution detects and protects against cyber-adversaries based on the ATT&CK knowledge base.

MITRE Engenuity™ recently released the results from their first-ever ATT&CK® Evaluation for Security Services Providers. The evaluations highlighted results across 15 security services providers, assessing their capabilities in detecting, analyzing, and describing adversary behavior. To learn more, please visit news.sophos.com.

 

Related security topic: What is mobile device management (MDM)?