The MITRE Corporation, founded in 1958, is a not-for-profit organization that provides engineering and technical advice on advanced technology problems, cybersecurity among them, in the public interest. MITRE has contributed to technologies such as GPS, the Traffic Collision Avoidance System (TCAS) used on commercial airliners, and the ATT&CK® knowledge base.
MITRE ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge. ATT&CK is first and foremost a knowledge base of adversary behavior: a breakdown and classification of offensive actions that have been observed in use against real systems. Work on the framework began in 2013, and it now documents hundreds of techniques adversaries use to carry out intrusions. For each technique it records the phase of an attack in which it is used and the platforms on which it applies.
ATT&CK Approach
Rather than starting from security controls, ATT&CK starts from the attacker's behavior. Each documented technique is paired with the mitigations that can prevent it and the data sources that can detect it, so that an enterprise can assess and improve its coverage against behaviors adversaries actually use.
ATT&CK structure
MITRE organizes its observations about adversary behavior into tables called matrices. Each matrix lays out the tactics, techniques, and sub-techniques (with their associated mitigations) that apply to a given technology domain, such as desktop and server operating systems, mobile devices, cloud platforms, or industrial control systems.
TTPs
The MITRE ATT&CK Framework is built around three main components, collectively known as TTPs: tactics, techniques, and procedures.
- Tactics: describe the adversary's tactical goal at a given step, such as getting into your network or stealing credentials. They represent the "why" of an action.
- Techniques: describe the ways or methods a threat actor uses to achieve a tactical goal. They represent the "how". Techniques can be further divided into sub-techniques that describe more specific variants of the same behavior.
- Procedures: describe the specific implementation of a technique as observed in the tools and actions of a particular adversary group or piece of software.
Mitigations
ATT&CK Mitigations represent security concepts and classes of technologies that can be used to prevent a technique or sub-technique from being successfully executed.
ATT&CK Matrix
- Enterprise: The matrix covers Windows, macOS, Linux, PRE (pre-compromise activity such as reconnaissance and resource development), Azure AD, Office 365, Google Workspace, SaaS, IaaS, Network, and Containers.
- Mobile: Two matrices cover techniques that require access to the device and network-based effects that adversaries can achieve without device access. They cover Android and iOS.
- ICS: The Matrix contains information for defenders of industrial control systems (ICS).
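To make the structure above concrete, here is an added example, not MITRE's own code. MITRE publishes ATT&CK as STIX 2.1 JSON (the `mitre-attack/attack-stix-data` repository on GitHub), and the script below walks a hand-constructed mini-bundle that uses the same object types and field names as that export: tactics are `x-mitre-tactic` objects, techniques and sub-techniques are `attack-pattern` objects whose `kill_chain_phases` name their tactics, a matrix is an `x-mitre-matrix` object that fixes the column order, and mitigations are `course-of-action` objects linked to techniques by `relationship` objects. The three techniques, one mitigation, and the platform lists are a constructed subset of the real entries; real objects carry UUID identifiers and many more fields.

```python
"""Walk an ATT&CK-style STIX 2.1 bundle: matrix -> tactics -> techniques -> sub-techniques -> mitigations.

Added example. The objects are hand-constructed to mirror the field names MITRE uses
in its STIX export; they are a small subset, and the ids below are not the real UUIDs.
"""


def ref(external_id):
    # ATT&CK IDs (T1078, M1032, ...) live in external_references under source_name "mitre-attack".
    return [{"source_name": "mitre-attack", "external_id": external_id}]


def tactic(shortname, name):
    return {"type": "x-mitre-tactic", "id": f"x-mitre-tactic--{shortname}",
            "name": name, "x_mitre_shortname": shortname}


def technique(tid, name, tactics, platforms, sub=False):
    # kill_chain_phases is how a technique names its tactic(s); one technique may serve several.
    return {"type": "attack-pattern", "id": f"attack-pattern--{tid}", "name": name,
            "external_references": ref(tid),
            "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": t} for t in tactics],
            "x_mitre_platforms": platforms, "x_mitre_is_subtechnique": sub}


def relationship(src, rel, dst):
    return {"type": "relationship", "relationship_type": rel, "source_ref": src, "target_ref": dst}


VALID_ACCOUNT_TACTICS = ["defense-evasion", "persistence", "privilege-escalation", "initial-access"]

# Constructed mini-bundle (five tactics, two techniques, one sub-technique, one mitigation).
BUNDLE = {"type": "bundle", "objects": [
    {"type": "x-mitre-matrix", "id": "x-mitre-matrix--enterprise", "name": "Enterprise ATT&CK",
     "tactic_refs": ["x-mitre-tactic--initial-access", "x-mitre-tactic--execution",
                     "x-mitre-tactic--persistence", "x-mitre-tactic--privilege-escalation",
                     "x-mitre-tactic--defense-evasion"]},
    tactic("initial-access", "Initial Access"), tactic("execution", "Execution"),
    tactic("persistence", "Persistence"), tactic("privilege-escalation", "Privilege Escalation"),
    tactic("defense-evasion", "Defense Evasion"),
    technique("T1078", "Valid Accounts", VALID_ACCOUNT_TACTICS,
              ["Windows", "Linux", "macOS", "Azure AD", "Office 365", "SaaS", "IaaS"]),
    technique("T1078.004", "Cloud Accounts", VALID_ACCOUNT_TACTICS,
              ["Azure AD", "Office 365", "SaaS", "IaaS"], sub=True),
    technique("T1059", "Command and Scripting Interpreter", ["execution"], ["Windows", "Linux", "macOS"]),
    {"type": "course-of-action", "id": "course-of-action--M1032", "name": "Multi-factor Authentication",
     "external_references": ref("M1032")},
    relationship("attack-pattern--T1078.004", "subtechnique-of", "attack-pattern--T1078"),
    relationship("course-of-action--M1032", "mitigates", "attack-pattern--T1078"),
]}


def attack_id(obj):
    """Return the ATT&CK ID (e.g. 'T1078') recorded in an object's external_references."""
    for r in obj.get("external_references", []):
        if r["source_name"] == "mitre-attack":
            return r["external_id"]
    return None


def index(bundle):
    return {o["id"]: o for o in bundle["objects"] if "id" in o}


def build_matrix(bundle, platform=None):
    """Return {tactic name: [technique IDs]} in the matrix's column order.

    Sub-techniques are left out of the columns because they nest under their parent.
    Passing a platform yields the per-platform view (e.g. the Windows or Azure AD matrix):
    a technique appears only if that platform is in its x_mitre_platforms list.
    """
    objs = index(bundle)
    matrix = next(o for o in bundle["objects"] if o["type"] == "x-mitre-matrix")
    columns = [objs[t] for t in matrix["tactic_refs"]]
    name_of = {c["x_mitre_shortname"]: c["name"] for c in columns}
    result = {c["name"]: [] for c in columns}
    for o in bundle["objects"]:
        if o["type"] != "attack-pattern" or o.get("x_mitre_is_subtechnique"):
            continue
        if platform and platform not in o["x_mitre_platforms"]:
            continue
        for phase in o["kill_chain_phases"]:
            if phase["kill_chain_name"] == "mitre-attack":
                result[name_of[phase["phase_name"]]].append(attack_id(o))
    for ids in result.values():
        ids.sort()
    return result


def related_ids(bundle, tid, rel_type):
    """IDs of objects that point at technique `tid` through a relationship of type rel_type."""
    objs = index(bundle)
    return sorted(attack_id(objs[r["source_ref"]]) for r in bundle["objects"]
                  if r["type"] == "relationship" and r["relationship_type"] == rel_type
                  and attack_id(objs[r["target_ref"]]) == tid)


def subtechniques_of(bundle, tid):
    return related_ids(bundle, tid, "subtechnique-of")


def mitigations_for(bundle, tid):
    return related_ids(bundle, tid, "mitigates")


if __name__ == "__main__":
    for tactic_name, ids in build_matrix(BUNDLE).items():
        print(f"{tactic_name:21s} {ids}")
    print("Azure AD view:", build_matrix(BUNDLE, platform="Azure AD"))
    print("T1078 sub-techniques:", subtechniques_of(BUNDLE, "T1078"))
    print("T1078 mitigations:", mitigations_for(BUNDLE, "T1078"))
```

Two things the walk makes visible that the prose does not: a single technique (Valid Accounts) sits in four tactic columns at once because a tactic is the goal, not the behavior, and the per-platform matrices on the ATT&CK site are the same technique set filtered by `x_mitre_platforms`, so Command and Scripting Interpreter drops out of the Azure AD view while Valid Accounts stays. The real data is split into one bundle per domain (Enterprise, Mobile, ICS); the same functions apply to each.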
ATT&CK Tactics
The Enterprise matrix has fourteen tactics. Listed in the order ATT&CK presents them, they describe how an adversary could operate within an enterprise network:
| Name | Description |
|---|---|
| Reconnaissance | Gather information that can be used to plan future operations |
| Resource Development | Establish resources that can be used to support operations |
| Initial Access | Get into your network |
| Execution | Run malicious code |
| Persistence | Maintain a foothold |
| Privilege Escalation | Gain higher-level permissions |
| Defense Evasion | Avoid being detected |
| Credential Access | Steal account names and passwords |
| Discovery | Figure out your environment |
| Lateral Movement | Move through your environment |
| Collection | Gather data of interest to the adversary's goal |
| Command and Control | Communicate with compromised systems to control them |
| Exfiltration | Steal data |
| Impact | Manipulate, interrupt, or destroy your systems and data |