Effective protection against cyber threats requires a thorough knowledge and understanding of the techniques used by attackers. This is precisely what the MITRE ATT&CK® framework is all about: a knowledge base of the various known attack techniques used during a cyber attack.
Today, the ATTA&CK® MITRE Framework plays a central role in cybersecurity, enabling security teams to better understand and prepare for threats.
What is the MITRE ATT&CK® Framework?
MITRE ATT&CK® framework: definition
Described as a "framework", "repository" or "matrix", MITRE ATTA&CK® is a knowledge base of known attack techniques. The framework is fed by attacks observed in the real world.
More than 200 attack techniques have been documented to date, and are freely accessible at attack.mitre.org. This knowledge base is managed by MITRE, a non-profit organization, and enriched by an active community.
History and development of the MITRE ATT&CK® frame
ATT&CK® stands for "Adversarial Tactics, Techniques and Common Knowledge". The matrix contains details of the tactics, techniques and procedures (TTPs) used by adversaries during a computer attack. The MITRE ATT&CK® knowledge base has been maintained since 2013 and has been freely accessible online since 2015.
MITRE ATT&CK® initially focused on threats to Windows systems. It has since been extended to Linux, macOS, mobile environments and industrial control systems. The knowledge base is updated regularly.
Different versions are available online:
- MITRE ATT&CK® For Enterprise (including PRE-ATT&CK®tactics and techniques)
- MITRE ATT&CK® for Mobile
- MITRE ATT&CK® for ICS (for industrial control systems)
What are the components of the MITRE ATT&CK® matrix?
Tactics listed in the MITRE ATT&CK® matrix
The MITRE ATT&CK® framework breaks down the various stages (called "tactics") of a computer attack. The "enterprise" matrix of the MITRE ATT&CK® framework currently lists 14 different tactics/steps and over 200 offensive techniques.
The course of a computer attack is broken down from the preparation of the intrusion into the information system to the success of the attack and its impact:
- Recognition
- Resource development
- Initial access
- Execution
- Persistence
- Escalation of privileges
- Escape
- Login access
- Discovery
- Lateral displacement
- Collection
- Control and monitoring
- Exfiltration
- Impact
Each tactic represents an objective that the attacker is seeking to achieve within the information system (gathering information, exfiltrating data, etc.) and groups together several techniques.
Description of the techniques used by malicious groups
One of the strengths of the MITRE ATT&CK® framework is that it describes and documents the techniques and methods used by groups of adversaries.
The "Initial Access" tactic for example, includes 10 techniques:
- Content Injection
- Drive-by Compromise
- Exploit Public-Facing Application
- External Remote Services
- Hardware Additions
- Phishing
- Replication Through Removable Media
- Supply Chain Compromise
- Trusted Relationshop
- Valid Accounts
Each of the framework's techniques is described in detail, illustrated with case studies (including the name of the malware used, for example) and accompanied by detection and remediation mechanisms.
How do I implement the MITRE ATT&CK® framework?
MITRE ATT&CK®, an "agnostic" framework
The MITRE ATT&CK® framework is not linked to any security product or solution. It is designed to be used with any security tool (e.g. vulnerability scanning) or platform that enables the integration of the tactics and techniques listed. It supports and enhances existing security strategies. Some vendors integrate the matrix into their cybersecurity solutions.
Combined with information system mapping, the MITRE ATT&CK® framework helps organizations to better visualize the vulnerabilities of their IS and, above all, to prioritize their treatment with regard to the behaviors already identified among malicious groups. Comparing their IS protection systems with the attack patterns documented within the matrix helps security teams to identify weak points in their security strategy and remedy them through proactive action.
The attack.mitre.org website lists numerous free resources enabling organizations to freely reuse the database according to their specific needs. Consultants and security solution providers can also help teams implement customized solutions.
Different approaches for different security teams
The MITRE ATT&CK® matrix can be used in a variety of application scenarios, depending on the specific needs of each organization, as well as the size and structure of its teams. Used by SOC teams to bridge the gap between operational reality and the CISO, by BlueTeam teams as part of their exercises, and by analysts, the MITRE ATT&CK® framework simplifies communication between the various teams involved in risk management.
While smaller teams focus on researching attack behavior observed in groups of adversaries, larger teams will be able to map more information - both internal and external - using the framework.
How to use MITRE ATT&CK® for risk analysis, threat detection and prevention?
Cyber threat watch
MITRE ATT&CK® is used for Cyber Threat Intelligence. Security teams can use this framework to develop a threat model describing the potential attacks to which their IS is exposed, and identify the measures they need to put in place to protect themselves.
By enabling the characterization and analysis of adversary groups and malware, the MITRE ATT&CK® framework helps to draw threat profiles. Analysts gain a better understanding of the methods, capabilities, motivations and objectives of threat actor profiles, based on concrete examples and analyses of their past activities.
Threat detection and prevention
From a threat detection point of view, the MITRE ATT&CK® framework helps organizations to assess whether their detection capabilities are aligned with the tactics and techniques identified by the matrix. Similarly, in terms of prevention, it can be used to check the effectiveness of preventive measures designed to counter the behaviors identified in malicious groups.
Threat exposure and vulnerability management
By collecting security data on a given perimeter (CVEs, for example) and using the MITRE ATT&CK® framework, analysts can trace a "kill chain". This attack chain is a realistic attack path that could potentially lead to a cyber attack.
It measures exposure to documented threats. By cross-referencing an information system's vulnerabilities with its exposure to an existing threat database, the aim is to check whether its information system is exposed to real attack mechanisms. Linking vulnerabilities to attack paths likely to exploit them helps prioritize vulnerability treatment.
Attack scenarios and simulations
The MITRE ATT&CK® matrix helps RedTeam teams to build realistic attack scenarios simulating tactics and techniques observed in real-life situations. These teams can thus better identify the weaknesses and gaps in their security systems, and improve their defenses accordingly.
As for incident response teams, they can use the framework to more quickly identify the tactics and techniques used by the cybercriminal group. The aim is to prioritize incident response actions and build a more effective incident response plan.
Framework MITRE ATT&CK®: key points to remember
A threat modeling and analysis tool, the MITRE ATT&CK® framwork details the main stages of a computer attack (tactics) and the attack techniques used by malicious actors, from the adversary's point of view. This information is documented, updated and shared free of charge.
Organizations have every interest in integrating this framework into their security strategies and policies, to stay one step ahead of threats and improve their defenses. Effective implementation of the framework by their teams will help them to better understand the modus operandi of malicious actors. By cross-referencing cybercriminals' techniques with their own vulnerabilities, security teams can improve and fine-tune their defense strategies against advanced threats.
OverSOC helps you gain visibility of threats and prioritize vulnerabilities in your information system. Contact us.