MITRE Corporation has developed the ATT&CK knowledge base as a curated knowledge repository of cyber adversary behavior to assist red teams, defenders, and threat hunters to classify attacks, identify attack attribution, and assess risk.
Finding and blocking every technique defined by the ATT&CK matrix can be challenging for security teams, while this framework also defines subtechniques which detail specific behaviors of adversaries.
Tactics
The MITRE ATT&CK Framework is an online EDR, publicly accessible knowledge base of adversary tactics and techniques. Based on real-world observations of attacks, its matrix displays are organized according to attack phases (from initial system access through data theft or machine control), target platforms like enterprises, mobile phones, cloud networks, networks for industrial control systems (ICSs) as well as specific attack types and methods like reconnaissance, evasion/perseverance techniques lateral movement strategies as well as data exfiltration.
Lockheed Martin's Cyber Kill Chain differs significantly in that it describes an attack as a sequence of events, while ATT&CK emphasizes how attackers achieve their objectives within your organization. Understanding which steps adversaries will take can provide valuable insight into which defenses they'll evade.
Security teams can utilize ATT&CK for various purposes, such as planning and conducting red team or penetration test activities, creating a unified vocabulary to communicate about threats across teams, and evaluating depth of detection using Telemetry levels necessary for full coverage.
Organizations using ATT&CK can identify gaps in their defenses and develop solutions to close those gaps. Furthermore, organizations can take a risk-based approach to understanding their vulnerability posture by calculating the consequences of successful attacks against each target and then enhance threat intelligence capabilities by making sure their tools and teams capture all pertinent information during every attack phase.
However, while security teams typically follow their natural impulse of implementing detection and prevention controls for every technique in an ATT&CK matrix, doing so without considering certain caveats can be potentially hazardous. Since an ATT&CK Framework serves as knowledge repository of potential attacks there may be multiple methods used by attackers and therefore just because an attack technique appears in a matrix doesn't mean your security tools are currently detecting or blocking it.
The ATT&CK Framework can also be utilized to support adversary emulation, which allows red teamers to simulate real-world attacks and give feedback on defenders' effectiveness. Furthermore, its functionality also enables it to identify weaknesses in security products while helping developers and engineers increase product capabilities.
Techniques
The ATT&CK Framework provides a standardized method of communicating threat intelligence between threat hunters, red teams, and security operations centers (SOCs), as well as understanding an attack's life cycle - ultimately helping organizations develop more effective defense strategies and prioritize mitigations based on risk.
MITRE Corporation, a non-for-profit that works across government agencies and industry, developed the ATT&CK framework in order to document malicious behaviors used by advanced persistent threat (APT) groups operating in enterprise environments. The online collection of TTP matrixes covers every aspect of an attack - initial compromise, persistence, lateral movement and data exfiltration are just a few areas it covers.
Although originally developed as part of an endpoint telemetry and analytics research project, ATT&CK can also be used to better understand adversary behavior more generally. Furthermore, it can evaluate security tools' abilities to detect different stages of an attack, and identify any gaps in an organization's security posture.
Each matrix covers various attack phases and stages, from intel gathering through system destruction. Furthermore, they document what tools attackers utilize in each phase, along with indicators of compromise recognition strategies and mitigation approaches.
MITRE states that a tactic describes an objective while technique refers to how an attacker might achieve that goal. A sub-technique refers to any step in an attack's plan that furthers one particular technique - for instance creating a phishing link or spear phishing attachment. ATT&CK lists 188 tactics and 379 sub-techniques specifically targeting enterprise environments.
While ATT&CK provides a standard classification system for attacker techniques, it does not rank or score security products. Instead, MITRE Ingenuity's evaluations offer raw results to provide an overview of each vendor's defensive capabilities against specific attacks - essential information when choosing security solutions to implement. To gain further insight, download SentinelOne-Carbanak and Fin7 Evaluations by MITRE Engenuity from here.
Common Knowledge
Threat models provide a detailed picture of how attackers can attack and the effects they will have on their targets. It's essential to distinguish between threat models and attack diagrams as one only shows individual steps while the latter covers an attack from its entirety.
An effective threat model can aid teams in improving their ability to detect attacks and respond swiftly when they occur, as well as assess security posture and identify areas for improvement based on risk assessment. The ATT&CK framework can be an invaluable resource here, serving to prioritize detections while also evaluating current tools and depth of coverage.
ATT&CK stands for tactics, which refers to an attacker's goals in an attack. Such goals could include gaining initial access, running malicious code or stealing account names and passwords. Techniques refers to all the different means by which an adversary may achieve his tactical goal - for instance if privilege escalation is desired as the goal, techniques might include hacking, brute force or password spraying as means. These techniques can then be further refined through sub-techniques like password guessing or credential stuffing etc.
Attackers typically plan their attack in stages, so the ATT&CK framework provides an overview of typical attacks' phases. It details how an attacker might start by gathering intelligence before gaining initial access and moving laterally before exfiltrating data and possibly employing evasion tactics to avoid detection.
This approach allows teams to quickly identify and classify attacks while communicating the results of red team or pentest activities in an easily understandable format. Furthermore, it provides organizations with a benchmark against which they can compare their defenses to determine effectiveness.
Utilizing the ATT&CK framework can significantly enhance vulnerability management by allowing teams to map threats with specific TTPs, helping them understand if vulnerabilities have been exploited and prioritizing remediation efforts based on impact.
Planning and conducting red team or penetration test activities using a matrix can also be extremely helpful, as it enables teams to define their scope more precisely. Target lists can be created, along with levels of telemetry for detections required and how defenses will be scored at the end of an exercise. Furthermore, this matrix can help teams determine levels of sensitivity required for detections to achieve high confidence coverage on key systems or devices.
Risk
Security frameworks provide cybersecurity professionals with a knowledge base of adversarial tactics, techniques and procedures (TTPs) which allows them to recognize, detect and respond effectively to cyberattacks. Such knowledge helps organizations prevent attacks while mitigating the damage of breaches such as data loss, fraud, business disruption and regulatory fines.
The ATT&CK framework comprises matrices for different attack landscapes, such as enterprise and industrial control systems. This format resembles a periodic table in that its column headers identify each phase of an attack from initial access all the way to impact, with rows detailing specific tactics for each attack phase and user friendly navigation, so users can easily visualize attacks using techniques used by threat actors. Furthermore, updated matrices reflect any new attack methods or approaches being employed against them by threat actors.
For example, the ICS ATT&CK matrix details attack paths against industrial control systems and critical infrastructure. This information can be invaluable for companies that rely on interconnected machines, sensors and devices for operations, such as power plants or factories. In addition to outlining tactics used, this matrix also contains detailed technical descriptions for each technique, assets targeted by it as well as mitigation and countermeasure strategies and detection analytics used to detect attacks.
Implementing a security framework can be an effective way to enhance red team and penetration test activities by helping teams produce more logical attack plans. Furthermore, by speaking a common language it enables security teams to communicate better among themselves and report results more precisely. A security framework also serves as an efficient method for planning reverse engineering exercises as it offers a framework for identifying attack surface areas and potential vulnerabilities more efficiently.
Although ATT&CK can be an invaluable asset to an organization, using it may pose certain risks. Security teams may find it challenging to keep up with rapidly shifting threats represented in its matrices; this may prove especially challenging for junior or newly hired security staff lacking sufficient experience with using the framework. Luckily, organizations can overcome this hurdle by working with an ATT&CK partner who provides training and guidance on its use.
