What is the MITRE ATT&CK Framework?
MITRE ATT&CK stands for MITRE Adversarial Tactics, Techniques, and Common Knowledge. It was created in 2013 as a result of MITRE’s Fort Meade Experiment (FMX) where researchers simulated both adversary and defender behaviour to improve the detection of threats through post-compromise behavioural analysis.
The MITRE ATT&CK framework is developed by MITRE, a non-profit organization funded by the U.S. government. The ATT&CK Framework is a cybersecurity knowledge base of adversary tactics and techniques based on real-world observations.
This framework is useful in various aspects of cybersecurity. It helps organizations strengthen their threat intelligence and thereby improve their defences against attacks. It is backed by a community-driven knowledge base of adversarial techniques.
This framework helps security professionals to share information in an efficient manner, which ultimately contributes to a higher level of security globally.
The behavioural model presented by ATT&CK contains the following core components:
- Tactics – the short-term goals an adversary pursues during an attack.
- Techniques – the different means through which an adversary may achieve those tactical goals.
- Documented usage – records of which techniques specific adversaries have been observed using, and how.
The MITRE ATT&CK framework comes in three iterations:
- ATT&CK for Enterprise: focuses on adversary behaviour in Windows, macOS, Linux, and cloud environments.
- ATT&CK for Mobile: focuses on adversary behaviour in iOS and Android environments.
- ATT&CK for ICS: focuses on adversary behaviour while operating within an ICS network.
Understanding the MITRE ATT&CK Matrix:
The MITRE ATT&CK matrix consists of a set of techniques used by adversaries to accomplish their objectives. Those objectives are referred to as ‘Tactics’ in the ATT&CK matrix.
Tactics are the core of the ATT&CK Framework and represent the underlying motive behind an ATT&CK technique. Each tactic groups together the different methods an attacker uses to achieve one goal, such as persisting, discovering information, moving laterally, executing files, or exfiltrating data. The objectives are presented linearly from the point of reconnaissance to the final goal of exfiltration or “impact”.
1. Enterprise MATRIX
Currently, the MITRE ATT&CK Enterprise Framework consists of 14 easy-to-understand tactics, which are as follows:
1. Reconnaissance: The adversary gathers information to be used in further operations.
2. Resource Development: The adversary establishes resources that can be used to support the operation.
3. Initial Access: The adversary tries to get into the network.
4. Execution: The adversary tries to run malicious code.
5. Persistence: The adversary tries to maintain their foothold.
6. Privilege Escalation: The adversary tries to gain a higher level of privilege by exploiting an existing vulnerability.
7. Defence Evasion: The adversary tries to escape detection, for example by using trusted processes to hide malware.
8. Credential Access: The adversary tries to access usernames and passwords.
9. Discovery: The adversary tries to understand the environment in order to plan further attacks.
10. Lateral Movement: The adversary moves through the environment, using legitimate credentials to pivot through multiple systems.
11. Collection: The adversary gathers data of interest as per the attack objective.
12. Command and Control: The adversary communicates with compromised systems to control them.
13. Exfiltration: The adversary steals the gathered data.
14. Impact: The adversary changes, interrupts, or destroys systems and data.
2. Mobile matrix
The MITRE ATT&CK Mobile framework also consists of 14 tactics, most of which mirror the Enterprise framework. They are as follows:
1. Initial Access: The adversary tries to get into your device.
2. Execution: The adversary tries to run malicious code.
3. Persistence: The adversary tries to maintain their foothold.
4. Privilege Escalation: The adversary tries to gain higher levels of permission.
5. Defence Evasion: The adversary tries to avoid detection.
6. Credential Access: The adversary tries to access credentials that can be used to reach resources.
7. Discovery: The adversary tries to get an idea of the environment.
8. Lateral Movement: The adversary tries to move through the environment.
9. Collection: The adversary tries to collect data of interest.
10. Command and Control: The adversary tries to communicate with compromised devices.
11. Exfiltration: The adversary tries to steal data.
12. Impact: The adversary tries to manipulate, interrupt, or destroy your devices and data.
13. Network Effects: The adversary tries to intercept or manipulate network traffic to or from a device.
14. Remote Service Effects: The adversary tries to control the device using a remote service.
Mapping defences using ATT&CK
It is quite natural for security teams to develop a detection or prevention control for each technique in the ATT&CK matrix. However, security teams often forget that a technique in the ATT&CK matrix can be performed in numerous ways. Thus, preventing or detecting a single technique does not necessarily mean that the attack has been completely taken care of. One should keep the following things in mind while addressing this issue:
- Never restrict yourself to a single technique for a particular attack.
- Thoroughly log the results of your tests to identify potential gaps in coverage for each technique.
- Keep up to date with the latest methods used to perform attacks.
- Keep track of which tools prove to be effective at specific detections.
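As an added example (not Payatu's code), the following Python script shows one way to keep the bookkeeping above honest: it maps each detection to an ATT&CK technique, records the results of emulation tests against it, and reports which techniques are uncovered, covered only by ineffective or single detections, or covered well, grouped by tactic. The technique IDs are real ATT&CK identifiers; the detections, their test results, the technique-to-tactic mapping and the thresholds are constructed sample data and assumptions for illustration.

```python
"""Track detection coverage against ATT&CK techniques and surface gaps.

Added example, not part of the original post. Technique IDs are real ATT&CK
identifiers; the detections, test results and thresholds are constructed.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Technique:
    technique_id: str
    name: str
    tactic: str


@dataclass
class Detection:
    name: str
    technique_id: str
    # Outcome of each adversary-emulation test run against this detection:
    # True means the detection fired, False means the variant slipped past it.
    test_results: list[bool] = field(default_factory=list)

    def effectiveness(self) -> float:
        """Fraction of tested variants this detection caught (0.0 if untested)."""
        if not self.test_results:
            return 0.0
        return sum(self.test_results) / len(self.test_results)


# Constructed sample data: a handful of techniques and the detections mapped to them.
TECHNIQUES = [
    Technique("T1566", "Phishing", "Initial Access"),
    Technique("T1059", "Command and Scripting Interpreter", "Execution"),
    Technique("T1547", "Boot or Logon Autostart Execution", "Persistence"),
    Technique("T1003", "OS Credential Dumping", "Credential Access"),
    Technique("T1021", "Remote Services", "Lateral Movement"),
]

DETECTIONS = [
    Detection("Mail gateway: suspicious attachment", "T1566", [True, True, False]),
    Detection("Encoded PowerShell command line", "T1059", [True, True, True, True]),
    Detection("Script spawned from Office process", "T1059", [True, False, True]),
    Detection("Run key modification", "T1547", [True, True]),
    Detection("LSASS memory access", "T1003", [False, False, True]),
]


def coverage_report(
    techniques: list[Technique],
    detections: list[Detection],
    min_detections: int = 2,      # assumption: want >= 2 effective detections per technique
    min_effectiveness: float = 0.5,  # assumption: a detection must catch >= half the variants
) -> dict[str, dict]:
    """Classify every technique by how well its detections held up in testing.

    Statuses: "uncovered" (no detection at all), "ineffective" (detections exist but
    none meets the effectiveness threshold), "thin" (fewer effective detections than
    required), "covered" (enough effective detections, i.e. several independent ways
    of catching the technique).
    """
    by_technique: dict[str, list[Detection]] = defaultdict(list)
    for det in detections:
        by_technique[det.technique_id].append(det)

    report: dict[str, dict] = {}
    for tech in techniques:
        dets = by_technique.get(tech.technique_id, [])
        effective = [d for d in dets if d.effectiveness() >= min_effectiveness]
        if not dets:
            status = "uncovered"
        elif not effective:
            status = "ineffective"
        elif len(effective) < min_detections:
            status = "thin"
        else:
            status = "covered"
        report[tech.technique_id] = {
            "name": tech.name,
            "tactic": tech.tactic,
            "status": status,
            "detections": [d.name for d in dets],
            "best_effectiveness": max((d.effectiveness() for d in dets), default=0.0),
        }
    return report


def gaps_by_tactic(report: dict[str, dict], techniques: list[Technique]) -> dict[str, list[str]]:
    """Group every technique that is not fully covered under its tactic, in matrix order."""
    gaps: dict[str, list[str]] = {}
    for tech in techniques:
        gaps.setdefault(tech.tactic, [])
        if report[tech.technique_id]["status"] != "covered":
            gaps[tech.tactic].append(tech.technique_id)
    return gaps


if __name__ == "__main__":
    rep = coverage_report(TECHNIQUES, DETECTIONS)
    for tactic, ids in gaps_by_tactic(rep, TECHNIQUES).items():
        for tid in ids:
            entry = rep[tid]
            print(f"{tactic:18} {tid} {entry['name']:36} {entry['status']:11} "
                  f"best={entry['best_effectiveness']:.2f}")
```

Running the script prints only the techniques that still need work, so the T1059 row (two detections that each caught most variants) drops out while T1003 shows up as "ineffective": a detection exists, but the test log shows it missed two of three variants, which is exactly the gap the bullet points above warn about.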
MITRE ATT&CK is a detail-oriented and cross-referenced repository of knowledge about real adversary groups and their known behaviour. It also tells us about the strategies, tactics, and methods used by adversaries.
The prime differentiating factor between MITRE ATT&CK and existing threat modelling lifecycle models is that it is designed from an attacker’s perspective. This makes it a vital tool for learning and assessing the tactics used by adversaries in order to have a strong defence mechanism in place.
The depth of knowledge provided by ATT&CK is difficult to comprehend in one go. However, one should not hesitate to invest the time to study the framework thoroughly.
Payatu maintains a series of blogs on different topics related to information security. Visit Payatu blogs to read more.
Payatu is a research-powered, CERT-In empanelled cybersecurity consulting company specializing in security assessments of IoT (Internet of Things) product ecosystems, web applications & networks, with a proven track record of securing applications and infrastructure for customers across 20+ countries.
Want to check the security posture of your organization? Browse through Payatu’s Service and get started with the most effective cybersecurity assessments.