top of page
Aug 23, 20223 min read

What is MITRE ATT&CK Framework?

If you have spent any time in the cybersecurity world, you have likely heard of the MITRE ATT&CK framework, but what you may not know is what it is, or that it is an important tool for cybersecurity professionals. Well Cyber Family, that is exactly what we are talking about today! So stay tuned for this 411 on the MITRE ATT&CK framework, and how it can help you keep up with the bad actors.



What is MITER ATT&CK?


First off, "MITRE" is a government- funded organization based in the US that has a substantial cybersecurity practice funded by NIST. MITRE ATT&CK is a MITRE framework that is short for Adversarial Tactics, Techniques, and Common Knowledge, a guideline that classifies and describes cyberattacks and intrusions. It is an incredibly useful matrix that allows cybersecurity professionals to map out the behavior and phases of an attack lifecycle and the platforms that are most often associated with those attacks. MITRE ATT&CK is used in intrusion detection, threat hunting, security engineering, threat intelligence, red teaming and risk management. There are three different iterations of MITRE ATT&CK, Enterprise that focuses in Windows, Linux and Cloud environments, Mobile that focuses on iOS and Android Operating systems and ICS that focuses within an ICS Network. For this article I'll be focusing on the MITRE ATT&CK Enterprise model that can be seen at a glance below.

Above is the MITRE ATT&CK Matrix, for full Matrix check out learning materials and links at the bottom of this article.



MITRE ATT&CK breakdown


MITRE ATT&CK matrix is laid out with a set list of objectives, known as attack tactics. Below each attack tactic is the

techniques associated with the specified attack tactic. Multiple techniques can be used per attack tactic.


ATTACK TACTICS

  • Reconnaissance

  • Resource Development

  • Initial Access

  • Execution

  • Persistence

  • Privilege Escalation

  • Defense Evasion

  • Credential Access

  • Discovery

  • Lateral Movement

  • Collection

  • Command and Control

  • Exfiltration

  • Impact

These tactics are observed in order to map out a potential bad actors traversal through the attack process. Knowing the steps, potential outcomes and behaviors of each is important for making informed decisions. As cybersecurity professionals we can plan for attacks, respond to attacks, and formulate comprehensive plans to protect company assets.




How to use the MITRE ATT&CK



The MITRE ATT&CK framework can be used in a number of ways to assist an organization or cybersecurity professional by following a number of applications. Implementing MITRE ATT&CK can either be done manually or in tandem with other solutions such as SIEM, CASB or EDR. Here is a look at ways MITRE ATT&CK can be used...


Adversary Emulation: Assesses security by applying intelligence about an adversary and how they operate to emulate a threat. ATT&CK can be used to create adversary emulation scenarios to test and verify defenses.


Red Teaming: Acts as an adversary to demonstrate the impact of a breach. ATT&CK can be used to create red team plans and organize operations.


Behavioral Analytics Development: Links together suspicious activity to monitor adversary activity. ATT&CK can be used to simplify and organize patterns of suspicious activity deemed malicious.


Defensive Gap Assessment: Determines what parts of the enterprise lack defenses and/or visibility. ATT&CK can be used to assess existing tools, or test new tools prior to purchasing, to determine security coverage and prioritize investment.


SOC Maturity Assessment: Similar to Defensive Gap Assessment, ATT&CK can be used to determine how effective a security operations center (SOC) is at detecting, analyzing, and responding to breaches.


Cyber Threat Intelligence Enrichment: Enhances information about threats and threat actors. ATT&CK allows defenders to assess whether they are able to defend against specific Advanced Persistent Threats (ATP) and common behaviors across multiple threat actors.


411 of note: MITRE ATT&CK is a similar tool to Cyber Kill Chain with two key differences...

1: MITRE ATT&CK goes into significantly more detail and depth than Cyber Kill Chain and

2: Cyber Kill Chain does not factor in different tactics for cloud.


Final Thoughts


MITRE ATT&CK is a great tool for helping cybersecurity professionals understand the Lifecyle of an attack and potential impact. Becoming familiar with MITRE ATT&CK can quicken response time and help encourage critical problem solving. If you are getting into cybersecurity or are not yet familiar with the MITRE ATT&CK Framework, spend some time with it and expand your critical thinking skills.




Learning Materials





Sources

Mitre ATT&CK®. MITRE ATT&CK®. (n.d.). Retrieved August 23, 2022, from https://attack.mitre.org/


What is the mitre ATT&CK framework?: Get the 101 guide. Trellix. (n.d.). Retrieved August 23, 2022, from https://www.trellix.com/en-us/security-awareness/cybersecurity/what-is-mitre-attack-framework.html




Comments

bottom of page