MITRE ATT&CK Framework – What’s That Then?
The cybersecurity threat landscape constantly changes as cybercriminals use increasingly sophisticated attack methods. It can be challenging to stay current with this threat landscape and the techniques used by bad actors. However, several frameworks that classify the tactics and techniques used by attackers are available. One of the most popular and widely used is the MITRE ATT&CK® framework. Knowing about and using this framework in your cybersecurity defence can help with strategy planning and tactical operations.
What is the MITRE ATT&CK Framework?
The MITRE ATT&CK Framework is a knowledge base of adversary behaviour and the corresponding mitigations. It is developed and maintained by the MITRE Corporation in collaboration with industry and other stakeholders. The MITRE Corporation is a US federally funded research and development organisation that aims to provide solutions to keep the USA safe from a range of threats.
MITRE ATT&CK is one of the outputs of this work and can be used to identify and design specific protections for cybercriminal threats against any organisation worldwide. The ATT&CK part of the name is an acronym for Adversarial Tactics, Techniques and Common Knowledge. MITRE ATT&CK is free to use globally by anyone in the private sector, Governments, or cybersecurity solution vendors.
The framework has three top-level categories called Matrices: Enterprise, Mobile, and ICS. Each matrix gets subdivided into Tactics and Techniques covering cyber-attack methods, along with mitigations that organisations can use to bolster cybersecurity.
The Enterprise Matrix is the largest and most mature part of MITRE ATT&CK. Within the Enterprise Matrix are seven sub-matrices for popular operating systems, cloud-based technologies, containers, and general preparatory cybersecurity measures that are common across matrices. Alongside the Enterprise Matrix are Matrices for Mobile and Industrial Control Systems (ICS). The Mobile Matrix has two sub-matrices for Apple iOS and Google Android.
MITRE ATT&CK Tactics
The Enterprise Matrix is the most mature and contains 14 Tactics sections that explain the intention behind an ATT&CK technique or sub-technique. They highlight attackers’ strategic objectives and what motivates their actions. The 14 Enterprise Tactics are:
- Reconnaissance – Information gathering activity used to plan attacks.
- Resource Development – Building infrastructure to use in attacks, such as fake websites.
- Initial Access – Initial attack vectors and attempts to breach security, like phishing emails.
- Execution – Performing attack activity, such as injecting and running malicious code.
- Persistence – Maintaining persistence on a breached network using various techniques.
- Privilege Escalation – Getting the rights and access permissions to perform escalated function attacks.
- Defence Evasion – Activities used by attackers to avoid discovery on the network.
- Credential Access – Monitoring and stealing login details for systems not yet fully breached, for example by keylogging.
- Discovery – Finding other systems on the network to infect and control.
- Lateral Movement – Jumping from one infected system to another, often using credentials that work across systems.
- Collection – Gathering data that has value if sold or used for further attack planning or blackmail.
- Command and Control – Communication between infected systems and the cybercriminals’ own systems on the web, often hidden inside otherwise normal-looking network traffic.
- Exfiltration – Copying data to cybercriminals’ servers to be sold on the dark web, held for ransom, or used for future attack planning.
- Impact – Disrupting the operation of IT systems, most commonly with ransomware encryption but also via other attack methods.
Each of the Tactics in the matrices gets subdivided into Techniques outlining the actions an attacker takes to achieve a specific goal, such as dumping credentials to gain access to login information.
Benefits of Using the MITRE ATT&CK Framework
Knowing about and using the information in the MITRE ATT&CK Matrices and the Tactics & Techniques can bolster cybersecurity strategy and defences in multiple ways.
Improve threat understanding – The framework helps organisations identify attackers’ tactics, techniques, and procedures (TTPs). Using it, security teams can pinpoint the areas most at risk and prioritise their defences and resources accordingly, increasing their chances of preventing or mitigating a cyber-attack.
Penetration testing operations – By simulating attacks based on the ATT&CK framework, cybersecurity teams can evaluate an organisation’s defences and deal with any discovered weaknesses.
Prioritise threats and risks – The ATT&CK framework highlights the TTPs that attackers will likely use to target an organisation. By gathering threat intelligence and prioritising their security efforts, teams can first focus on the most likely threats. This helps to streamline security processes and increase the effectiveness of the defence against potential attacks.
Improve security controls – The ATT&CK framework strengthens security controls by identifying the TTPs against which control efficacy should be verified, exposing weaknesses in the process.
Threat hunting and incident response – The MITRE ATT&CK framework is valuable for performing threat hunting and incident response. It provides a common language for describing and communicating attacker activity and sharing threat intelligence. Organisations are able to collaborate more effectively and better protect themselves and peers from emerging threats when everyone uses the same threat language. Security teams can also develop incident response plans that align with the MITRE ATT&CK framework, including using specific tactics and techniques to plan and simulate response measures before an attack occurs.
Security solution evaluation – The security framework provides a standardised classification system for evaluating security tools and technologies. Businesses can use it to assess the effectiveness of their current tools in addressing the methods and strategies outlined in the framework. This evaluation can help select the appropriate tools, identify gaps in security coverage, and direct the procurement of new security solutions.
Research and development – Security researchers and developers can use the ATT&CK framework to improve cybersecurity products and services.
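As an added example (not from the article, MITRE, or any vendor), the Python below performs the coverage-gap check described under the benefits above: it reads detection rules carrying Sigma-style ATT&CK tags (`attack.<tactic>` and `attack.t<id>`), credits each rule's techniques to the tactics it is tagged with, lists which of the 14 Enterprise tactics have no detection at all, and surfaces mistagged rules that would otherwise appear as false gaps. The TA-numbers are MITRE's published tactic IDs (not given in the article); the rule titles and tags are constructed for the example.

```python
# Enterprise tactics (article order) keyed by their Sigma-style tag name, with ATT&CK IDs.
ENTERPRISE_TACTICS = {
    "reconnaissance": "TA0043", "resource_development": "TA0042",
    "initial_access": "TA0001", "execution": "TA0002",
    "persistence": "TA0003", "privilege_escalation": "TA0004",
    "defense_evasion": "TA0005", "credential_access": "TA0006",
    "discovery": "TA0007", "lateral_movement": "TA0008",
    "collection": "TA0009", "command_and_control": "TA0011",
    "exfiltration": "TA0010", "impact": "TA0040",
}

# Constructed, hypothetical detection rules (not taken from any real rule set).
SAMPLE_RULES = [
    {"title": "Phishing attachment launches script interpreter",
     "tags": ["attack.initial_access", "attack.t1566.001",
              "attack.execution", "attack.t1059"]},
    {"title": "LSASS memory read by unexpected process",
     "tags": ["attack.credential_access", "attack.t1003.001"]},
    # Hyphen instead of underscore: a tagging slip that hides real coverage.
    {"title": "RDP logon from workstation",
     "tags": ["attack.lateral-movement", "attack.t1021.001"]},
]

def parse_tags(tags):
    """Split tags into tactic names, parent technique IDs (T1003.001 -> T1003), and others."""
    tactics, techniques, unknown = set(), set(), set()
    for tag in tags:
        value = tag.removeprefix("attack.")
        if value in ENTERPRISE_TACTICS:
            tactics.add(value)
        elif len(value) >= 5 and value[0] == "t" and value[1:5].isdigit():
            techniques.add(value[:5].upper())
        else:
            unknown.add(tag)
    return tactics, techniques, unknown

def coverage_report(rules):
    """Return ({tactic_id: sorted techniques}, [(rule title, bad tag)]); multi-tactic rules count for each."""
    per_tactic = {tid: set() for tid in ENTERPRISE_TACTICS.values()}
    bad_tags = []
    for rule in rules:
        tactics, techniques, unknown = parse_tags(rule["tags"])
        bad_tags.extend((rule["title"], t) for t in sorted(unknown))
        for name in tactics:
            per_tactic[ENTERPRISE_TACTICS[name]].update(techniques)
    return {tid: sorted(t) for tid, t in per_tactic.items()}, bad_tags

def uncovered_tactics(report):
    """Tactic IDs with no detection at all: the gaps to prioritise first."""
    return sorted(tid for tid, techs in report.items() if not techs)
```

Run against the constructed rules, the report shows Lateral Movement (TA0008) as uncovered only because of the hyphenated tag, which the bad-tag list flags; fixing the tag would close that gap without writing a new rule.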
MITRE ATT&CK for Insider Threats
Insider threats are a significant source of data breaches and cyberattacks, as shown in the Halodata Insider Threat report. The MITRE matrices contain tactics and techniques addressing various aspects of insider threat, such as preventing data exfiltration, leaking organisational secrets, resource hijacking, etc. Insider threats are such a growing problem that the MITRE Corporation has created an Insider Threat Framework Initiative.
The MITRE knowledge base provides a useful framework to analyse and design cybersecurity defence strategies. Halodata and our partner and vendor network have the expertise and solutions to help your organisation identify and mitigate the cybersecurity risks highlighted in the framework matrices. Talk to us today to find out how we can work together to make your organisation safer.
Halodata, our Partners, and our curated Vendors can help you build a cyber-aware workforce – supported by robust cybersecurity tools. Talk to the Halodata team today to find out more.