What is the MITRE ATT&CK® framework?

  • What is the MITRE Corporation?
  • An introduction to the MITRE ATT&CK framework
  • What are tactics?
  • What are techniques?
  • What is the MITRE ATT&CK Matrix?
  • Who uses MITRE ATT&CK and why?
  • Use cases of the ATT&CK framework
  • How can Log360's implementation of MITRE ATT&CK help?
  • How the MITRE ATT&CK framework helps with compliance
  • How MITRE updates the framework
  • MITRE v13: What's new?
  • What lies ahead for the MITRE ATT&CK framework?
What is the MITRE Corporation?

The MITRE Corporation, also known as MITRE, is a non-profit organization based in Bedford, Massachusetts and McLean, Virginia. It operates federally funded research and development centers (FFRDCs) that support United States government sponsors across cybersecurity, homeland security, aviation, defense, and healthcare.

Established in 1958, MITRE has been at the forefront of addressing critical challenges in various sectors, including cybersecurity. The MITRE Corporation has contributed significantly to a variety of fields and has been involved in a large number of projects. Some noteworthy contributions include:

  • Common Vulnerabilities and Exposures (CVE): A list of publicly disclosed cybersecurity vulnerabilities.
  • Common Weakness Enumeration (CWE): A community-developed list of software and hardware weakness types.
  • National Cybersecurity FFRDC (NCF): The federally funded research and development center dedicated to cybersecurity, operated by MITRE in support of NIST's National Cybersecurity Center of Excellence.
  • The MITRE ATT&CK framework: A knowledge base outlining adversary tactics and techniques from real-world incidents.
An introduction to the MITRE ATT&CK framework

MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) is a curated knowledge base and behavioral model that classifies the tactics, techniques, and procedures (TTPs) adversaries use to compromise enterprise, cloud, mobile, and industrial control system environments, drawn from real-world observations. It is designed to give security teams insight into likely attack methods and the defenses that counter them.

To help enterprises step up their defenses, the ATT&CK framework approaches cyberattacks from the adversaries' perspective: who they are, their objectives, and the specific methods each adversary group employs.

In MITRE ATT&CK, a tactic is the adversary's overarching goal at a given stage of an intrusion. A technique is the specific method an adversary uses to achieve that goal, and many techniques are broken down further into sub-techniques. A procedure is the concrete, observed implementation of a technique or sub-technique by a particular threat group or piece of software. For example:

  • Credential Access (TA0006): tactic
  • Brute Force (T1110): technique
  • Password Spraying (T1110.003): sub-technique
  • Procedure: a documented instance of a specific group trying a small set of common passwords against many accounts on an internet-facing login portal

The MITRE ATT&CK framework is therefore, above all, a curated body of threat intelligence. Security analysts and threat hunters who research new adversary tradecraft contribute to it, and the framework is updated as new techniques and tactics are observed.

ATT&CK: Adversarial Tactics, Techniques, and Common Knowledge

What are tactics?

Tactics give you the "why" behind an attack. Knowing which tactic an observed behavior serves tells an organization's security team, or the ethical hackers emulating an adversary, what the attacker is trying to accomplish at that stage of the intrusion.

The Enterprise matrix, for example, defines 14 tactics:

  1. Reconnaissance (TA0043): The adversary gathers information that will support future operations. Adversaries often use passive methods to avoid detection, such as researching public resources for information about the target.

  2. Resource Development (TA0042): The adversary creates, purchases, or compromises resources that support the operation, such as command and control infrastructure, accounts, or tooling. These resources are used to launch the attack and to maintain a presence in the target's environment.

  3. Initial Access (TA0001): The adversary seeks a first foothold in your network. Techniques include spearphishing, exploiting public-facing applications, and using valid but stolen credentials to pose as a legitimate user.

  4. Execution (TA0002): The adversary tries to run malicious code on a local or remote system, for example by tricking a user into opening a malicious file or by triggering execution through an exploited vulnerability.

  5. Persistence (TA0003): The adversary tries to keep their foothold in the network. Adversaries may create accounts, manipulate existing ones, or use legitimate credentials so that access survives disruptions such as system restarts or credential changes.

  6. Privilege Escalation (TA0004): The adversary tries to obtain higher-level permissions on a system or network. One common route is exploiting software vulnerabilities: programming errors in applications, services, or the operating system itself let the adversary run their own code with elevated privileges and take control of the compromised system.

  7. Defense Evasion (TA0005): The adversary tries to avoid being detected. They may disguise their actions, tamper with system processes and security tooling, or use obfuscation to hide their activity so they can keep operating unnoticed.

  8. Credential Access (TA0006): The adversary aims to steal credentials such as passwords or tokens in order to reach systems, services, and network resources. One approach is brute force: guessing passwords when they are unknown, or cracking password hashes once they have been obtained.

  9. Discovery (TA0007): The adversary tries to learn about your systems and environment. One method is network sniffing, capturing traffic to learn about hosts and services and, potentially, to intercept login credentials sent in the clear.

  10. Lateral Movement (TA0008): The adversary tries to move through your environment and gain control of additional systems, for example by using stolen credentials against networked devices, or by employing techniques such as pass-the-ticket or remote services to extend their reach.

  11. Collection (TA0009): The adversary gathers data of interest to their goal, such as sensitive documents, key operational data, or proprietary technology within the compromised environment, usually as a prelude to exfiltration.

  12. Command and Control (TA0011): The adversary communicates with compromised systems in order to control them. One approach is a connection proxy that relays traffic between systems, so that victims never connect directly to the adversary's own infrastructure or command and control servers.

  13. Exfiltration (TA0010): The adversary tries to steal data from the target. One approach is moving data, including backups of cloud environments, from the victim's cloud account to another account the adversary controls within the same service, which sidesteps detections that trigger on file transfers, downloads, or network-based exfiltration.

  14. Impact (TA0040): The adversary tries to manipulate, interrupt, or destroy your systems and data, for example by disrupting the availability of systems, services, and network resources through the deliberate deletion of data and files on targeted systems or across an entire network.

What are techniques?

Techniques give you the "how" of a particular attack. A single technique can be listed under more than one tactic, because the same behavior can serve different goals: Valid Accounts (T1078), for instance, appears under Initial Access, Persistence, Privilege Escalation, and Defense Evasion, since stolen credentials can be used to get in, to stay in, to act with higher privileges, and to blend in with legitimate activity.

Let's take a look at some techniques below:

  • Phishing (T1566): An adversary deceiving and tricking individuals into disclosing sensitive information or executing malicious actions through fraudulent emails or messages.
  • Account Manipulation (T1098): An adversary manipulating user accounts or associated permissions to gain unauthorized access or elevate privileges within a system or network.
  • Hijack Execution Flow (T1574): Adversaries executing their own malicious payloads by hijacking the way operating systems run programs.
  • Access Token Manipulation (T1134): Adversaries modifying access tokens to operate under a different user or system security context to perform actions and bypass access controls.
  • Adversary-in-the-Middle (T1557): Adversaries positioning themselves between two or more networked devices to support follow-on behaviors such as network sniffing or manipulation of transmitted data.
  • Brute Force (T1110): Adversaries using brute-force methods to gain access to accounts when passwords are unknown or when password hashes have been obtained.
  • Lateral Tool Transfer (T1570): Adversaries transferring tools or other files between systems in a compromised environment.
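
The tactic, technique, and sub-technique hierarchy described above, and the fact that one technique can sit under several tactics, are both encoded in the machine-readable ATT&CK data that MITRE publishes as STIX 2.1 JSON (the mitre-attack/attack-stix-data repository on GitHub). The following is an added example, not MITRE's own tooling: it builds the tactic → technique → sub-technique tree from a constructed, trimmed bundle that mirrors the layout of the real data (x-mitre-tactic and attack-pattern objects, external_references carrying the ATT&CK ID, kill_chain_phases naming the tactic, and the x_mitre_is_subtechnique and revoked flags). The ATT&CK IDs and names are real; the bundle UUID and helper function names are placeholders.

```python
"""Build the tactic -> technique -> sub-technique tree from ATT&CK-style STIX 2.1 objects.

Added example. SAMPLE_BUNDLE is constructed for this page and mirrors the object
layout of mitre-attack/attack-stix-data; it is not the real bundle.
"""
import json


def _tactic(name, shortname, ext_id):
    return {"type": "x-mitre-tactic", "name": name, "x_mitre_shortname": shortname,
            "external_references": [{"source_name": "mitre-attack", "external_id": ext_id}]}


def _technique(name, ext_id, phases, sub=False, revoked=False):
    return {"type": "attack-pattern", "name": name, "revoked": revoked,
            "x_mitre_is_subtechnique": sub,
            "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": p} for p in phases],
            "external_references": [{"source_name": "mitre-attack", "external_id": ext_id}]}


SAMPLE_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",  # placeholder UUID
    "objects": [
        _tactic("Initial Access", "initial-access", "TA0001"),
        _tactic("Execution", "execution", "TA0002"),
        _tactic("Persistence", "persistence", "TA0003"),
        _tactic("Credential Access", "credential-access", "TA0006"),
        _technique("Brute Force", "T1110", ["credential-access"]),
        _technique("Password Spraying", "T1110.003", ["credential-access"], sub=True),
        # One technique under two tactics: same behavior, different goals.
        _technique("Valid Accounts", "T1078", ["initial-access", "persistence"]),
        # T1086 PowerShell was revoked (replaced by T1059.001); the real bundle keeps it flagged.
        _technique("PowerShell", "T1086", ["execution"], revoked=True),
    ]})


def attack_id(obj):
    """Return the ATT&CK ID (TA0006, T1110, T1110.003, ...) from external_references, or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def live_objects(bundle_json):
    """Drop revoked and deprecated objects; the real bundle keeps them for history."""
    return [o for o in json.loads(bundle_json)["objects"]
            if not o.get("revoked") and not o.get("x_mitre_deprecated")]


def build_matrix(bundle_json):
    """Return {tactic_id: {"name", "techniques": {tech_id: {"name", "subtechniques": {sub_id: name}}}}}."""
    objs = live_objects(bundle_json)
    matrix, tactic_by_shortname = {}, {}
    for o in objs:
        if o["type"] == "x-mitre-tactic":
            tid = attack_id(o)
            matrix[tid] = {"name": o["name"], "techniques": {}}
            tactic_by_shortname[o["x_mitre_shortname"]] = tid

    def tactic_ids(o):
        # kill_chain_phases link a technique to every tactic it serves.
        return [tactic_by_shortname[p["phase_name"]] for p in o.get("kill_chain_phases", [])
                if p.get("kill_chain_name") == "mitre-attack" and p["phase_name"] in tactic_by_shortname]

    patterns = [o for o in objs if o["type"] == "attack-pattern"]
    for o in patterns:                                  # parent techniques first
        if not o.get("x_mitre_is_subtechnique"):
            for tid in tactic_ids(o):
                matrix[tid]["techniques"][attack_id(o)] = {"name": o["name"], "subtechniques": {}}
    # The real bundle also carries "subtechnique-of" relationship objects; the ID prefix
    # (T1110.003 -> T1110) names the same parent, so it is used here for brevity.
    for o in patterns:
        if o.get("x_mitre_is_subtechnique"):
            sub_id = attack_id(o)
            parent_id = sub_id.split(".", 1)[0]
            for tid in tactic_ids(o):
                parent = matrix[tid]["techniques"].get(parent_id)
                if parent is not None:
                    parent["subtechniques"][sub_id] = o["name"]
    return matrix


def tactics_for_technique(matrix, tech_id):
    """All tactic IDs a technique is listed under (the 'why' behind one 'how')."""
    return sorted(tid for tid, t in matrix.items() if tech_id in t["techniques"])


def hierarchy(matrix, sub_id):
    """Resolve a sub-technique ID to (tactic name, technique name, sub-technique name) tuples."""
    parent_id = sub_id.split(".", 1)[0]
    out = []
    for tid, t in matrix.items():
        tech = t["techniques"].get(parent_id)
        if tech and sub_id in tech["subtechniques"]:
            out.append((t["name"], tech["name"], tech["subtechniques"][sub_id]))
    return out


if __name__ == "__main__":
    m = build_matrix(SAMPLE_BUNDLE)
    for tid in sorted(m):
        print(tid, m[tid]["name"], sorted(m[tid]["techniques"]))
    print(hierarchy(m, "T1110.003"))          # Credential Access > Brute Force > Password Spraying
    print(tactics_for_technique(m, "T1078"))  # ['TA0001', 'TA0003']
```

Running build_matrix against the full enterprise bundle instead of SAMPLE_BUNDLE is a one-line change (read the JSON file from the repository); filtering out revoked and deprecated objects first matters there, because otherwise retired techniques such as T1086 show up as if they were still current.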
What is the MITRE ATT&CK Matrix?

The MITRE ATT&CK Matrix organizes these tactics and techniques, offering a visual guide to understand and counteract cyberthreats. It serves as a roadmap for tracking and analyzing security events, encompassing:

  • Enterprise ATT&CK®: TTPs targeting enterprise environments.
  • Mobile ATT&CK®: TTPs focusing on mobile devices.
  • ICS ATT&CK®: TTPs related to ICSs.

Each matrix provides tailored mitigation strategies, like implementing antivirus or antimalware solutions for enterprises or using recent OS versions for mobile devices.

Enterprise ATT&CK

This is a sub-framework within the MITRE ATT&CK framework that focuses specifically on TTPs used in attacks against enterprise environments: Windows, macOS, and Linux hosts, cloud services and identity platforms, network devices, and containers. Security professionals use the Enterprise ATT&CK matrix to identify potential attack vectors and improve their defenses, red teams use it to develop and execute realistic attack simulations, and incident responders use it to quickly identify the tactics and techniques used in an attack and to develop effective response strategies.

Here are some mitigation recommendations for enterprises that might help improve their defenses:

  • Antivirus/Antimalware (M1049):
    Malicious software can be detected using signatures or heuristics.
  • Data Loss Prevention (M1057):
    Establish a data loss prevention strategy: classify sensitive data, identify data formats that may contain personally identifiable information, and restrict the exfiltration of sensitive data.
  • Network Intrusion Prevention (M1031):
    Utilize intrusion detection signatures to block traffic at network boundaries.

Mobile ATT&CK

This is a sub-framework within the MITRE ATT&CK framework that focuses specifically on TTPs used in attacks against mobile devices, including network attacks, physical attacks, and app attacks. The Mobile ATT&CK matrix also covers techniques that attackers may use to compromise mobile devices, such as data manipulation, hooking, impairing defenses, and location tracking. Additionally, this sub-framework includes mitigations that may be used to detect and respond to mobile device attacks.

Here are some mitigation recommendations for mobile devices that might help improve their defenses:

  • Enterprise Policy (M1012):
    An enterprise mobility management (EMM) system, also called a mobile device management (MDM) system, can enforce policies on mobile devices that restrict what those devices are permitted to do.
  • Security Updates (M1001):
    Ensure that all mobile devices and software are up to date with the latest security patches and updates to reduce the risk of known vulnerabilities being exploited.
  • Use Recent OS Version (M1006):
    Newer mobile operating system versions not only fix known vulnerabilities but often ship improvements to the platform's security architecture, which raise resilience against vulnerabilities that have not yet been discovered, and may include changes that defeat observed adversary techniques.

ICS ATT&CK

This is a sub-framework within the MITRE ATT&CK framework that focuses specifically on TTPs used in attacks against ICSs. ICSs are computer-based systems used to monitor and control physical processes, such as those used in manufacturing, energy production, and other critical infrastructures. The ICS ATT&CK matrix includes a wide range of tactics involved in ICS attacks, including initial access, persistence, lateral movement, and impact. The sub-framework also covers a range of mitigations that may be used to detect and respond to ICS attacks, including IDSs and IPSs, network segmentation, and incident response planning. It is intended to help organizations better understand the unique risks and challenges associated with securing ICS environments.

Here are some ICS recommendations that might help improve their defenses:

  • Data Backup (M0953):
    Back up and secure data from end-user systems and critical servers, storing them in robust backup systems that are isolated from the corporate network to prevent any potential compromise.
  • Multi-factor Authentication (M0932):
    Require multiple forms of authentication to access a system, such as a username and password combined with a token from a physical smart card or token generator. In industrial control settings, some assets, such as low-level controllers, workstations, and human-machine interfaces, have stringent real-time operational and safety requirements that may limit where multi-factor authentication is feasible.
  • Password Policies (M0927):
    Implement safe password guidelines for each account.
Who uses MITRE ATT&CK and why?

Private and public sector businesses of all sizes and in a variety of sectors have adopted MITRE ATT&CK. Red teams, cyberthreat intelligence teams, penetration testers, and internal teams looking to develop secure systems and services are just a few examples of its users.

Some of the users of MITRE ATT&CK include:

  • Organizations: The designers and engineers of a company's security platforms use this framework to assess the performance of their systems, find bugs, and predict how their systems will act in the event of a cyberattack.
  • Red teams: Red teams use the MITRE ATT&CK framework to plan adversary emulations that expose weaknesses in their organization's systems and improve its ability to withstand attacks. Understanding how attackers breach the network, gain access, move through it, and stay hidden lets the business assess its security posture and prioritize weaknesses by the risk they pose.
  • Threat hunters: By using MITRE ATT&CK, threat hunters can map observed behavior to specific TTPs used by known threat actors, identify gaps in their defenses, and develop effective detection and response strategies. MITRE ATT&CK also enables threat hunters to communicate their findings and analysis to others in the security community in a standardized way, making it easier to share knowledge and collaborate on threat intelligence.
Use cases of the ATT&CK framework

The MITRE ATT&CK framework equips organizations with the knowledge to understand and anticipate potential threats and helps them align their defensive measures with the framework’s insights. By identifying and addressing vulnerabilities, businesses can proactively bolster their defenses, leading to quicker detection and response times and reducing the risk of data breaches and security incidents.

Threat intelligence analysis:

At the core of threat intelligence, the MITRE ATT&CK framework provides a uniform language for cataloging adversary behavior. This common vocabulary enables diverse organizations to share intelligence seamlessly, uniting them in a collective defense against new and evolving threats. With the framework, defenders can continuously adapt to the latest adversarial strategies, fostering a collaborative and strategic approach to cybersecurity.

Red and blue team exercises:

The framework serves as a strategic tool for red teams to emulate real-world adversaries, enabling them to formulate detailed attack simulations. This benefits red teams and enhances the capabilities of blue teams and security operations centers. It empowers them to quickly and accurately evaluate ongoing attacks, categorize signs of compromise, and disrupt adversaries’ efforts early in the attack sequence.

Improved compliance alignment:

The MITRE ATT&CK framework assists organizations in aligning their cybersecurity initiatives with legal and industry standards. By mapping specific ATT&CK tactics and techniques to regulatory requirements—like those outlined in the GDPR, HIPAA, or the PCI DSS—businesses can demonstrate their commitment to proactive security and ensure compliance.

How can Log360's implementation of MITRE ATT&CK help?

Log360, when implemented with MITRE ATT&CK, helps IT security teams enhance their security protocols so they can keep up with evolving and sophisticated security threats. Using this framework, organizations can widen their security capabilities to facilitate early detection and effective incident response.

Log360 can help you by:

  • Providing security analytical dashboards and incident reports that align with the MITRE ATT&CK Matrix.
  • Establishing predefined correlation rules for the ATT&CK techniques so security admins can track the entire attack plot with Log360's real-time, rule-based correlation engine.
  • Offering actionable mitigation strategies for each stage of an attack to ensure thorough and accountable threat resolution.
  • Conducting in-depth incident investigations by providing comprehensive visibility into all 14 ATT&CK tactics and their associated techniques.
  • Expediting resolution of threats by tagging Log360's detections with the corresponding ATT&CK tactics and techniques, so responders can see where in the attack sequence an alert sits and prioritize accordingly.
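
A correlation rule for an ATT&CK technique is, at bottom, a stateful condition over a stream of events that emits an alert tagged with the tactic and technique it detects. The block below is an added example, not Log360's rule engine or configuration: it implements such a rule for Password Spraying (T1110.003) under Credential Access (TA0006), the sub-technique used as the running example earlier on this page. The log lines are constructed for this example in a simplified "timestamp event_id user source" shape, where 4625 stands for a Windows failed logon and 4624 for a successful one; the source addresses are from the RFC 5737 documentation ranges, and the rule thresholds are illustrative choices.

```python
"""Correlation rule: Password Spraying (T1110.003) under Credential Access (TA0006).

Added example, not Log360 code. A spray is one source failing logons against many
different accounts inside a sliding window; a single account failing many times from
one source is classic password guessing (T1110.001) and is deliberately NOT matched.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

RULE = {
    "name": "Password spraying: many accounts from one source",
    "tactic": "TA0006",          # Credential Access
    "technique": "T1110.003",    # Brute Force: Password Spraying
    "distinct_accounts": 5,      # distinct usernames failing from one source ...
    "window_seconds": 300,       # ... within this sliding window (illustrative values)
}

# Constructed log lines: "<timestamp> <event_id> <user> <source>".
# 203.0.113.7 sprays five accounts then logs on; 198.51.100.9 hammers one account.
SAMPLE_LOGS = """\
2024-03-01T08:00:00Z 4625 zed 203.0.113.7
2024-03-01T09:00:01Z 4625 alice 203.0.113.7
2024-03-01T09:00:10Z 4625 admin 198.51.100.9
2024-03-01T09:00:12Z 4625 admin 198.51.100.9
2024-03-01T09:00:20Z 4625 bob 203.0.113.7
2024-03-01T09:00:30Z 4625 admin 198.51.100.9
2024-03-01T09:00:45Z 4625 carol 203.0.113.7
2024-03-01T09:00:50Z 4625 admin 198.51.100.9
2024-03-01T09:00:55Z 4625 admin 198.51.100.9
2024-03-01T09:01:05Z 4625 dave 203.0.113.7
2024-03-01T09:01:10Z 4625 admin 198.51.100.9
2024-03-01T09:01:30Z 4625 erin 203.0.113.7
2024-03-01T09:02:00Z 4624 frank 203.0.113.7
"""

LINE_RE = re.compile(r"^(\S+)\s+(\d{4})\s+(\S+)\s+(\S+)$")


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "event_id": int(m.group(2)), "user": m.group(3).lower(), "src": m.group(4)}


def detect_password_spraying(log_text, rule=RULE):
    """Stream the log once and return ATT&CK-tagged alerts, one per offending source.

    A source that logs on successfully (4624) after tripping the rule is escalated,
    because a spray followed by a success means a working credential was found.
    """
    window = timedelta(seconds=rule["window_seconds"])
    recent = defaultdict(deque)   # src -> (ts, user) failed logons still inside the window
    alerts, alert_index = [], {}  # alert_index: src -> position in alerts
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        src = ev["src"]
        if ev["event_id"] == 4625:
            q = recent[src]
            q.append((ev["ts"], ev["user"]))
            while q and ev["ts"] - q[0][0] > window:   # evict attempts older than the window
                q.popleft()
            users = {u for _, u in q}
            if len(users) >= rule["distinct_accounts"] and src not in alert_index:
                alerts.append({
                    "rule": rule["name"],
                    "tactic": rule["tactic"],
                    "technique": rule["technique"],
                    "source": src,
                    "accounts": sorted(users),
                    "first_seen": q[0][0].strftime("%Y-%m-%dT%H:%M:%SZ"),
                    "triggered_at": ev["ts"].strftime("%Y-%m-%dT%H:%M:%SZ"),
                    "severity": "high",
                    "successful_logon": None,
                })
                alert_index[src] = len(alerts) - 1
        elif ev["event_id"] == 4624 and src in alert_index:
            alert = alerts[alert_index[src]]
            alert["severity"] = "critical"
            alert["successful_logon"] = ev["user"]
    return alerts


if __name__ == "__main__":
    for alert in detect_password_spraying(SAMPLE_LOGS):
        print(alert)
```

Two details are worth noting. The attempt against "zed" at 08:00 is outside the five-minute window by the time the spray starts, so the rule fires on the fifth distinct account at 09:01:30 rather than the fourth; without the eviction step a stale event would inflate the count. And the six failures against "admin" from the second source never trip this rule, since they involve one account, which is the distinction between spraying and ordinary password guessing that a rule tagged T1110.003 has to preserve.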

To summarize, MITRE ATT&CK is a powerful framework for improving an organization's security posture and enhancing its ability to detect and respond to attacks. By understanding the TTPs used by attackers and implementing appropriate mitigation strategies, organizations can better protect their systems, networks, and data.

How the MITRE ATT&CK framework helps with compliance

The MITRE ATT&CK framework can provide significant value to compliance programs by taking a threat-informed approach to cybersecurity regulations and policies. It does this by:

  • Enabling compliance teams to proactively optimize controls by evaluating defenses against real-world adversary techniques categorized in the framework. This identifies potential security gaps that need priority attention.
  • Providing clarity on the security safeguards needed to satisfy compliance obligations related to cyberthreat protection.
  • Allowing organizations to analyze the effectiveness of existing security measures by mapping them against ATT&CK's comprehensive inventory of adversary tactics and techniques.
  • Supplying tactical direction to accurately assess and demonstrate compliance status based on the ability to defend against attacks mapped in the framework.
  • Promoting continuous, proactive improvements to cyber resilience by framing security in terms of dynamic adversary behavior versus static compliance checklists.

In summary, adopting the MITRE ATT&CK framework introduces a risk-aware, threat-informed perspective for compliance programs seeking to implement robust security controls and proudly demonstrate cyber readiness.

How MITRE updates the framework

MITRE releases a new version of ATT&CK twice a year, typically in April and October, with adjustments and enhancements that keep it relevant to the evolving threat landscape.

Introducing campaigns:

MITRE adds new campaigns to mirror emerging attack patterns or strategies observed in the cyber domain.

Technique, software, and group modifications:

Regular updates include changes to current techniques, software, and groups to account for changes in adversary TTPs.

Community feedback and contributions:

MITRE solicits and incorporates feedback from the cybersecurity community. Security researchers, organizations, and users of the framework can submit new information about TTPs based on their observations and experiences.

Threat intelligence analysis:

MITRE analysts continually monitor threat intelligence feeds, incident reports, and other sources of information to identify new adversary behaviors, techniques, and procedures.

Research and validation:

New data is researched and validated to ensure accuracy. This involves cross-referencing with existing knowledge and potentially collaborating with external experts and entities.

Adversary emulation and testing:

MITRE may use adversary emulation plans to simulate tactics and techniques to validate their relevance and applicability within the framework.

Periodic review and updates:

The framework is reviewed on a regular cadence (two releases a year) to ensure it reflects the current threat landscape. During these reviews, existing entries may be updated and new ones added.

Changelog publication:

When updates are made, MITRE publishes a changelog that details the changes. This may include new techniques, the retirement or modification of existing ones, and restructuring of the framework to accommodate new concepts or threat models.

MITRE v13: What's new?

Version 13 introduces a more human-readable changelog that shows what changed in updated ATT&CK objects, as well as a machine-readable JSON changelog whose format is documented on ATT&CK's GitHub. The terminology used in the release notes was also revised to describe modifications to the various ATT&CK object types more precisely. ATT&CK for Enterprise in v13 contains 14 tactics, 196 techniques, 411 sub-techniques, 138 groups, 22 campaigns, and 740 pieces of software.

By providing complete changelogs in both human- and machine-readable formats, the ATT&CK Sync project supports upgrades to new versions of MITRE ATT&CK.

What lies ahead for the MITRE ATT&CK framework?

MITRE aims to help the community by offering tools and resources for putting the information in the ATT&CK framework to use, and by shaping the data and resources it gathers so organizations can build security and compliance programs that fit their specific needs. MITRE's roadmap involves regular updates, including new campaigns; modifications to techniques, software, and groups; and changes to data sources and data components. Refreshed twice a year, the framework remains a continually maintained resource for security and compliance professionals and the broader industry.


  Zoho Corporation Pvt. Ltd. All rights reserved.