Posted On: 21 June 2021

What is the MITRE ATT&CK Framework?

And how can I use MITRE ATT&CK for my business?

Who is developing the MITRE ATT&CK Framework?

Behind the MITRE ATT&CK Framework is the non-profit organisation MITRE. By creating ATT&CK, MITRE is fulfilling its mission to solve problems for a safer world – by bringing communities together to develop more effective cybersecurity. ATT&CK is open and available for free use by any person or organisation.

What is the MITRE ATT&CK Framework?

ATT&CK stands for “Adversarial Tactics, Techniques & Common Knowledge”. This is a knowledge database of cyber attacker techniques and tactics based on real attacks. The ATT&CK database is used as a basis for developing specific threat models and methods in the private sector, government and cyber security industry.

What tactics are included in the MITRE ATT&CK framework?

MITRE organises both tactics and techniques into several matrices (models): “Pre-ATT&CK”, Enterprise, Mobile and ICS. In this article we focus on the Enterprise matrix.

The tactics are divided into the following areas:

  • Reconnaissance: The attacker is trying to gather information that can be used to plan future attacks.
  • Resource Development: The attacker is trying to build resources that they can use to support attacks.
  • Initial Access: The attacker is attempting to get into your network.
  • Execution (of the attack): The attacker is trying to run malicious code.
  • Persistence: The attacker is trying to keep their foothold in the network.
  • Privilege Escalation (expansion of the attacker’s user rights): The attacker is trying to gain higher privileges.
  • Defence Evasion (Detection Evasion): The attacker is trying to avoid being detected.
  • Credential Access: The attacker is trying to steal account names and passwords.
  • Discovery: The attacker is trying to learn about your environment.
  • Lateral Movement: The attacker is trying to move through your environment undetected. “Lateral” (sideways) here means moving from system to system within the network using rights of the same authorisation level, as opposed to escalating them (a normal user does not have the same network rights as an administrator).
  • Collection (gathering data): The attacker is trying to gather data that is of interest to their objective.
  • Command and Control: The attacker is trying to communicate with compromised systems in order to control them.
  • Exfiltration (data theft): The attacker is trying to steal data.
  • Impact: The attacker is trying to manipulate, disrupt or destroy your systems and data.

You can find more information on the individual tactics here.

What techniques are included in the ATT&CK framework?

Each tactic contains a set of techniques observed in real attacks and compromises. Techniques are the “how” part of ATT&CK: how do attackers escalate their privileges (permissions)? How do attackers steal data?

Since there are many different techniques for each tactic (over 300 techniques in total), we cannot list them all here. You can see the full list here.

What advantages does MITRE ATT&CK bring to my company?

With the help of the framework, it is possible to understand how an attacker was able to gain access to your own network and in what way data could be stolen. With that understanding, future attacks can be prevented more efficiently.

Threat hunters can also use the ATT&CK framework pre-emptively to look for specific techniques that attackers might use to penetrate a network.

The framework is also extremely useful for measuring how much visibility an organisation has into targeted external attacks with the tools it already has deployed on its endpoints and perimeter: each technique can be checked against the existing detections to find the gaps.
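As an added example (not from the original post), here is one way to turn that visibility measurement into a repeatable check: a small Python script that maps an inventory of detection rules to ATT&CK technique IDs and reports coverage per tactic, while also flagging mappings to IDs the matrix does not contain. The matrix subset, the rule names and the placeholder ID T9999 are constructed for illustration, and the technique IDs are assumed from the public Enterprise matrix.

```python
# Added example, not from the original post: measure how many ATT&CK techniques an
# existing detection inventory covers, per tactic. MATRIX is a constructed subset of
# the Enterprise matrix (IDs assumed from the public matrix; selection is illustrative).
MATRIX = {
    "Initial Access":    {"T1566": "Phishing", "T1078": "Valid Accounts"},
    "Execution":         {"T1059": "Command and Scripting Interpreter"},
    "Persistence":       {"T1078": "Valid Accounts"},  # same technique, second tactic
    "Credential Access": {"T1003": "OS Credential Dumping", "T1110": "Brute Force"},
    "Lateral Movement":  {"T1021": "Remote Services"},
    "Exfiltration":      {"T1041": "Exfiltration Over C2 Channel"},
}

# Constructed sample detection inventory: rule name -> technique IDs it claims to
# cover. "T9999" is a deliberate placeholder for a stale or mistyped mapping.
DETECTIONS = {
    "mail-gateway-attachment-sandbox": ["T1566"],
    "powershell-scriptblock-logging":  ["T1059"],
    "lsass-handle-access-alert":       ["T1003"],
    "failed-logon-burst":              ["T1110", "T1078"],
    "legacy-rule-with-stale-mapping":  ["T9999"],
}

def claimed_ids(detections):
    """Technique IDs that at least one detection rule claims to cover."""
    return {tid for tids in detections.values() for tid in tids}

def known_ids(matrix):
    """All technique IDs in the matrix, deduplicated across tactics."""
    return {tid for techniques in matrix.values() for tid in techniques}

def coverage_by_tactic(matrix, detections):
    """Return {tactic: (covered, total, [uncovered IDs])}. A technique listed under
    several tactics counts toward each one (T1078 here improves two tactics)."""
    have, report = claimed_ids(detections), {}
    for tactic, techniques in matrix.items():
        missing = sorted(t for t in techniques if t not in have)
        report[tactic] = (len(techniques) - len(missing), len(techniques), missing)
    return report

def unknown_ids(matrix, detections):
    """IDs claimed by detections but absent from the matrix (typos, deprecated
    techniques); counting these would inflate a naive 'techniques covered' figure."""
    return sorted(claimed_ids(detections) - known_ids(matrix))

def overall_coverage(matrix, detections):
    """Fraction of distinct matrix techniques with at least one valid detection."""
    known = known_ids(matrix)
    return len(claimed_ids(detections) & known) / len(known)
```

The per-tactic gaps (here Lateral Movement and Exfiltration) are the places a threat hunter would look first, and the unknown-ID list catches mappings that drift as MITRE renames or deprecates techniques.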

For which companies is the MITRE ATT&CK Framework suitable?

ATT&CK is suitable for all companies and industries, but companies in the critical infrastructure sector should pay special attention to it. Companies that manage particularly sensitive data should also use ATT&CK as a guideline when creating their security concept.

Of course, the information from the framework can also be useful for SMEs, provided they have their own IT security resources in operation.

However, it must be mentioned that applying MITRE’s findings to your own infrastructure can turn out to be relatively time-consuming, especially in the start-up phase.

We would be happy to support you with our consulting services in the creation of an IT security concept.

Conclusion

MITRE has made an important contribution to the cyber security community by providing ATT&CK and its associated tools and resources. As attackers find more ways to disguise themselves and evade detection by traditional security tools, IT security managers must change their approach to detection and defence. ATT&CK shifts our perception from low-level indicators such as IP addresses and domain names to the way cyber criminals carry out attacks.

Did you know that our vendor Cybereason achieved 100% coverage in the 2020 MITRE ATT&CK evaluations for Windows and Linux-based threat prevention and detection of all 54 advanced attack techniques?