Go to listing page

Deciphering the ATT&CK Navigator: Part 1 - What and why ATT&CK?

Deciphering the ATT&CK Navigator: Part 1 - What and why ATT&CK?

Share Blog Post

Intro


There is an old English proverb - “There is honor among thieves”. While one can doubt the validity of the proverb, it is a fact that threat actors often learn from each other to realize their ill motives.

In this challenging scenario, it is essential for security professionals to also work together in order to defend against the ever-improving threat actors. One of the ways to do this is to develop a shared knowledge base for the security community. The MITRE ATT&CK framework is a major step in this direction.

What is ATT&CK?


MITRE’s ATT&CK, which stands for Adversarial Tactics, Techniques, and Common Knowledge, is a repository for modeling the cybercriminals’ behavior and documenting the various components of a cyberattack and the various target platforms.

ATT&CK began as a project to specify the known tactics, techniques, and procedures (TTPs) of the cybercriminals, especially those targeting Windows systems. Presently, the project has expanded to include other target systems like Linux and MacOS, pre-attack tactics and techniques, and attacks targeting mobile devices.

The motivation behind ATT&CK & Origin of the project


Any major collaborative project arises out of a strong need for addressing critical concerns in a certain domain. The same is true for the MITRE ATT&CK framework.

It was created out of a need to incorporate a systematic understanding of adversary behavior in enterprise security operations. The initial efforts began in 2010 at MITRE’s Fort Meade Experiment (FMX) research lab where researchers studied the methods aimed at detecting advanced persistent threats (APTs) in a quick and efficient manner.

The researchers conducted various exercises to “improve post-compromise detection of threats penetrating enterprise networks through telemetry and behavioral analytics”.

As per the ATT&CK philosophy whitepaper, the primary metric for success was “How well are we doing at detecting documented adversary behavior?”. The researchers enriched the knowledge base by categorizing the observed behavior of real-world threat actor groups and conducting controlled experiments using that knowledge.

Blake Storm, who is a MITRE ATT&CK lead, in his blog post, describes four main issues that the researchers aimed to address which include, focusing on adversary behaviors, creating lifecycle models suitable for mapping TTPs for new devices, maintaining applicability to real environments, and building a common taxonomy.

Components of ATT&CK


The ATT&CK consists of three core components - Tactics, Techniques, and observed adversary usage of techniques.


Tactics represent what tactical steps a threat actor takes during different their attack campaign. This can include different phases like initial access, execution, persistence, privilege escalation, defense evasion, credential access, discovery, lateral movement, collection, exfiltration, and command & control.

Techniques denote the methods used by the threat actors for executing the different tactics.
For example, an APT group can get Initial Access to their target device or network using different Techniques like Spearphishing Attachment or Drive-by Compromise.

Each Technique provides various details like the platforms it can be used to target, the permissions it requires, sources for data capture, detection of the technique, examples of the Technique usage from previous attacks along with detailed logs, and the mitigation steps required to protect against that Technique.

The complete behavioral profile of an attack campaign can be modeled by specifying the whole set of tactics and corresponding techniques used by the APT group. The ATT&CK framework also documents the observed usage of different techniques by relevant threat actors.

Conclusion


The first ATT&CK model released publicly in May 2015 contained 96 techniques categorized under 9 tactics. The initial focus of the model was on Windows enterprise systems, however, it now covers over 200 techniques across Windows, Linux, and Mac OS systems.

Currently, the model also features a separate knowledge base for documenting pre-compromise tactics and techniques which is known as PRE-ATT&CK and the main model is now referred to as the Enterprise ATT&CK. Furthermore, ATT&CK for Mobile was also created to focus on attacks targeting mobile devices.

The ATT&CK framework has helped address many of the issues the researchers had in mind when they first began working on it. However, the framework can only stay relevant and reliable if it evolves with the changing landscape of the cyberspace. The inclusion of newer attack vectors, techniques, and studying the activities of emerging threat actors is crucial for maintaining and improving the efficacy of the framework.

 Tags

attck
attck navigator
mitre
attck framework

Posted on: January 31, 2019

Related Guides

Future-Proofing Security: A Guide to SOC Transformation
Explained: The Role of AI in Cyber Threat Intelligence
What is a TAXII Server? How is it Different from a TAXII Client?
Everything You Need to Know About MITRE ATT&CK Framework
What is Cyber Threat Intelligence Sharing? And Why Should You Care?
Threat Intelligence Processing: The Key to Leveraging Unstructured Data
Why is Correlation the Most Important Phase in Cyber Threat Intelligence Lifecycle?
What is Confidence Scoring in Threat Intelligence?
How to Choose the Best Threat Intelligence Platform for Your Security Team?
How to Build Your Own Cyber Information Sharing Community?
STIX Cybersecurity: A Guide to STIX 2.1
How Can You Tell if Your Cyber Threat Intelligence Program is Working Well?
What is Threat Intelligence Analysis?
What is Threat Intelligence Normalization?
What is Threat Intel Ingestion?
How Real-Time Cyber Threat Intelligence Sharing Enables Security Collaboration
What is a Threat Intelligence Platform (TIP)?
Significance of Threat Intelligence Platform (TIP) for Growing Teams
What is the Role of Threat Intelligence Platform (TIP) in a Security Operations Center (SOC)?
What is the Hub and Spoke Information Sharing Model?
Explaining the Pyramid of Pain
What are the Different Use Cases of a TIP?
Why Do MSSPs Need Automation?
What is the Diamond Model of Intrusion Analysis?
The Evolution of Threat Intelligence
Don’t Wait! Leverage Threat Intelligence
Why do Organizations Need to Leverage Actionable Threat Intelligence?
What is Technical Threat Intelligence?
Operational Threat Intelligence: What Is It and Why Is It Important?
What is Tactical Threat Intelligence and Why is it Important?
What is the Threat Intelligence Lifecycle?
Everything You Need to Know About a Threat Intelligence Platform (TIP)
5 Steps to Effective Cyber Threat Intelligence Program
Things to Consider When Choosing the Right Threat Intelligence Platform
Open Source or Commercial Threat Intelligence Platform - Which one is better?
Strategic Threat Intelligence: Why Sharing Is Crucial?
What is Threat Intelligence Management?
Strategic Threat Intelligence vs. Tactical Intelligence
Role of SOAR and TIP in Cyber Fusion
Information Sharing in Cyber Fusion
Role of Threat Intelligence in Cyber Fusion
What is MISP
What is Signals Intelligence (SIGINT)?
What are Indicators of Compromise (IOCs)?
What is Open Indicators of Compromise (OpenIOC) Framework?
What is the Cyber Information Sharing and Collaboration Program (CISCP)?
What is Malware Attribute Enumeration and Characterization (MAEC)?
What is CybOX? How do you use a CybOX object?
How is Surface Web Intelligence different from Dark Web Intelligence?
What is Open Source Intelligence (OSINT)?

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.

The Virtual Cyber Fusion Suite

Explore Solutions

Capabilities

Resource Library

Use Cases