Why did MITRE develop ATT&CK?
MITRE began developing ATT&CK in 2013 as part of its research project FMX (Fort Meade eXperiment). The goal of FMX was to investigate and analyze endpoint telemetry data in order to improve the detection of adversaries already operating inside enterprise networks, that is, after the initial compromise. To support this, MITRE developed ATT&CK as detailed documentation of the common tactics, techniques, and procedures (TTPs) used by Advanced Persistent Threats (APTs) against Windows enterprise networks. ATT&CK then served as the foundation for testing the effectiveness of the sensors and analytics built under FMX. It has been improved steadily since, and now serves as a common language and framework for both defensive and offensive work across organizations.
What are Tactics, Techniques, and Procedures (TTPs) and Common Knowledge (CK)?
“Tactics” describe the adversary's goal behind an action and answer the “why” of an ATT&CK technique. That goal could be initial access, execution, persistence, privilege escalation, defense evasion, credential access, discovery, lateral movement, collection, or exfiltration.
“Techniques” describe “how” an adversary achieves a tactical goal, detailing the attack method used. For example, an adversary may send a spear-phishing link via spam email, use process injection, dump credentials, gain unauthorized access, steal data, run a brute-force attack, or use removable media.
“Procedures” are the exact ways a specific adversary or piece of software performs a technique. Common Knowledge (CK) is the documented use of techniques and tactics by adversaries; in other words, it is the documentation of procedures.
How does ATT&CK improve Cyber Threat Intelligence?
The ATT&CK framework allows analysts to describe adversary behavior in a standard way. They can track the tactics and techniques associated with any threat actor (TA) in ATT&CK. Security teams can use this information to fix known vulnerabilities or prepare countermeasures for the methods used by TAs. The ATT&CK framework can also be used with STIX/TAXII 2.0 feeds, allowing organizations to leverage existing tooling and investments in cyber threat intelligence.
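ATT&CK content itself is published as STIX 2 bundles: each technique is an attack-pattern whose kill_chain_phases name its tactics, and an intrusion-set is tied to the techniques it uses by "uses" relationships. As an added example (not from the original article), the Python below walks such a bundle and maps one threat actor's techniques onto tactics; the bundle is constructed inline, its UUIDs and the actor name "Example Actor" are placeholders, and a dangling reference is included to show it is skipped rather than crashing the analysis.

```python
from collections import defaultdict

# Constructed STIX 2.1 bundle (parsed JSON) in the shape ATT&CK content ships in; UUIDs and actor name are placeholders.
ACTOR = "intrusion-set--00000000-0000-4000-8000-000000000001"
PHISH = "attack-pattern--00000000-0000-4000-8000-000000000002"
INJECT = "attack-pattern--00000000-0000-4000-8000-000000000003"
BUNDLE = {"type": "bundle", "id": "bundle--00000000-0000-4000-8000-0000000000ff", "objects": [
    {"type": "intrusion-set", "id": ACTOR, "name": "Example Actor"},
    {"type": "attack-pattern", "id": PHISH, "name": "Phishing: Spearphishing Link",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1566.002"}],
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "initial-access"}]},
    {"type": "attack-pattern", "id": INJECT, "name": "Process Injection",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1055"}],
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "defense-evasion"},
                           {"kill_chain_name": "mitre-attack", "phase_name": "privilege-escalation"}]},
    {"type": "relationship", "id": "relationship--00000000-0000-4000-8000-000000000004",
     "relationship_type": "uses", "source_ref": ACTOR, "target_ref": PHISH},
    {"type": "relationship", "id": "relationship--00000000-0000-4000-8000-000000000005",
     "relationship_type": "uses", "source_ref": ACTOR, "target_ref": INJECT},
    {"type": "relationship", "id": "relationship--00000000-0000-4000-8000-000000000006",
     "relationship_type": "uses", "source_ref": ACTOR,
     "target_ref": "attack-pattern--00000000-0000-4000-8000-0000000000ee"},  # dangling (filtered feed)
]}


def attack_id(obj):
    # ATT&CK external id (e.g. T1055) of an attack-pattern, or None if it has none.
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def techniques_by_tactic(bundle, actor_name):
    """Map ATT&CK tactic -> sorted technique ids that the named intrusion-set 'uses'."""
    objs = {o["id"]: o for o in bundle["objects"]}
    actor_ids = {o["id"] for o in objs.values()
                 if o["type"] == "intrusion-set" and o.get("name") == actor_name}
    if not actor_ids:
        raise KeyError(f"no intrusion-set named {actor_name!r}")
    result = defaultdict(set)
    for rel in objs.values():
        if (rel["type"] != "relationship" or rel.get("relationship_type") != "uses"
                or rel["source_ref"] not in actor_ids):
            continue
        tech = objs.get(rel["target_ref"])
        if not tech or tech["type"] != "attack-pattern":
            continue  # dangling or non-technique target: skip, do not crash
        for phase in tech.get("kill_chain_phases", []):
            if phase["kill_chain_name"] == "mitre-attack":
                result[phase["phase_name"]].add(attack_id(tech))
    return {tactic: sorted(ids) for tactic, ids in sorted(result.items())}
```

Running `techniques_by_tactic(BUNDLE, "Example Actor")` yields one tactic per kill-chain phase, so a technique such as process injection appears under both defense evasion and privilege escalation.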