What is the Purpose of ATT&CK Framework?


Why did MITRE develop ATT&CK?


MITRE began developing ATT&CK in 2013 as part of an internal research project called FMX (the Fort Meade eXperiment). FMX emulated adversary activity inside a live enterprise network and collected endpoint telemetry, with the goal of improving post-compromise detection: finding adversaries that had already gained a foothold and were operating within the network. Evaluating that work required a structured, documented inventory of the tactics, techniques, and procedures (TTPs) that Advanced Persistent Threats (APTs) were actually using against Windows enterprise networks, and ATT&CK became that inventory. It served as the ground truth for testing how well the FMX sensors and analytics detected the emulated behavior. MITRE released ATT&CK publicly in 2015 and has expanded it ever since; today it serves as a common language for describing adversary behavior, used by both defensive and offensive teams.

What are Tactics, Techniques, and Procedures (TTPs) and Common Knowledge (CK)?


Tactics describe the adversary's objective at a given stage of an intrusion and answer the "why" behind an ATT&CK technique. In Enterprise ATT&CK the tactics are reconnaissance, resource development, initial access, execution, persistence, privilege escalation, defense evasion, credential access, discovery, lateral movement, collection, command and control, exfiltration, and impact.

Techniques describe "how" an adversary achieves a tactical goal, that is, the specific method used. Examples include sending a spearphishing link, process injection, OS credential dumping, brute-forcing passwords, and replication through removable media. Several techniques can serve the same tactic, and one technique can serve more than one tactic: process injection, for instance, appears under both defense evasion and privilege escalation. Many techniques are further divided into sub-techniques; spearphishing link (T1566.002) is a sub-technique of phishing (T1566).

Procedures are the exact ways a particular adversary or piece of software carries out a technique, for example the specific tool and command line a group uses to dump credentials. Common Knowledge (CK) is the documented use of tactics and techniques by real adversaries; in practice, it is the body of documented procedures.

How does ATT&CK improve Cyber Threat Intelligence?


The ATT&CK framework gives analysts a standard vocabulary for describing adversary behavior. Tactics and techniques observed in intrusions can be attributed to specific threat actors (TAs), and ATT&CK maintains that mapping for the groups and software it documents. Defenders can then prioritize detections and mitigations for the techniques a relevant group is known to use, rather than chasing individual indicators. Because ATT&CK describes behavior rather than software flaws, it complements vulnerability management instead of replacing it: it does not tell you which bugs to patch, but which methods an adversary will use once they have a way in. MITRE also publishes ATT&CK as STIX 2 content served over TAXII 2, so organizations can load it into existing threat intelligence platforms and SIEMs and correlate it with other STIX/TAXII feeds they already consume.
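The following Python is added here as an illustration; it is not part of the original post and not MITRE's own tooling. It walks a small STIX 2 bundle laid out the way MITRE publishes ATT&CK (attack-pattern objects carrying a `mitre-attack` external ID and `kill_chain_phases`, an intrusion-set, and `uses` relationships whose description holds the procedure text), and so ties together the tactic, technique and procedure definitions from the previous section with the threat-intelligence use described above: it resolves group to technique to tactic, then reports which of the group's techniques existing detections do not cover. The technique IDs, names and tactic assignments are real Enterprise ATT&CK entries; "Example Group", its procedures, the covered-technique list and every STIX identifier are constructed for this example.

```python
"""Resolve an ATT&CK-style STIX 2 bundle: intrusion-set -> techniques -> tactics.

The bundle below is CONSTRUCTED. It copies the layout MITRE uses for ATT&CK
in STIX 2 (attack-pattern objects carrying a 'mitre-attack' external_id and
kill_chain_phases, an intrusion-set, and 'uses' relationships whose
description is the procedure), but "Example Group", its procedures and all
STIX identifiers are made up.
"""
import json
from collections import defaultdict

GROUP_ID = "intrusion-set--11111111-1111-4111-8111-111111111111"  # constructed

def _technique(n, ext_id, name, tactics):
    """Constructed attack-pattern shaped like an ATT&CK technique object."""
    return {
        "type": "attack-pattern",
        "id": f"attack-pattern--00000000-0000-4000-8000-{n:012d}",
        "name": name,
        "external_references": [{"source_name": "mitre-attack", "external_id": ext_id,
                                 "url": "https://attack.mitre.org/techniques/" + ext_id.replace(".", "/")}],
        "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": t} for t in tactics],
    }

def _uses(n, target_id, procedure):
    """'uses' relationship from the group to a technique; its description is the procedure."""
    return {"type": "relationship", "id": f"relationship--22222222-2222-4222-8222-{n:012d}",
            "relationship_type": "uses", "source_ref": GROUP_ID, "target_ref": target_id,
            "description": procedure}

# Real ATT&CK IDs, names and tactic assignments; which group uses them is invented.
T_PHISH = _technique(1, "T1566.002", "Spearphishing Link", ["initial-access"])
T_INJECT = _technique(2, "T1055", "Process Injection", ["defense-evasion", "privilege-escalation"])
T_DUMP = _technique(3, "T1003", "OS Credential Dumping", ["credential-access"])
T_USB = _technique(4, "T1091", "Replication Through Removable Media", ["initial-access", "lateral-movement"])

SAMPLE_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--33333333-3333-4333-8333-333333333333",
    "objects": [
        T_PHISH, T_INJECT, T_DUMP, T_USB,
        {"type": "intrusion-set", "id": GROUP_ID, "name": "Example Group"},
        _uses(1, T_PHISH["id"], "Example Group mails links to a credential-harvesting page."),
        _uses(2, T_INJECT["id"], "Example Group injects its loader into explorer.exe."),
        _uses(3, T_DUMP["id"], "Example Group dumps LSASS memory with a renamed procdump."),
    ],
})

def attack_id(obj):
    """ATT&CK external ID (e.g. 'T1055') of a STIX object, or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref["external_id"]
    return None

def techniques_used_by(bundle_json, group_name):
    """Follow intrusion-set -> 'uses' -> attack-pattern; return {id: {name, tactics, procedure}}."""
    objs = {o["id"]: o for o in json.loads(bundle_json)["objects"]}
    groups = [o for o in objs.values() if o["type"] == "intrusion-set" and o["name"] == group_name]
    if not groups:
        raise KeyError(f"no intrusion-set named {group_name!r}")
    used = {}
    for rel in objs.values():
        if rel["type"] != "relationship" or rel["relationship_type"] != "uses":
            continue
        if rel["source_ref"] != groups[0]["id"]:
            continue
        target = objs.get(rel["target_ref"])
        if not target or target["type"] != "attack-pattern":
            continue  # 'uses' can also point at malware/tool objects; skipped here
        used[attack_id(target)] = {
            "name": target["name"],
            "tactics": sorted(p["phase_name"] for p in target.get("kill_chain_phases", [])
                              if p["kill_chain_name"] == "mitre-attack"),
            "procedure": rel.get("description", ""),
        }
    return used

def tactic_matrix(bundle_json, group_name):
    """Pivot to {tactic: [technique IDs]}: the 'why' view of the group's behavior."""
    by_tactic = defaultdict(list)
    for tid, info in techniques_used_by(bundle_json, group_name).items():
        for tactic in info["tactics"]:
            by_tactic[tactic].append(tid)
    return {t: sorted(ids) for t, ids in sorted(by_tactic.items())}

def detection_gaps(bundle_json, group_name, covered_ids):
    """Techniques the group uses that nothing in covered_ids detects.
    A sub-technique (T1566.002) counts as covered when its parent (T1566) is."""
    covered = set(covered_ids)
    return sorted(tid for tid in techniques_used_by(bundle_json, group_name)
                  if tid not in covered and tid.split(".")[0] not in covered)

if __name__ == "__main__":
    have = ["T1566", "T1110"]  # constructed: techniques our sensors already detect
    print(json.dumps(tactic_matrix(SAMPLE_BUNDLE, "Example Group"), indent=2))
    print("gaps:", detection_gaps(SAMPLE_BUNDLE, "Example Group", have))
```

With the constructed coverage list, T1566.002 is treated as covered through its parent T1566, and the gaps come back as T1003 and T1055. MITRE publishes real ATT&CK content in this same shape in the mitre/cti and mitre-attack/attack-stix-data GitHub repositories and over its TAXII 2 server; pointing the same functions at a downloaded bundle works, but a full bundle also contains malware, tool, course-of-action and x-mitre-tactic objects, plus revoked and deprecated entries that should be filtered out before counting techniques.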

