What is MITRE ATT&CK Framework?

Table of Contents

Three Different Flavors of ATT&CK

Why did MITRE develop ATT&CK?

What is PRE-ATT&CK? 

What is ATT&CK for Enterprise?

What is ATT&CK for Mobile?

What are Tactics, Techniques, and Procedures (TTPs) and Common Knowledge (CK)?

How can Security Teams Benefit from the MITRE ATT&CK Framework?

Role of ATT&CK Framework in Incident Response

MITRE ATT&CK Framework for Threat Intelligence

MITRE ATT&CK for Security Analysts

View More guides on Incident Response

What is MITRE ATT&CK Framework?

  • Incident Response
  • Cyber Threat Intelligence

Posted on: July 22, 2019

What is MITRE ATT&CK Framework?
Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) is a globally-accessible knowledge base of adversary techniques and tactics based on real-world observations of cyberattacks. In 2013, MITRE introduced Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) as a means to outline and classify adversarial behaviors stemming from real-world observations. ATT&CK framework, also known as ATT&CK Navigator, is an organized list of known attacker behaviors that have been collated into tactics and techniques, and articulated in various matrices and STIX/TAXII. As this list is an extensive representation of techniques attackers use when abusing networks, it is useful for a wide range of defensive measurements, characterizations, and other mechanisms. One such critical defensive activity is incident response.

As attackers are finding new tricks to avoid detection, security teams are changing the way they approach incident response. ATT&CK framework allows security teams to shift their focus from low-level indicators to attackers’ defenses through their behaviors. MITRE’s ATT&CK Navigator is one of the tools that helps security teams keep pace with the attackers and enables them to delineate their new techniques.

Three Different Flavors of ATT&CK

The ATT&CK framework has three different flavors:

  • PRE-ATT&CK: Focuses on the tactics used by the attackers before they exploit their target. 
  • ATT&CK for Enterprise: Covers the techniques and tactics employed for targeting Windows, Linux, or Mac OS. 
  • ATT&CK for Mobile: Underlines the attack tactics and techniques utilized for compromising mobile devices.

Why did MITRE develop ATT&CK?

MITRE began developing ATT&CK in 2013 as a part of its research project called Fort Meade eXperiment (FMX ). The goal of FMX was to investigate and analyze the endpoint telemetry data to improve the discovery of adversaries operating within enterprise networks post-attack. Furthermore, ATT&CK was built to provide detailed documentation of the common  (TTPs) used by the advanced persistent threats (APTs) against the Windows enterprise networks. Initially used as the foundation for testing the effectiveness of the sensors and analytics under FMX, ATT&CK now serves as the common language or a framework for both defense and offense strategies of organizations.

What is PRE-ATT&CK? 

PRE-ATT&CK model defines the pre-compromise techniques used by attackers. This model intends to raise awareness amongst defenders in terms of the actions that can be taken before a network intrusion occurs. It allows a comprehensive evaluation of computer network defense (CND) technologies, processes, data, and policies against a standard enterprise threat model.

What is ATT&CK for Enterprise?

ATT&CK for Enterprise is a framework and an adversary model, which can be used for explaining the actions a threat actor could take to compromise and operate within an enterprise network. This model can be used to better describe and characterize post-compromise adversary behavior. It broadens the knowledge base for security experts and helps them prioritize network defense at the same time. Moreover, this framework provides an in-depth understanding of the TTPs used by threat actors to gain access inside a network, helping in identifying their objectives while operating.
 

What is ATT&CK for Mobile?

ATT&CK for Mobile model is a comprehensive list of threats against mobile devices and other aspects of the mobile ecosystem. This model is designed to support the development of mobile security capabilities, solutions, and best practices to defend organizations as they deploy mobile devices.

What are Tactics, Techniques, and Procedures (TTPs) and Common Knowledge (CK)?

In simple words, TTPs and CK in the ATT&CK framework cover wide-ranging ways leveraged by the threat actors to better categorize attacks and evaluate organizational risk.

  • The “tactics” explain the main aim or purpose of the adversary behind the attack and answer the ‘why’ of an ATT&CK technique. The objective of the adversary could be initial access, execution, persistence, privilege escalation, defense evasion, credential access, discovery, lateral movement, collection, and exfiltration. 
  • The “techniques” describe “how” an adversary succeeds in a tactical goal, detailing the attack method used by the adversary. For example, an adversary may send a spearphishing link via spam email, use process injection, credential dumping, unauthorized access, data theft, brute force attack, removable media, or other methods. 
  • The “procedures” are the exact ways a specific adversary or piece of software performs a technique whereas CK is the documented use of techniques and tactics by adversaries. Essentially, CK is the documentation of procedures. 

How can Security Teams Benefit from the MITRE ATT&CK Framework?

The MITRE ATT&CK framework is open-source, and hence easily accessible to any individual or organization. The main goal of this framework is to bring security experts and organizations together to develop a more effective cybersecurity model. The framework knowledge base can be used as a foundation to build more effective threat intelligence and security models, which can provide actionable insights needed by security teams to proactively mitigate cyberattacks. Security teams can use the ATT&CK Framework to picture their defensive handling, red/blue team planning, the rate of detected techniques, threat intelligence analysis, and in overall incident response process. Basically, it is a tool employed for mapping out controls against attacker techniques such as preventive controls, detective controls, or observed behaviors. Moreover, Navigator can be used online for quick mockups or scenarios, or it can be downloaded and internally installed as a more permanent solution.

In addition to using the ATT&CK methodologies to create a scenario to test network defenses, security teams use ATT&CK to plan their cybersecurity roadmap. The framework helps teams to build defense to respond to the known techniques and identify evidence of ATT&CK techniques in their network.

ATT&CK Navigator is a reference for incident response teams who can employ ATT&CK to learn the nature of threats they encounter and methods to alleviate those threats. By using ATT&CK as a reference for new threats, they can plan ahead and assess their overall cybersecurity strategy and bridge the gaps they discover.

MITRE’s ATT&CK Navigator tool can be utilized to extract all the controls of techniques that attackers deploy for pre-attack and post-attack stages. Subsequently, security teams can extract the information and compare it with their implemented controls or simply for educational or research purposes

Role of ATT&CK Framework in Incident Response

Detection and Analysis

Security operations centers (SOCs) and incident response teams can refer to the ATT&CK techniques and tactics that have been detected or undiscovered. This helps in understanding the defensive strengths and weaknesses, validating mitigation and detection controls, and identifying misconfigurations and related operational issues.

Containment

This stage is an effort to stop the threat from further spreading. The containment stage is an actionable phase where the security teams implement steps to reduce the adversary entrenchment. ATT&CK helps security teams with updated malicious signatures, IOC identification, contextual analysis of SIEM logs, providing tactical insights on moving abused hosts to a controlled environment for further monitoring, and much more. 

Eradication and Recovery

In this situation, security teams review an overall attack by aligning it to the ATT&CK framework to determine various defensive countermeasures for every attack phase. Typically, these countermeasures include rectifying a misconfiguration, updating relevant signatures, ingesting respective logs into a SIEM for correlation, or managing an internal workflow to ensure an alert is attended significantly faster. 

Learnings

This is often an overlooked process but it is crucial. With the help of ATT&CK Navigator, security teams can easily summarize the incident and learn whether the deployed countermeasures will be effective in the long run.

MITRE ATT&CK Framework for Threat Intelligence

ATT&CK Navigator empowers organizations by helping in deducing contextual threat intelligence. It provides a common standardized framework that is globally accessible, allowing security teams to work together with data to compare and tackle threat groups. As it offers a structured representation of adversary TTPs and real-time behavior of cybercriminals, security teams can draw significant analogies amongst the adversary groups.

Security analysts and defenders can organize their information through ATT&CK matrices. While the former can create and share threat intelligence related to the behavior of attackers, the latter can structure them for analyzing the behavior utilized in detection and mitigation by prioritizing risks. Collaboratively, they can create and share threat-based knowledge by closing the information gaps that attackers abuse. Hence, the ATT&CK Navigator is beneficial in quick decision-making and incident response plans for every organization due to its significance in deducing contextual threat intelligence.

Threat actors can be also tracked with connections to techniques and tactics in ATT&CK that they have been utilizing. This provides a roadmap to security teams to apply in their operational controls and realize their weaknesses and strengths against certain actors. Any threat intelligence platform that supports ATT&CK streamlines this process. Disseminating intelligence to various management is much easier when all parties communicate in the same language around adversarial behaviors. Therefore, standardizing on ATT&CK references in intelligence tools dramatically improves efficiency and ensures shared understanding.

MITRE ATT&CK for Security Analysts

MITRE ATT&CK framework allows security analysts to define adversarial behavior in a standard fashion. They can track the tactics and techniques associated with any threat actor in ATT&CK. This information can be used by the security experts to fix any known bug or vulnerability, or prepare counter-measures for the methods used by the threat actors. Besides, the ATT&CK framework can be used with STIX/TAXII 2.0 feeds, allowing organizations to leverage existing tools and investments into cyber threat intelligence.

Share Blog Post

Related Guides

Explained: The Role of AI in Cyber Threat Intelligence
What is a TAXII Server? How is it Different from a TAXII Client?
Everything You Need to Know About MITRE ATT&CK Framework
What is Cyber Threat Intelligence Sharing? And Why Should You Care?
Threat Intelligence Processing: The Key to Leveraging Unstructured Data
Walls Can Talk: An Introduction to Internal Cyber Threat Intelligence
Why is Correlation the Most Important Phase in Cyber Threat Intelligence Lifecycle?
What is Confidence Scoring in Threat Intelligence?
How to Choose the Best Threat Intelligence Platform for Your Security Team?
How to Build Your Own Cyber Information Sharing Community?
What is STIX 2.1? How is it Different From STIX 2.0?
What is STIX 2.x? How is it Different from STIX 1.x?
How Can You Tell if Your Cyber Threat Intelligence Program is Working Well?
What is Threat Intelligence Analysis?
What is Threat Intelligence Normalization?
What is Threat Intel Ingestion?
How Real-Time Cyber Threat Intelligence Sharing Enables Security Collaboration
The Benefits of Cross-Sectoral Threat Intelligence Sharing
What is a Connected Threat Intelligence Platform (TIP)?
How Useful is MITRE ATT&CK Framework in Threat Intelligence?
Significance of Threat Intelligence Platform (TIP) for Growing Teams
Combining SOAR and TIP for Intel-Driven SecOps
What is the Role of Threat Intelligence Platform (TIP) in a Security Operations Center (SOC)?
What is the Hub and Spoke Information Sharing Model?
The Concept of Pyramid of Pain
What are the Different Use Cases of a TIP?
Why Do MSSPs Need Automation?
What is the Diamond Model of Intrusion Analysis?
The Evolution of Threat Intelligence
Don’t Wait! Leverage Threat Intelligence
Why do Organizations Need to Leverage Actionable Threat Intelligence?
What is Technical Threat Intelligence?
What is Operational Threat Intelligence and Why is it Important?
What is Tactical Threat Intelligence and Why is it Important?
What is the Threat Intelligence Lifecycle?
Everything You Need to Know About a Threat Intelligence Platform (TIP)
5 Steps to Effective Cyber Threat Intelligence Program
Things to Consider When Choosing the Right Threat Intelligence Platform
Open Source or Commercial Threat Intelligence Platform - Which one is better?
What is Strategic Threat Intelligence Sharing and Why is it Important?
What is a Threat Intelligence Platform (TIP)?
Strategic vs. Tactical Threat Intelligence
Role of SOAR and TIP in Cyber Fusion
Information Sharing in Cyber Fusion
Role of Threat Intelligence in Cyber Fusion
What is Malware Information Sharing Platform (MISP)?
What is Signals Intelligence (SIGINT)?
What are Indicators of Compromise (IoCs)?
What is MITRE ATT&CK Framework?
What is Open Indicators of Compromise (OpenIOC) Framework?

Related Guides

Explained: The Role of AI in Cyber Threat Intelligence
What is a TAXII Server? How is it Different from a TAXII Client?
Everything You Need to Know About MITRE ATT&CK Framework
What is Cyber Threat Intelligence Sharing? And Why Should You Care?
Threat Intelligence Processing: The Key to Leveraging Unstructured Data
Walls Can Talk: An Introduction to Internal Cyber Threat Intelligence
Why is Correlation the Most Important Phase in Cyber Threat Intelligence Lifecycle?
What is Confidence Scoring in Threat Intelligence?
How to Choose the Best Threat Intelligence Platform for Your Security Team?
How to Build Your Own Cyber Information Sharing Community?
What is STIX 2.1? How is it Different From STIX 2.0?
What is STIX 2.x? How is it Different from STIX 1.x?
How Can You Tell if Your Cyber Threat Intelligence Program is Working Well?
What is Threat Intelligence Analysis?
What is Threat Intelligence Normalization?
What is Threat Intel Ingestion?
How Real-Time Cyber Threat Intelligence Sharing Enables Security Collaboration
The Benefits of Cross-Sectoral Threat Intelligence Sharing
What is a Connected Threat Intelligence Platform (TIP)?
How Useful is MITRE ATT&CK Framework in Threat Intelligence?
Significance of Threat Intelligence Platform (TIP) for Growing Teams
Combining SOAR and TIP for Intel-Driven SecOps
What is the Role of Threat Intelligence Platform (TIP) in a Security Operations Center (SOC)?
What is the Hub and Spoke Information Sharing Model?
The Concept of Pyramid of Pain
What are the Different Use Cases of a TIP?
Why Do MSSPs Need Automation?
What is the Diamond Model of Intrusion Analysis?
The Evolution of Threat Intelligence
Don’t Wait! Leverage Threat Intelligence
Why do Organizations Need to Leverage Actionable Threat Intelligence?
What is Technical Threat Intelligence?
What is Operational Threat Intelligence and Why is it Important?
What is Tactical Threat Intelligence and Why is it Important?
What is the Threat Intelligence Lifecycle?
Everything You Need to Know About a Threat Intelligence Platform (TIP)
5 Steps to Effective Cyber Threat Intelligence Program
Things to Consider When Choosing the Right Threat Intelligence Platform
Open Source or Commercial Threat Intelligence Platform - Which one is better?
What is Strategic Threat Intelligence Sharing and Why is it Important?
What is a Threat Intelligence Platform (TIP)?
Strategic vs. Tactical Threat Intelligence
Role of SOAR and TIP in Cyber Fusion
Information Sharing in Cyber Fusion
Role of Threat Intelligence in Cyber Fusion
What is Malware Information Sharing Platform (MISP)?
What is Signals Intelligence (SIGINT)?
What are Indicators of Compromise (IoCs)?
What is MITRE ATT&CK Framework?
What is Open Indicators of Compromise (OpenIOC) Framework?

The Virtual Cyber Fusion Suite