What is the Mitre Att&ck Framework?

ATT&CK details behaviour and taxonomy for adversarial actions in threat lifecycles, improving threat intelligence and security operations/architecture.

The ATT&CK Framework has two parts: ATT&CK for Enterprise, which is a detailed knowledge base covering behaviour against enterprise IT networks and cloud, and ATT&CK for Mobile, which focuses on behaviour against mobile devices.

MITRE created ATT&CK in 2013 as a means of documenting common tactics, techniques and procedures (TTPs) that are part of advanced persistent threats (APTs) against organisations. It has grown in popularity and in industry support as a means of creating a common taxonomy and relationship model for defenders and researchers working to understand and defend against evolving attack activities and adversary behaviours.

The framework addresses four primary issues:

Adversary behaviours

Typical indicators like IP addresses, domains, registry keys, file hashes etc., can quickly be changed by attackers and are only so useful during detection. They aren’t representative of how attackers interact with different systems—they only indicate that there has been interaction with one system at some point in time. Detecting possible adversarial behaviours helps focus investigations on tactics and techniques that are less ephemeral or untrustworthy.

Lifecycle models that didn’t fit

Adversary lifecycles and Cyber Kill Chain concepts are a bit too high-level to relate behaviours to defences—that particular level of abstraction wasn’t useful to map TTPs to any type of new sensor.

Applicability to real environments

It’s important to base TTPs on observed incidents and campaigns to show the work is applicable.

Common taxonomy

TTPs should be comparable across separate types of adversary groups by using the same terminology.

The ATT&CK Framework functions as an authority on the behaviours and techniques that hackers use against organisations. It eliminates ambiguity and outlines a centralised vocabulary for industry professionals. This helps them discuss and collaborate on how to combat attackers and apply practical security measures.

ATT&CK adds rigour and detail beyond the threat intelligence and tooling techniques that are useful in opportunistic and less-targeted attacks. The Pyramid of Pain explains how it complements other indicators that are typical today.

The “Pyramid of Pain” is a representation of the types of indicators of compromise (IoCs)—it measures the potential usefulness of threat intelligence and focuses on incident response and threat hunting.

Trivial - hash values

A hash value is generated by algorithms like MD5 and SHA, and represents a specific malicious file. Hashes provide specific references to malware and suspicious files that are used by attackers for the intrusion.

Attacker Behaviours

Easy - IP address

IP addresses are one of the more-fundamental indicators of a malicious attack source, but it is possible to adopt an IP address using a proxy service and frequently change the IP address.

Simple - domain names

There could be a domain name or even a type of sub-domain that is registered, paid for and hosted. But, there are many DNS service providers that have decently relaxed registration standards.

Annoying - network/host artefacts

Network artefacts are pieces of activity that can identify a malicious user and distinguish them from a legitimate user. Something standard might be URI pattern or C2 information that is embedded in network protocols.

Host artefacts are observables caused by adverse activity on a host that identifies malicious activities and distinguishes them from legitimate activities. Such identifiers include registry keys or values that are known to be created by malware, or files/directories dropped in certain areas.

Challenging - tools

Tools are usually types of software that an attacker will use against you. This can also be a series of tools that are brought with them to interact with existing code or software. Tools include utilities that create malicious documents for spearphishing, backdoors that establish C2 or password crackers, or other utilities that can compromise.

Tough! - TTPs

Tactics, techniques and procedures are at the top of the pyramid. This is the entire process of how an attacker accomplishes their mission, from the beginning research phase to the exfiltration of the data, and everything in between.

The ATT&CK Matrix is a visualisation of the relationship between tactics and techniques. Tactics are a higher-level idea of why an attacker is performing an action and techniques are the actions that they are taking to support the tactic.

What are ATT&CK Framework tactics?

The Enterprise ATT&CK Framework has 14 tactics—this is considered the “why” part of the equation. The tactics are classified as the following:

  • Reconnaissance
  • Resource development
  • Initial access
  • Execution
  • Persistence
  • Privilege escalation
  • Defence evasion
  • Credential access
  • Discovery
  • Lateral movement
  • Collection
  • Command and control
  • Exfiltration

What are the techniques of the ATT&CK Framework?

Within each tactic is contained a series of techniques that are used by malware or threat groups in the course of compromising a target and achieving their goals. There are eleven tactics in the ATT&CK Framework, but there are around 300 techniques to be aware of.

Each of the techniques in the knowledge base has information with context, like the permissions that are required, which platform commonly has the technique and how to detect the commands and processes where they’re used.

Threat Intel

Defences are informed based on potential threats. Techniques are also prioritised based on common traits among groups and a gap analysis of current defences vs. common threats.

Detection and analytics

Purple teaming, data sources, testing, custom analytics and OOB analytics.

Mitre Att&ck Use Cases

Adversary emulation

Comms to blue team, red team varied behaviours, adversary emulation based on CTI and atomic technique tests.

Assessments and engineering

Assess coverage gaps based on real-world usage and prioritise mitigations and investments, such as single technique, mitigations and fidelity across multiple techniques.

An important aspect of ATT&CK is how it incorporates cyber threat intelligence (CTI). ATT&CK documents attacker behaviour based on publicly available reporting to indicate which groups use which techniques. It’s typical for there to be individual reports that document an incident or a single group, but ATT&CK focuses more on a type of activity and technique, then associates attackers and groups with the activity—this helps technicians focus on techniques with the highest usage.

In today’s digital world, your organisation’s ability to prepare for, identify, minimise and recover from a security event plays a key role in your success. As such, Security incident response supplemented by MITRE ATT&CK can help ensure that your business is prepared, with access to resources for developing advanced threat models and methodologies against cyberattacks.

Working within the MITRE ATT&CK framework, your security teams can improve their analysis and response to incidents as they occur. They can accurately identify indicators of compromise and prioritise specific threats. They can improve automated workflows using essential tactics and other resources drawn from the ATT&CK playbook.

Get started Security Incident Response

MITRE ATT&CK empowers businesses across the Threat Intelligence and the SIR module, improving your incident response and protecting valuable assets.

Loading spinner