What Is The MITRE ATT&CK Framework? | 14 Tactics Used During A Cyber Attack
What Is The MITRE ATT&CK Framework?
The MITRE ATT&CKĀ® framework consists of a matrix that categorizes various tactics and techniques used by attackers during different stages of a cyber attack. It covers a wide range of attack vectors, including initial access, execution, persistence, privilege escalation, defense evasion, credential access, discovery, lateral movement, collection, exfiltration, and more.
History of the MITRE ATT&CK Framework
The MITRE ATT&CK framework has a rich history that dates back to 2013 when it was initiated as part of a research project called FMX by MITRE, a nonprofit organization dedicated to providing technical guidance to the federal government. The primary goal of the project was to enhance post-intrusion detection of advanced persistent threat (APT) groups operating within enterprise networks.
To achieve this objective, MITRE recognized the need to document the tactics, techniques, and procedures (TTPs) employed by these adversaries. This led to the development of the Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework, which served as a comprehensive repository of APT TTPs.
Initially, the ATT&CK framework focused on Windows enterprise systems, as it aimed to improve the detection capabilities of endpoint telemetry data and analytics. It provided a standardized language that both offensive and defensive teams could use to evaluate and enhance their strategies over time.
By 2015, MITRE made the ATT&CK framework freely available to the public, recognizing its potential to benefit a broader range of organizations beyond the federal government. This move allowed security teams from various sectors to access and utilize the framework to gain a deeper understanding of the threats they faced and develop effective countermeasures.
Over the years, the ATT&CK framework has evolved and expanded its scope. It now encompasses techniques applicable to Linux, macOS, mobile, cloud, network, containers, and industrial control system (ICS) applications. This expansion reflects the changing landscape of cyber threats and ensures that organizations can address a wide range of potential vulnerabilities.
The framework is organized into matrices, which categorize techniques based on different stages of the attack lifecycle. This categorization enables security teams to align their defenses and response strategies accordingly. MITRE regularly updates the framework, incorporating new techniques and tactics based on real-world observations and contributions from the cybersecurity community.
The widespread adoption of the MITRE ATT&CK framework in the cybersecurity industry is a testament to its effectiveness. Organizations leverage it to enhance their threat intelligence, incident response, and security monitoring capabilities. It provides a standardized language and a wealth of knowledge that enables security professionals to understand, detect, and mitigate the tactics and techniques employed by adversaries.
To further support the cybersecurity community, MITRE maintains a public website dedicated to the ATT&CK framework. This website offers detailed information about each technique, including examples, mitigations, and detection recommendations. Additionally, MITRE conducts annual ATT&CK Evaluations, where they assess the capabilities of various security products in detecting and preventing real-world attack techniques.
What Is MITRE Engenuity?
MITRE Engenuity is an organization that collaborates with private companies to tackle critical challenges in various domains, including cybersecurity, infrastructure resilience, healthcare effectiveness, and next-generation communications. With a focus on cybersecurity, MITRE Engenuity aims to strengthen cyber defense by gaining a deeper understanding of cyber adversaries and improving organizations’ resilience to known adversary behavior.
One of the core initiatives of MITRE Engenuity involves utilizing the ATT&CK knowledge base, which is a comprehensive framework developed by MITRE. This knowledge base provides extensive insights into adversary tactics, techniques, and procedures (TTPs) observed in real-world cyber attacks. By leveraging ATT&CK, MITRE Engenuity conducts evaluations of cybersecurity products to assess their effectiveness in defending against these TTPs.
During the evaluation process, MITRE Engenuity brings together a diverse group of security experts from leading organizations. These experts collaborate to evaluate cybersecurity products based on three key criteria. Firstly, the evaluations aim to provide end users with objective insights into the functionality and capabilities of participating security products. This helps organizations make informed decisions when selecting and implementing cybersecurity solutions.
Secondly, the evaluations provide participating vendors with a clear understanding of the true capabilities of their security products. Through this process, vendors gain valuable feedback on the strengths and weaknesses of their offerings, enabling them to refine and enhance their products accordingly.
Lastly, MITRE Engenuity’s evaluations are designed to enhance the capabilities of the participating vendors. By identifying areas for improvement and providing constructive feedback, MITRE Engenuity helps vendors strengthen their products and align them with the evolving threat landscape. This collaborative approach fosters innovation and drives the development of more effective cybersecurity solutions.
The evaluations conducted by MITRE Engenuity do not focus on determining a “winner” or conducting competitive analysis. Instead, the goal is to illustrate how each vendor approaches threat defense within the context of ATT&CK. This approach ensures a fair and transparent evaluation process that benefits both end users and vendors.
What Are MITRE Engenuity ATT&CK Evaluations?
MITRE Engenuity ATT&CK Evaluations are rigorous assessments conducted by MITRE Engenuity to evaluate the capabilities of cybersecurity products in detecting and protecting against real-world adversary behavior. These evaluations serve as a valuable resource for organizations looking to make informed decisions when selecting and implementing cybersecurity solutions.
During the evaluation process, vendors are required to provide proof of detection, showcasing their ability to identify and mitigate potential adversary behavior. While vendors may not disclose all detection details publicly to protect their proprietary information, they provide sufficient evidence to support their claims. This evidence includes screenshots and notes captured during the evaluation, which serve as supporting documentation for the observed detections and protections.
To categorize the detections and protections, MITRE Engenuity utilizes a classification system that includes “Main” and “Modifier” categories. The main category designation is based on the amount of context provided to the user, representing the primary classification of a detection or protection event. The modifier category designation provides additional details to describe the event in greater depth, offering a more comprehensive understanding of the observed behavior.
Categories Utilized By MITRE Engenuity For Detection
The fourth-round attack evaluations conducted by MITRE Engenuity in March 2022 focused on assessing the capabilities of cybersecurity products against three distinct threat actors: Wizard Spider, Sandworm, and Turla.
Wizard Spider is a financially motivated criminal group that has been targeting major corporations, including hospitals, since August 2018. Their primary objective is to gain financial benefits through their cybercriminal activities. Their attacks are known for their sophistication and involve advanced techniques to breach security defenses and exfiltrate valuable data.
Sandworm, on the other hand, is a destructive Russian threat group that gained notoriety for its attacks against UK electrical companies in 2015 and 2016. They are particularly known for their involvement in the 2017 NotPetya attacks, which caused significant disruption and financial damage worldwide. Sandworm’s attacks are characterized by their highly coordinated and impactful nature.
In addition to Wizard Spider and Sandworm, the evaluations also included Turla, an internationally recognized threat group that has been active since at least the early 2000s. Turla’s targets include government agencies, diplomatic missions, military groups, and research and media organizations across more than 45 countries. They employ a combination of open-source and in-house tools to maintain operational security and utilize various sophisticated techniques.
The evaluations revealed significant growth and advancements in the products of various vendors, with Palo Alto Networks being highlighted for its emphasis on threat-informed defense capabilities and the prioritization of the ATT&CK framework. This demonstrates the industry’s progress in enhancing cybersecurity solutions to effectively detect and protect against real-world adversaries.
MITRE Engenuity’s evaluations play a crucial role in providing organizations with insights into the capabilities of different security solutions. By focusing on threat actors like Wizard Spider, Sandworm, and Turla, the evaluations provide a realistic testing environment that reflects the evolving threat landscape. This enables organizations to make informed decisions when selecting and implementing cybersecurity products, ensuring they have the necessary defenses in place to mitigate potential risks.
For more detailed information on the specific evaluation results, interested individuals can refer to the reports and documentation provided by MITRE Engenuity. These resources offer comprehensive insights into the growth and advancements made by vendors in their cybersecurity offerings, further promoting transparency and knowledge sharing within the cybersecurity community.
What Are Tactics In The MITRE ATT&CK Framework?
In the MITRE ATT&CK framework, tactics represent the overarching goals or objectives that adversaries aim to achieve during a cyber attack. These tactics provide insight into the motivations and intentions behind the actions performed by threat actors.
There are 14 tactics defined in the Enterprise ATT&CK Matrix.
1. Reconnaissance:
This tactic involves gathering information about the target organization or network, allowing adversaries to gain insights into potential vulnerabilities and plan future operations effectively. Adversaries may employ various techniques such as scanning, open-source intelligence (OSINT) gathering, or social engineering to collect valuable intelligence.
2. Resource Development:
Adversaries establish resources that can support their operations within the targeted environment. This may involve setting up infrastructure, creating fake accounts, or acquiring tools and capabilities necessary for carrying out their attacks. By developing these resources, adversaries can enhance their operational efficiency and maintain persistence within the compromised environment.
3. Initial Access:
Adversaries seek to gain initial entry into the target network or system. This can be achieved through various means such as exploiting vulnerabilities, leveraging social engineering techniques, or using stolen credentials. Once initial access is obtained, adversaries can proceed with their attack objectives.
4. Execution:
In this tactic, adversaries run malicious code or exploit vulnerabilities to execute their intended actions. This can involve delivering malware, launching exploits, or leveraging scripting capabilities to achieve their goals. By executing malicious code, adversaries can establish their presence within the compromised environment and initiate further stages of the attack.
5. Persistence:
Adversaries aim to maintain their presence and foothold within the compromised environment for an extended period. This may involve establishing backdoors, creating scheduled tasks, or modifying system configurations to ensure their access remains even after system reboots or security measures are implemented.
6. Privilege Escalation:
Adversaries attempt to gain higher-level permissions or access within the target environment. By escalating privileges, they can increase their control over compromised systems, access sensitive data, or move laterally within the network to expand their reach.
7. Defense Evasion:
Adversaries employ various techniques to avoid detection by security defenses and evade or bypass security measures. This can include using encryption, obfuscation, or anti-analysis techniques to hide their malicious activities and remain undetected by security solutions.
8. Credential Access:
Adversaries aim to steal or obtain account credentials, such as usernames and passwords, to gain unauthorized access to systems or networks. This tactic allows them to bypass authentication mechanisms, impersonate legitimate users, and move laterally within the network to achieve their objectives.
9. Discovery:
Adversaries conduct reconnaissance within the compromised environment to gather information about the network, systems, and applications. This information helps them understand the target’s infrastructure, identify potential vulnerabilities, and plan their subsequent actions more effectively.
10. Lateral Movement:
Adversaries move laterally within the network, expanding their reach and control across different systems or segments. This tactic enables them to explore and compromise additional systems, escalate privileges, and gain access to valuable resources or sensitive data.
11. Collection:
Adversaries focus on gathering data or information that is of interest to their objectives. This can include sensitive files, intellectual property, credentials, or other valuable information. By collecting relevant data, adversaries can further their goals, such as espionage or financial gain.
12. Command and Control:
Adversaries establish communication channels with compromised systems to control and manage their activities remotely. This can involve setting up command-and-control servers, utilizing covert channels, or leveraging legitimate communication protocols to maintain control over compromised systems.
13. Exfiltration:
Adversaries aim to steal or extract data from the compromised environment and exfiltrate it to external locations under their control. This can involve various techniques such as data compression, encryption, or disguising data within legitimate network traffic to evade detection.
14. Impact:
Adversaries seek to manipulate, interrupt, or destroy systems, data, or infrastructure to cause damage or achieve their desired impact. This can include activities such as deploying destructive malware, launching denial-of-service attacks, or manipulating critical system configurations.
What Are MITRE Techniques And How Many Are There?
The MITRE ATT&CK framework categorizes adversary actions into techniques, which represent the specific methods or actions employed by threat actors to achieve their objectives within each tactic. Techniques provide a detailed understanding of the “how” behind an adversary’s actions, shedding light on their tactics and enabling organizations to better defend against specific threat behaviors.
The Enterprise ATT&CK Matrix, which is a comprehensive subset of the ATT&CK framework, encompasses techniques across various operating systems and platforms. As of the 2022 version of ATT&CK for Enterprise, there are 14 tactics, 193 techniques, 401 subtechniques, 135 groups, 14 campaigns, and 718 pieces of software documented.
MITRE regularly updates the ATT&CK framework to incorporate newly discovered techniques, campaigns, and changes in the threat landscape. This ensures that the framework remains current and relevant in capturing the evolving tactics and techniques used by adversaries.
What Are Subtechniques?
In the MITRE ATT&CK framework, subtechniques provide a more detailed breakdown of the behaviors used by adversaries to achieve their objectives. While techniques offer a high-level view of adversary actions, subtechniques dive deeper into the specific actions taken within a technique. This additional granularity helps organizations gain a more comprehensive understanding of the tactics employed by threat actors.
Procedures: Real-World Implementations of Techniques
Procedures in the ATT&CK framework describe the specific implementations observed in real-world attacks. They provide concrete examples of how techniques or subtechniques are executed by adversaries. Procedures offer insights into the actual steps taken by threat actors to carry out their actions, highlighting the specific tools, methods, and behaviors employed.
For instance, a procedure may describe an adversary using PowerShell to inject into lsass.exe and dump credentials by scraping LSASS memory on a victim’s system. This level of detail goes beyond the subtechnique or technique level and provides organizations with real-world examples of how adversaries execute their attacks.
Differentiating Subtechniques and Procedures
While subtechniques and procedures are related, they serve distinct purposes within the ATT&CK framework. Subtechniques categorize behavior at a more granular level, providing specific descriptions of the actions taken within a technique. They help organizations understand the nuances and variations in adversary behavior, allowing for more targeted defense strategies.
Procedures, on the other hand, focus on the specific implementations of techniques or subtechniques observed in real-world attacks. They offer concrete examples of how adversaries carry out their actions, including the tools, techniques, and procedures employed. Procedures provide organizations with practical insights into the tactics used by threat actors, enabling them to better prepare and defend against such attacks.
Benefits of the MITRE ATT&CK Framework
The MITRE ATT&CK framework offers several benefits to organizations in their cybersecurity efforts. By leveraging subtechniques and procedures, organizations can:
1. Enhance Threat Understanding:
Subtechniques and procedures provide a deeper understanding of adversary behaviors, enabling organizations to better comprehend the techniques employed by threat actors. This knowledge helps organizations identify potential attack vectors and develop targeted defenses.
2. Improve Detection and Response:
By aligning security measures with observed subtechniques and procedures, organizations can improve their ability to detect and respond to cyber threats. This proactive approach allows for faster detection and more effective incident response, minimizing the impact of attacks.
3. Optimize Security Controls:
Understanding subtechniques and procedures helps organizations assess their existing security controls and identify any gaps or weaknesses. By aligning their defenses with observed adversary behaviors, organizations can optimize their security controls to better protect against specific threat actions.
4. Prioritize Threat Intelligence:
Subtechniques and procedures provide valuable insights for threat intelligence teams. By analyzing real-world implementations, organizations can prioritize their threat intelligence efforts and focus on the most relevant and impactful threats. This enables them to stay ahead of evolving adversary tactics and enhance their proactive defense strategies.
5. Support Incident Response and Forensics:
Subtechniques and procedures assist incident response and digital forensics teams in investigating and analyzing security incidents. By referring to observed adversary behaviors, teams can quickly identify the techniques used in an attack and take appropriate action to contain and remediate the incident. This knowledge also aids in the collection and preservation of digital evidence for future investigations.
Challenges of Implementing the MITRE ATT&CK Framework
While the MITRE ATT&CK framework offers significant benefits, there are challenges organizations may face when implementing it:
1. Expertise and Training:
Effectively utilizing the ATT&CK framework requires a solid understanding of its concepts and methodologies. Organizations need to invest in training their security teams to ensure they can effectively leverage the framework to its full potential.
2. Resource Investment:
Implementing the ATT&CK framework requires time, effort, and resources. Organizations need to allocate resources to collect and analyze relevant threat intelligence, map their defenses to the framework, and continuously update and adapt their security controls based on the evolving threat landscape.
3. Complexity and Scale:
The ATT&CK framework covers a wide range of tactics, techniques, and procedures. Organizations may face challenges in managing the complexity and scale of implementing the framework across their entire security infrastructure. Proper planning and prioritization are essential to effectively utilize the framework.
ATT&CK Technologies
The MITRE ATT&CK Framework serves as a comprehensive resource for understanding the tactics, techniques, and procedures (TTPs) employed by threat actors in cyber attacks. While it is not a technology or software application itself, the ATT&CK framework can be applied to various technologies and platforms that may be targeted by attackers. By leveraging the framework, organizations can develop effective countermeasures and enhance their overall security posture.
ATT&CK Technologies can include the following:
Enterprise IT Systems: Windows, macOS, Linux
The ATT&CK framework covers a wide range of enterprise IT systems, including popular operating systems such as Windows, macOS, and Linux. By understanding the specific techniques and tactics used by adversaries on these platforms, organizations can tailor their security measures and defenses to mitigate the associated risks. This includes implementing robust endpoint protection, secure configuration practices, and regular patch management to address vulnerabilities and protect against attacks.
Network Infrastructure Devices
Network infrastructure devices, such as routers, switches, and firewalls, are critical components of an organization’s IT infrastructure. These devices can also be targeted by threat actors seeking to gain unauthorized access or disrupt network operations. By applying the ATT&CK framework to network infrastructure devices, organizations can identify potential attack vectors and implement appropriate security controls, such as access controls, network segmentation, and intrusion detection systems, to safeguard against network-based attacks.
Container Technologies
Containers have become increasingly popular for deploying and managing applications. However, they also introduce new attack surfaces and security challenges. The ATT&CK framework can be used to analyze the techniques and tactics employed by adversaries targeting container technologies. By understanding the specific risks and implementing container-specific security measures, such as secure container configurations, image scanning, and runtime monitoring, organizations can protect their containerized environments from malicious activities.
Cloud Systems: IaaS, SaaS, Office 365, Azure AD, Google Workspace
Cloud computing has transformed the way organizations operate, but it also introduces unique security considerations. The ATT&CK framework can be applied to cloud systems, including Infrastructure as a Service (IaaS) and Software as a Service (SaaS) platforms. This enables organizations to understand the techniques used by adversaries to compromise cloud environments and implement appropriate security controls, such as identity and access management, encryption, and activity monitoring, to protect against cloud-based attacks. Specifically, platforms like Office 365, Azure Active Directory (Azure AD), and Google Workspace can benefit from aligning their security measures with the ATT&CK framework.
Mobile Devices: Android and iOS
Mobile devices have become ubiquitous in both personal and professional settings, making them attractive targets for attackers. The ATT&CK framework can be applied to mobile devices running on Android and iOS operating systems. By understanding the tactics and techniques used by adversaries targeting mobile platforms, organizations can implement effective security measures to protect against mobile-based attacks.
For Android devices, organizations can leverage the ATT&CK framework to identify potential vulnerabilities and implement security controls such as app vetting, secure app development practices, and mobile device management (MDM) solutions to secure the devices and data stored on them. This includes monitoring for malicious apps, protecting against privilege escalation, and securing communication channels.
Similarly, for iOS devices, organizations can use the ATT&CK framework to gain insights into the tactics and techniques employed by adversaries targeting Apple’s mobile operating system. This can help organizations in implementing security measures such as app sandboxing, secure coding practices, and device encryption to protect against iOS-specific attacks.
How To Use ATT&CK
The ATT&CK Matrix provides a structured overview of known attack tactics and techniques. It allows organizations to navigate and understand the various techniques employed by adversaries. By working from left to right in the matrix, from Initial Access to Command and Control, organizations can assemble a complete attack sequence.
The ATT&CK framework can be used in several ways to enhance security operations, threat intelligence, and security architecture. Here are some primary use cases:
1. Adversary Emulation:
Organizations can simulate real-world attack scenarios by emulating the tactics and techniques outlined in the ATT&CK framework. This exercise helps assess the effectiveness of existing security controls and identify potential vulnerabilities.
2. Red Teaming:
Red teaming exercises involve deploying skilled professionals to mimic the actions of adversaries. By using the ATT&CK framework as a guide, red teams can test an organization’s defenses, identify weaknesses, and provide recommendations for improvement.
3. Behavioral Analytics Development:
Security teams can leverage the ATT&CK framework to develop behavioral analytics and detection rules. By mapping observed behaviors to the framework, organizations can enhance their ability to detect and respond to malicious activities.
4. Defensive Gap Assessment:
The ATT&CK framework can be used to assess an organization’s defensive capabilities and identify any gaps in visibility, tools, or processes. This assessment helps organizations prioritize and implement necessary security improvements.
5. SOC Maturity Assessment:
Security Operations Center (SOC) maturity assessments involve evaluating the effectiveness and efficiency of a SOC’s operations. The ATT&CK framework can be used as a benchmark to assess the SOC’s ability to detect, respond, and recover from various attack techniques.
6. Cyberthreat Intelligence:
Organizations can leverage the ATT&CK framework to enhance their cyberthreat intelligence capabilities. By aligning their intelligence gathering and analysis with the framework, organizations can better understand the tactics and techniques employed by threat actors and proactively defend against emerging threats.
MITRE Engenuity ATT&CK Evaluations
MITRE Engenuity conducts ATT&CK evaluations to assess the capabilities of participating vendors in relation to the ATT&CK framework. These evaluations help vendors and end-users understand a product’s effectiveness in detecting and responding to attacks. While the evaluations do not provide overall comparison scores or rankings, they offer a vendor-agnostic summary of methodologies used by security practitioners to identify and prevent sophisticated attack campaigns.
Cortex XDR, a comprehensive security platform, aligns with the MITRE ATT&CK framework and consistently demonstrates strong performance in independent industry testing, including the MITRE Engenuity ATT&CK Evaluations. By leveraging AI and behavioral analytics, Cortex XDR provides industry-leading coverage of MITRE ATT&CK techniques, enabling organizations to detect and respond to modern attacks effectively.