The MITRE ATT&CK Framework

Understanding the behaviors and techniques attackers use against organizations.


What is the MITRE ATT&CK Framework?

The MITRE ATT&CK Framework is a global index for collecting documentation of attacker tactics, techniques, and procedures (TTPs), all based on real-world observations. ATT&CK stands for "Adversarial Tactics, Techniques, & Common Knowledge."

Created by MITRE in 2013, this index continues to evolve with the threat landscape and has become a renowned knowledge base for the industry to understand attacker models, methodologies, and mitigation. 

Comprehensive threat detection and attack mitigation requires understanding common adversary techniques, especially those that pose a threat to a security operations center (SOC). With that said, the volume and breadth of attack tactics make it nearly impossible for any single organization to monitor and catalog every single attack type. 

ATT&CK's knowledge base of adversary tactics and techniques is indexed and broken down in detail, noting the steps and methods attackers use. To go a step further, MITRE also incorporates cyber-threat intelligence that documents the behavior profiles of adversary groups. 

The ATT&CK matrix structure is similar to a periodic table, with column headers outlining phases in the attack chain – from “initial access” all the way to “impact.” 

MITRE ATT&CK Framework vs. Cyber Kill Chain

Both the MITRE ATT&CK Framework and the Cyber Kill Chain focus on helping organizations understand attacker behaviors and take steps to shut down an attack as quickly as possible. Let’s first discuss some background on the latter concept.

The Cyber Kill Chain framework was developed by defense contractor Lockheed Martin to identify vulnerabilities and breaches, examine the effectiveness of existing controls, and pinpoint the movements adversaries must make to achieve whatever goal they’ve defined for themselves or their organization.

The fundamental difference between the MITRE ATT&CK Framework and the Cyber Kill Chain is that the former is a repository for knowledge – containing a large amount of attacker methodologies targeting specific platforms – and the latter is essentially a more generalized series of predefined steps from which it is not recommended to stray. The Cyber Kill Chain consists of seven phases and is generally thought of as a simplified – and also very effective – way to stop an attack.

A third kill-chain methodology is known as the Unified Kill Chain. It attempts to address the scope limitations and the time-agnostic nature of MITRE ATT&CK and the Cyber Kill Chain, respectively. One of the biggest benefits of the Unified Kill Chain is that it more accurately captures the nuanced behaviors of attackers. The Unified Kill Chain details 18 specific attack phases, so it might be more than is needed depending on the user and the use case.

History of the MITRE ATT&CK Framework

The framework was created in 2013 out of a need to help businesses and their security organizations better understand attacker methodologies, and thereby gain ground against the advancement of threat actors around the world. According to the MITRE ATT&CK website:

“MITRE started ATT&CK in 2013 to document common tactics, techniques, and procedures (TTPs) that advanced persistent threats use against Windows enterprise networks. It was created out of a need to document adversary behaviors for use within a MITRE research project called FMX. The objective of FMX was to investigate use of endpoint telemetry data and analytics to improve post-compromise detection of adversaries operating within enterprise networks. ATT&CK was used as the basis for testing the efficacy of the sensors and analytics under FMX and served as the common language both offense and defense could use to improve over time.”

MITRE presents an index – or matrix – for individual use cases, like those detailed below: 

  • Industrial control systems (ICS) matrix: The tactics by which an attacker could breach industrial control systems. 
  • Enterprise matrix: The tactics by which an attacker could breach enterprise systems. 
  • Mobile matrix: The tactics by which an attacker could breach mobile devices. 

MITRE ATT&CK Matrix 

Let's dive a little deeper into what exactly constitutes a MITRE ATT&CK “matrix.” It’s helpful to delineate attacker standards across use cases like those discussed in the previous section. The matrix essentially categorizes TTPs and presents them as easily indexed by specific platforms like operating systems or enterprise software platforms.

According to the MITRE ATT&CK website, there are 14 common tactics by which attackers attempt to achieve their goals:

  • "Reconnaissance: The adversary is trying to gather information they can use to plan future operations. 
  • Resource development: The adversary is trying to establish resources they can use to support operations. 
  • Initial access: The adversary is trying to get into your network. 
  • Execution: The adversary is trying to run malicious code. 
  • Persistence: The adversary is trying to maintain their foothold. 
  • Privilege escalation: The adversary is trying to gain higher-level permissions. 
  • Defense evasion: The adversary is trying to avoid being detected. 
  • Credential access: The adversary is trying to steal account names and passwords. 
  • Discovery: The adversary is trying to figure out your environment. 
  • Lateral movement: The adversary is trying to move through your environment. 
  • Collection: The adversary is trying to gather data of interest to their goal. 
  • Command and control: The adversary is trying to communicate with compromised systems to control them. 
  • Exfiltration: The adversary is trying to steal data. 
  • Impact: The adversary is trying to manipulate, interrupt, or destroy your systems and data." 


MITRE ATT&CK Framework Use Cases

The MITRE ATT&CK Framework is widely recognized as an authority on understanding the behaviors and techniques attackers use against organizations. It not only removes ambiguity and provides a common vocabulary for discussing threats and collaborating on defenses, but also offers practical applications for security teams.

Prioritize Detections Based on a Unique Environment

Even the most well-resourced teams cannot protect against all attack vectors equally. The ATT&CK framework can offer a blueprint for where teams should focus their detection efforts. For example, many teams may begin by prioritizing threats earlier in the attack chain. Other teams may want to prioritize specific detections based on techniques used by attacker groups that are especially prevalent in their respective industries.

By exploring the techniques, targeted platforms, and risk, teams can educate themselves to help inform their security plan, then leverage the MITRE ATT&CK framework to track progress over time.

Evaluate Current Defenses

The framework can also be valuable in evaluating current tools and depth of coverage around key attack techniques. There are different levels of telemetry that might be applicable to each detection. In some areas, teams may decide they need high confidence in depth of detection, while a lower level of detection may be acceptable in other areas.

By defining and prioritizing threats to the organization, teams can evaluate how their current coverage stacks up. This can also be useful in penetration testing (pentesting) activities, and then as a scorecard during and after a test. 

Track Attacker Groups

Many organizations may want to prioritize tracking specific adversary group behaviors that they know pose a particular threat to their industry or vertical. The ATT&CK framework is not a static document: MITRE continues to update it as threats emerge and change. This process makes it a useful source of truth for tracking and understanding the movements of attacker groups and the techniques they use.
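The matrix structure described above (techniques indexed under tactic columns) and the three use cases just discussed (prioritizing detections by position in the attack chain or by a tracked group's techniques, scoring the depth of current coverage, and tracking a group's behavior profile) can be demonstrated in one small script. The following is an added example, not code from the page, from MITRE, or from Rapid7. The technique IDs and names are real ATT&CK Enterprise entries, but the subset is hand-picked and far from complete, the detection inventory and its "telemetry"/"analytic" depth levels are constructed, and "EXAMPLE-GROUP" is a hypothetical group profile rather than a real ATT&CK group. In practice the technique and group data would come from MITRE's published STIX bundles rather than a literal in the script.

```python
from collections import defaultdict

# The 14 enterprise tactics in matrix column order (left to right), as listed on the page.
TACTICS = [
    "Reconnaissance", "Resource Development", "Initial Access", "Execution",
    "Persistence", "Privilege Escalation", "Defense Evasion", "Credential Access",
    "Discovery", "Lateral Movement", "Collection", "Command and Control",
    "Exfiltration", "Impact",
]

# Hand-picked subset of ATT&CK Enterprise techniques: ID -> (name, tactic columns it appears under).
# IDs and names are real ATT&CK entries; the subset itself is constructed for this example.
# The full knowledge base holds hundreds of techniques and also indexes them by platform.
TECHNIQUES = {
    "T1595": ("Active Scanning", {"Reconnaissance"}),
    "T1583": ("Acquire Infrastructure", {"Resource Development"}),
    "T1566": ("Phishing", {"Initial Access"}),
    "T1078": ("Valid Accounts", {"Initial Access", "Persistence", "Privilege Escalation", "Defense Evasion"}),
    "T1059": ("Command and Scripting Interpreter", {"Execution"}),
    "T1547": ("Boot or Logon Autostart Execution", {"Persistence", "Privilege Escalation"}),
    "T1562": ("Impair Defenses", {"Defense Evasion"}),
    "T1003": ("OS Credential Dumping", {"Credential Access"}),
    "T1082": ("System Information Discovery", {"Discovery"}),
    "T1021": ("Remote Services", {"Lateral Movement"}),
    "T1005": ("Data from Local System", {"Collection"}),
    "T1071": ("Application Layer Protocol", {"Command and Control"}),
    "T1041": ("Exfiltration Over C2 Channel", {"Exfiltration"}),
    "T1486": ("Data Encrypted for Impact", {"Impact"}),
}

# Constructed detection inventory: rule name -> (technique ID, depth of detection).
# "telemetry": the relevant events are collected but no alerting logic exists yet.
# "analytic":  a rule or model actually fires on the behaviour.
LEVELS = {"none": 0, "telemetry": 1, "analytic": 2}
DETECTIONS = {
    "mail-gateway-attachment-alert": ("T1566", "analytic"),
    "suspicious-powershell-cmdline": ("T1059", "analytic"),
    "lsass-handle-access": ("T1003", "analytic"),
    "new-run-key-written": ("T1547", "telemetry"),
    "rdp-logon-from-workstation": ("T1021", "telemetry"),
    "dns-beaconing-model": ("T1071", "analytic"),
}

# Constructed behaviour profile of a hypothetical group the organisation tracks (not a real ATT&CK group).
TRACKED_GROUP = {"name": "EXAMPLE-GROUP (hypothetical)",
                 "techniques": {"T1566", "T1078", "T1059", "T1003", "T1021", "T1486"}}


def detection_level(technique_id, detections=DETECTIONS):
    """Best depth of coverage for a technique across all rules (0 = none, 1 = telemetry, 2 = analytic)."""
    return max((LEVELS[level] for tid, level in detections.values() if tid == technique_id), default=0)


def coverage_by_tactic(techniques=TECHNIQUES, detections=DETECTIONS):
    """Per tactic column: (techniques with any coverage, total techniques in that column)."""
    covered, total = defaultdict(int), defaultdict(int)
    for tid, (_, tactics) in techniques.items():
        for tactic in tactics:
            total[tactic] += 1
            if detection_level(tid, detections) > 0:
                covered[tactic] += 1
    return {t: (covered[t], total[t]) for t in TACTICS if total[t]}


def prioritized_gaps(techniques=TECHNIQUES, detections=DETECTIONS, group=TRACKED_GROUP):
    """Uncovered techniques, ordered by the page's two heuristics: techniques the tracked
    group uses come first, and within each bucket the earliest tactic in the chain comes first."""
    def sort_key(tid):
        earliest = min(TACTICS.index(t) for t in techniques[tid][1])
        return (tid not in group["techniques"], earliest, tid)
    gaps = [tid for tid in techniques if detection_level(tid, detections) == 0]
    return sorted(gaps, key=sort_key)


def scorecard(techniques=TECHNIQUES, detections=DETECTIONS, group=TRACKED_GROUP):
    """Human-readable scorecard: per-tactic coverage plus the ordered gap list ('*' = tracked group uses it)."""
    lines = ["Coverage by tactic (covered/total techniques in subset):"]
    for tactic, (c, n) in coverage_by_tactic(techniques, detections).items():
        lines.append(f"  {tactic:<22} {c}/{n}")
    lines.append(f"Prioritised gaps ({group['name']} techniques first, then earliest tactic):")
    for tid in prioritized_gaps(techniques, detections, group):
        name, tactics = techniques[tid]
        flag = "*" if tid in group["techniques"] else " "
        lines.append(f" {flag} {tid} {name} [{', '.join(sorted(tactics, key=TACTICS.index))}]")
    return "\n".join(lines)


if __name__ == "__main__":
    print(scorecard())
```

Run the script and the scorecard reports, for instance, Initial Access at 1/2 and Defense Evasion at 0/2, then lists T1078 and T1486 ahead of the other gaps because the tracked group uses them. Counting a technique under every tactic column it appears in (Valid Accounts sits under four) is what makes the per-column view match the matrix layout; the same script can be rerun after each new rule ships to track progress over time, as the page suggests.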
