MITRE ATT&CK

MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a comprehensive framework and knowledge base that provides information about the tactics, techniques, and procedures (TTPs) that cyber adversaries use during different stages of a cyber attack. It was developed by MITRE to help cybersecurity professionals and organizations understand and defend against real-world cyber threats more effectively.

The ATT&CK framework is organized into matrices that cover different platforms, such as Windows, macOS, Linux, cloud environments, and mobile devices. Each matrix is divided into rows (tactics) and columns (techniques). Here's how it works:

  1. Tactics - Tactics represent the high-level goals that attackers aim to achieve during a cyber attack. Examples of tactics include Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, and Impact. These tactics are the stages of a typical attack lifecycle.

  2. Techniques - Techniques are the specific methods or actions that attackers use to accomplish the goals outlined in the tactics. Each technique describes a step or action taken by an attacker to achieve a specific objective. For instance, within the Execution tactic, there could be techniques like "Command-Line Interface" and "Scripting."

  3. Procedure Examples - For each technique, MITRE provides real-world examples of how attackers have used that technique in actual cyber attacks. These examples help provide context and insights into how attackers operate.

  4. Mitigations - Alongside the techniques, MITRE also provides information about potential mitigations that organizations can implement to defend against or prevent those techniques. These mitigations can help organizations strengthen their security posture.

  5. Groups and Software - The ATT&CK framework also associates techniques with known threat actor groups and specific malware or tools they have used. This provides information about the adversaries associated with each technique and helps organizations understand the threat landscape.

  6. Data Sources - For each technique, ATT&CK suggests the types of data sources (logs, events, etc.) that organizations can monitor to detect and respond to that technique's use.

By using the ATT&CK framework, organizations can:

  • Improve Detection and Response - By understanding the techniques used by adversaries, organizations can develop more effective strategies to detect and respond to cyber threats.

  • Enhance Threat Intelligence - ATT&CK provides a standardized way to describe and share threat intelligence, making it easier for organizations to collaborate and share insights about emerging threats.

  • Evaluate Security Tools - Organizations can use ATT&CK to assess how well their security tools and technologies cover various attack techniques. This helps in selecting and optimizing security solutions.

  • Train Security Professionals - ATT&CK can be used to train security professionals and help them understand the tactics and techniques that attackers might employ.
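As an added example (not part of the original page, and not MITRE's own tooling), the script below reads a constructed miniature of the STIX 2.1 bundle ATT&CK publishes, indexes techniques by tactic and data source (the structure described in items 1, 2 and 6 above), and then scores a detection rule set's coverage per tactic, the tool-evaluation use just listed. The bundle contents, the rules and the placeholder ID T0000 are hypothetical samples; only the STIX field names mirror the published data.

```python
from collections import defaultdict
# Constructed miniature ATT&CK STIX 2.1 bundle: same object shape as enterprise-attack.json, hypothetical sample.
BUNDLE = {"type": "bundle", "objects": [
    {"type": "attack-pattern", "name": "Command and Scripting Interpreter",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1059"}],
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "execution"}],
     "x_mitre_data_sources": ["Command: Command Execution", "Process: Process Creation"]},
    {"type": "attack-pattern", "name": "Scheduled Task/Job",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1053"}],
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": p}
                           for p in ("execution", "persistence", "privilege-escalation")],
     "x_mitre_data_sources": ["Scheduled Job: Scheduled Job Creation"]},
    {"type": "attack-pattern", "name": "OS Credential Dumping",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1003"}],
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "credential-access"}],
     "x_mitre_data_sources": ["Process: OS API Execution", "Command: Command Execution"]},
    {"type": "attack-pattern", "name": "Retired technique (placeholder)", "revoked": True,  # real bundles keep revoked objects
     "external_references": [{"source_name": "mitre-attack", "external_id": "T0000"}],
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "execution"}]},
]}
# Constructed detection rules, tagged with technique IDs the way Sigma rule tags are.
RULES = [{"title": "Encoded PowerShell command line", "techniques": ["T1059"]},
         {"title": "schtasks.exe creates a task", "techniques": ["T1053"]}]

def index_techniques(bundle):
    """Technique ID -> name, tactics, data sources; revoked/deprecated objects are skipped."""
    techs = {}
    for obj in bundle["objects"]:
        if obj["type"] != "attack-pattern" or obj.get("revoked") or obj.get("x_mitre_deprecated"):
            continue
        tid = next(r["external_id"] for r in obj["external_references"]
                   if r["source_name"] == "mitre-attack")
        techs[tid] = {"name": obj["name"], "data_sources": obj.get("x_mitre_data_sources", []),
                      "tactics": [p["phase_name"] for p in obj.get("kill_chain_phases", [])
                                  if p["kill_chain_name"] == "mitre-attack"]}
    return techs

def coverage_by_tactic(techs, rules):
    """Per tactic: technique IDs some rule claims vs. those no rule covers."""
    claimed = {t for r in rules for t in r["techniques"]}
    result = defaultdict(lambda: {"covered": set(), "uncovered": set()})
    for tid, t in techs.items():
        for tactic in t["tactics"]:
            result[tactic]["covered" if tid in claimed else "uncovered"].add(tid)
    return dict(result)

def data_sources_to_collect(techs, rules):
    """Data sources ATT&CK lists for uncovered techniques: where to add logging first."""
    claimed = {t for r in rules for t in r["techniques"]}
    return sorted({ds for tid, t in techs.items() if tid not in claimed for ds in t["data_sources"]})
```

A rule tagged with a technique only claims coverage; the mapping says nothing about whether the rule actually fires, so pair this with adversary-emulation tests before trusting the percentages.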