Introduction to the MITRE ATT&CK Framework
MITRE’s Adversarial Tactics, Techniques and Common Knowledge (ATT&CK) framework is a collection of information about advanced persistent threats (APTs) that commonly target enterprise networks. The goal of the framework is to collect all relevant and available information about these groups and organize it in a way that makes it accessible and usable for enterprise security teams.
The framework was originally used internally at MITRE to develop realistic simulations of adversary tactics in order to help design and test potential defenses against them. It focuses on higher-level adversary information, such as tactics, techniques, and procedures (TTPs), that tends to persist throughout the lifecycle of a group, rather than on more transient indicators like IP addresses, specific malware variants, etc. MITRE made the framework publicly available in May 2015 so that other organizations could take advantage of the data and organizational structure provided by ATT&CK.
At its core, ATT&CK is a large database of the tools, techniques, and procedures that adversaries could use to achieve particular goals over the course of a cyberattack (gaining and maintaining access, stealing credentials, etc.). The main value of the framework is its organization, which allows a user to access this data in a variety of ways and thereby answer specific questions. Three of the main front-ends to the database are the Enterprise ATT&CK Matrix, the Pre-ATT&CK Matrix, and the list of Groups.
Enterprise ATT&CK Matrix
The Enterprise ATT&CK Matrix is the most widely familiar component of the MITRE ATT&CK framework. It organizes the various techniques used by threat actors according to their role in the attack chain of an incident. The framework breaks an incident into stages including the following:
- Initial Access
- Privilege Escalation
- Defense Evasion
- Credential Access
- Lateral Movement
- Command and Control
Under each stage is a collection of techniques that can be used to accomplish the goals of that stage. This information can be useful offensively, in developing simulations to test the effectiveness of existing tools; defensively, by encouraging the deployment of solutions that address specific threats; and during incident response, by explaining the purpose of an identified component of an attack.
MITRE’s Pre-ATT&CK Matrix serves the same purpose as the Enterprise Matrix but focuses on a different phase of the attack cycle. The Enterprise Matrix includes the steps necessary for an attacker to achieve all their objectives from initial access on, while the Pre-ATT&CK Matrix focuses on what attackers do before they ever touch your network. This includes maintaining infrastructure and all the planning stages of the operation and is broken into the following stages:
- Priority Definition Planning
- Priority Definition Direction
- Target Selection
- Technical Information Gathering
- People Information Gathering
- Organizational Information Gathering
- Technical Weakness Identification
- People Weakness Identification
- Organizational Weakness Identification
- Adversary OPSEC
- Establish & Maintain Infrastructure
- Persona Development
- Build Capabilities
- Test Capabilities
- Stage Capabilities
The information provided in this matrix can be used both reactively and proactively. From a reactive perspective, identifying the “how” after a breach is an important part of incident management and response. Proactively, an organization can analyze the information available about them that can be gathered by the listed techniques and take steps to minimize their exposure and the associated risk.
The main purpose of the ATT&CK framework is to collect information about the TTPs of various APTs, so it is logical that the database can also be searched for information on specific threat actors. The Groups page provides a list of common APT groups and includes the various names assigned to each, together with a description of their general tactics and goals. Clicking on a specific group shows the techniques and software that the group is known to use. This information can be invaluable in identifying whether a particular attack was launched by one of these groups, or in developing defenses against the group most likely to target a given organization.
Using the ATT&CK Framework
The MITRE ATT&CK framework is designed to provide easy access to a wealth of information about threat actors and their tools, techniques, and procedures. This information can be used throughout the information security lifecycle, from developing and testing defenses to incident response. Every organization could benefit from reviewing the data provided in this tool and determining which of the listed techniques and tools their cyber defenses may be vulnerable to.
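The queries described above (the matrix view of techniques by tactic, the Groups view of which techniques an actor uses, and the coverage question of which listed techniques an organization's defenses are not prepared for) all come down to a few lookups over the same small data model. The following Python is an added illustration, not code from MITRE or from this article: the technique IDs (TX...), group IDs (GX...), and the set of "covered" techniques are constructed placeholders, not real ATT&CK identifiers, and the coverage model assumes a flat list of techniques the organization has a detection or control for.

```python
"""Tiny ATT&CK-style knowledge base with defender-side coverage queries.

Added example. All data below is constructed for illustration; the IDs are
placeholders and do not correspond to real ATT&CK technique or group entries.
"""
from collections import defaultdict

# A technique may belong to more than one tactic, just as in the real matrix.
TECHNIQUES = {
    "TX001": {"name": "Spearphishing Attachment", "tactics": ["Initial Access"]},
    "TX002": {"name": "Valid Accounts",
              "tactics": ["Initial Access", "Privilege Escalation", "Defense Evasion"]},
    "TX003": {"name": "Credential Dumping", "tactics": ["Credential Access"]},
    "TX004": {"name": "Remote Services", "tactics": ["Lateral Movement"]},
    "TX005": {"name": "Application Layer Protocol", "tactics": ["Command and Control"]},
    "TX006": {"name": "Obfuscated Files", "tactics": ["Defense Evasion"]},
}

# Group -> techniques the group is known to use (constructed).
GROUPS = {
    "GX01": {"name": "Example Group A", "techniques": ["TX001", "TX003", "TX004", "TX005"]},
    "GX02": {"name": "Example Group B", "techniques": ["TX002", "TX003", "TX006", "TX005"]},
}

# Techniques the (hypothetical) organization already has a detection or control for.
COVERED = {"TX001", "TX005"}


def techniques_by_tactic(techniques=TECHNIQUES):
    """Matrix view: invert the technique table into tactic -> sorted technique IDs."""
    matrix = defaultdict(list)
    for tid, info in techniques.items():
        for tactic in info["tactics"]:
            matrix[tactic].append(tid)
    return {tactic: sorted(ids) for tactic, ids in matrix.items()}


def groups_using(technique_id, groups=GROUPS):
    """Reverse lookup: which groups are known to use a given technique."""
    return sorted(gid for gid, info in groups.items() if technique_id in info["techniques"])


def group_gaps(group_id, covered=COVERED, groups=GROUPS):
    """Techniques a specific group uses that the organization has no coverage for."""
    return sorted(t for t in groups[group_id]["techniques"] if t not in covered)


def tactic_coverage(covered=COVERED, techniques=TECHNIQUES):
    """Per tactic, the fraction (0.0-1.0) of its techniques that are covered."""
    matrix = techniques_by_tactic(techniques)
    return {
        tactic: round(sum(1 for t in ids if t in covered) / len(ids), 2)
        for tactic, ids in matrix.items()
    }


def prioritized_gaps(covered=COVERED, techniques=TECHNIQUES, groups=GROUPS):
    """Uncovered techniques, most-used-by-groups first (ties broken by ID).

    This is the 'where should we invest next' question: a gap shared by many
    tracked groups is usually worth closing before a gap used by only one.
    """
    uncovered = [t for t in techniques if t not in covered]
    return sorted(uncovered, key=lambda t: (-len(groups_using(t, groups)), t))


if __name__ == "__main__":
    for tactic, ids in techniques_by_tactic().items():
        print(f"{tactic}: {', '.join(ids)}")
    print("Gaps vs. GX01:", group_gaps("GX01"))
    print("Coverage by tactic:", tactic_coverage())
    print("Close these first:", prioritized_gaps())
```

In practice the three tables would be loaded from the published ATT&CK data rather than typed in, and `COVERED` would come from a mapping of deployed detections and controls to technique IDs; the query functions stay the same either way.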
Sword & Shield’s managed security services utilize the MITRE ATT&CK and Cyber Kill Chain frameworks to build a comprehensive 24x7x365 monitoring program for our customers. Using our internal threat intelligence team, your environment will be protected against the most advanced and recent adversarial tactics, techniques, and procedures (TTPs).