MITRE ATT&CK Framework

Pranav November 15, 2021


MITRE ATT&CK stands for MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK). This framework is a curated knowledge base and model for cyber adversary behaviors, reflecting the various phases of an adversary's attack lifestyle and the platforms they are known to target.

The tactics and techniques abstraction in the model provides a common taxonomy of individual adversary actions understood by both the offensive and defensive sides of cyber security.

So all that sounds really complex, right? Not really. Let's dive right in.

Why was it made?

MITRE ATT&CK was created in 2013 as a result of MITRE's Fort Meade Experiment (FMX) where researchers emulated both adversary and defender behavior in an effort to improve post-compromise detection of threats through telemetry sensing and behavioral analysis. 

The key question for the researchers was "How well are we doing at detecting documented adversary behavior?" To answer that question, the researchers developed ATT&CK, which was used as a tool to categorize adversary behavior.

The MITRE ATT&CK Matrix

The MITRE ATT&CK matrix contains a set of techniques used by adversaries to accomplish a specific objective. Those objectives are categorized as tactics in the ATT&CK Matrix. The objectives are presented linearly from the point of reconnaissance to the final goal of exfiltration or "impact". 

Looking at the broadest version of ATT&CK for Enterprise, which includes Windows, MacOS, Linux, AWS, GCP, Azure, Azure AD, Office 365, SaaS, and Network environments, the following adversary tactics are categorized:
 
  1. Reconnaissance: gathering information to plan future adversary operations, i.e., information about the target organization
  2. Resource Development: establishing resources to support operations, i.e., setting up command and control infrastructure
  3. Initial Access: trying to get into your network, i.e., spear phishing
  4. Execution: trying the run malicious code, i.e., running a remote access tool
  5. Persistence: trying to maintain their foothold, i.e., changing configurations
  6. Privilege Escalation: trying to gain higher-level permissions, i.e., leveraging a vulnerability to elevate access
  7. Defense Evasion: trying to avoid being detected, i.e., using trusted processes to hide malware
  8. Credential Access: stealing accounts names and passwords, i.e., keylogging
  9. Discovery: trying to figure out your environment, i.e., exploring what they can control
  10. Lateral Movement: moving through your environment, i.e., using legitimate credentials to pivot through multiple systems
  11. Collection: gathering data of interest to the adversary goal, i.e., accessing data in cloud storage
  12. Command and Control: communicating with compromised systems to control them, i.e., mimicking normal web traffic to communicate with a victim network
  13. Exfiltration: stealing data, i.e., transfer data to cloud account
  14. Impact: manipulate, interrupt, or destroy systems and data, i.e., encrypting data with ransomware
Within each tactic of the MITRE ATT&CK matrix there are adversary techniques, which describe the actual activity carried out by the adversary. Some techniques have sub-techniques that explain how an adversary carries out a specific technique in greater detail. The full ATT&CK Matrix for Enterprise from the MITRE ATT&CK navigator is represented below:



MITRE ATT&CK vs the Cyber Kill Chain:

The Lockheed Martin Cyber Kill Chain is another well-known framework for understanding adversary behavior in a cyber-attack. The Kill Chain model contains the following stages, presented in sequence:

  1. Reconnaissance – Harvests email addresses, conference information, etc.
  2. Weaponization – Couples exploit with backdoor into deliverable payload.
  3. Delivery – Delivers weaponized bundle to the victim via email, web, USB, etc
  4. Exploitation – Exploits a vulnerability to execute code on a victim's system.
  5. Installation – Installs malware on the asset.
  6. Command & Control (C2) – Includes command channel for remote manipulation
  7. Actions on Objectives – Using 'Hands on Keyboards' access, intruders accomplish their original goals





Connect with me on Linkedin

0 Comments