
A Quick Overview of MITRE ATT&CK

MITRE ATT&CK® is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. It is a freely available resource for the military, intelligence, government, and academic communities.

MITRE is a non-profit company that “works in the public interest across federal, state and local governments, as well as industry and academia.” It created the MITRE ATT&CK framework.

You might be wondering what MITRE ATT&CK is and what some MITRE ATT&CK techniques are. We answer these questions and more below.


What Does MITRE ATT&CK Stand For?


The acronym MITRE ATT&CK stands for MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK). 

By cataloging these techniques, MITRE aims to make the world safer by bringing communities together to build more effective cybersecurity solutions.

ATT&CK is a free framework that is accessible to anybody or any organization that wants to use it.

MITRE ATT&CK Framework Explained

In 2013, the MITRE Corporation, a non-profit organization that assists several United States federal departments, started creating the MITRE ATT&CK framework. Since its formal launch in May 2015, the framework has undergone multiple revisions, typically issued every three months.

The top questions that ATT&CK aims to answer include:

  • How effective are my cybersecurity defenses?
  • Can I detect and thwart the threats of the day (whatever they may be)?
  • With limited tools, can I defend my organization?

ATT&CK is a knowledge base of adversary behavior built from real-world observations. It is free, open, and globally accessible, and it gives defenders a common language and a community-driven mindset.

MITRE relies on the community to share the persistent threats they are seeing and the tactics, techniques, and procedures (TTPs) that are working or not working in cyber defense. More than 90 organizations contribute knowledge regularly to the framework. This “boots on the ground” intel gives the company a better idea of what is happening in the world of cybersecurity, which it then distills and shares.

Elements of the Enterprise ATT&CK MITRE Framework

The Enterprise ATT&CK framework is organized into 14 tactics (referred to as elements throughout this post). These are:

  1. Reconnaissance
  2. Resource Development
  3. Initial Access
  4. Execution
  5. Persistence
  6. Privilege Escalation
  7. Defense Evasion
  8. Credential Access
  9. Discovery
  10. Lateral Movement
  11. Collection
  12. Command and Control
  13. Exfiltration
  14. Impact

The first two elements, reconnaissance and resource development, are considered the “Pre-ATT&CK” phase: the stage at which cybercriminals are working out how to “break in.” The remaining elements of the framework describe how the bad actors gain unauthorized access and what they do once they are in.

MITRE ATT&CK Techniques

ATT&CK serves as a knowledge repository of cyber adversary behavior and actions throughout the attack lifecycle, cataloging and classifying them in a consistent way.

The ATT&CK framework is divided into two parts: ATT&CK for Enterprise, which covers behavior against enterprise IT networks and the cloud, and ATT&CK for Mobile, which covers behavior against mobile devices.

Tactics

Within ATT&CK, tactics constitute the "why" behind techniques and sub-techniques. A tactic is the adversary's tactical goal, the reason an action is being performed. For example, a cybercriminal may be trying to obtain credentials in order to gain entry to a website or network.

Techniques

A technique represents "how" an adversary achieves a tactical goal by performing an action. For example, to gain access to a system, an attacker may guess credentials.

Procedures

Procedures are the specific implementation a bad actor employs. For example, an adversary might use a tool that injects into lsass.exe and scrapes LSASS memory to obtain credentials from a victim's computer.

MITRE ATT&CK Testing Tools

How can you use the MITRE ATT&CK framework to defend your organization against cybersecurity threats? Alongside the MITRE ATT&CK elements listed above, the framework lists detections and mitigations that help with testing for, detecting, preventing, and eradicating attacks and cyber threats.

For example, under the Reconnaissance element, Active Scanning is listed as a technique adversaries may use to attempt to “sneak in” to a network. The main tool recommended for detection of Active Scanning is network traffic monitoring. Spikes in traffic or “suspicious network traffic could be indicative of scanning.”


Another example is the element of “Credential Access.” One technique mentioned is Brute Force. A recommended tool for mitigation is multi-factor authentication, and another is User Account Management to reset accounts known to be part of breached credentials.
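The two examples above (Active Scanning detected through network traffic monitoring, and Brute Force mitigated by MFA and account resets) can be turned into simple detections. The following is an added illustration written for this post, not code from MITRE or Rivial Security; the flow records, auth events, and thresholds are constructed sample values, and real telemetry would need tuning.

```python
from collections import defaultdict

# Constructed sample telemetry (not real data). Flow records are
# (src_ip, dst_ip, dst_port); auth events are (user, src_ip, outcome).
FLOWS = [("10.0.0.5", "10.0.1.10", p) for p in range(1, 41)]            # one host probing 40 ports
FLOWS += [("10.0.0.8", "10.0.1.10", 443), ("10.0.0.8", "10.0.1.10", 80)]  # ordinary client
AUTH = [("alice", "203.0.113.7", "fail")] * 12 + [("alice", "203.0.113.7", "success")]
AUTH += [("bob", "198.51.100.2", "fail"), ("bob", "198.51.100.2", "success")]


def detect_active_scanning(flows, port_threshold=20):
    """Reconnaissance / Active Scanning: one source touching many distinct
    destination ports on a host is the 'suspicious network traffic' the post
    mentions. Returns findings tagged with the ATT&CK tactic and technique."""
    ports = defaultdict(set)
    for src, dst, port in flows:
        ports[(src, dst)].add(port)
    return [
        {"tactic": "Reconnaissance", "technique": "Active Scanning",
         "src": src, "dst": dst, "distinct_ports": len(p)}
        for (src, dst), p in ports.items() if len(p) >= port_threshold
    ]


def detect_brute_force(events, fail_threshold=5):
    """Credential Access / Brute Force: repeated failed logons for one account
    from one source, flagged more urgently when a success follows. Each finding
    carries the mitigations the post names (MFA, resetting the account)."""
    fails = defaultdict(int)
    success_after_fails = set()
    for user, src, outcome in events:
        if outcome == "fail":
            fails[(user, src)] += 1
        elif outcome == "success" and fails[(user, src)] >= fail_threshold:
            success_after_fails.add((user, src))
    return [
        {"tactic": "Credential Access", "technique": "Brute Force",
         "user": user, "src": src, "failures": n,
         "followed_by_success": (user, src) in success_after_fails,
         "mitigations": ["Multi-factor Authentication", "User Account Management"]}
        for (user, src), n in fails.items() if n >= fail_threshold
    ]


if __name__ == "__main__":
    for finding in detect_active_scanning(FLOWS) + detect_brute_force(AUTH):
        print(finding)
```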

For a full breakdown of all techniques, and the detections and mitigations for each of the 14 elements in the MITRE ATT&CK framework, see the MITRE ATT&CK knowledge base at https://attack.mitre.org. The more you learn about the threats online, the sooner you can develop an internal framework for your own organization. If you would like assistance with this, contact Rivial Security to learn more about our cybersecurity solutions.
