The MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework is a curated knowledge base of tactics, techniques, and procedures (TTPs) that helps organizations understand and analyze cyber threats. It classifies adversarial behaviors and provides a common language for cybersecurity professionals to describe and communicate about cyberattacks.
Unlike other cybersecurity models that focus primarily on defense mechanisms, MITRE ATT&CK takes the attacker’s perspective. This approach lets organizations see how adversaries think and operate, which makes it easier to anticipate their moves and mitigate risk. Initially used for threat detection, the framework is now widely adopted for vulnerability management, threat intelligence, and incident response.
Evolution and History of the MITRE ATT&CK Framework
Developed in 2013 by the MITRE Corporation, the framework uses real-world observations of attacks to document how adversaries operate. It has become an industry standard for threat detection, adversary emulation, and red teaming.
The MITRE ATT&CK framework originated from research conducted within MITRE’s FMX project to improve threat detection on Microsoft Windows systems. Since its public release in 2015, the framework has grown significantly. It now includes coverage for Linux, macOS, mobile devices, cloud environments, and industrial control systems (ICS).
Key milestones in the framework’s evolution include:
- 2017: Expansion to cover macOS and Linux.
- 2017: Introduction of the Mobile ATT&CK Matrix for threats targeting mobile devices.
- 2019: Launch of ATT&CK for Cloud, focusing on cloud environments like AWS, Azure, and Google Cloud.
- 2020: Introduction of sub-techniques to add granularity to existing techniques, allowing for more precise documentation of adversarial behaviors.
This continuous evolution and refinement make MITRE ATT&CK a dynamic and up-to-date resource for understanding the latest threats.
Understanding the MITRE ATT&CK Matrices
The MITRE ATT&CK framework consists of multiple matrices, each tailored to a specific domain:
1. Enterprise ATT&CK Matrix
The Enterprise ATT&CK matrix covers tactics and techniques adversaries use to attack enterprise networks, including various platforms like Windows, macOS, Linux, Azure AD, and SaaS environments. It is the most widely used matrix, providing detailed insights into how adversaries compromise and operate within an enterprise.
2. Mobile ATT&CK Matrix
The Mobile ATT&CK matrix focuses on threats to mobile devices. It highlights tactics and techniques for iOS and Android platforms. It also covers methods attackers use without requiring physical access to the device, such as exploiting mobile apps or network services.
3. ICS ATT&CK Matrix
The ICS ATT&CK matrix is designed for industrial control systems in the energy, manufacturing, and utilities sectors. This matrix includes tactics and techniques unique to ICS environments, such as manipulating control system devices or exploiting industrial protocols.
4. Pre-ATT&CK Matrix
PRE-ATT&CK extends the scope of MITRE ATT&CK beyond specific technology domains. It documents adversary activities that precede access to a network, such as gathering requirements, performing reconnaissance, and preparing for an attack.
It focuses on the early, technology-independent stages of an attack, modeling the strategies and tactics adversaries use to target and plan attacks against organizations before they penetrate a network. This helps organizations anticipate and defend against threats earlier in the attack lifecycle.
Each matrix provides detailed descriptions of attacker tactics, techniques, and common knowledge, along with detection and mitigation guidance where applicable and examples of real-world use.
When viewing a matrix such as the Enterprise ATT&CK matrix, the tactics are listed horizontally across the top, and the associated techniques and sub-techniques appear beneath each tactic. For example, under the Initial Access tactic you can find the Phishing technique and its three sub-techniques: Spearphishing Attachment, Spearphishing Link, and Spearphishing via Service. On the MITRE website, you can click on a tactic, technique, or sub-technique to get detailed information on it.
Components of the MITRE ATT&CK Framework
The MITRE ATT&CK framework is built around three core components: tactics, techniques, and sub-techniques.
Primary Components
Tactics
Tactics represent the overarching goals or objectives adversaries try to achieve during an attack. These are the different stages of the attack lifecycle, such as gaining access, escalating privileges, or exfiltrating data.
The Enterprise ATT&CK Matrix outlines 14 tactics, listed here in the order they appear across the matrix:
- Reconnaissance
- Resource Development
- Initial Access
- Execution
- Persistence
- Privilege Escalation
- Defense Evasion
- Credential Access
- Discovery
- Lateral Movement
- Collection
- Command and Control (C2)
- Exfiltration
- Impact
Example Tactic: Execution
- Adversaries aim to run malicious code on a victim’s system.
- This tactic can involve script execution, command-line interface abuse, or malicious document macros.
Techniques
Techniques describe “how” adversaries achieve their tactical goals. For example, phishing is a technique used for Initial Access, while process injection can be used for Privilege Escalation. Each technique in the framework is associated with one or more tactics.
Example Technique: Command and Scripting Interpreter (T1059)
- Linked to the Execution tactic.
- This technique covers the use of command-line interfaces and scripting engines (such as PowerShell or Bash) to execute malicious code.
- Sub-technique: PowerShell (T1059.001), where adversaries abuse PowerShell to execute commands or scripts on a Windows system.
Sub-techniques
Sub-techniques provide a more granular breakdown of techniques. For example, the brute force technique can be divided into sub-techniques like password guessing, password cracking, password spraying and credential stuffing.
Supporting Components
Data Sources are the types of logs, telemetry, or information that security teams can collect to detect adversarial activity. Knowing which data sources are relevant to each technique helps teams decide what to monitor and how to detect it.
Example Data Source: Process Monitoring
- Process monitoring is used to detect the Command and Scripting Interpreter technique. By monitoring process creation, security teams can see when PowerShell or other interpreters are invoked and flag suspicious executions.
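As an added illustration of this data source (example code written for this article, not part of the ATT&CK project or any vendor product), the Python below runs a small detection over constructed process-creation events in a Sysmon-like shape and tags each interpreter launch with the matching sub-technique ID. The interpreter-to-ID mapping, the list of Office parent processes, and the severity rules are assumptions of the example; T1059.003 (Windows Command Shell) is a real sub-technique that the text above does not mention, and the events themselves are made up.

```python
import base64
import re

# Interpreter binaries mapped to ATT&CK sub-technique IDs. T1059.001 (PowerShell)
# is discussed above; T1059.003 is Windows Command Shell. Extend as needed.
INTERPRETERS = {
    "powershell.exe": "T1059.001",
    "pwsh.exe": "T1059.001",
    "cmd.exe": "T1059.003",
}
# Parents that rarely have a legitimate reason to launch an interpreter
# (assumed list; this is the "malicious document macro" case from the Execution tactic).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

ENCODED_FLAG = re.compile(r"(?i)\s-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)")
HIDDEN_FLAG = re.compile(r"(?i)\s-w(?:indowstyle)?\s+hidden\b")


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Decode a PowerShell -EncodedCommand payload (base64 of UTF-16LE); None if absent."""
    match = ENCODED_FLAG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return "<undecodable>"


def analyze_event(event):
    """Return an ATT&CK-tagged alert for an interpreter launch, or None for other processes."""
    technique = INTERPRETERS.get(basename(event["Image"]))
    if technique is None:
        return None
    reasons, severity = [], "low"
    parent = basename(event["ParentImage"])
    if parent in OFFICE_PARENTS:
        reasons.append(f"spawned by Office application {parent}")
        severity = "high"
    decoded = decode_encoded_command(event["CommandLine"])
    if decoded is not None:
        reasons.append("encoded command line")
        severity = "high"
    if HIDDEN_FLAG.search(event["CommandLine"]):
        reasons.append("hidden window")
        if severity == "low":
            severity = "medium"
    return {
        "technique": technique,
        "severity": severity,
        "user": event.get("User"),
        "command_line": event["CommandLine"],
        "decoded_command": decoded,
        "reasons": reasons,
    }


def run_detection(events):
    """Run analyze_event over process-creation events and keep only the alerts."""
    return [alert for alert in map(analyze_event, events) if alert is not None]


# Constructed sample events (not real telemetry). The encoded payload is a harmless
# Write-Host, built here so the decode path is exercised.
_ENCODED = base64.b64encode("Write-Host hello".encode("utf-16-le")).decode("ascii")
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoProfile -File C:\scripts\backup.ps1",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": r"CORP\svc_backup"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc " + _ENCODED,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "User": r"CORP\alice"},
    {"Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\alice"},
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": r"cmd.exe /c dir C:\logs",
     "ParentImage": r"C:\Windows\System32\services.exe", "User": "NT AUTHORITY\\SYSTEM"},
]

if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["technique"], alert["user"], "|",
              "; ".join(alert["reasons"]) or "interpreter launched")
```

The scheduled backup script and the `cmd.exe` launched by `services.exe` are tagged but left at low severity, which is the point of tagging by data source: the technique ID is attached to every matching event, and context (parent process, encoded or hidden flags) decides how loudly to alert.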
Mitigations provide preventative measures organizations can take to stop or reduce the likelihood of successful techniques. These could be technical controls, process changes, or user education.
Example Mitigation: Restrict File and Directory Permissions (M1022)
- Organizations can restrict access to PowerShell, or disable it entirely for non-administrative users, to prevent attackers from abusing it (related to Command and Scripting Interpreter).
Contextual Components
Assets are the systems, environments, or devices that adversaries target. These could be endpoints, cloud environments, mobile devices, or industrial control systems. In the MITRE ATT&CK framework, each environment may have its own matrix (such as Enterprise, Mobile, or ICS).
Example Asset: Windows Endpoints
- Adversaries might target Windows machines to gain a foothold or exfiltrate data. Techniques like PowerShell abuse typically occur on this type of asset.
Groups are specific adversary teams (e.g., APTs or cybercriminal groups) known for using certain TTPs. Each group has a unique profile of behaviors and can be mapped to multiple tactics and techniques.
Example Group: APT29
- A Russian cyber espionage group known for targeting government agencies.
- Tactic and Technique Example: They are known to use Spearphishing Attachments (T1566.001) to gain initial access as part of the Initial Access tactic.
Software refers to the tools, malware, and frameworks adversaries use to conduct attacks. These can include open-source tools, commercial penetration testing tools, or custom malware.
Example Software: Mimikatz
- A tool commonly used for OS Credential Dumping (T1003), which lets attackers extract credentials from memory.
- It is used in the Privilege Escalation and Credential Access tactics.
Campaigns represent specific instances of adversary activity over time. They might involve multiple groups or different software and can span various techniques. This helps track an adversary’s methods during a particular attack sequence.
Example Campaign: SolarWinds Campaign (2020)
- Adversaries used a supply chain attack to inject malicious updates into the SolarWinds Orion platform.
- Techniques used: Supply Chain Compromise (T1195) for Initial Access and Remote System Discovery (T1018) for Discovery.
- Known groups: APT29 is suspected to be linked with the SolarWinds attack.
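To show how these components relate to each other in the data MITRE publishes, here is an added Python example (written for this article, not code from MITRE or from any vendor) that indexes a constructed miniature of the ATT&CK STIX bundle format. The object shapes follow the STIX 2.x conventions ATT&CK uses: attack-pattern, course-of-action, intrusion-set and tool objects carrying a mitre-attack external ID, kill-chain phases naming the tactic, and relationship objects of type subtechnique-of, mitigates and uses. The STIX ids such as attack-pattern--t1059 are placeholders rather than the UUID-based ids of the real data, and reporting a parent technique's mitigations for its sub-technique is a convenience of this example, not an ATT&CK rule.

```python
from collections import defaultdict


def attack_id(obj):
    """Return the ATT&CK ID (T1059, T1059.001, M1022, ...) of a STIX object, or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref["external_id"]
    return None


def attack_pattern(stix_id, ext_id, name, tactics, is_sub=False):
    """Build a minimal attack-pattern object in the shape ATT&CK publishes."""
    return {
        "type": "attack-pattern", "id": stix_id, "name": name,
        "external_references": [{"source_name": "mitre-attack", "external_id": ext_id}],
        "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": t} for t in tactics],
        "x_mitre_is_subtechnique": is_sub,
    }


def relationship(kind, source_ref, target_ref):
    return {"type": "relationship", "relationship_type": kind,
            "source_ref": source_ref, "target_ref": target_ref}


# Constructed miniature bundle. IDs and names are the ones used in this article;
# the STIX ids (attack-pattern--t1059 etc.) are placeholders, real ones are UUID-based.
SAMPLE_BUNDLE = {"type": "bundle", "objects": [
    attack_pattern("attack-pattern--t1059", "T1059", "Command and Scripting Interpreter", ["execution"]),
    attack_pattern("attack-pattern--t1059-001", "T1059.001", "PowerShell", ["execution"], is_sub=True),
    attack_pattern("attack-pattern--t1566-001", "T1566.001", "Spearphishing Attachment", ["initial-access"], is_sub=True),
    attack_pattern("attack-pattern--t1003", "T1003", "OS Credential Dumping", ["credential-access"]),
    {"type": "course-of-action", "id": "course-of-action--m1022",
     "name": "Restrict File and Directory Permissions",
     "external_references": [{"source_name": "mitre-attack", "external_id": "M1022"}]},
    {"type": "intrusion-set", "id": "intrusion-set--apt29", "name": "APT29"},
    {"type": "tool", "id": "tool--mimikatz", "name": "Mimikatz"},
    relationship("subtechnique-of", "attack-pattern--t1059-001", "attack-pattern--t1059"),
    relationship("mitigates", "course-of-action--m1022", "attack-pattern--t1059"),
    relationship("uses", "intrusion-set--apt29", "attack-pattern--t1566-001"),
    relationship("uses", "intrusion-set--apt29", "tool--mimikatz"),
    relationship("uses", "tool--mimikatz", "attack-pattern--t1003"),
]}


class AttackIndex:
    """Cross-reference tactics, techniques, sub-techniques, mitigations, groups and software."""

    def __init__(self, bundle):
        self.objects = {o["id"]: o for o in bundle["objects"] if o["type"] != "relationship"}
        self.by_attack_id = {attack_id(o): o for o in self.objects.values() if attack_id(o)}
        self.forward = defaultdict(list)   # (relationship_type, source_ref) -> [target_ref]
        self.reverse = defaultdict(list)   # (relationship_type, target_ref) -> [source_ref]
        for o in bundle["objects"]:
            if o["type"] == "relationship":
                self.forward[(o["relationship_type"], o["source_ref"])].append(o["target_ref"])
                self.reverse[(o["relationship_type"], o["target_ref"])].append(o["source_ref"])

    def tactics_of(self, tid):
        """Tactics a technique is placed under, read from its kill-chain phases."""
        phases = self.by_attack_id[tid].get("kill_chain_phases", [])
        return sorted(p["phase_name"] for p in phases if p["kill_chain_name"] == "mitre-attack")

    def subtechniques_of(self, tid):
        parent = self.by_attack_id[tid]["id"]
        return sorted(attack_id(self.objects[s]) for s in self.reverse[("subtechnique-of", parent)])

    def mitigations_of(self, tid):
        """Direct mitigations plus, for a sub-technique, those of its parent (example convenience)."""
        stix_id = self.by_attack_id[tid]["id"]
        targets = [stix_id] + self.forward[("subtechnique-of", stix_id)]
        return sorted({attack_id(self.objects[m]) for t in targets for m in self.reverse[("mitigates", t)]})

    def techniques_used_by(self, name):
        """Techniques a group uses directly or through the software it is known to use."""
        actor = next(o["id"] for o in self.objects.values() if o.get("name") == name)
        found = set()
        for target in self.forward[("uses", actor)]:
            obj = self.objects[target]
            if obj["type"] == "attack-pattern":
                found.add(attack_id(obj))
            elif obj["type"] in ("tool", "malware"):
                for t in self.forward[("uses", obj["id"])]:
                    if self.objects[t]["type"] == "attack-pattern":
                        found.add(attack_id(self.objects[t]))
        return sorted(found)


if __name__ == "__main__":
    idx = AttackIndex(SAMPLE_BUNDLE)
    print("T1059.001 tactics:", idx.tactics_of("T1059.001"))
    print("T1059 sub-techniques:", idx.subtechniques_of("T1059"))
    print("T1059.001 mitigations:", idx.mitigations_of("T1059.001"))
    print("APT29 techniques:", idx.techniques_used_by("APT29"))
```

The same index works unchanged on the full enterprise-attack bundle that MITRE publishes in its attack-stix-data repository once it is loaded with `json.load`; only the sample bundle here is constructed.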
How to Use the MITRE ATT&CK Framework
Organizations leverage MITRE ATT&CK in various ways to enhance their cybersecurity posture and understand events from an attacker’s perspective:
Adversary Emulation
Security teams use the framework to mimic known adversary behaviors during security tests. Organizations can identify weaknesses and improve defenses by emulating how real-world adversaries attack their systems.
Red Teaming
Red teams apply the framework to conduct realistic penetration tests, simulating adversarial tactics and techniques. This helps organizations test their detection and response capabilities against sophisticated attacks.
Behavioral Analytics Development
The framework’s documentation of adversary behaviors helps security teams develop advanced detection mechanisms based on attackers’ tactics and techniques.
Defensive Gap Assessment
Organizations use ATT&CK to identify gaps in their current security controls. By mapping their defenses against ATT&CK techniques, they can prioritize investments and strengthen their security posture. Additional countermeasures can be viewed on the corresponding MITRE D3FEND site.
SOC Maturity Assessment
The framework can be used to evaluate a Security Operations Center (SOC) by assessing how effectively it detects and responds to ATT&CK techniques.
MITRE ATT&CK Tools and Resources
Several tools are built around the MITRE ATT&CK framework to help organizations operationalize it:
- ATT&CK Navigator: A visualization tool that helps users navigate and analyze the various matrices.
- MITRE Cyber Analytics Repository (CAR): A resource that provides analytics for detecting adversarial behaviors documented in the ATT&CK framework.
- Caldera: An automated red-teaming tool that simulates adversarial behavior based on ATT&CK techniques.
- Red Canary Atomic Red Team: An open-source tool that allows organizations to test their defenses against specific ATT&CK techniques.
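The Defensive Gap Assessment described above and the ATT&CK Navigator in the list come together in practice as a layer file: techniques coloured by how much control coverage exists for each. The Python below is an added example (written for this article, not code from MITRE, the Navigator project, or any vendor) that scores a constructed control inventory against a constructed list of relevant techniques and emits a Navigator layer. The inventory, the technique list (which includes T1566.002, Spearphishing Link, not mentioned in the text), the thresholds for gap/partial/covered, and the version strings in the layer header are all assumptions of the example.

```python
import json

# Constructed inventory of controls mapped to technique IDs (made up for the example).
CONTROL_COVERAGE = {
    "T1059.001": ["EDR script block logging", "AppLocker rules for PowerShell"],
    "T1566.001": ["Mail attachment sandboxing"],
    "T1018": ["Network flow analytics"],
    "T1003": [],
}
# Techniques a threat profile marks as relevant; T1566.002 (Spearphishing Link) is
# assumed here and is not discussed in the text above.
RELEVANT_TECHNIQUES = ["T1059.001", "T1566.001", "T1566.002", "T1003", "T1195", "T1018"]

# Thresholds are an assumption of the example: 0 controls = gap, 1 = partial, 2+ = covered.
STATUS_BY_SCORE = {0: "gap", 1: "partial", 2: "covered"}
COLOR_BY_STATUS = {"gap": "#ff6666", "partial": "#ffe766", "covered": "#8ec843"}


def assess_gaps(relevant, coverage):
    """Map each relevant technique to its controls, a 0-2 score and a status label."""
    result = {}
    for tid in relevant:
        controls = coverage.get(tid, [])
        score = min(len(controls), 2)
        result[tid] = {"controls": controls, "score": score, "status": STATUS_BY_SCORE[score]}
    return result


def list_gaps(assessment):
    """Techniques with no mapped control at all, sorted for a report."""
    return sorted(tid for tid, a in assessment.items() if a["status"] == "gap")


def to_navigator_layer(assessment, name, attack_version="14"):
    """Build an ATT&CK Navigator layer (as a dict) colouring each technique by status."""
    return {
        "name": name,
        # Version strings are assumed for the example; Navigator tolerates nearby versions.
        "versions": {"attack": attack_version, "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": "Control coverage per technique: red = gap, yellow = partial, green = covered",
        "techniques": [
            {"techniqueID": tid, "score": a["score"], "color": COLOR_BY_STATUS[a["status"]],
             "comment": "; ".join(a["controls"]) or "no mapped control", "enabled": True}
            for tid, a in sorted(assessment.items())
        ],
        "gradient": {"colors": ["#ff6666", "#ffe766", "#8ec843"], "minValue": 0, "maxValue": 2},
        "legendItems": [{"label": s, "color": c} for s, c in COLOR_BY_STATUS.items()],
    }


def layer_json(assessment, name):
    """Serialised layer ready to be saved and opened in Navigator."""
    return json.dumps(to_navigator_layer(assessment, name), indent=2)


if __name__ == "__main__":
    assessment = assess_gaps(RELEVANT_TECHNIQUES, CONTROL_COVERAGE)
    print("Gaps:", ", ".join(list_gaps(assessment)))
    print(layer_json(assessment, "Control coverage gaps"))
```

Saving the printed JSON to a file and opening it through Navigator's "Open Existing Layer" option renders the coloured matrix; the gap list alone is already a prioritised to-do list for the control owners.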
Benefits of the MITRE ATT&CK Framework
The MITRE ATT&CK framework offers numerous benefits, including:
- Informed Decision-Making: ATT&CK provides data-driven insights into adversary behaviors, enabling CISOs to make more informed decisions on security investments, resource allocation, and risk management.
- Improved Risk Management: By mapping the organization’s defenses to known tactics, techniques, and procedures (TTPs), CISOs can better identify gaps, prioritize risks, and address vulnerabilities, reducing the overall attack surface.
- Enhanced Incident Response and Recovery: ATT&CK helps streamline incident response strategies, allowing CISOs to guide teams in mitigating threats faster and more effectively, minimizing downtime and impact.
- Increased Boardroom Confidence: CISOs can use ATT&CK to demonstrate a straightforward, structured approach to cybersecurity to executive leadership and the board, building trust and supporting requests for security funding.
- Alignment with Industry Standards: Implementing ATT&CK supports compliance with regulatory requirements and industry best practices (e.g., NIST, ISO), improving the organization’s security maturity and audit readiness.
- Proactive Threat Hunting: CISOs can foster a culture of proactive security by enabling threat-hunting teams to identify emerging threats before they cause damage, staying ahead of attackers.
Challenges of Implementing the MITRE ATT&CK Framework
Despite its benefits, implementing the MITRE ATT&CK framework can be challenging:
- Resource Intensive: Smaller organizations may lack the resources required to implement and maintain ATT&CK.
- Complexity and Scale: ATT&CK covers many tactics, techniques, and procedures (TTPs). Adopting the entire framework can be overwhelming, especially for smaller teams or organizations with limited resources.
- Skill Gaps: Effective use requires a deep understanding of cybersecurity, threat hunting, and incident response. Organizations lacking specialized talent may struggle to interpret and apply the framework.
- Integration with Existing Tools: Aligning ATT&CK with current security tools and processes, such as SIEMs or EDR systems, can be complex and require custom development.
- Data Overload: Mapping all security incidents to ATT&CK can generate massive data, leading to alert fatigue and difficulty prioritizing real threats.
- Continuous Maintenance: As the threat landscape evolves, updating the framework and adjusting the organization’s defensive strategies requires ongoing effort.
MITRE ATT&CK for CISOs and Security Leaders
ATT&CK plays an important role for CISOs and security leaders by removing ambiguity from securing their infrastructure. It provides a methodology for defining objectives for their teams that are measurable and detailed enough to bridge the communication gap between teams with different expertise. It also enables them to better align security measures with business objectives. By quantifying and communicating cyber risk through the framework, security leaders can make informed resource allocation and risk management decisions.
It also lets them answer three major questions, whose answers depend on the specifics of the organization:
- What adversary tactics and techniques are most likely to impact your organization?
- Do you have the security control coverage to protect against these tactics and techniques?
- What changes can you make to technologies, processes, and skills to address the coverage gaps?
- Beyond these, evaluate potential initial landing zones by searching for a sub-technique ID and matching it against known assets; Balbix offers a capability in this area that produces an impact value.
MITRE ATT&CK vs. Cyber Kill Chain
The Cyber Kill Chain, developed by Lockheed Martin, is another widely used model for understanding cyberattacks. However, there are fundamental differences between it and the MITRE ATT&CK framework:
- Focus: While the Cyber Kill Chain emphasizes the pre-attack phases, ATT&CK focuses on the post-compromise behaviors of adversaries.
- Granularity: ATT&CK provides a more detailed view of adversarial techniques, making pinpointing specific behaviors and responses easier.
The Cyber Kill Chain has seen lower adoption because of its lack of detail and flexibility; it remains suitable for a high-level understanding of attacks and for disrupting them during their lifecycle. Organizations seeking a deep understanding of adversary behavior and a comprehensive approach to defense generally prefer MITRE ATT&CK.

| Aspect | MITRE ATT&CK | Cyber Kill Chain |
| --- | --- | --- |
| Origin | MITRE | Lockheed Martin |
| Focus | Detailed adversary tactics and techniques | Stages of an attack lifecycle |
| Structure | Non-linear tactics and techniques | Linear, seven stages of an attack |
| Granularity | High, detailed techniques and sub-techniques | Generalized, focuses on broader stages |
| Application | Threat detection, red teaming, forensic analysis | Threat intelligence, incident response |
| Lifecycle Coverage | Comprehensive, from initial access to impact | Focus on external network-based attacks |
| Used by | Blue and Red Teams, Threat Hunters, IR Teams | Threat Intelligence Analysts, Incident Responders |
Using MITRE ATT&CK for Vulnerability Management
The MITRE ATT&CK Framework can be used for vulnerability management, notably to prioritize which vulnerabilities to fix first. By mapping a Common Vulnerabilities and Exposures (CVE) entry to TTPs, security practitioners can better assess the impact of that CVE if it were to be exploited. They can also take action to mitigate their risk and implement controls to improve their cybersecurity posture.
Security teams can also map TTPs to their CVEs and security controls to improve resource allocation and productivity by spending less time remediating lower-impact risks. Moreover, if they use a risk-based vulnerability management solution that performs this mapping automatically, they can analyze vulnerability data accurately and prioritize vulnerabilities in real time.
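The Python below is an added example (written for this article, not Balbix's or any vendor's scoring logic) of the prioritization these two paragraphs describe: each vulnerability carries the technique IDs it would let an attacker perform, and a score combines CVSS severity with exposure, blast radius and whether those techniques appear in the organization's threat profile. The CVE identifiers are placeholders, the technique mappings and the threat profile are constructed, the weighting model is an assumption of the example, and T1190 (Exploit Public-Facing Application) and T1203 (Exploitation for Client Execution) are ATT&CK techniques not mentioned in the text.

```python
# Constructed vulnerability records. CVE identifiers are placeholders, not real CVEs;
# technique mappings are assumptions of the example.
SAMPLE_CVES = [
    {"cve": "CVE-0000-0001 (placeholder)", "cvss": 9.8, "internet_facing": False,
     "affected_assets": 2, "techniques": ["T1003"]},
    {"cve": "CVE-0000-0002 (placeholder)", "cvss": 7.5, "internet_facing": True,
     "affected_assets": 12, "techniques": ["T1190", "T1059.001"]},
    {"cve": "CVE-0000-0003 (placeholder)", "cvss": 8.8, "internet_facing": False,
     "affected_assets": 40, "techniques": ["T1203", "T1059.001"]},
    {"cve": "CVE-0000-0004 (placeholder)", "cvss": 5.3, "internet_facing": True,
     "affected_assets": 3, "techniques": ["T1018"]},
]

# Techniques the organization's threat profile flags as actively used against it
# (for instance from the group and campaign entries of the framework). Assumed here.
RELEVANT_TECHNIQUES = {"T1566.001", "T1195", "T1059.001", "T1190"}


def priority_score(cve, relevant_techniques):
    """Assumed scoring model: severity x exposure x blast radius x threat relevance."""
    base = cve["cvss"] / 10.0                              # 0..1 from the CVSS base score
    exposure = 1.5 if cve["internet_facing"] else 1.0       # reachable from outside
    blast = 1.0 + min(cve["affected_assets"], 20) / 20.0    # how many assets share the flaw
    hits = len(set(cve["techniques"]) & relevant_techniques)
    threat = 1.0 + 0.5 * hits                               # mapped TTPs seen in the threat profile
    return round(base * exposure * blast * threat, 2)


def rank_vulnerabilities(cves, relevant_techniques):
    """Return (cve id, score, matched technique IDs) tuples, highest priority first."""
    rows = []
    for cve in cves:
        matched = sorted(set(cve["techniques"]) & relevant_techniques)
        rows.append((cve["cve"], priority_score(cve, relevant_techniques), matched))
    return sorted(rows, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    for cve_id, score, matched in rank_vulnerabilities(SAMPLE_CVES, RELEVANT_TECHNIQUES):
        print(f"{score:5.2f}  {cve_id}  relevant TTPs: {', '.join(matched) or 'none'}")
```

With these inputs the CVSS 9.8 finding on two isolated hosts lands third: the 7.5 on internet-facing systems whose mapped techniques match the threat profile, and the 8.8 present on forty assets, both come out ahead of it. That reordering is what TTP mapping adds over sorting by CVSS alone.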
The Future of the MITRE ATT&CK Framework
The future of the MITRE ATT&CK Framework is likely to see greater integration with AI and machine learning to enhance threat detection and response. As cyber threats evolve, ATT&CK will continue to expand its knowledge base, incorporating new tactics, techniques, and procedures (TTPs) for emerging technologies like cloud computing, IoT, and 5G. It will also play a key role in standardizing cybersecurity practices and fostering collaboration across industries for more proactive defense against cyberattacks.
Frequently Asked Questions
- How often is MITRE ATT&CK updated?
MITRE updates the ATT&CK framework regularly to incorporate new techniques and adversarial behaviors based on the latest threat intelligence.
By providing a comprehensive view of adversarial behaviors and how to counteract them, the MITRE ATT&CK framework empowers organizations to understand better, detect, and respond to cyber threats. Whether used for threat intelligence, red teaming, or defensive planning, it is an essential tool for modern cybersecurity.
- How does the MITRE ATT&CK Framework differ from other cybersecurity models?
Unlike many cybersecurity models that primarily focus on defensive mechanisms, the MITRE ATT&CK Framework takes an attacker-centric approach. This unique perspective allows organizations to understand how adversaries think and operate, which aids in planning more effective defenses and threat detection strategies.
- What are the key components of the MITRE ATT&CK Framework?
The framework consists of multiple matrices tailored to different environments, including the Enterprise ATT&CK Matrix for enterprise networks, the Mobile ATT&CK Matrix for mobile devices, the ICS ATT&CK Matrix for industrial control systems, and the Pre-ATT&CK Matrix, which focuses on adversaries’ preparatory activities.
- How has the MITRE ATT&CK Framework evolved since its inception?
Developed in 2013 and made public in 2015, the MITRE ATT&CK Framework has continuously evolved. Key milestones include the addition of macOS and Linux coverage in 2017, the introduction of the Mobile ATT&CK Matrix and ATT&CK for Cloud, and the expansion to include sub-techniques in 2020 for more granular documentation of adversarial behaviors.
- Why is the MITRE ATT&CK Framework important for cybersecurity?
The MITRE ATT&CK Framework is critical for cybersecurity as it provides a common language and systematic approach for documenting and sharing information on cyber threats. This enables organizations to better prepare for, detect, and respond to cyberattacks, improving overall security posture and resilience against threats.