
What is MITRE ATT&CK? Beginner’s Guide

The MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework is a
widely-used resource for understanding and defending against cyber threats. The framework was
developed by MITRE, a non-profit organization that operates research and development centers
for the U.S. (United States) government.


The origins of the framework can be traced back to the early 2000s, when MITRE began working
with the U.S. government to develop a comprehensive approach to understanding and
defending against advanced persistent threats (APTs).

This work led to the creation of the MITRE
Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) matrix in 2013, which was
initially focused on APT threat groups and their tactics, techniques, and procedures (TTPs).


Over the years, the framework has evolved to include a wider range of threat actors, platforms,
and use cases. In 2016, the framework was made publicly available, and it has since become a
widely-used resource for organizations of all sizes and industries.


The MITRE ATT&CK framework is a widely used and important resource in the field of
cybersecurity. It provides a comprehensive understanding of the tactics, techniques, and
procedures used by cyber adversaries, which enables organizations to better identify, detect, and
respond to cyber threats. As you’ll remember, threat intelligence and data-based decisions are a
major part of a threat-informed defense. Understanding how your adversaries operate is
incredibly valuable in defending your enterprise.


The framework is based on real-world observations of actual attacks, which means that it is
constantly updated with new information and reflects the latest threat landscape. Additionally,
the ATT&CK framework covers a wide range of threat actors, platforms, and use cases, and it can
be used for not only detection and defense but also for planning and prioritizing security
investments, measuring the effectiveness of security controls, and communicating with
stakeholders. The ATT&CK framework has a community of researchers, practitioners, and
enthusiasts who contribute to its development and improvement.

MITRE allows for contribution to the ATT&CK Framework through the submission of:

  • New techniques and sub-techniques
  • New techniques and sub-techniques for macOS, Linux, cloud, and ICS
  • Threat Intelligence
  • Data sources such as endpoint or network log data for techniques used in incidents
  • Your use cases

The MITRE Organization has a whole page on its website on how to contribute to the ATT&CK
Framework. We recommend looking there as a starting point in helping to keep ATT&CK up to
date.


The framework has been widely adopted by the industry, and many vendors and organizations have
developed products and services that are based on or integrate with the ATT&CK framework.
Additionally, it can help organizations prioritize vulnerabilities and areas of weakness, and
demonstrate compliance with regulations and standards.

The ATT&CK framework is more than the single matrix you are used to seeing. There are three
matrices available to represent the ATT&CK Framework in different contexts. Those matrices are:

  • The Enterprise Matrix
  • The Mobile Matrix
  • The ICS Matrix

Enterprise Matrix

The Enterprise Matrix is comprised of tactics and techniques that affect the following platforms:

  • Windows
  • macOS
  • Linux
  • PRE
  • Azure AD
  • Office 365
  • Google Workspace
  • SaaS
  • IaaS
  • Network
  • Containers

As you can see, there are a wide variety of local host-based platforms, cloud-based platforms,
network threats, and containers represented in this matrix. The Enterprise Matrix is most likely
the matrix you are familiar with because it is so vast, yet detailed. For those reasons, it is the
matrix we will reference throughout this class, unless stated otherwise.

Mobile Matrix

The Mobile Matrix covers techniques involving device access and network-based effects that can
be used by adversaries without device access. Both iOS and Android operating systems are
covered in this matrix.

The mobile matrix consists of 12 tactics:

  • Initial Access
  • Execution
  • Persistence
  • Privilege Escalation
  • Defense Evasion
  • Credential Access
  • Discovery
  • Lateral Movement
  • Collection
  • Command and Control
  • Exfiltration
  • Impact

Within the Matrix you will find techniques that can apply to both enterprise and mobile
platforms. You will also find techniques that are specifically used on mobile platforms. One such
technique is Access Notifications.
The description of Access Notifications reads:
“Adversaries may collect data within notifications sent by the operating system or other applications. Notifications may contain sensitive data such as one-time authentication codes sent over SMS, email, or other mediums. In the case of Credential Access, adversaries may attempt to intercept one-time code sent to the device. Adversaries can also dismiss notifications to prevent the user from noticing that the notification has arrived and can trigger action buttons contained within notifications.”

ICS Matrix

The ICS Matrix covers tactics and techniques that apply to industrial control systems. Like the
Mobile Matrix, there are 12 tactics. You will notice, however, that not all of those tactics are the
same. The 12 tactics in the ICS Matrix include:

  • Initial Access
  • Execution
  • Persistence
  • Privilege Escalation
  • Evasion
  • Discovery
  • Lateral Movement
  • Collection
  • Command and Control
  • Inhibit Response Function
  • Impair Process Control
  • Impact

You might have observed that certain tactics in the ICS Matrix are exclusive to it. For instance, the
Inhibit Response Function includes Alarm Suppression, Block Command Message, and
Manipulate I/O Image as its techniques. Another tactic is the Impair Process Control Tactic, which
encompasses Brute Force I/O and Spoof Reporting Message as its techniques.
The Inhibit Response Function refers to the methods employed by cyber criminals to hamper the
protective measures implemented for processes and products. On the other hand, the Impair
Process Control Tactic refers to the ways in which attackers can interfere with control logic and
lead to adverse impacts on the processes being managed in the target environment.

Tactics, techniques, and procedures are key concepts in the ATT&CK framework.

Tactics refer to the technical goals of an adversary. These goals could include stealing sensitive data, disrupting operations, or establishing a foothold in a target’s network.


Techniques are the behaviors an adversary displays when trying to achieve these goals. For example, an adversary might use phishing emails to gain initial access to a network, followed by techniques such as lateral movement and privilege escalation to gain deeper access.


Procedures are specific implementations of techniques. For example, a procedure for lateral movement might involve using stolen credentials to log into another system, while another procedure might involve using a tool like Remote Desktop Protocol (RDP) to connect to a system. Together, these concepts provide a comprehensive understanding of the ways in which cyber adversaries operate and can help organizations identify, detect, and respond to cyber threats.


Think of these in terms of your day: You have several things you do every day that can be split into
broad categories or goals. These could be things like getting to work safely or staying healthy. These are your tactics.

You have different ways to meet these goals. For something like getting to work safely, you may drive to work. You might walk to work. You may even have a mixed commute of drive, walk, and public transit. In terms of staying healthy, you may employ techniques like washing your hands, taking a walk, or lifting weights. Notice that the same technique of taking a walk was actually used in both tactics of staying healthy and getting to work safely. Techniques may span multiple tactics.


We will continue with “taking a walk” as our technique since it spans both tactics. The map you would use with the turn-by-turn directions for your walk could be a procedure for the technique of taking a walk.
This is the basic organizational principle of the MITRE ATT&CK Framework, so it’s important to
commit these to memory.

The enterprise matrix breaks all of the techniques down into 14 tactics, each of which serves a
specific purpose in the adversary’s lifecycle.


From left to right, the first tactic is Reconnaissance, which involves adversaries actively or
passively gathering information about a potential target, such as details about the victim
organization, infrastructure, or staff/personnel. This information can be used to support targeting
and aid in other phases of the adversary lifecycle.


The second tactic is Resource Development, where adversaries create, purchase, or compromise
resources, such as infrastructure, accounts, or capabilities, that can be used to support targeting.


The third tactic is Initial Access, which involves using various entry vectors to gain a foothold in
the target network. These footholds may allow for continued access or may be limited use due to
changing passwords.


The fourth tactic is Execution, which results in adversary-controlled code running on a local or
remote system. This tactic is often paired with techniques from other tactics to achieve broader
goals.


The fifth tactic is Persistence, where adversaries use techniques to keep access to systems across
restarts, changed credentials, and other interruptions that could cut off their access.


The sixth tactic is Privilege Escalation, where adversaries use techniques to gain higher-level
permissions on a system or network. This tactic often overlaps with Persistence techniques.


The seventh tactic is Defense Evasion, where adversaries use techniques to avoid detection
throughout their compromise.


The eighth tactic is Credential Access, in which adversaries steal credentials, like account names
and passwords.


The ninth tactic is Discovery, where adversaries use techniques to gain knowledge about the
system and internal network.


The tenth tactic is Lateral Movement, where adversaries use techniques to enter and
control other remote systems on a network.


The eleventh tactic is Collection, in which adversaries use techniques to gather information, and
to identify the sources that information is collected from, that are relevant to following through on their
objectives.


The twelfth tactic is Command and Control, which covers the techniques that adversaries use to
communicate with systems under their control within the victim network.


The thirteenth tactic is Exfiltration, where an adversary uses techniques to steal data from your
network.


And finally, Impact, where adversaries use techniques to disrupt availability or compromise
integrity by manipulating business and operations processes.
It’s important to note that these tactics are not mutually exclusive and often used in combination
to achieve the adversary’s objectives.


Sub-Techniques


In the 8.0 release of the ATT&CK Framework, a new classification was added. That classification is
called a “sub-technique.” Sub-techniques are a way to further break down and describe the
specific methods used by adversaries to achieve their goals. Each technique in the framework is
made up of one or more sub-techniques, which provides a more granular understanding of the
techniques and how they are used. Version 13 of the framework includes 411 sub-techniques.


Gather Victim Network Information (T1590)


This technique has to do with gathering information about a victim’s network in order to plan and
execute an attack. This information can include details about the network’s infrastructure and
organization, such as IP ranges, domain names, and topology. Adversaries can gather this
information through various means, such as actively scanning the network or sending phishing
emails to trick individuals into revealing information. Additionally, this information may also be
obtained from publicly available sources, such as online databases.


Phishing: Spearphishing Attachment (T1566.001)


This sub-technique involves sending a targeted email with a malicious attachment in an attempt
to gain access to victim systems with the goal (or tactic) of Initial Access (TA0001). Other, similar
sub-techniques of Phishing include Spearphishing Link (T1566.002) and Spearphishing via Service
(T1566.003).
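The tactic → technique → sub-technique hierarchy, the ID format shown above (T1566 versus T1566.001), and the earlier point that one technique may sit under several tactics are easiest to see in code. The following is an added example written for this guide, not code from MITRE or from the original post: it parses ATT&CK IDs, models a small slice of the Enterprise matrix, and produces the kind of detection-coverage report a defender builds when measuring the effectiveness of security controls. The technique and tactic IDs are real ATT&CK IDs (T1078 Valid Accounts is from the public catalog and is not mentioned in the post; it is included because it spans four tactics); the detection rule names and the list of deployed detections are constructed sample data.

```python
"""Added example (not from the original post): ATT&CK ID parsing, a small
tactic -> technique -> sub-technique model, and a detection-coverage report.
Technique/tactic IDs are real ATT&CK IDs; detections are constructed sample data."""
import re
from dataclasses import dataclass, field

# ATT&CK ID grammar: tactics are "TA" + 4 digits (TA0001), techniques "T" + 4 digits
# (T1566), and sub-techniques append ".NNN" to their parent technique (T1566.001).
ATTACK_ID = re.compile(r"^(?:(?P<tactic>TA\d{4})|(?P<technique>T\d{4})(?:\.(?P<sub>\d{3}))?)$")


def is_attack_id(value: str) -> bool:
    """True if the string is a well-formed tactic, technique or sub-technique ID."""
    return ATTACK_ID.match(value.strip()) is not None


def parse_attack_id(value: str) -> dict:
    """Classify an ATT&CK ID. Sub-technique results carry their parent technique,
    which is what lets a sub-technique detection count toward the technique."""
    m = ATTACK_ID.match(value.strip())
    if not m:
        raise ValueError(f"not an ATT&CK ID: {value!r}")
    if m.group("tactic"):
        return {"kind": "tactic", "id": m.group("tactic")}
    if m.group("sub"):
        return {"kind": "sub-technique", "id": value.strip(), "parent": m.group("technique")}
    return {"kind": "technique", "id": m.group("technique")}


@dataclass
class Technique:
    tid: str
    name: str
    tactics: tuple[str, ...]                       # one technique can belong to several tactics
    subs: dict[str, str] = field(default_factory=dict)  # sub-technique ID -> name


# A slice of the Enterprise matrix, using IDs from the post plus T1078 (real ID,
# included because it spans four tactics, as the "taking a walk" analogy describes).
MATRIX = {
    "T1590": Technique("T1590", "Gather Victim Network Information", ("Reconnaissance",)),
    "T1566": Technique("T1566", "Phishing", ("Initial Access",), {
        "T1566.001": "Spearphishing Attachment",
        "T1566.002": "Spearphishing Link",
        "T1566.003": "Spearphishing via Service",
    }),
    "T1078": Technique("T1078", "Valid Accounts",
                       ("Initial Access", "Persistence", "Privilege Escalation", "Defense Evasion")),
}

# Constructed sample: detection rules an organisation has deployed, each tagged with
# the ATT&CK ID it is designed to catch. Rule names are hypothetical.
DETECTIONS = [
    ("email-attachment-macro-alert", "T1566.001"),
    ("suspicious-link-click",        "T1566.002"),
    ("external-port-scan-observed",  "T1590"),
]


def coverage_by_tactic(matrix=MATRIX, detections=DETECTIONS) -> dict[str, dict]:
    """Per tactic: how many techniques exist, how many have at least one detection,
    and which techniques are gaps. A sub-technique detection counts for its parent."""
    covered = set()
    for _, attack_id in detections:
        parsed = parse_attack_id(attack_id)
        covered.add(parsed.get("parent", parsed["id"]))
    report: dict[str, dict] = {}
    for tech in matrix.values():
        for tactic in tech.tactics:          # a multi-tactic technique is counted under each
            entry = report.setdefault(tactic, {"techniques": 0, "covered": 0, "gaps": []})
            entry["techniques"] += 1
            if tech.tid in covered:
                entry["covered"] += 1
            else:
                entry["gaps"].append(tech.tid)
    return report


def uncovered_subtechniques(matrix=MATRIX, detections=DETECTIONS) -> list[str]:
    """Sub-techniques with no detection at all: the granular gaps that the
    sub-technique level exists to surface."""
    detected = {attack_id for _, attack_id in detections}
    return sorted(sub for t in matrix.values() for sub in t.subs if sub not in detected)


if __name__ == "__main__":
    for tactic, entry in coverage_by_tactic().items():
        print(f"{tactic:22s} {entry['covered']}/{entry['techniques']} gaps={entry['gaps']}")
    print("uncovered sub-techniques:", uncovered_subtechniques())
```

Two design choices matter for a real coverage report. First, a technique that belongs to several tactics (T1078 here) is counted under each of them, so a single missing detection shows up as a gap in every tactic column it affects, which is how the ATT&CK matrix itself renders it. Second, rolling sub-technique detections up to the parent technique gives an optimistic technique-level number, so the sub-technique list is reported separately; in the sample data Phishing looks covered at the technique level while Spearphishing via Service (T1566.003) has no detection at all.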
Spearphishing is a type of social engineering that is delivered electronically and targets a specific
person, organization, or field. In this specific technique, the attackers include a file attachment
with the email and rely on the recipient to open it to execute their plan.
Some of the procedure examples listed include:
