The MITRE ATT&CK Framework was created in 2013 to create a comprehensive document of tactics, techniques, and procedures that cyber attackers were regularly using to breach the defenses of individuals and organizations. Since then, it has grown to be a global knowledge base that has helped to standardize defensive security and remains accessible to all security professionals.
This framework continues to be regularly updated and helps to bring together the intelligence of cybersecurity experts around the world in order to better defend against the ever-growing threat landscape. In this blog, we’ll take a closer look at the different aspects of MITRE ATT&CK and how it can be incorporated into your security practices.
The Components of the MITRE ATT&CK® Framework
The ATT&CK Matrix consists of two main parts: tactics and techniques.
Tactics are the high-level categories of attacks and focus on the primary goal of the attack. There are currently 14 types of tactics:
- Reconnaissance – Gathering information about a target
- Resource Development – Gathering assets that can be leveraged for an attack, such as infrastructure, accounts, or capabilities
- Initial Access – Gaining a foothold within an IT environment
- Execution – Running malicious code
- Persistence – Establishing long-term compromise of an IT environment
- Privilege Escalation – Gaining additional access through higher permissions
- Defense Evasion – Avoiding detection
- Credential Access – Stealing account names and passwords
- Discovery – Observing and mapping a target IT environment
- Lateral Movement – Pivoting within an IT environment
- Collection – Gathering targeted data to either steal or manipulate
- Command and Control – Communicating with compromised systems
- Exfiltration – Stealing data gathered during collection
- Impact – Changing or destroying data gathered during collection
Techniques are the way in which tactics are achieved. Techniques are sometimes further broken down into sub-techniques in order to clarify different approaches to a technique. For example, a threat actor may want to compromise an account (technique), but they may go through a social media account or an email account (sub-techniques).
Clicking on a technique or sub-technique within the ATT&CK Matrix will provide a detailed description, including guidance on mitigation or detection. Additionally, it offers examples of different types of procedures an attacker has used to execute the technique. For example, the threat group DarkHydrus achieved forced authentication through template injection.
MITRE ATT&CK® Groups
In addition to the MITRE ATT&CK framework, MITRE also has a comprehensive list of groups, which are sets of related attack activities that are associated with one or more threat or cyber espionage groups. For example, Magic Hound is an Iranian-sponsored threat group that conducts intensive, long-term cyber espionage activities.
How Do You Use MITRE ATT&CK®?
There are many ways to use this dynamic framework, including detection, analytics, and threat intelligence. It is particularly useful for assessing the security of an organization. For example, it is an excellent resource for Red Teaming, providing a resource library of potential ways to emulate an adversary. Additionally, it can be used in penetration testing engagements, identifying particular areas of weakness and guiding remediation. Knowing the tactics or techniques for which your organization needs to improve defenses can help determine the type of tool or procedure needed to successfully bolster security.
MITRE ATT&CK® and Core Impact
Core Impact, an automated penetration testing tool that enables security teams to assess the security of their environment, uncovering and exploiting security weaknesses. The MITRE ATT&CK Framework perfectly complements these testing engagements, as it can map and categorize every Core Impact engagement, highlighting which attack types their organization may be most vulnerable to. Core Impact has two reporting options that utilize the MITRE ATT&CK Navigator layer output.
The ATT&CK Navigator Report
Based on the techniques executed during an engagement, this report uses the MITRE layer to classify and prioritize risk. It also includes the option of exporting results with the ATT&CK Navigator JSON format.
The NIST 800 Navigator Report
Building on the impressive work being done by MITRE’s Center for Threat-Informed Defense, this report offers a modified JSON output for organizations who want to align their activities with both ATT&CK and NIST’s catalog of security and privacy controls, known as NIST 800-53.
Contributing to MITRE ATT&CK®
As threat actors continue to evolve, the MITRE framework will also need to follow suit. In order to continue to make this resource as effective as possible, cybersecurity professionals can help by contributing information—whether it be a new technique seen in the wild or simply sharing if you’ve discovered a new way that MITRE can be used to help with defensive security. You can reach out directly to ATT&CK to contribute.
Want to see MITRE ATT&CK® and Core Impact in action?
Watch a demo of Core Impact to see how a penetration test can be mapped to MITRE as well as other features of this powerful pen testing tool.