Flowmon / Blog / What is MITRE ATT&CK and How to Use the Framework?

What is MITRE ATT&CK and How to Use the Framework?

The cybersecurity threat landscape constantly changes as attack methods increase in frequency and sophistication. Having a complete view of the threat landscape and the techniques that attackers use is difficult. Several frameworks are available to classify bad actors’ tactics and techniques to assist defensive strategy planning and tactical operations.

Posted on |

The MITRE ATT@CK® framework is one of the most widely known and used.  The Flowmon Anomaly Detection System (ADS) incorporates knowledge of the MITRE ATT&CK framework. Using ADS and its MITRE ATT&CK knowledge makes detecting advanced threats against networks and IT systems easier and simplifies explaining the danger and risks when outlining an attack to all stakeholders.

What is MITRE ATT&CK?

MITRE ATT&CK is a knowledge base of threats and actions the MITRE Corporation maintains and develops with industry and other stakeholder input. The MITRE Corporation is a not-for-profit federally funded research and development organization tasked with devising solutions to keep the USA safe from various threats. Using their R&D centers and public-private partnerships, MITRE works across Government to tackle safety, stability and well-being challenges in many areas. One of which is the security of IT systems. MITRE ATT&CK is one output from this work that can be used as a foundation to identify and build protections against specific threats from cybercriminals.

The ATT&CK part of the name is an acronym for Adversarial Tactics, Techniques and Common Knowledge. MITRE ATT&CK is free to use globally by anyone in the private sector, Governments or cybersecurity solution vendors. 

The MITRE ATT&CK Framework

MITRE ATT&CK has three top-level categories called Matrices using the framework’s terminology: Enterprise, Mobile and ICS. Each gets subdivided into Tactics and Techniques that attackers use, plus MITRE ATT&CK also details mitigations that organizations can use to bolster cybersecurity.

The Enterprise Matrix is the largest and most mature part of MITRE ATT&CK. Within the Enterprise Matrix, there are seven distinct sub-matrices. They are:

  • PRE - covers preparatory techniques.
  • Windows - a subset of the main Enterprise matrix focused on the Windows platform.
  • macOS - a subset focused on the macOS platform.
  • Linux - a subset focused on the Linux platform.
  • Network - a subset covering network-related security.
  • Containers - a subset covering security for the container-based application delivery model.
  • Cloud - a subset covering cloud-related security. There are five focused on these specific cloud-based services and models:
  • Office 365
  • Azure AD
  • Google Workspace
  • SaaS
  • IaaS

Alongside the Enterprise Matrix are Matrices for Mobile and ICS. The Mobile Matrix has two sub-matrices for Apple iOS and Google Android, the leading mobile operating systems.

MITRE ATT&CK Tactics

The Enterprise Matrix is the largest and most mature –it contains 14 Tactics sections that explain the intention behind an ATT&CK technique or sub-technique. They highlight attackers’ strategic objectives, which motivate their actions. For instance, when a threat actor is trying to get credential access. 

The 14 Enterprise Tactics are:

  1. Reconnaissance - Information gathering activity used to plan attacks.
  2. Resource Development - Building infrastructure to use in attacks. Such as fake websites.
  3. Initial Access - Initial attack vectors and attempts to breach security, like phishing emails.
  4. Execution - Performing attack activity, like injecting and running malicious code. 
  5. Persistence - Maintaining persistence on a breached network using various techniques.
  6. Privilege Escalation - Getting the rights and access permissions to perform escalated function attacks.
  7. Defense Evasion - Activities used by attackers to avoid discovery on the network.
  8. Credential access - Monitoring and stealing login details for systems not yet fully breached — keylogging, for example.
  9. Discovery - Finding other systems on the network to infect and control.
  10. Lateral Movement - Jumping from one infected system to another, often using credentials that work across systems.
  11. Collection - Gathering data that has value if sold or used for further attack planning or blackmail.
  12. Command and Control - Communication with infected systems from cybercriminals’ systems on the web. Often by using hidden transmissions in standard network packets.
  13. Exfiltration - Copying data to cybercriminals’ servers to be sold on the dark web, held for ransom or used for future attack planning. 
  14. Impact - Disrupt the operation of the IT systems. Most commonly with ransomware encryption but also via other attack methods.

There are 12 Mobile Tactics - mobile does not include Reconnaissance and Resource Development. 

The ICS Matrix also has 12 Tactics, including two unique ones (Inhibit Response Function and Impair Process Control):

  1. Initial Access - Attempts by attackers to gain access to an ICS environment.
  2. Execution - Trying to run code or manipulate system functions, parameters and data in an unauthorized way.
  3. Persistence - Maintaining a foothold in an ICS environment.
  4. Privilege Escalation - Getting the rights and access permissions to perform escalated function attacks.
  5. Evasion - Attempting to avoid security defenses.
  6. Discovery - Searching for information to identify and access other targets in the ICS environment.
  7. Lateral Movement - Movement through the ICS environment.
  8. Collection - Gathering data of interest and domain knowledge on the ICS environment to aid attackers’ goals.
  9. Command and Control - Communication with and control of compromised systems, controllers and platforms with access to the ICS environment.
  10. Inhibit Response Function - The attacker tries to prevent any safety, protection, quality assurance and operator intervention functions from responding to a failure, hazard or unsafe state.
  11. Impair Process Control - The attacker tries to manipulate, disable or damage physical control processes.
  12. Impact - The attackers try to manipulate, interrupt or destroy the ICS systems, data and their surrounding environment.

MITRE ATT&CK Techniques

Each of the Tactics in the Enterprise Matrix (and in the Mobile and ICS Matrices) subdivides into Techniques outlining the actions an attacker takes to achieve a specific goal, such as dumping credentials to gain access to login information.

At the time of writing (July 2023), the three Matrices contain the following number of Techniques and Sub-techniques. There are too many to list here. Use the links below to view them on the MITRE website.

Matrix

Techniques

Sub-techniques

Enterprise

196

411

Mobile

66

41

ICS

81

0

 

Practical Applications of MITRE ATT&CK

MITRE ATT&CK, specifically the framework Matrices and their Tactics & Techniques, can be used to bolster cybersecurity strategy and defenses in multiple ways.

Improve understanding of threats - By utilizing the ATT&CK framework, organizations can pinpoint the tactics, techniques and procedures (TTPs) that attackers are more likely to use. This valuable information helps security teams concentrate their resources on the vulnerable areas that are most at risk, enabling them to prioritize their security efforts effectively.

Penetration testing operations - By simulating attacks based on the ATT&CK framework, red team attack operations can create realistic scenarios and evaluate the effectiveness of an organization’s defenses. Security teams can then address any weaknesses discovered.

Prioritize threats and risks - The ATT&CK framework is useful for identifying the TTPs that attackers are likely to use to target a specific organization — assisting cybersecurity teams in gathering threat intelligence and prioritizing their security efforts to concentrate on the most plausible threats first.

Improve security controls - The ATT&CK framework is useful in enhancing security controls by pinpointing the TTPs that these controls aim to prevent. This data can assist security teams in verifying their controls’ effectiveness and highlighting vulnerabilities in their security setup. 

Threat hunting and incident response - The framework is valuable for performing threat hunting and incident response. It provides a shared language for describing and communicating adversary activity and for sharing threat intelligence. This helps organizations to collaborate more effectively and protect themselves from emerging threats. Organizations can create incident response plans that align with the MITRE ATT&CK framework, including specific tactics and techniques to plan and simulate response measures before an attack occurs.

Security solution evaluation - The framework offers a consistent classification system for assessing security tools and technologies. Businesses can utilize it to determine how effectively their current tools address the methods and strategies outlined in the framework. This assessment can aid in deciding which tools to choose, identifying areas where coverage may be lacking and directing the creation of new security solutions. As noted previously, Flowmon Anomaly Detection System (ADS) includes knowledge from the MITRE ATT&CK framework.

Research and development - Researchers and developers can utilize the ATT&CK framework to create better security products and services, ultimately enhancing everyone’s cybersecurity.

MITRE ATT&CK Navigator

The MITRE ATT&CK Navigator is an online tool that enables users to visualize and investigate the significant amounts of information in MITRE ATT&CK. With this web-based navigator tool, cybersecurity teams can more easily perform the actions outlined in the previous section. Using Navigator, you can apply filters to focus on specific information. For example, if they wanted to focus on what the framework says about Privilege Escalation attacks.

They can use it to:

  • Understand TTPs - The ATT&CK Navigator offers a graphical display of the ATT&CK framework, enabling users to understand attackers’ methods and create more efficient defenses.
  • Prioritize security risks - The ATT&CK Navigator helps identify tactics used by attackers against an organization. This assists cybersecurity defenders to prioritize security measures and focus on the most vulnerable areas.
  • Improve security controls - The ATT&CK Navigator helps enhance security controls by identifying the TTPs that controls aim to prevent, helping users ensure their controls are robust and to identify any shortcomings in their defenses.
  • Threat hunting and incident response - The ATT&CK Navigator helps detect and investigate suspicious activity more efficiently by providing a visual view of typical adversarial activity.

Navigator is one of the tools listed on the MITRE Getting Started page.

Cyber Kill Chain vs. MITRE ATT&CK

The Cyber Kill Chain is another popular framework designed to help organizations plan their cybersecurity defense. Lockheed Martin created the Cyber Kill Chain framework, and it is a core component of their Intelligence Driven Defense model. Like MITRE ATT&CK, the Cyber Kill Chain is used to identify and prevent cyber attacks by identifying what steps attackers take to achieve their objectives. 

Cyber Kill Chain and MITRE ATT&CK are two of the most popular frameworks used to understand and defend against cyberattacks. They both provide a structured way to think about the different phases of an attack, and security teams can use them to identify vulnerabilities in an organization’s security posture. However, the Cyber Kill Chain focuses on Attack stages, whereas MITRE ATT&CK provides a comprehensive view of attacker behaviors and TTPs.

Cybersecurity teams can improve security posture, enhance threat detection and boost incident response capabilities by combining the MITRE ATT&CK framework with the Cyber Kill Chain. Examples of how defenders can use the frameworks together to enhance cybersecurity include:

  • Deliver a broader understanding - Using the MITRE ATT&CK framework and the Cyber Kill Chain together delivers a comprehensive understanding of TTPs and information about the different stages of a cyber attack. The combination allows for a deep analysis of the entire attack lifecycle and the specific TTPs attackers may use at each stage.
  • Threat hunting and detection - Using the MITRE ATT&CK framework in threat hunting helps detect adversary tactics and procedures. Mapping TPPs to Cyber Kill Chain phases helps identify possible attack routes and which indicators of compromise to look for.
  • Incident response - Using the MITRE ATT&CK framework and the Cyber Kill Chain together helps incident response teams understand an attacker’s behavior and apply appropriate countermeasures and remediation actions.
  • Defense planning - By matching TTPs from the MITRE ATT&CK framework with the corresponding stages of the Cyber Kill Chain, cybersecurity teams can take proactive measures to identify potential future attack paths and close any security gaps.
  • Defense infrastructure design - Mapping MITRE ATT&CK to Cyber Kill Chain helps design & implement security controls for each stage of an attack. Analyzing TTPs assists in identifying the necessary security solutions like Intrusion Detection Systems, firewalls, endpoint protection and secure email gateways.
  • Threat intelligence sharing - The MITRE ATT&CK framework and the Cyber Kill Chain allow organizations to share threat intelligence in a standard manner. Mapping threats with both enhances understanding and increases protection across the threat landscape.

Specialized Aspects of MITRE ATT&CK

The MITRE Corporation also works on specialized Framework versions for use against specific threats.

MITRE ATT&CK for ICS (Industrial Control Systems)

The MITRE ATT&CK for ICS is a specialized framework Matrix focusing on the defense of ICS infrastructure, also frequently called Operational Technology (OT). The ICS Matrix helps Cybersecurity teams deal with the unique challenges faced when securing ICS environments. It also provides guidance on detecting and responding to attacks targeting ICS. 

The current version of the ICS Matrix has 12 tactics and 81 techniques. Unlike the Enterprise and Mobile Matrices, the ICS Matrix has no sub-techniques. We listed the 12 Tactics in the MITRE ATT&CK Tactics section above. Two unique tactics to the ICS Matrix are Inhibit Response Function and Impair Process Control.

MITRE ATT&CK for Insider Threats

The current Matrices contain tactics and techniques that address various aspects of insider threat — for example, the Data Destruction technique in the Enterprise Matrix. The table below outlines other insider threat activities discussed in the Matrices.

Threat

MITRE ATT&CK TPP Number

Data Exfiltration

T1537 – Transfer Data to Cloud

Leaking Organizational secrets

T1020 – Automated Exfiltration

Using organization resources for personal gain

T1496 – Resource Hijacking

Phishing

T1566 – Phishing

T1534 Internal Spear Phishing

Accessing restricted customer data

T1213 – Data from Information Repositories

Misconfiguring access controls on servers or data stores

T1190 – Exploit Public Facing Application

Deliberate deletion of logs

T1070 – Indicator removal on host

Unauthorized access to resources

T1078 – Valid Accounts

 

Insider threats are such a growing problem that the MITRE Corporation has created an Insider Threat Framework Initiative. Quoting from the project webpage:

"MITRE is creating an evolving, data-driven Insider Threat Framework that includes psycho-social and cyber-physical characteristics as common and observable indicators for insider risks. MITRE’s framework will help Insider Threat/Risk Programs more accurately target and operationalize their deterrence, detection and mitigation of insider threats."

See the Insider Threat Framework Initiative page for an in-depth discussion of the project and the reasoning behind it.

Leveraging MITRE ATT&CK in Training and Certifications

The MITRE ATT&CK framework is a valuable educational and training tool for security professionals. Its well-organized structure provides a comprehensive approach to learning about various attack tactics and techniques. Organizations can enhance the expertise of their security personnel by training based on the structured format of the framework. 

The MITRE Corporation includes the following training and certification resources on the MITRE ATT@CK website.

  • Using ATT&CK for Cyber Threat Intelligence Training - A five-module training course using videos and exercises from ATT@CK team members. Designed to help anyone learn how to improve threat intelligence practices.

The training page also lists three third-party Cybrary Courses:

  • MITRE ATT&CK Defender (MAD) ATT&CK Fundamentals Badge Training Course - The ATT&CK Fundamentals course teaches real-world adversary tactics via the ATT&CK knowledge base. It helps with tackling present and upcoming threats.
  • MITRE ATT&CK Defender (MAD) ATT&CK Cyber Threat Intelligence Certification Training - Learn how to convert data into ATT&CK format and apply intelligence to offer recommendations for defenders in this MITRE ATT&CK Defender (MAD) Cyber Threat Intelligence Certification course. Taught by MITRE experts, it also prepares you for certification.
  • MITRE ATT&CK Defender (MAD) ATT&CK SOC Assessments Certification Course - This training course allows cybersecurity professionals to become certified in SOC assessments and evaluate SOC defense alignment with ATT&CK. 

MITRE ATT&CK Evaluations and Engenuity

The MITRE Corporation also operates two initiatives related to the core frameworks. 

  1. The MITRE ATT&CK Evaluations program assesses the effectiveness of cybersecurity solutions against known adversary tactics and techniques. Experts at MITRE conduct these evaluations and make the results public, enabling anyone to use them to make informed decisions about choosing the best security solutions for their needs.
  2. MITRE Engenuity is an independent non-profit organization operating independently of the MITRE Corporation. Its focus is tackling critical cybersecurity and public safety challenges through objective research and development. It achieves this goal by collaborating with industry, academia and Government while promoting better cybersecurity outcomes. MITRE Engenuity is actively involved in advancing technical capabilities, benchmarking cybersecurity tools and practices and driving innovation in the field. It is Engenuity that manages the MITRE ATT&CK Evaluations program.

 

MITRE ATT&CK FAQs

What is MITRE ATT&CK?

  • MITRE ATT&CK is a framework that helps organizations understand and categorize cyber threats and attack methods. 

How does MITRE ATT&CK work?

  • By providing a comprehensive list of tactics, techniques and procedures attackers use to compromise networks, steal data and cause damage. Mitigations that defenders can use get identified by MITRE.

How can organizations benefit from using MITRE ATT&CK?

  • Using MITRE ATT&CK, organizations can better understand their security posture and take improvement actions to close any security gaps that attackers may exploit.

Is MITRE ATT&CK free to use?

  • Yes. It is open to any company, Government or any other organization to use with no charge via a MITRE Corporation grant of a non-exclusive, royalty-free license to use ATT&CK for research, development and commercial purposes. 

Is MITRE ATT&CK regularly updated?

  • Yes. The current version is ATT@CK V13 which got released in April 2023. The first version was in January 2018. There have been two or three new releases every year.

Explore the Flowmon interactive demo

Experience a fully interactive product demo to see what issues Flowmon can tackle for you.

Launch Demo
Product

Flowmon ADS

Detect and Stop ransomware!

Launch more
Trial

Request free trial

Get no-obligation 30-day trial of Flowmon in your network.

Get your trial today
Products
Solutions
Why Flowmon
Company

Flowmon is part of the Progress product portfolio. Progress is the leading provider of application development and digital experience technologies.

Copyright © 2024 Progress Software Corporation and/or its subsidiaries or affiliates. All Rights Reserved.

Progress, Telerik, Ipswitch, Chef, Kemp, Flowmon, MarkLogic, Semaphore and certain product names used herein are trademarks or registered trademarks of Progress Software Corporation and/or one of its subsidiaries or affiliates in the U.S. and/or other countries. See Trademarks for appropriate markings.

Do Not Sell or Share My Personal Information

Powered by Progress Sitefinity