The MITRE ATT@CK® framework is one of the most widely known and used. The Flowmon Anomaly Detection System (ADS) incorporates knowledge of the MITRE ATT&CK framework. Using ADS and its MITRE ATT&CK knowledge makes detecting advanced threats against networks and IT systems easier and simplifies explaining the danger and risks when outlining an attack to all stakeholders.
What is MITRE ATT&CK?
MITRE ATT&CK is a knowledge base of threats and actions the MITRE Corporation maintains and develops with industry and other stakeholder input. The MITRE Corporation is a not-for-profit federally funded research and development organization tasked with devising solutions to keep the USA safe from various threats. Using their R&D centers and public-private partnerships, MITRE works across Government to tackle safety, stability and well-being challenges in many areas. One of which is the security of IT systems. MITRE ATT&CK is one output from this work that can be used as a foundation to identify and build protections against specific threats from cybercriminals.
The ATT&CK part of the name is an acronym for Adversarial Tactics, Techniques and Common Knowledge. MITRE ATT&CK is free to use globally by anyone in the private sector, Governments or cybersecurity solution vendors.
The MITRE ATT&CK Framework
MITRE ATT&CK has three top-level categories called Matrices using the framework’s terminology: Enterprise, Mobile and ICS. Each gets subdivided into Tactics and Techniques that attackers use, plus MITRE ATT&CK also details mitigations that organizations can use to bolster cybersecurity.
The Enterprise Matrix is the largest and most mature part of MITRE ATT&CK. Within the Enterprise Matrix, there are seven distinct sub-matrices. They are:
- PRE - covers preparatory techniques.
- Windows - a subset of the main Enterprise matrix focused on the Windows platform.
- macOS - a subset focused on the macOS platform.
- Linux - a subset focused on the Linux platform.
- Network - a subset covering network-related security.
- Containers - a subset covering security for the container-based application delivery model.
- Cloud - a subset covering cloud-related security. There are five focused on these specific cloud-based services and models:
- Office 365
- Azure AD
- Google Workspace
MITRE ATT&CK Tactics
The Enterprise Matrix is the largest and most mature –it contains 14 Tactics sections that explain the intention behind an ATT&CK technique or sub-technique. They highlight attackers’ strategic objectives, which motivate their actions. For instance, when a threat actor is trying to get credential access.
The 14 Enterprise Tactics are:
- Reconnaissance - Information gathering activity used to plan attacks.
- Resource Development - Building infrastructure to use in attacks. Such as fake websites.
- Initial Access - Initial attack vectors and attempts to breach security, like phishing emails.
- Execution - Performing attack activity, like injecting and running malicious code.
- Persistence - Maintaining persistence on a breached network using various techniques.
- Privilege Escalation - Getting the rights and access permissions to perform escalated function attacks.
- Defense Evasion - Activities used by attackers to avoid discovery on the network.
- Credential access - Monitoring and stealing login details for systems not yet fully breached — keylogging, for example.
- Discovery - Finding other systems on the network to infect and control.
- Lateral Movement - Jumping from one infected system to another, often using credentials that work across systems.
- Collection - Gathering data that has value if sold or used for further attack planning or blackmail.
- Command and Control - Communication with infected systems from cybercriminals’ systems on the web. Often by using hidden transmissions in standard network packets.
- Exfiltration - Copying data to cybercriminals’ servers to be sold on the dark web, held for ransom or used for future attack planning.
- Impact - Disrupt the operation of the IT systems. Most commonly with ransomware encryption but also via other attack methods.
There are 12 Mobile Tactics - mobile does not include Reconnaissance and Resource Development.
The ICS Matrix also has 12 Tactics, including two unique ones (Inhibit Response Function and Impair Process Control):
- Initial Access - Attempts by attackers to gain access to an ICS environment.
- Execution - Trying to run code or manipulate system functions, parameters and data in an unauthorized way.
- Persistence - Maintaining a foothold in an ICS environment.
- Privilege Escalation - Getting the rights and access permissions to perform escalated function attacks.
- Evasion - Attempting to avoid security defenses.
- Discovery - Searching for information to identify and access other targets in the ICS environment.
- Lateral Movement - Movement through the ICS environment.
- Collection - Gathering data of interest and domain knowledge on the ICS environment to aid attackers’ goals.
- Command and Control - Communication with and control of compromised systems, controllers and platforms with access to the ICS environment.
- Inhibit Response Function - The attacker tries to prevent any safety, protection, quality assurance and operator intervention functions from responding to a failure, hazard or unsafe state.
- Impair Process Control - The attacker tries to manipulate, disable or damage physical control processes.
- Impact - The attackers try to manipulate, interrupt or destroy the ICS systems, data and their surrounding environment.
MITRE ATT&CK Techniques
Each of the Tactics in the Enterprise Matrix (and in the Mobile and ICS Matrices) subdivides into Techniques outlining the actions an attacker takes to achieve a specific goal, such as dumping credentials to gain access to login information.
At the time of writing (July 2023), the three Matrices contain the following number of Techniques and Sub-techniques. There are too many to list here. Use the links below to view them on the MITRE website.
Practical Applications of MITRE ATT&CK
MITRE ATT&CK, specifically the framework Matrices and their Tactics & Techniques, can be used to bolster cybersecurity strategy and defenses in multiple ways.
Improve understanding of threats - By utilizing the ATT&CK framework, organizations can pinpoint the tactics, techniques and procedures (TTPs) that attackers are more likely to use. This valuable information helps security teams concentrate their resources on the vulnerable areas that are most at risk, enabling them to prioritize their security efforts effectively.
Penetration testing operations - By simulating attacks based on the ATT&CK framework, red team attack operations can create realistic scenarios and evaluate the effectiveness of an organization’s defenses. Security teams can then address any weaknesses discovered.
Prioritize threats and risks - The ATT&CK framework is useful for identifying the TTPs that attackers are likely to use to target a specific organization — assisting cybersecurity teams in gathering threat intelligence and prioritizing their security efforts to concentrate on the most plausible threats first.
Improve security controls - The ATT&CK framework is useful in enhancing security controls by pinpointing the TTPs that these controls aim to prevent. This data can assist security teams in verifying their controls’ effectiveness and highlighting vulnerabilities in their security setup.
Threat hunting and incident response - The framework is valuable for performing threat hunting and incident response. It provides a shared language for describing and communicating adversary activity and for sharing threat intelligence. This helps organizations to collaborate more effectively and protect themselves from emerging threats. Organizations can create incident response plans that align with the MITRE ATT&CK framework, including specific tactics and techniques to plan and simulate response measures before an attack occurs.
Security solution evaluation - The framework offers a consistent classification system for assessing security tools and technologies. Businesses can utilize it to determine how effectively their current tools address the methods and strategies outlined in the framework. This assessment can aid in deciding which tools to choose, identifying areas where coverage may be lacking and directing the creation of new security solutions. As noted previously, Flowmon Anomaly Detection System (ADS) includes knowledge from the MITRE ATT&CK framework.
Research and development - Researchers and developers can utilize the ATT&CK framework to create better security products and services, ultimately enhancing everyone’s cybersecurity.
MITRE ATT&CK Navigator
The MITRE ATT&CK Navigator is an online tool that enables users to visualize and investigate the significant amounts of information in MITRE ATT&CK. With this web-based navigator tool, cybersecurity teams can more easily perform the actions outlined in the previous section. Using Navigator, you can apply filters to focus on specific information. For example, if they wanted to focus on what the framework says about Privilege Escalation attacks.
They can use it to:
- Understand TTPs - The ATT&CK Navigator offers a graphical display of the ATT&CK framework, enabling users to understand attackers’ methods and create more efficient defenses.
- Prioritize security risks - The ATT&CK Navigator helps identify tactics used by attackers against an organization. This assists cybersecurity defenders to prioritize security measures and focus on the most vulnerable areas.
- Improve security controls - The ATT&CK Navigator helps enhance security controls by identifying the TTPs that controls aim to prevent, helping users ensure their controls are robust and to identify any shortcomings in their defenses.
- Threat hunting and incident response - The ATT&CK Navigator helps detect and investigate suspicious activity more efficiently by providing a visual view of typical adversarial activity.
Navigator is one of the tools listed on the MITRE Getting Started page.
Cyber Kill Chain vs. MITRE ATT&CK
The Cyber Kill Chain is another popular framework designed to help organizations plan their cybersecurity defense. Lockheed Martin created the Cyber Kill Chain framework, and it is a core component of their Intelligence Driven Defense model. Like MITRE ATT&CK, the Cyber Kill Chain is used to identify and prevent cyber attacks by identifying what steps attackers take to achieve their objectives.
Cyber Kill Chain and MITRE ATT&CK are two of the most popular frameworks used to understand and defend against cyberattacks. They both provide a structured way to think about the different phases of an attack, and security teams can use them to identify vulnerabilities in an organization’s security posture. However, the Cyber Kill Chain focuses on Attack stages, whereas MITRE ATT&CK provides a comprehensive view of attacker behaviors and TTPs.
Cybersecurity teams can improve security posture, enhance threat detection and boost incident response capabilities by combining the MITRE ATT&CK framework with the Cyber Kill Chain. Examples of how defenders can use the frameworks together to enhance cybersecurity include:
- Deliver a broader understanding - Using the MITRE ATT&CK framework and the Cyber Kill Chain together delivers a comprehensive understanding of TTPs and information about the different stages of a cyber attack. The combination allows for a deep analysis of the entire attack lifecycle and the specific TTPs attackers may use at each stage.
- Threat hunting and detection - Using the MITRE ATT&CK framework in threat hunting helps detect adversary tactics and procedures. Mapping TPPs to Cyber Kill Chain phases helps identify possible attack routes and which indicators of compromise to look for.
- Incident response - Using the MITRE ATT&CK framework and the Cyber Kill Chain together helps incident response teams understand an attacker’s behavior and apply appropriate countermeasures and remediation actions.
- Defense planning - By matching TTPs from the MITRE ATT&CK framework with the corresponding stages of the Cyber Kill Chain, cybersecurity teams can take proactive measures to identify potential future attack paths and close any security gaps.
- Defense infrastructure design - Mapping MITRE ATT&CK to Cyber Kill Chain helps design & implement security controls for each stage of an attack. Analyzing TTPs assists in identifying the necessary security solutions like Intrusion Detection Systems, firewalls, endpoint protection and secure email gateways.
- Threat intelligence sharing - The MITRE ATT&CK framework and the Cyber Kill Chain allow organizations to share threat intelligence in a standard manner. Mapping threats with both enhances understanding and increases protection across the threat landscape.
Specialized Aspects of MITRE ATT&CK
The MITRE Corporation also works on specialized Framework versions for use against specific threats.
MITRE ATT&CK for ICS (Industrial Control Systems)
The MITRE ATT&CK for ICS is a specialized framework Matrix focusing on the defense of ICS infrastructure, also frequently called Operational Technology (OT). The ICS Matrix helps Cybersecurity teams deal with the unique challenges faced when securing ICS environments. It also provides guidance on detecting and responding to attacks targeting ICS.
The current version of the ICS Matrix has 12 tactics and 81 techniques. Unlike the Enterprise and Mobile Matrices, the ICS Matrix has no sub-techniques. We listed the 12 Tactics in the MITRE ATT&CK Tactics section above. Two unique tactics to the ICS Matrix are Inhibit Response Function and Impair Process Control.
MITRE ATT&CK for Insider Threats
The current Matrices contain tactics and techniques that address various aspects of insider threat — for example, the Data Destruction technique in the Enterprise Matrix. The table below outlines other insider threat activities discussed in the Matrices.
MITRE ATT&CK TPP Number
T1537 – Transfer Data to Cloud
Leaking Organizational secrets
T1020 – Automated Exfiltration
Using organization resources for personal gain
T1496 – Resource Hijacking
T1566 – Phishing
T1534 Internal Spear Phishing
Accessing restricted customer data
T1213 – Data from Information Repositories
Misconfiguring access controls on servers or data stores
T1190 – Exploit Public Facing Application
Deliberate deletion of logs
T1070 – Indicator removal on host
Unauthorized access to resources
T1078 – Valid Accounts
Insider threats are such a growing problem that the MITRE Corporation has created an Insider Threat Framework Initiative. Quoting from the project webpage:
"MITRE is creating an evolving, data-driven Insider Threat Framework that includes psycho-social and cyber-physical characteristics as common and observable indicators for insider risks. MITRE’s framework will help Insider Threat/Risk Programs more accurately target and operationalize their deterrence, detection and mitigation of insider threats."
See the Insider Threat Framework Initiative page for an in-depth discussion of the project and the reasoning behind it.
Leveraging MITRE ATT&CK in Training and Certifications
The MITRE ATT&CK framework is a valuable educational and training tool for security professionals. Its well-organized structure provides a comprehensive approach to learning about various attack tactics and techniques. Organizations can enhance the expertise of their security personnel by training based on the structured format of the framework.
The MITRE Corporation includes the following training and certification resources on the MITRE ATT@CK website.
- Using ATT&CK for Cyber Threat Intelligence Training - A five-module training course using videos and exercises from ATT@CK team members. Designed to help anyone learn how to improve threat intelligence practices.
The training page also lists three third-party Cybrary Courses:
- MITRE ATT&CK Defender (MAD) ATT&CK Fundamentals Badge Training Course - The ATT&CK Fundamentals course teaches real-world adversary tactics via the ATT&CK knowledge base. It helps with tackling present and upcoming threats.
- MITRE ATT&CK Defender (MAD) ATT&CK Cyber Threat Intelligence Certification Training - Learn how to convert data into ATT&CK format and apply intelligence to offer recommendations for defenders in this MITRE ATT&CK Defender (MAD) Cyber Threat Intelligence Certification course. Taught by MITRE experts, it also prepares you for certification.
- MITRE ATT&CK Defender (MAD) ATT&CK SOC Assessments Certification Course - This training course allows cybersecurity professionals to become certified in SOC assessments and evaluate SOC defense alignment with ATT&CK.
MITRE ATT&CK Evaluations and Engenuity
The MITRE Corporation also operates two initiatives related to the core frameworks.
- The MITRE ATT&CK Evaluations program assesses the effectiveness of cybersecurity solutions against known adversary tactics and techniques. Experts at MITRE conduct these evaluations and make the results public, enabling anyone to use them to make informed decisions about choosing the best security solutions for their needs.
- MITRE Engenuity is an independent non-profit organization operating independently of the MITRE Corporation. Its focus is tackling critical cybersecurity and public safety challenges through objective research and development. It achieves this goal by collaborating with industry, academia and Government while promoting better cybersecurity outcomes. MITRE Engenuity is actively involved in advancing technical capabilities, benchmarking cybersecurity tools and practices and driving innovation in the field. It is Engenuity that manages the MITRE ATT&CK Evaluations program.
MITRE ATT&CK FAQs
What is MITRE ATT&CK?
- MITRE ATT&CK is a framework that helps organizations understand and categorize cyber threats and attack methods.
How does MITRE ATT&CK work?
- By providing a comprehensive list of tactics, techniques and procedures attackers use to compromise networks, steal data and cause damage. Mitigations that defenders can use get identified by MITRE.
How can organizations benefit from using MITRE ATT&CK?
- Using MITRE ATT&CK, organizations can better understand their security posture and take improvement actions to close any security gaps that attackers may exploit.
Is MITRE ATT&CK free to use?
- Yes. It is open to any company, Government or any other organization to use with no charge via a MITRE Corporation grant of a non-exclusive, royalty-free license to use ATT&CK for research, development and commercial purposes.
Is MITRE ATT&CK regularly updated?
- Yes. The current version is ATT@CK V13 which got released in April 2023. The first version was in January 2018. There have been two or three new releases every year.