What is the MITRE ATT&CK Framework and How Does it Work?
Created in 2013 by the MITRE Corporation, MITRE ATT&CK® (Adversarial Tactics, Techniques, and Common Knowledge) is a cyber threat intelligence knowledge base. As a non-profit operator of six federally funded research and development centers (FFRDCs), MITRE published ATT&CK® as a website and mobile app to give IT, engineering, and cybersecurity professionals detailed information on adversary tactics and techniques across its domains, along with related resources.

What does the MITRE ATT&CK® Framework include?

The ATT&CK® framework provides a catalog of information that looks at cybersecurity from the adversary’s perspective: their goals, who they are, and the specific methods they deploy. The material is organized into the following categories, with a separate matrix for each domain:

Tactics represent the attacker’s goal:

  • enterprise network – 14 tactics
  • mobile applications – 14 tactics
  • industrial control system (ICS) – 12 tactics

Techniques represent how the attacker achieves their goal:

  • enterprise network – 193 techniques and 401 sub-techniques
  • mobile applications – 66 techniques and 41 sub-techniques
  • industrial control system (ICS) – 79 techniques

Data sources represent the various types of information that might be targeted, leveraged, or logged. The framework tracks 39 data sources.

Mitigations represent defensive techniques and tactics used to counter adversary attacks. The framework tracks 43 different mitigation types.

Groups represent adversary collectives, tracked by their common names and their associated group names (aliases). Known groups are mapped to publicly reported technique use along with the original references to their activity. The framework follows 135 groups.

Software represents the custom or commercial code, operating system utilities, open-source software, and other tools adversaries use to achieve their goals. The framework includes 718 software entries.

Campaigns represent tracked intrusion activity. The framework follows 14 campaigns, attributing each to a group and to the software used, where available.

The MITRE ATT&CK® Matrix contains information across numerous platforms, including Windows, macOS, Linux, PRE, Azure AD, Office 365, Google Workspace, SaaS, IaaS, network, and containers.

How should you use the MITRE ATT&CK® Framework and knowledge base?

The MITRE ATT&CK® Framework is meant to equip IT, engineering, and cybersecurity professionals with real-world adversary information that can be used to enhance security posture against specific groups, tactics, and techniques.

Tools like their APT29 diagram map potential means of mitigation that could defeat specific techniques used against specific data source types. Their tools can be used to educate a team on how adversaries prepare, launch, and execute their attacks. Security professionals can use the information to evaluate their defenses, detect adversary actions, and create a robust plan to mitigate an attack.

The level of real-world, open-source information offered provides a rich and usable resource for understanding how adversaries are penetrating networks, moving laterally, escalating privileges, and evading security defenses. With this knowledge, organizations can better protect themselves based on real-world behaviors and campaigns.

ATT&CK matrices are helpful when role-playing threat scenarios. MITRE ATT&CK® Navigator is their web-based tool that allows teams to explore and annotate ATT&CK matrices. Matrices and Navigator support visualizing defensive coverage, red and blue team planning, and measuring how often detected techniques occur. Each matrix allows a user to see specific tactics, techniques, and drill down into each to see specific procedure examples, mitigations, detection techniques, and references to specific groups or campaigns.
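As an added illustration of the coverage use case above (not code from the original post or from MITRE), the script below turns a few constructed alert lines tagged with ATT&CK technique IDs into a Navigator layer file, scoring each covered technique by how often it fired so that deployed rules that never trigger stand out. The rule names, the alert format, and the `versions` strings are assumptions; the technique IDs and tactic short names are real ATT&CK values.

```python
"""Build an ATT&CK Navigator layer from detection hits to visualize coverage."""
import json
from collections import Counter

# Constructed sample alerts: "<timestamp> <rule name> <ATT&CK technique ID>"
SAMPLE_ALERTS = """\
2024-05-01T10:02:11Z phishing_attachment T1566.001
2024-05-01T10:05:40Z powershell_encoded T1059.001
2024-05-01T10:05:41Z powershell_encoded T1059.001
2024-05-01T11:30:02Z new_scheduled_task T1053.005
2024-05-02T08:12:19Z powershell_encoded T1059.001
"""

# Techniques our (hypothetical) detection rules claim to cover, keyed to the
# Navigator tactic short name each hit is counted under.
RULE_COVERAGE = {
    "T1566.001": "initial-access",     # Spearphishing Attachment
    "T1059.001": "execution",          # PowerShell
    "T1053.005": "persistence",        # Scheduled Task
    "T1021.001": "lateral-movement",   # RDP: rule deployed, no hits in sample
}

def count_hits(alert_text):
    """Return {technique_id: alert count}, skipping malformed lines."""
    counts = Counter()
    for line in alert_text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[2].startswith("T"):
            counts[parts[2]] += 1
    return counts

def build_layer(alert_text, name="detection coverage"):
    """Navigator layer dict: score = hit count, so the gradient colours
    never-fired rules (score 0) differently from active ones."""
    hits = count_hits(alert_text)
    techniques = [
        {"techniqueID": tid, "tactic": tactic, "score": hits.get(tid, 0),
         "comment": f"{hits.get(tid, 0)} alert(s) in sample"}
        for tid, tactic in sorted(RULE_COVERAGE.items())
    ]
    return {
        "name": name,
        # version strings are an assumption; match your Navigator instance
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "techniques": techniques,
        "gradient": {"colors": ["#ff6666", "#ffe766", "#8ec843"],
                     "minValue": 0, "maxValue": max(hits.values(), default=1)},
    }

def silent_rules(layer):
    """Technique IDs with coverage claimed but zero alerts: candidates to re-test."""
    return [t["techniqueID"] for t in layer["techniques"] if t["score"] == 0]

def to_json(alert_text):
    """Serialized layer, ready to load via Navigator's 'Open Existing Layer'."""
    return json.dumps(build_layer(alert_text), indent=2)
```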

The MITRE ATT&CK® Framework offers robust real-world cyber-threat intelligence

The MITRE ATT&CK® framework is a catalog of invaluable information that helps organizations understand what specific behaviors are being used in real-world hacks, which can lead to better detection, interventions, and a more resilient security posture.

Modern Cloud-native security starts with Panoptica

Cisco’s Emerging Technologies and Incubation (ET&I) team is paving the way with “DevOps-friendly” cloud-native security solutions that fundamentally simplify conventional offerings. Built from the ground up to meet the needs of mission-critical modern applications, our Panoptica solution simplifies cloud-native application security, making it easy to embed into the software development lifecycle. Panoptica protects the full application stack from code to runtime by scanning for security vulnerabilities in the cloud infrastructure, microservices (Containers or Serverless), the software bill of materials, and the interconnecting APIs. And best of all, it integrates with the tools that your application development and SecOps teams are already using.