MITRE’s Adversarial Tactics, Techniques, and Common Knowledge (MITRE ATT&CK) is a model and knowledge base of adversary behavior. It catalogs the attack lifecycle of different adversaries and the platforms they choose to target, all based on real-world observations. ATT&CK is not a static framework, and is updated quarterly with new adversaries, tactics, techniques, and other information supplied by security vendors and organizations around the world.
In our paper on Five Steps to Enhance SecOps with MITRE ATT&CK, we explain how to use two of MITRE ATT&CK’s most important components to develop a continuously improving defense.
What are Tactics, Techniques, and Procedures?
Long before their use in cybersecurity, tactics, techniques, and procedures (TTPs) were used to describe military operations within the United States Department of Defense. Like much military terminology, the term transfers well to cybersecurity, where TTPs describe the processes and profile of a specific adversary.
Figure 1: How tactics, techniques, and procedures map onto the attack lifecycle.
Figure 2: The tactics, techniques, and procedures of APT19’s attack on forbes.com, laid out the same way.
TTPs give vendors, analysts, and everyone in between a common vocabulary around which to consistently communicate methods of an attack.
Diving Deeper into MITRE ATT&CK
Choosing the Right Targets
MITRE ATT&CK has threat intelligence on almost eighty different adversaries, from the techniques they use to the industries they target. To get the most out of your AEP, prioritize simulating adversaries you are most likely to face in real life.
Table 1: Example adversaries and the industries they target.
To make things easier, you can search for an industry within the MITRE ATT&CK website and immediately see which adversaries are known to target it.
Figure 3: Searching the MITRE ATT&CK website for adversary groups known to target healthcare companies.
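The same lookup the website offers can be done against the ATT&CK data itself, which MITRE publishes as STIX 2.x JSON (the `enterprise-attack.json` bundle in the mitre/cti repository on GitHub). The script below is an added example written for this article, not code from Cybereason or MITRE: it indexes a bundle, finds the adversary groups (`intrusion-set` objects) whose description mentions a given industry, and lists the technique IDs each group is related to through `uses` relationships, skipping objects marked `revoked` or `x_mitre_deprecated`. The embedded bundle is a constructed miniature with made-up group names and placeholder STIX IDs; only the object shape and the two technique IDs (T1566, T1059) follow the real data set.

```python
import json

# Constructed sample bundle in the shape of the MITRE ATT&CK STIX data:
# intrusion-set = adversary group, attack-pattern = technique, and a
# "uses" relationship ties a group to a technique. Group names, descriptions
# and UUIDs are illustrative placeholders, not copied from the live data set.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-00000000ffff",
    "objects": [
        {"type": "intrusion-set",
         "id": "intrusion-set--00000000-0000-4000-8000-000000000001",
         "name": "EXAMPLE-GROUP-A",
         "description": "Has targeted healthcare and pharmaceutical organizations."},
        {"type": "intrusion-set",
         "id": "intrusion-set--00000000-0000-4000-8000-000000000002",
         "name": "EXAMPLE-GROUP-B",
         "description": "Known for intrusions against financial services firms."},
        {"type": "attack-pattern",
         "id": "attack-pattern--00000000-0000-4000-8000-000000000101",
         "name": "Phishing",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1566"}]},
        {"type": "attack-pattern",
         "id": "attack-pattern--00000000-0000-4000-8000-000000000102",
         "name": "Command and Scripting Interpreter",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1059"}]},
        {"type": "relationship", "relationship_type": "uses",
         "id": "relationship--00000000-0000-4000-8000-000000000201",
         "source_ref": "intrusion-set--00000000-0000-4000-8000-000000000001",
         "target_ref": "attack-pattern--00000000-0000-4000-8000-000000000101"},
        {"type": "relationship", "relationship_type": "uses",
         "id": "relationship--00000000-0000-4000-8000-000000000202",
         "source_ref": "intrusion-set--00000000-0000-4000-8000-000000000001",
         "target_ref": "attack-pattern--00000000-0000-4000-8000-000000000102"},
        {"type": "relationship", "relationship_type": "uses",
         "id": "relationship--00000000-0000-4000-8000-000000000203",
         "source_ref": "intrusion-set--00000000-0000-4000-8000-000000000002",
         "target_ref": "attack-pattern--00000000-0000-4000-8000-000000000101"},
        # A revoked relationship: ATT&CK keeps these for history, consumers skip them.
        {"type": "relationship", "relationship_type": "uses", "revoked": True,
         "id": "relationship--00000000-0000-4000-8000-000000000204",
         "source_ref": "intrusion-set--00000000-0000-4000-8000-000000000002",
         "target_ref": "attack-pattern--00000000-0000-4000-8000-000000000102"},
    ],
})


def index_objects(bundle_json):
    """Map STIX id -> object, dropping revoked and deprecated entries."""
    bundle = json.loads(bundle_json)
    return {o["id"]: o for o in bundle["objects"]
            if not o.get("revoked") and not o.get("x_mitre_deprecated")}


def attack_id(obj):
    """Return the ATT&CK ID (e.g. T1566) from an object's external references."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def groups_targeting(objects, sector):
    """Names of groups whose description mentions the sector (case-insensitive)."""
    needle = sector.lower()
    return sorted(o["name"] for o in objects.values()
                  if o["type"] == "intrusion-set"
                  and needle in o.get("description", "").lower())


def techniques_used_by(objects, group_name):
    """Sorted ATT&CK technique IDs linked to the group by a 'uses' relationship."""
    group_ids = {o["name"]: o["id"] for o in objects.values()
                 if o["type"] == "intrusion-set"}
    gid = group_ids.get(group_name)
    found = set()
    for o in objects.values():
        if (o["type"] == "relationship" and o.get("relationship_type") == "uses"
                and o.get("source_ref") == gid):
            target = objects.get(o.get("target_ref"))
            if target and target["type"] == "attack-pattern" and attack_id(target):
                found.add(attack_id(target))
    return sorted(found)


def emulation_shortlist(bundle_json, sector):
    """Groups that target the sector, each with the techniques to prioritize."""
    objects = index_objects(bundle_json)
    return {g: techniques_used_by(objects, g) for g in groups_targeting(objects, sector)}


if __name__ == "__main__":
    for group, techniques in emulation_shortlist(SAMPLE_BUNDLE, "healthcare").items():
        print(group, ", ".join(techniques))
```

Pointing `emulation_shortlist` at the real `enterprise-attack.json` (read from disk instead of `SAMPLE_BUNDLE`) gives a technique list per relevant group that can seed the adversary emulation prioritization described above; the substring match on the description is the same kind of search the website performs, so a sector spelled differently in a group's description will be missed.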
To learn more about how to use MITRE ATT&CK, download the white paper, Five Clear Steps to Enhance SecOps with MITRE ATT&CK.
About the Author
Cybereason Security Team
The Cybereason Security Team champions cyber defenders by providing future-ready attack protection that unifies security from the endpoint, to the enterprise, to everywhere the battle moves. The Cybereason Defense Platform combines the industry’s top-rated detection and response (EDR and XDR), next-gen anti-virus (NGAV), and proactive threat hunting to deliver context-rich analysis of every element of a Malop (malicious operation). The result: defenders can end cyber attacks from endpoints to everywhere.