Learn more about the MITRE ATT&CK Framework and how it helps cybersecurity professionals better understand adversary behavior to protect against attacks.
In this 101, we’re going to cover:
One of the best ways of combatting cybersecurity threats is by looking at real-world behavior to understand how adversaries operate. MITRE's Adversarial Tactics, Techniques, and Common Knowledge (MITRE ATT&CK) is a framework for understanding this behavior.
This knowledge base is ever-evolving because it's updated quarterly with new adversaries, tactics, and techniques. The model reflects the various phases of an attack and potential targets to categorize attacks and help security analysts defend against them.
MITRE ATT&CK was created in 2013 to support emulation of adversary and defender behavior, which helped improve threat detection and provided a way to categorize adversary tactics and techniques. It is now used as the foundation for organizations developing their own models to better protect against cybersecurity threats.
The MITRE ATT&CK Framework is updated quarterly with new information from security vendors and includes:
The framework includes detailed descriptions of tactics, techniques, and procedures (TTPs). These vary depending on what type of system an adversary is targeting: for example, the TTPs used to compromise an enterprise system differ from the TTPs used to attack a mobile device. MITRE provides three matrices to address these distinct environments.
Some common tactics may be present in all three matrices, but the specific techniques and sub-techniques often vary by environment.
MITRE is a not-for-profit organization known for its work across federal, state, and local governments. It covers a wide variety of areas, including artificial intelligence, health informatics, cyber threat sharing, cyber resilience, and so much more. In addition to creating the MITRE ATT&CK Framework, it has also built a community for sharing techniques and holds a yearly cybersecurity conference.
The MITRE ATT&CK matrices contain the techniques adversaries use to accomplish an objective. Those objectives are categorized as tactics and presented across the entire lifecycle of an attack. The Enterprise matrix includes the following adversary tactics:
Within each of these tactics is a set of techniques that describe how adversaries carry out that objective. This helps analysts understand what an adversary might try to do, which improves defense and can also improve detection if an attacker does gain initial access.
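To make the tactic/technique/sub-technique structure concrete, here is an added Python example (not code from the original page or from MITRE) that maps a team's detection rules onto a small, constructed subset of the Enterprise matrix and reports coverage per tactic. The tactic and technique IDs are real ATT&CK identifiers; the rule names, the choice of subset, and the tactic list given for each technique (only some of the tactics a multi-tactic technique belongs to) are assumptions made for illustration. Sub-technique IDs such as T1059.001 roll up to their parent technique, and malformed or unknown IDs are reported rather than silently dropped, since a typo in a rule tag would otherwise look like a coverage gap or, worse, hide one.

```python
import re
from collections import defaultdict

# Constructed subset of the Enterprise matrix: tactic id -> name.
TACTICS = {
    "TA0001": "Initial Access",
    "TA0002": "Execution",
    "TA0003": "Persistence",
    "TA0006": "Credential Access",
    "TA0008": "Lateral Movement",
}

# Constructed subset: technique id -> (name, tactic ids it serves in this subset).
# A technique that serves several objectives appears under each of those tactics.
TECHNIQUES = {
    "T1566": ("Phishing", ["TA0001"]),
    "T1078": ("Valid Accounts", ["TA0001", "TA0003"]),
    "T1059": ("Command and Scripting Interpreter", ["TA0002"]),
    "T1053": ("Scheduled Task/Job", ["TA0002", "TA0003"]),
    "T1003": ("OS Credential Dumping", ["TA0006"]),
    "T1021": ("Remote Services", ["TA0008"]),
}

# Constructed detection rules: (hypothetical rule name, ATT&CK tags).
RULES = [
    ("Encoded PowerShell command line", ["T1059.001"]),
    ("LSASS process memory access", ["T1003.001"]),
    ("Spearphishing attachment opened", ["T1566.001"]),
    ("Scheduled task created by non-admin", ["T1053.005"]),
]

TECHNIQUE_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")


def parent_technique(tid: str) -> str:
    """Normalise a technique or sub-technique id to its parent technique.

    'T1059.001' -> 'T1059'; 'T1059' -> 'T1059'. Anything else is rejected so
    that a malformed tag surfaces instead of silently reducing coverage.
    """
    if not TECHNIQUE_ID.match(tid):
        raise ValueError(f"malformed ATT&CK technique id: {tid!r}")
    return tid.split(".")[0]


def build_matrix(techniques=TECHNIQUES):
    """Invert the technique table into tactic id -> set of technique ids."""
    matrix = defaultdict(set)
    for tid, (_name, tactic_ids) in techniques.items():
        for ta in tactic_ids:
            matrix[ta].add(tid)
    return dict(matrix)


def coverage(rules, techniques=TECHNIQUES):
    """Return (per-tactic report, unknown tags).

    A rule tagged with a sub-technique counts as covering the parent
    technique. Tags that are well-formed but absent from the matrix subset
    are collected in `unknown` for review.
    """
    matrix = build_matrix(techniques)
    detected, unknown = set(), set()
    for _rule_name, tags in rules:
        for tag in tags:
            parent = parent_technique(tag)
            if parent in techniques:
                detected.add(parent)
            else:
                unknown.add(tag)
    report = {}
    for ta, tids in matrix.items():
        covered = tids & detected
        report[ta] = {
            "covered": sorted(covered),
            "uncovered": sorted(tids - covered),
            "ratio": len(covered) / len(tids),
        }
    return report, sorted(unknown)


if __name__ == "__main__":
    report, unknown = coverage(RULES)
    for ta in sorted(report):
        r = report[ta]
        print(f"{ta} {TACTICS[ta]:<18} {r['ratio']:4.0%}  "
              f"gaps: {', '.join(r['uncovered']) or '-'}")
    if unknown:
        print("tags not in matrix subset:", ", ".join(unknown))
```

Run as a script it prints one line per tactic with the coverage ratio and the techniques no rule addresses (here T1078 Valid Accounts and T1021 Remote Services), which is the kind of gap list an analyst would take back to the detection backlog.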
MITRE regularly evaluates the capabilities of cybersecurity solutions through an objective lens. The mission is to drive innovation for the public good and improve the industry's threat detection capabilities.
During these evaluations, MITRE emulates known adversary groups to see how each solution performs against both tested and untested techniques. The most recent evaluations emulated the Carbanak and FIN7 threat actor groups, which primarily target financial institutions.
The optional protection element showed how vendors could protect a system from attack by blocking malicious executions. Each solution had to protect against 54 attacker techniques included in the ATT&CK evaluation. It tests the vendor's ability to fend off advanced malware, lateral movement, and more. These solutions are then scored by MITRE based on how well they performed in each scenario.
In the latest round, Cybereason posted the best results in the history of the MITRE ATT&CK Evaluations. If you'd like to see what that looks like, you can watch the live webinar here.