PRODUCT

What is MITRE ATT&CK?

MITRE ATT&CK Framework Explained

Learn more about the MITRE ATT&CK Framework and how it helps cybersecurity professionals better understand adversary behavior to protect against attacks.

In this 101, we’re going to cover:

MITRE ATT&CK 101

One of the best ways of combatting cybersecurity threats is by looking at real-world behavior to understand how adversaries operate. MITRE's Adversarial Tactics, Techniques, and Common Knowledge (MITRE ATT&CK) is a framework for understanding this behavior.

WHAT IS MITRE ATT&CK AND HOW IS IT USEFUL?

This knowledge base is ever-evolving because it's updated quarterly with new adversaries, tactics, and techniques. The model reflects the various phases of an attack and potential targets to categorize attacks and help security analysts defend against them.

Created in 2013, MITRE ATT&CK aimed to emulate adversary and defender behavior. That helped improve the detection of threats and categorize adversary tactics and techniques. It's now used as the foundation for organizations developing their models to help better protect against cybersecurity threats. 

THE MITRE ATT&CK FRAMEWORK

The MITRE ATT&CK Framework is updated quarterly with new information from security vendors and includes:

  • Tactical goals of adversaries during an attack
  • Techniques adversaries use to achieve tactical goals
  • Documented usage of techniques and other metadata

The framework includes detailed descriptions of tactics, techniques, and procedures (TTP). These vary depending on what type of system an adversary is targeting — for example, the TTP used to compromise an enterprise system would be different from the TTP used to attack a mobile device. MITRE provides three matrices to address these distinct environments. 

  • Enterprise matrix - This addresses platforms such as Windows, macOS, Linux, and other enterprise operating systems.
  • Mobile matrix - This covers all mobile devices running Android or iOS.
  • ICS matrix - This addresses industrial control systems.

Some common tactics may be present in all three matrices, but the specific techniques and sub-techniques often vary by environment. 

WHAT IS MITRE KNOWN FOR? 

MITRE is a not-for-profit organization known for its work across federal, state, and local governments. It covers a wide variety of areas, including artificial intelligence, health informatics, cyber threat sharing, cyber resilience, and so much more. In addition to creating the MITRE ATT&CK Framework, it has also built a community for sharing techniques and holds a yearly cybersecurity conference.

WHAT IS THE MITRE TECHNIQUE?

The MITRE ATT&CK matrices contain a set of techniques adversaries use to accomplish an objective. Those objectives are categorized as tactics then presented across the entire lifecycle of the attack. The Enterprise matrix includes the following adversary tactics:

  • Reconnaissance - Gathering information about a target to help plan an attack
  • Initial Access - Attempting to gain access with techniques such as spear phishing
  • Execution - Running malicious code once they've gained access
  • Privilege Escalation - Leveraging further vulnerabilities to increase access
  • Defense Evasion - Avoiding detection
  • Lateral Movement - Moving through a system (often using legitimate credentials) to gain further access
  • Collection - Gathering data relevant to adversary objectives
  • Exfiltration - Stealing data to further adversary objectives

Within each of these tactics is a set of techniques that describe how they carry out each objective. That helps analysts understand what an adversary might try to do, which helps improve defense but can also help to improve detection if an attacker does gain initial access.

HOW DOES MITRE EVALUATE CYBERSECURITY VENDORS?

MITRE regularly evaluates the capabilities of cybersecurity solutions through an objective lens. The mission is to drive innovation for the public good and improve the industry's threat detection capabilities.

The MITRE Attack Framework emulates adversary groups during these evaluations to see how each solution performs against both tested and untested techniques. The most recent evaluations emulated Canara Bank and FIN7 threat actor groups, primarily targeting financial institutions. 

The optional protection element showed how vendors could protect a system from attack by blocking malicious executions. Each solution had to protect against 54 attacker techniques included in the ATT&CK evaluation. It tests the vendor's ability to fend off advanced malware, lateral movement, and more. These solutions are then scored by MITRE based on how well they performed in each scenario. 

In the latest round, Cybereason posted the best results in history of MITRE ATT&CK Evaluations. If you'd like to see what that looks like, you can watch the live webinar here.

Back to Cybersecurity 101

Schedule Your Demo today