
What is the MITRE ATT&CK Framework?

Learn what MITRE ATT&CK is, its different elements, and how it can be used to analyze your network's security.

MITRE ATT&CK Definition

MITRE ATT&CK refers to a group of tactics organized in a matrix, outlining various techniques that threat hunters, defenders, and red teamers use to assess the risk to an organization and classify attacks. Threat hunters identify, assess, and address threats, and red teamers act like threat actors to challenge the IT security system.

Origin of the ATT&CK Framework

Back in 2013, the MITRE Corporation started developing MITRE ATT&CK. But what does MITRE stand for? It means MIT Research Establishment. The term “ATT&CK” is an acronym for Adversarial Tactics, Techniques, and Common Knowledge. The framework was first presented to the public in May 2015 and has been revised several times since then.

The MITRE Corporation is a nonprofit organization set up to support government agencies in the U.S. The MITRE ATT&CK framework was created to develop a straightforward, detailed, and replicable strategy for handling cyber threats. The underlying concept driving the framework is to use past experiences to inform future cyber threat detection and mitigation.

What is the Objective of the ATT&CK Framework?

The objective of the MITRE ATT&CK framework is to strengthen the steps taken after an organization has been compromised. In this way, the cybersecurity team can answer important questions about how the attacker was able to penetrate the system and what they did once inside. As information is collected over time, a knowledge base is formed that serves as an ever-expanding tool teams can use to bolster their defenses. Using the reports generated with MITRE ATT&CK, an organization can figure out where its security architecture has vulnerabilities and ascertain which ones to remedy first, according to the risk each presents.

For threat hunters, the MITRE ATT&CK framework presents an opportunity to analyze and evaluate the techniques attackers use. The framework is also a useful tool for assessing to what extent an IT team has achieved visibility across the network, specifically when it comes to cyber threats.

MITRE ATT&CK Framework Techniques and Tactics

There are three different kinds of ATT&CK matrices: Enterprise ATT&CK, PRE-ATT&CK, and Mobile ATT&CK. Each individual matrix employs different techniques and tactics.

The Enterprise ATT&CK matrix consists of tactics and techniques that apply to Linux, Windows, and macOS systems. When one of these operating systems is penetrated, the Enterprise matrix helps identify the nature of the threat and outlines information that can be used to defend against it in the future. The Mobile ATT&CK matrix has the same objective, but it applies to mobile devices. The PRE-ATT&CK matrix focuses on techniques and tactics used by attackers before they attempt to penetrate a system or network.

The report generated by an ATT&CK matrix is separated into columns. Each column describes tactics, which are what the attacker aims to accomplish. The techniques are the methods they use to succeed in the tactics. This information can be used in an ATT&CK evaluation to gain insight into the attacker’s methodologies.

There are 11 different tactics in the matrix for an Enterprise ATT&CK:

  1. Initial access
  2. Execution
  3. Persistence
  4. Privilege escalation
  5. Defense evasion
  6. Credential access
  7. Discovery
  8. Lateral movement
  9. Collection
  10. Exfiltration
  11. Impact

Each tactic is essentially a goal of the attacker. If cyber criminals are able to accomplish these individual goals, they are one step closer to their objective. In some cases, the attack will not seek to realize every tactic because some may go beyond what the attacker seeks to do. For example, an attacker may not want their attack to perform lateral movement if they simply want to steal information from a specific computer. In this case, the MITRE ATT&CK matrix may not have entries in the “Lateral Movement” section.

To illustrate how the techniques and tactics come to play in ATT&CK, suppose an attacker wants to access a network to install mining software. Their objective is to infect as many workstations as possible within the network, thereby increasing the yield of the mined cryptocurrencies. The end goal necessitates several smaller steps. Initially, the attacker has to get inside the network. They may use spear-phishing links, for example, that are sent to one or more users on the network. Then, to escalate their privileges, they may use process injection, which involves injecting code to get around defenses and elevate privileges. Once inside the network, the miner may try to infect other systems.

In this attack, the miner had to use a few different tactics. The spear-phishing link served the Initial Access tactic and got them inside the network. Process injection then achieved the Privilege Escalation tactic. Finally, infecting other systems was Lateral Movement. The ATT&CK report would outline how the miner accomplished each tactic and the techniques used to do so.

As security personnel analyze the results, they can ascertain not just the methods used but also why they were successful. For example, the phishing attack could only have been effective if someone clicked on a link. This raises important questions such as:

  1. Do all staff in the organization understand how to avoid phishing attacks?
  2. Are employees and management personnel educated regarding what a phishing attack looks like?
  3. Was there something about the target’s behavior, browsing habits, position, or personal network safety practices that made them a more likely target?
  4. What did the attack actually look like? How likely were other employees to have fallen for it?
  5. How can this information be used in future cybersecurity training?

Benefits and Challenges of MITRE ATT&CK Framework

MITRE formalizes the process of categorizing attacks and allows for a common language when different security teams have to communicate with each other. MITRE provides you with a system you can use to consistently address threats.

However, MITRE also presents challenges because it is only a framework, and how well it works in a real-life scenario depends on how each organization applies it. For instance, if one company decides that the cyber risk associated with a threat is higher than another company does, the steps MITRE requires may end up being applied differently, even though both are facing the same threat.

How Does ATT&CK Framework Combat Cyber Threats?

Even though this framework is not new, it has become more and more popular as a tool for helping organizations, the government, and end-users combine efforts to combat cyber threats. Threat intelligence gives organizations, IT departments, and individual users an advantage when it comes to spotting and preventing cyber threats. Furthermore, with MITRE ATT&CK reports being generated on a consistent basis, the collection of threat profiles grows larger and more relevant. Over time, the portfolio of threats can help users prevent more types of attacks.

However, it is important to keep in mind that MITRE ATT&CK matrices are not a foolproof solution. While an attack may be well-described and the report contains a high level of detail, that does not mean that the same kind of attack cannot be accomplished using other techniques.

To again use the cryptomining example, the objective could have still been accomplished using whale phishing. While whale phishing merely goes after “bigger fish” in the organization, this may considerably change the nature of the attack. Specifically, the methods used to make the initial penetration successful may have taken more time to develop, perhaps incorporating social engineering or gathering personal data to help disguise the attacker’s approach. As a result, the MITRE ATT&CK report that began with a spear-phishing attack may have little relevance to one with the same objective but different initial steps.

To avoid this limitation of the MITRE ATT&CK format, it is best to:

  1. Assume there are multiple ways to successfully execute ATT&CK techniques.
  2. Log the test results carefully so that it is easier to see the gaps attackers can use to their advantage, as well as the specific techniques used to accomplish tactics.
  3. Research the different methods attackers use and then test them against your current defenses, noting which protections work well and which fall short.
  4. Examine which tools do the best job of protecting your network, as well as where there are gaps that can threaten your system.
  5. Make sure you stay up to date with the most recent attack methods and continually test your strategies to defend against them.

It is also important to remember that not all attacks within one category behave the same or can be stopped using the same methods. For example, there are several different ways of getting ransomware into a network: an attacker can use a drive-by download, or the attack can be more targeted, such as one that employs a Trojan horse.

5 Use Cases of the MITRE ATT&CK Framework

Here are five different ways enterprises can use MITRE:

  1. Sharing information between organizations regarding how threats behave
  2. Keeping track of the techniques, tactics, and procedures (TTP) threat actors use over time
  3. Emulating the behavior and tactics of different types of hackers for internal training purposes
  4. Mapping out the connections between the tactics malicious actors use and the kinds of data they are after
  5. Figuring out which tactics are used the most frequently so cyber defense teams can keep an eye out for them

Understand the Behaviors and Techniques That Hackers Use Against Organizations

MITRE removes ambiguity and provides a common vocabulary for IT teams to collaborate as they fight threats. This is because, with the ATT&CK framework, the techniques hackers use are broken down, step-by-step. As a result, cybersecurity teams can communicate more clearly about MITRE ATT&CK techniques.

MITRE ATT&CK vs. Cyber Kill Chain

The MITRE ATT&CK framework is designed to address a broad range of attacks that could impact many different types of organizations. The Cyber Kill Chain, on the other hand, was developed by Lockheed Martin for the military, and it segments an intrusion into seven specific phases: reconnaissance, weaponizing, attack delivery, exploitation of the target, installation of malicious software, command and control (C2), and actions taken on objectives.

MITRE ATT&CK Enterprise Evaluation FAQs

A high visibility rate, such as the 98% achieved by FortiEDR, is crucial for organizations because it ensures that even the most subtle threats can be detected, enhancing proactive threat detection capabilities.

With this level of visibility, organizations can respond to threats more effectively and in a timely manner. It empowers them with the ability to accurately diagnose and respond to potential threats, facilitating more efficient threat hunting and risk management.

The MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework is a comprehensive matrix that catalogs TTPs observed in real-world cyber attacks and serves as a foundational tool for understanding, preparing for, and defending against cyber threats. It is structured as a matrix in which the columns represent Tactics and the rows contain Techniques that could be used to achieve those tactics. Procedures provide more granular details under each Technique and are often linked to real-world incidents or threat intelligence reports. The ATT&CK framework serves multiple purposes:

  • Understanding Adversary Behavior: It helps security researchers and professionals understand the behavior of adversaries in a structured way.
  • Incident Analysis: It aids in analyzing incidents by mapping observed behavior to known tactics and techniques, helping to identify possible motives and future actions an adversary might take.
  • Threat Intelligence: Organizations can use the ATT&CK framework to enrich their threat intelligence, providing more context to raw indicators of compromise (IoCs).
  • Improving Defenses: By understanding the TTPs that adversaries use, organizations can better prepare their defenses, patching systems against known vulnerabilities and enhancing detection capabilities for specific techniques and procedures.
  • Evaluation and Benchmarking: MITRE's ATT&CK Engenuity Evaluations use the framework to assess the efficacy of different cybersecurity products in detecting, preventing, and mitigating threats based on real-world TTPs.

The techniques and tactics emulated in an evaluation are typically chosen based on their relevance to real-world cyber threats, as documented in the ATT&CK framework. MITRE often selects techniques that have been used by advanced persistent threats (APTs) in recent incidents. For example, in round four MITRE used Wizard Spider and Sandworm, two nation-state ransomware strains. In round five, it chose Turla, an advanced form of espionage malware.

The detection categories (Technique, Tactic, General, Telemetry, and None) refer to the different levels of visibility and contextual information that an EPP solution provides when detecting or responding to simulated adversarial behavior.

  • Technique: When a product provides "Technique" level visibility, it means the solution has successfully identified a specific adversarial technique from the MITRE ATT&CK matrix. This is the most granular level of visibility, allowing security professionals to understand precisely which known adversarial method is being used. This can be invaluable for immediate response and remediation efforts.
  • Tactic: "Tactic" level visibility implies that the product can identify the broader tactical objective behind an attack (such as "Exfiltration" or "Privilege Escalation"), but may not be able to pinpoint the exact technique being used. This level of visibility still provides useful context and helps to understand the adversary's goals, but it might require further investigation to get into the specifics.
  • General: When a product provides "General" visibility, it usually means that the product has flagged some suspicious or malicious activity but hasn't mapped it to a specific tactic or technique from the ATT&CK matrix. This can be seen as a lower-fidelity alert, which could be useful but will likely require further investigation to fully understand the scope and nature of the threat.
  • Telemetry: This term signifies that raw data or basic information related to an event is collected but no specific alert or contextual analysis is provided. Essentially, the product is aware that something has occurred, but it doesn't categorize or evaluate the activity as malicious or benign. Telemetry data often serves as the building blocks for more advanced analysis but by itself may not be immediately useful for threat detection.
  • None: This indicates a complete lack of visibility into a specific simulated technique or tactic. In other words, the cybersecurity product did not detect or log the simulated adversarial behavior. This could be a significant blind spot and is obviously not ideal from a security standpoint.
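As an added example (not from this page, nor from MITRE or Fortinet), the script below maps the cryptominer scenario described earlier onto ATT&CK tactic columns and scores a product's detections with the five categories just listed. The scenario steps and detection records are constructed; the technique IDs are the ATT&CK Enterprise IDs for the techniques the scenario names.

```python
# Added example: score evaluation-style detections against an ATT&CK scenario.
from collections import defaultdict

# Detection categories from the FAQ, ordered from least to most informative.
CATEGORIES = ["None", "Telemetry", "General", "Tactic", "Technique"]
RANK = {c: i for i, c in enumerate(CATEGORIES)}

# Constructed scenario: one row per adversary step in the cryptominer example.
SCENARIO = [
    {"step": 1, "tactic": "Initial Access", "technique": "T1566.002", "name": "Spearphishing Link"},
    {"step": 2, "tactic": "Privilege Escalation", "technique": "T1055", "name": "Process Injection"},
    {"step": 3, "tactic": "Lateral Movement", "technique": "T1021", "name": "Remote Services"},
    {"step": 4, "tactic": "Impact", "technique": "T1496", "name": "Resource Hijacking"},
]

# Constructed detections: what a product reported per step; a step may have
# several alerts of different fidelity, or none at all (step 3 here).
DETECTIONS = [
    {"step": 1, "category": "Telemetry"},
    {"step": 1, "category": "Technique"},
    {"step": 2, "category": "General"},
    {"step": 2, "category": "Tactic"},
    {"step": 4, "category": "Telemetry"},
]

def best_category(step_detections):
    """Highest-fidelity category among a step's detections ("None" if empty)."""
    return max((d["category"] for d in step_detections), key=RANK.get, default="None")

def score(scenario, detections):
    """Per-technique best category plus visibility and analytic coverage rates."""
    by_step = defaultdict(list)
    for d in detections:
        by_step[d["step"]].append(d)
    results = {s["technique"]: best_category(by_step[s["step"]]) for s in scenario}
    seen = sum(1 for c in results.values() if c != "None")          # anything logged
    analytic = sum(1 for c in results.values() if RANK[c] >= RANK["Tactic"])  # mapped to ATT&CK
    return {
        "per_technique": results,
        "visibility_pct": round(100 * seen / len(scenario), 1),
        "analytic_pct": round(100 * analytic / len(scenario), 1),
    }

def tactic_columns(scenario, results):
    """Group outcomes by tactic, mirroring the matrix columns the page describes."""
    cols = defaultdict(dict)
    for s in scenario:
        cols[s["tactic"]][s["technique"]] = results[s["technique"]]
    return dict(cols)

if __name__ == "__main__":
    r = score(SCENARIO, DETECTIONS)
    for tactic, techs in tactic_columns(SCENARIO, r["per_technique"]).items():
        print(f"{tactic:22}", techs)
    print(f"visibility {r['visibility_pct']}%  analytic {r['analytic_pct']}%")
```

The gap between the visibility rate and the analytic rate is the part of the scenario a team would have to reconstruct by hand from telemetry, which is where the "Telemetry" and "General" categories hide real investigative cost.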

MITRE's evaluation reports usually provide context around detections, but they typically do not measure or report false positives and negatives.

The aim is for evaluations to be as transparent and repeatable as possible, although replicating the exact test conditions might be challenging without access to the same test environments.

Vendors usually apply to be part of the evaluation process, and MITRE selects participants based on various criteria like market relevance and technological capabilities.

No. These evaluations show how a particular solution responded to an advanced attack; they are not a replacement for red teaming or penetration testing.

Evaluations are generally performed annually. They may not account for the very latest updates from vendors but aim to be as current as possible.