MITRE ATT&CK™

MITRE ATT&CK framework techniques, sub-techniques & procedures

February 8, 2021 by Howard Poston

The MITRE ATT&CK framework is a tool developed by the MITRE Corporation to aid understanding and discussion of cyberattacks.  MITRE ATT&CK takes the cyberattack lifecycle and breaks it down into stages (called Tactics). 

Each of these Tactics carries additional information beneath it, providing a deep dive into the methods that an attacker can use to achieve that goal.

Introduction to MITRE ATT&CK framework techniques

The MITRE ATT&CK framework is organized hierarchically.  At the top level are the Tactics, which describe the goals that an attacker may need to achieve during the cyberattack lifecycle, such as evading defenses and gaining access to user credentials.

Below this level are the Techniques.  Techniques are particular methods by which an attacker can achieve the goal outlined in a particular Tactic.  For example, the Credential Access Tactic in the Enterprise Matrix includes techniques like Brute Force and OS Credential Dumping.

MITRE ATT&CK framework PRE-ATT&CK techniques

PRE-ATT&CK used to be its own standalone matrix that rivaled the Enterprise matrix in size.  As of the October 2020 release (ATT&CK v8), it has been condensed into two Tactics within the Enterprise matrix: Reconnaissance and Resource Development.

Each of these Tactics has a number of Techniques. Reconnaissance’s ten Techniques cover both active methods (such as scanning) and passive ones (such as searching open sources) for collecting information about a target.  Resource Development’s six Techniques outline the steps an attacker may take to build or acquire the infrastructure, accounts and capabilities needed to carry out an attack.

MITRE ATT&CK framework enterprise techniques

The MITRE ATT&CK Enterprise Matrix has twelve further Tactics beyond the two inherited from PRE-ATT&CK.  Each of these twelve Tactics has several Techniques (counts as of ATT&CK v8, current when this article was written):

  • Initial Access (9)
  • Execution (10)
  • Persistence (18)
  • Privilege Escalation (12)
  • Defense Evasion (37)
  • Credential Access (15)
  • Discovery (25)
  • Lateral Movement (9)
  • Collection (17)
  • Command and Control (16)
  • Exfiltration (9)
  • Impact (13)

These numbers give some idea of the relative complexity of defending against each Tactic, but the comparison is not exact, because a Technique count ignores Sub-Techniques.  For example, Discovery has more than twice as many Techniques as Privilege Escalation (25 vs. 12).  However, many Privilege Escalation Techniques have a long list of Sub-Techniques while most Discovery Techniques have none, so once Sub-Techniques are counted there are more than twice as many distinct ways of accomplishing Privilege Escalation as Discovery.

MITRE ATT&CK framework mobile techniques

The MITRE ATT&CK Mobile matrix is structured similarly to the Enterprise matrix.  It lacks the Reconnaissance and Resource Development Tactics now included in the Enterprise matrix and shares the other twelve, but it also adds two Tactics of its own, Network Effects and Remote Service Effects, for attacks that act on the device through the network or through cloud services rather than on the device itself.

The two matrices differ significantly in the Techniques that they contain.  Mobile Techniques are largely focused on attack vectors unique to mobile devices, and there are fewer of them than in the Enterprise matrix.  However, many of the Techniques described in the Enterprise matrix apply to mobile devices as well.

MITRE ATT&CK framework sub-techniques

MITRE ATT&CK Techniques outline a particular way to achieve the goal of a Tactic.  A MITRE ATT&CK Technique may also include Sub-Techniques.  These are particular ways to carry out the action outlined in the Technique.  For example, the Brute Force Technique for Credential Access in the Enterprise Matrix has four Sub-Techniques:

  • Password Guessing
  • Password Cracking
  • Password Spraying
  • Credential Stuffing

All of these Sub-Techniques are ways to carry out the main Technique (obtaining valid credentials by systematically trying candidates), but they rely on different mechanisms: Password Guessing and Password Spraying submit passwords to a live authentication service (many attempts against one account, or a few common passwords across many accounts, respectively), Password Cracking works offline against captured hashes, and Credential Stuffing replays credentials leaked from other services.
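The difference between Password Guessing and Password Spraying is visible in authentication logs, which is why the two are separate Sub-Techniques with separate detections.  The following is an added example, not code from the original article or from MITRE: it parses constructed sshd-style failure lines, groups them by source address and labels each source with the ATT&CK Sub-Technique ID it matches (T1110.001 Password Guessing or T1110.003 Password Spraying).  The log format, window and thresholds are assumptions for illustration and would be tuned to a real environment.

```python
"""Label failed-logon bursts with ATT&CK Brute Force sub-technique IDs.

Added example, not part of the original article. The ATT&CK IDs are real;
the log lines are constructed and the thresholds are illustrative assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# ATT&CK IDs for the two online Brute Force sub-techniques distinguished here
PASSWORD_GUESSING = "T1110.001"   # many attempts against one account
PASSWORD_SPRAYING = "T1110.003"   # a few attempts each across many accounts

# Detection thresholds: assumptions for this example, tune per environment
WINDOW = timedelta(minutes=10)    # failures from one source within this span form one burst
SPRAY_MIN_USERS = 5               # spraying: at least this many distinct accounts ...
SPRAY_MAX_PER_USER = 2            # ... with no more than this many tries against any one
GUESS_MIN_ATTEMPTS = 8            # guessing: at least this many tries against a single account

# Assumed sshd-style failure line (constructed format for this example)
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9.]+) port \d+ ssh2$"
)


def parse_failures(lines):
    """Yield (timestamp, source_ip, username) for each line that is a failed-password event."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["ip"], m["user"]


def classify_source(attempts):
    """Label one source's failures, a list of (timestamp, user), with a sub-technique ID or None."""
    attempts = sorted(attempts)
    if not attempts or attempts[-1][0] - attempts[0][0] > WINDOW:
        return None  # too spread out to call one burst; a fuller detector would slide the window
    per_user = defaultdict(int)
    for _, user in attempts:
        per_user[user] += 1
    if len(per_user) >= SPRAY_MIN_USERS and max(per_user.values()) <= SPRAY_MAX_PER_USER:
        return PASSWORD_SPRAYING
    if max(per_user.values()) >= GUESS_MIN_ATTEMPTS:
        return PASSWORD_GUESSING
    return None  # e.g. a legitimate user mistyping a password a couple of times


def detect(lines):
    """Return {source_ip: sub-technique ID} for every source whose failures match a pattern."""
    by_ip = defaultdict(list)
    for ts, ip, user in parse_failures(lines):
        by_ip[ip].append((ts, user))
    return {ip: label for ip, attempts in by_ip.items()
            if (label := classify_source(attempts))}


# Constructed sample log (not real data): one sprayer, one guesser, one benign typo
SAMPLE_LOG = [
    # 203.0.113.7 tries six different accounts once each within seconds: spraying
    *[f"2021-02-08T09:00:{i:02d} sshd[101]: Failed password for {u} from 203.0.113.7 port 4{i}000 ssh2"
      for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])],
    # 198.51.100.9 hammers the root account ten times: guessing
    *[f"2021-02-08T09:05:{i:02d} sshd[102]: Failed password for root from 198.51.100.9 port 5{i}000 ssh2"
      for i in range(10)],
    # 192.0.2.5 is a user mistyping their own password twice: no label
    "2021-02-08T09:10:00 sshd[103]: Failed password for alice from 192.0.2.5 port 60000 ssh2",
    "2021-02-08T09:10:30 sshd[103]: Failed password for alice from 192.0.2.5 port 60001 ssh2",
]

if __name__ == "__main__":
    for ip, technique in sorted(detect(SAMPLE_LOG).items()):
        print(f"{ip}: {technique}")
```

Tagging the alert with the Sub-Technique ID rather than just "brute force" matters for the response: a spray across many accounts points at a weak-password and lockout-policy problem, while a sustained guess against one account points at that account specifically.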

MITRE ATT&CK framework procedures

While they don’t appear in the matrices themselves, the MITRE ATT&CK Framework also has the concept of Procedures.  These Procedures can be viewed by clicking on a particular Technique or Sub-Technique in the matrix.

These Procedures detail known, observed implementations of a particular Technique or Sub-Technique.  This may include malware variants or tools known to use that particular method, or threat actors whose tactics, techniques and procedures (TTPs) include the Technique or Sub-Technique.

How are MITRE ATT&CK framework sub-techniques and procedures different?

Sub-Techniques and Procedures both describe a particular method of performing a Technique to accomplish the goals of a Tactic.  However, these two concepts are distinct in MITRE ATT&CK.

A Sub-Technique describes a “how” for a particular Technique.  It is a process or mechanism for accomplishing the goal of a Tactic.  For example, Password Spraying is a type of Brute Force attack for accomplishing Credential Access.

A Procedure is a “what”: a specific implementation that has actually been observed in use.  An example of a Procedure for Credential Access would be a password cracking tool like Hashcat or John the Ripper, recorded against the Password Cracking Sub-Technique.

A Procedure may use multiple different Sub-Techniques, and many different Procedures may implement the same Sub-Technique.
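MITRE publishes ATT&CK as a STIX 2 bundle, and the hierarchy described in this article, Tactics, Techniques, Sub-Techniques and Procedures, maps directly onto that data: attack-pattern objects carry their ATT&CK ID and their tactic, "subtechnique-of" relationships tie Sub-Techniques to parents, and "uses" relationships from software or intrusion-set objects are the Procedure examples.  The following is an added example, not code from the original article or from MITRE.  It walks a hand-built subset of that data (real ATT&CK IDs and names for Brute Force and its Sub-Techniques; placeholder STIX ids, a constructed "Example Group" and paraphrased procedure text) to show both points above: counting Sub-Techniques changes the per-Tactic picture, and Procedures fan out across Sub-Techniques.

```python
"""Walk a constructed slice of ATT&CK STIX data to show the Tactic/Technique/
Sub-Technique/Procedure hierarchy.

Added example, not code from the original article or from MITRE. The object
shapes follow the ATT&CK STIX 2 bundle (attack-pattern, x-mitre-tactic,
relationship types "subtechnique-of" and "uses"), but the objects below are a
hand-built subset with placeholder STIX ids and one constructed intrusion set.
"""
from collections import defaultdict


def attack_id(obj):
    """Return the ATT&CK external ID (e.g. 'T1110.003') of a STIX object, or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def _pattern(stix_id, ext_id, name, tactics, sub=False):
    """Build a minimal attack-pattern object shaped like the ATT&CK bundle's."""
    return {
        "type": "attack-pattern", "id": stix_id, "name": name,
        "x_mitre_is_subtechnique": sub,
        "external_references": [{"source_name": "mitre-attack", "external_id": ext_id}],
        "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": t} for t in tactics],
    }


def _rel(kind, src, dst, description=""):
    """Build a relationship object; 'uses' relationships carry the procedure text."""
    return {"type": "relationship", "relationship_type": kind,
            "source_ref": src, "target_ref": dst, "description": description}


# Constructed subset: real ATT&CK IDs/names, placeholder STIX ids, paraphrased procedures
OBJECTS = [
    {"type": "x-mitre-tactic", "id": "x-mitre-tactic--ca", "name": "Credential Access",
     "x_mitre_shortname": "credential-access"},
    {"type": "x-mitre-tactic", "id": "x-mitre-tactic--disc", "name": "Discovery",
     "x_mitre_shortname": "discovery"},
    _pattern("attack-pattern--t1110", "T1110", "Brute Force", ["credential-access"]),
    _pattern("attack-pattern--t1110-001", "T1110.001", "Password Guessing", ["credential-access"], sub=True),
    _pattern("attack-pattern--t1110-002", "T1110.002", "Password Cracking", ["credential-access"], sub=True),
    _pattern("attack-pattern--t1110-003", "T1110.003", "Password Spraying", ["credential-access"], sub=True),
    _pattern("attack-pattern--t1110-004", "T1110.004", "Credential Stuffing", ["credential-access"], sub=True),
    _pattern("attack-pattern--t1082", "T1082", "System Information Discovery", ["discovery"]),
    *[_rel("subtechnique-of", f"attack-pattern--t1110-00{n}", "attack-pattern--t1110") for n in range(1, 5)],
    {"type": "tool", "id": "tool--jtr", "name": "John the Ripper"},
    {"type": "intrusion-set", "id": "intrusion-set--example", "name": "Example Group (constructed)"},
    _rel("uses", "tool--jtr", "attack-pattern--t1110-002",
         "John the Ripper cracks captured password hashes offline."),
    _rel("uses", "intrusion-set--example", "attack-pattern--t1110-003",
         "Sprays a few common passwords across many accounts."),
    _rel("uses", "intrusion-set--example", "attack-pattern--t1110-001",
         "Guesses passwords against selected high-value accounts."),
]


def count_by_tactic(objects):
    """Count Techniques and Sub-Techniques per tactic: the comparison the article makes."""
    counts = defaultdict(lambda: {"techniques": 0, "sub_techniques": 0})
    for obj in objects:
        if obj["type"] != "attack-pattern":
            continue
        key = "sub_techniques" if obj.get("x_mitre_is_subtechnique") else "techniques"
        for phase in obj.get("kill_chain_phases", []):
            if phase["kill_chain_name"] == "mitre-attack":
                counts[phase["phase_name"]][key] += 1
    return dict(counts)


def procedures_for(objects, ext_id):
    """List (actor or software, ATT&CK ID, description) Procedures recorded against ext_id.

    A parent Technique inherits the Procedures of its Sub-Techniques, which is how the
    ATT&CK site shows them on the parent page.
    """
    by_id = {o["id"]: o for o in objects if o["type"] != "relationship"}
    targets = {o["id"] for o in objects if o["type"] == "attack-pattern" and attack_id(o) == ext_id}
    targets |= {r["source_ref"] for r in objects if r["type"] == "relationship"
                and r["relationship_type"] == "subtechnique-of" and r["target_ref"] in targets}
    return [(by_id[r["source_ref"]]["name"], attack_id(by_id[r["target_ref"]]), r["description"])
            for r in objects if r["type"] == "relationship"
            and r["relationship_type"] == "uses" and r["target_ref"] in targets]


if __name__ == "__main__":
    print(count_by_tactic(OBJECTS))
    for actor, tid, text in procedures_for(OBJECTS, "T1110"):
        print(f"{actor} -> {tid}: {text}")
```

Run against the full bundle from MITRE's attack-stix-data repository, `count_by_tactic` gives the Technique counts listed earlier plus the Sub-Technique totals that the headline numbers hide, and `procedures_for` returns the same Procedure examples the web pages show; note that one intrusion set appears under two Sub-Techniques and one Sub-Technique can have many sources, the many-to-many relationship the text describes.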

Howard Poston

Howard Poston is a copywriter, author, and course developer with experience in cybersecurity and blockchain security, cryptography, and malware analysis. He has an MS in Cyber Operations, a decade of experience in cybersecurity, and over five years of experience as a freelance consultant providing training and content creation for cyber and blockchain security. He is also the creator of over a dozen cybersecurity courses, has authored two books, and has spoken at numerous cybersecurity conferences. He can be reached by email at howard@howardposton.com or via his website at https://www.howardposton.com.