The Ultimate Guide to the MITRE ATT&CK® Framework
What is the MITRE ATT&CK framework?
The MITRE ATT&CK® framework is a knowledge base containing information about the various ways in which a cyberattacker can achieve certain goals. It is organized based on the cyberattack life cycle and details methods of achieving different goals that advance an attacker’s interests.
The ATT&CK framework was created and is maintained by MITRE. MITRE is a federally funded research and development center (FFRDC) of the US government with research interests that include cybersecurity. The MITRE ATT&CK framework was created to standardize cybersecurity vocabulary and increase awareness of cybersecurity threats and attack vectors.
Who uses the MITRE ATT&CK framework?
The MITRE ATT&CK framework is widely used across the cybersecurity industry. Potential applications include (but are not limited to):
- Standardizing cybersecurity vocabulary and threat understanding
- Verifying the coverage of cybersecurity defenses
- Planning penetration testing engagements
- Demonstrating coverage of cybersecurity solutions
As a result, the MITRE ATT&CK framework is being used in a growing number of contexts. It is now common for cybersecurity vendors to provide explicit mappings of their tools’ capabilities to the MITRE ATT&CK framework. Internal security teams and penetration testing service providers also commonly use it while planning defenses and engagements.
What’s Included in the MITRE ATT&CK framework?
The MITRE ATT&CK framework is designed to organize information about cybersecurity attack vectors and threat actors in a hierarchical fashion. Four different ATT&CK Matrices are further subdivided into tactics, techniques and sub-techniques and outline procedures, mitigations and other useful information.
MITRE ATT&CK matrices
The MITRE ATT&CK framework is organized into a collection of “matrices.” The four current MITRE ATT&CK matrices are:
- PRE-ATT&CK: The PRE-ATT&CK matrix covers the reconnaissance and weaponization stages of the cyberattack life cycle. It is designed to help an organization identify signs that they might be targeted by attackers and the information that an attacker might use to target them.
- Enterprise: The enterprise matrix covers the rest of the cyberattack life cycle. It details the ways that an attacker might gain access to and operate inside of an enterprise network.
- Mobile: The mobile matrix covers the same stages of the cyberattack life cycle as the enterprise matrix. However, it is focused on potential threats and attack vectors for mobile devices.
- ICS: The ICS matrix covers the methods by which an attacker could gain access to and operate within a network containing industrial control system (ICS) devices.
MITRE ATT&CK tactics
Tactics are the top-level unit of organization used within a MITRE ATT&CK matrix. These tactics outline the overall “goals” of a particular stage of a cyberattack.
The specific set of tactics contained within a matrix varies from one to another. The enterprise and mobile matrices have identical sets of tactics and the ICS matrix is largely similar (dropping some tactics and adding some ICS-specific ones). The PRE-ATT&CK matrix tactics are unique due to the fact that it focuses on a completely different section of the cyberattack life cycle.
MITRE ATT&CK techniques, sub-techniques and procedures
Below the level of tactics, the MITRE ATT&CK framework breaks information down into several different levels:
- Technique: A technique is a method of accomplishing the goal expressed in a particular tactic. For example, the Tactic Credential Access has a technique called Brute Force.
- Sub-techniques: For some techniques, multiple different methods exist for accomplishing them, which MITRE ATT&CK organizes into sub-techniques. Under the Brute Force technique are the sub-techniques Password Guessing, Password Cracking, Password Spraying and Credential Stuffing.
- Procedures: A procedure is a specific method for accomplishing the goal of a technique/sub-technique. This section of a MITRE ATT&CK matrix commonly contains a list of tools, malware and threat actors known to use that particular technique.
In addition to this hierarchy, MITRE ATT&CK includes a wealth of additional information about a particular technique. This includes a description of the technique, affected platforms, sources of information to detect this technique and more.
MITRE ATT&CK mitigations
The goal of MITRE ATT&CK is education in both cybersecurity attacks and the associated defenses. In addition to describing an attack vector, each MITRE ATT&CK technique contains a section on mitigations as well.
These mitigations contain a collection of policies, tools and other methods to reduce or eliminate the effectiveness of a particular technique. This provides support for prevention to complement the detection information provided in the rest of the technique description.
Where does the information in the MITRE ATT&CK framework come from?
The information provided in the MITRE ATT&CK framework comes primarily from MITRE. The ATT&CK framework was started in an effort to document cyber-threat actor behaviors as part of an internal MITRE project and grew from there.
MITRE welcomes external submissions as well. Their contribute page outlines the desired format and guidelines for these submissions.