MITRE ATT&CK®: The Complete Guide

Created in 2013, the MITRE ATT&CK framework is a knowledge base that classifies the tactics, techniques, and procedures (TTPs) employed by advanced persistent threat (APT) groups. It serves as a common language and framework for security practitioners across different teams. With this shared framework, the security community can compare adversary groups and defenses and take actionable steps to mitigate threats.

What is the MITRE ATT&CK framework used for?

Leveraging ATT&CK, security teams can evaluate the associated risks, identify gaps in protection, prioritize mitigations, and ultimately strengthen their organization’s security posture. As of ATT&CK version 12, there are 14 tactics, 193 techniques, and 401 sub-techniques in the framework that teams can test against their environment to identify gaps and weaknesses. Essentially, the framework helps defenders assess their security program and identify areas for improvement, strengthening their defenses against cyberattacks.

What does “ATT&CK” stand for?

It’s not just a cool, stylized name. “ATT&CK” actually stands for: Adversarial Tactics, Techniques, & Common Knowledge.

What are the main components of the ATT&CK framework?

With its comprehensive collection of techniques and sub-techniques, the framework can appear challenging for teams to use. Before we cover the tactics and techniques, let’s explore how organizations commonly utilize ATT&CK. ATT&CK has four primary use cases:

  • Threat Intelligence
  • Detection & Analytics
  • Adversary Emulation & Red Teaming
  • Assessment & Engineering

Threat Intelligence

ATT&CK provides a way for security teams to organize not only their threat intelligence about adversary behavior, but also their ability to detect and mitigate that behavior. By overlaying this type of information, security teams can create a threat-based awareness of gaps within their networks and determine whether their existing defenses can detect and respond to attacks by known adversaries.

Is MITRE ATT&CK a threat model?

ATT&CK is the knowledge base used to inform MITRE’s threat modeling language. Threat modeling typically involves identifying threats, vulnerabilities, and risks to enhance understanding and safeguard systems.

Detection & Analytics

ATT&CK helps defenders understand attacker techniques and build better detection models. By mapping log and event data about an attacker’s behavior to the framework, security teams can develop a comprehensive protection model that can detect an attack early in the attack lifecycle and across the entire kill chain to limit the damage caused by an attacker. The data used to develop these analytics can be gathered from various sources, including:

  • Authentication logs
  • File and registry monitoring
  • Packet capture—especially east-west capture—such as that collected between hosts and enclaves in your network
  • Process and process command line monitoring

Once a team has identified these sources, it needs to collect the data into a central logging and alerting platform (a SIEM) in order to run analytics against it. With the data in place, teams can leverage threat intelligence to prioritize the behaviors they want to detect within the SIEM. By correlating suspicious behavior with the MITRE ATT&CK framework, security teams can quickly identify malicious intent to reduce false positives and facilitate viable remediation options.
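The mapping described above, as an added example that is not part of the original guide or of any vendor product: normalized events from the listed data sources are tagged with ATT&CK technique IDs, and a prioritized technique list is checked for analytics that do not exist yet. The event format, hostnames, rule patterns and threshold are constructed assumptions; the technique IDs are from the public ATT&CK Enterprise matrix.

```python
import re
from collections import Counter

# Constructed rules keyed by data source: (regex on the event text, technique ID, tactic).
# IDs come from the public ATT&CK Enterprise matrix; the patterns are simplified.
RULES = {
    "process": [(re.compile(r"powershell(\.exe)?\b.*\s-enc", re.I), "T1059.001", "Execution")],
    "registry": [(re.compile(r"\\CurrentVersion\\Run\\", re.I), "T1547.001", "Persistence")],
}
BRUTE_FORCE = ("T1110", "Credential Access")
FAILED_LOGON_THRESHOLD = 5  # assumed threshold per (host, source address, account)

# Constructed sample events, already normalized as a SIEM would store them.
EVENTS = [
    {"source": "process", "host": "ws01", "text": "powershell.exe -nop -enc AAAA"},
    {"source": "process", "host": "ws01", "text": "notepad.exe report.txt"},
    {"source": "registry", "host": "ws01",
     "text": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"},
] + [{"source": "auth", "host": "dc01", "text": "FAILED 10.0.0.7 svc_backup"}] * 6 + [
    {"source": "auth", "host": "dc01", "text": "FAILED 10.0.0.9 alice"},
]

def tag_events(events):
    """Return (host, technique_id, tactic) for each matching event or event group."""
    hits, failures = [], Counter()
    for ev in events:
        if ev["source"] == "auth" and ev["text"].startswith("FAILED"):
            _, src, account = ev["text"].split()
            failures[(ev["host"], src, account)] += 1  # correlate, do not alert per event
            continue
        for pattern, technique, tactic in RULES.get(ev["source"], []):
            if pattern.search(ev["text"]):
                hits.append((ev["host"], technique, tactic))
    for (host, _src, _account), count in failures.items():
        if count >= FAILED_LOGON_THRESHOLD:
            hits.append((host, *BRUTE_FORCE))
    return hits

def coverage_gaps(priority_techniques):
    """Prioritized techniques (e.g. from threat intel) that no rule here can detect."""
    covered = {t for rules in RULES.values() for _, t, _ in rules} | {BRUTE_FORCE[0]}
    return sorted(set(priority_techniques) - covered)

if __name__ == "__main__":
    for hit in tag_events(EVENTS):
        print(hit)
    print("no analytic for:", coverage_gaps(["T1059.001", "T1110", "T1021.002"]))
```

The single failed logon for `alice` stays below the threshold and produces no hit, which is the kind of correlation that keeps false positives down.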

Adversarial Emulation & Red Teaming (or Purple Teaming)

ATT&CK can be used to test and verify defenses against common adversary techniques by enabling security teams to create adversary emulation scenarios. Adversary emulators construct scenarios to test different aspects of an adversary’s TTPs. The red team then follows the scenario while operating on a target network to test how defenses would hold up against the attacks.

Assessment & Detection Engineering

MITRE ATT&CK provides a comprehensive list of methods by which attackers can achieve their objectives at each stage of the cyberattack lifecycle. Organizations can use this to better understand the attack methods that apply to them and identify whether appropriate solutions to detect and defend against them are in place. This gives analysts a clear way to assess capabilities, identify gaps, and communicate readiness to key stakeholders, aiding decision-making to enhance security posture. 

This analysis also provides detection engineers with the information needed to develop better detection models, ensuring a reduction in the mean time to detect (MTTD) and mean time to respond (MTTR). As the ATT&CK framework expands to include more TTPs, or as the organization begins to leverage more of the existing information, engineers can further optimize detection capabilities to reflect real-world attacks.

What are the weaknesses of MITRE ATT&CK?

Implementing the MITRE ATT&CK framework can be a challenge. It requires a significant investment of time and resources, as well as expertise to operationalize it effectively.

Security teams often debate whether to test against all techniques listed in the ATT&CK framework or focus on a few to start. Best practices suggest that focusing on specific attacks is a more strategic approach. However, this could lead to a rigid tactical perspective that limits the flexibility of the framework. 

This ongoing struggle to prioritize can create conflicts between teams, deprioritize important security responses, and cause frustration when hard work doesn’t effectively secure the organization.

How is MITRE ATT&CK different from Lockheed Martin’s Cyber Kill Chain?

Lockheed Martin’s Cyber Kill Chain® and ATT&CK are similar in that both are models that define the steps an adversary uses to achieve their goal in an effort to help organizations proactively detect threats. 

The MITRE ATT&CK framework, however, provides much more detailed insights into the execution of each stage through ATT&CK techniques and sub-techniques. The framework is also regularly updated with industry input to ensure defenders stay current with the latest techniques and continuously enhance their defense practices and attack models.

The Cyber Kill Chain also doesn’t consider the unique tactics and techniques of a cloud-native attack. It assumes that an adversary will deploy malware or a similar payload within the target environment, which is less applicable in cloud environments.

How do you simulate ATT&CK TTPs using breach and attack simulation (BAS)?

Breach and attack simulation (BAS) can help organizations effectively adopt and leverage the ATT&CK framework by reducing the manual steps needed to test an organization’s resilience and providing a way to measure the impact of the team’s efforts.

Using a BAS platform, teams can leverage specific MITRE TTPs to test the environment by selecting them directly within the BAS platform to run automatically. Alternatively, teams can execute an entire attack simulation and its included TTPs. This can be done for a single instance, or scheduled to run automatically and periodically in order to track resilience over time and ensure that no new security gaps have appeared. 

If the team identifies gaps and performs the required remediations, they can then leverage the BAS platform once again to run the simulations and validate that the changes were effective and did not create additional vulnerabilities.

Best-in-class BAS solutions will also allow you to visualize the entire kill chain and map all the possible steps an attacker would have to take to reach their target. This provides teams with the ability to prioritize based on the criticality of security gaps.

How do you operationalize MITRE ATT&CK with the SafeBreach platform?

SafeBreach is a pioneer in BAS technology and boasts the best coverage of MITRE ATT&CK threats in the industry. Our Hacker’s Playbook currently consists of over 30,000 breach methods and is continuously updated upon the discovery of new threats. Enterprises operationalize the MITRE ATT&CK framework with SafeBreach to:

1. Leverage the most up-to-date attacks

Leverage a constantly updated attack playbook to continuously validate all deployed defenses against various attacker TTPs listed in MITRE ATT&CK, including specific attacks based on a particular threat group;

2. Execute the entire kill-chain

Easily execute a full kill-chain attack and carry out performance analyses based on specific tactics and techniques;

3. View security posture based on threat intelligence

Produce a threat-intelligence-based view of the organization’s security posture, based on the organized structure of the MITRE ATT&CK framework;

4. Communicate risk exposure

Effectively communicate overall organizational risk exposure based on the ATT&CK framework, as well as risk by each MITRE tactic, using the MITRE heatmap.