Mitre ATT&CK helps security managers defend their networks by providing a framework for categorising the techniques and tactics used in real world cyberattacks.
Founded in 2013 in order to document the common threats, tactics and procedures used to attack Windows networks, Mitre ATT&CK has gathered data and telemetry on real world attacks which can be used to defend today’s networks.
Today the scope of ATT&CK has been expanded beyond Windows networks to include MacOS, Linux, AWS, Azure, Office365 and mobile devices. ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge.
The ATT&CK framework is written and organised from the perspective of the attacker. It asks the questions: what is the attacker trying to achieve? and how are they trying to do it? If you can answer those questions then it is much easier to design defences and detection systems optimised to spot those activities on your network.
What is the ATT&CK Matrix for Enterprise?
The ATT&CK framework is published as a matrix on the ATT&CK homepage. The framework is organised around a series of tactics used by attackers – such as gaining Initial Access, or Lateral Movement around the network. Under each tactic is listed numerous techniques that have been observed as a means to achieve the tactic.
Many security managers offices have a large printout of the matrix on the wall with each technique colour coded to indicate the defences in place in their network to mitigate or defend against that technique. It’s an easy way to get an overview of the defences in place and spot any gaps.
What are the ATT&CK tactics?
The tactics described by the ATT&CK framework represent the objectives of attackers when they target your network. Are they trying to achieve a persistent presence, is lateral movement needed in order to reach their ultimate target? Each tactic is enabled by a number of techniques which are used by attackers in order to achieve their objectives.
There are 12 tactics described in the framework:
Initial access describes the various techniques used by the attackers in order to first establish a beach-head in your network. This may involve exploiting a vulnerability in a public-facing web server or some form of spearphishing attack in order to capture credentials from a user.
The attacker tries to run malicious code using Execution techniques. Typically co-ordinated with other techniques such as Discovery in order to achieve the wider goals of the attack. The attacker may run a utility in order to map the network and identify the database servers which contain the data they want to steal.
The persistence techniques establish a permanent foothold in the network using different techniques than those used during the Initial Access. For example, a spearphished set of credentials could be used to obtain Initial Access however that access will be lost as soon as the account password is changed. Persistence techniques such a creating new accounts, adding start-up code or installing remote access tools allow the attacker to continue to infiltrate the network after the Initial Access vulnerability is resolved.
If the attackers gain access to privilege accounts such as Administrator or Root level access it will be easier to establish persistence and access the network resources they need to meet their objectives.
Defence Evasion techniques help the attackers avoid detection. They include disabling security software, obfuscating their own tools and scripts to avoid being fingerprinted by anti-malware software.
By stealing account names and passwords with keyloggers or dumping the credentials using privileged accounts, the attackers are able to impersonate legitimate users and gain access to secure data and resources on the network.
Attackers use Discovery techniques in order to work out how your network is configured and what devices and possible targets can be found on it. This could include techniques such as listing applications running on a compromised server, using stolen credentials to access dashboards, listing local or domain user accounts and reviewing browser bookmarks for any compromised accounts.
Lateral Movement techniques enable the attackers to move away from the point of Initial Access and explore the rest of the network. They may need to compromise and pivot through several systems and user accounts in order to reach their ultimate target. Techniques include capturing application authentication tokens or Kerberos tickets in order to access systems and activating remote desktop services to facilitate easy access to servers.
Collection techniques are used to gather data of use to the attackers. This is not just the target data they wish to steal (such as cardholder data) but also information useful during the attack. This could include capturing screenshots, audio recordings or emails.
Command and Control techniques enable the attackers to communicate with compromised systems within your network and remotely issue commands and execute code. They may try to hide their message traffic by using well known ports and disguising their traffic as normal web browsing or email traffic for example.
If data theft is the objective of the attack, then Exfiltration techniques will be used to gather, compress, disguise and transmit the data out of the network.
The attacker’s main motive may be to disrupt your business by destroying data or simply to cover their tracks after exfiltrating customer records. Either way, Impact techniques such as data deletion, account and permissions removal, disk wipes or formats, and data encryption for ransom will all have an impact on your business.
Mitigation and Detection of ATT&CK Techniques
The ATT&CK framework includes an extensive set of Mitigations that are related to the Techniques described in the ATT&CK matrix. Security managers can review each recommended mitigation and apply it as appropriate to their own network.
The MITRE Cyber Analytics Repository includes details of real-world examples of the various techniques described in ATT&CK along with example triggers and pseudocode that can be used to detect the attack. This will help network engineers to configure Intrusion Detection Systems and other security systems to detect attacks as they occur.