
What is Mitre ATT&CK?

May 16, 2023


MITRE ATT&CK is short for MITRE Adversarial Tactics, Techniques, and Common Knowledge. The ATT&CK framework is a curated knowledge base and model of cyber adversary behaviour that reflects the stages of an adversary’s attack lifecycle and the platforms they are known to target. Its abstraction into tactics and techniques gives the offensive and defensive sides of cybersecurity a common taxonomy for individual adversary actions. Each entry also records how the behaviour has been observed in the wild and how it can be detected and mitigated.

 

Terminology Used in ATT&CK

Because tactics, techniques, and procedures can have different meanings in different contexts, it’s critical to understand how MITRE ATT&CK defines them.

  • Tactics: The adversary’s tactical objective, the reason an action is performed (the “why”), such as gaining Initial Access, maintaining Persistence, or establishing Command and Control. A complete intrusion normally spans several tactics.
  • Techniques: The “how”, the method an adversary uses to achieve a tactical objective. Each tactic in each matrix contains multiple techniques, and many techniques are further divided into sub-techniques. For example, Phishing (T1566) is a technique under the Initial Access tactic; Spearphishing Attachment, Spearphishing Link, and Spearphishing via Service are sub-techniques of it.
  • Procedures: The specific implementation of a technique or sub-technique by a particular threat group or piece of software, sometimes in ingenious or novel ways: the exact command line, tool, or malware observed in an intrusion.

 

Understanding the ATT&CK Matrix

 

ATT&CK is organized into three matrices, one per technology domain: Enterprise, Mobile, and ICS. Each matrix contains the tactics and techniques relevant to that domain.

The Enterprise matrix covers techniques that apply to Windows, macOS, and Linux hosts, and in later versions also cloud platforms (IaaS, SaaS, Office 365, Azure AD, Google Workspace), network devices, and containers. Mobile covers Android and iOS. ICS covers industrial control system environments. A fourth matrix, PRE-ATT&CK, once described what attackers do before attempting to exploit a specific target; it was retired in October 2020 (ATT&CK v8) and its content folded into the Enterprise matrix as the Reconnaissance and Resource Development tactics.

 

Who Is Using MITRE ATT&CK and Why?

ATT&CK is freely available and has been widely adopted by private and public sector organizations of all sizes and industries. Its users include security defenders, penetration testers, red teams, and cyber threat intelligence teams, as well as any internal team interested in building secure systems, applications, and services.

The wealth of attack (and attacker) information it contains can assist organizations in determining whether they are collecting the right data to detect attacks effectively and evaluating how well their current defences are working.

In contrast to other models written from a defender’s perspective, ATT&CK intentionally takes the attacker’s point of view to help organizations understand how adversaries approach, prepare for, and execute attacks. This also makes ATT&CK an excellent resource and teaching tool for those interested in a career in cybersecurity or threat intelligence, as well as for anyone who simply wants to learn more about attacker behaviour.

Although the information captured in ATT&CK reflects known APT behaviours, it would be a mistake to believe that those behaviours are the sole domain of APTs. “What APTs are doing today, script kiddies will do tomorrow,” warns Ray Pompon, former CISO and current Director of F5 Labs. Think again if you believe your organization cannot benefit from ATT&CK because it is not a target of APTs and will never experience APT-like attack behaviour. The TTPs outlined in ATT&CK occur daily in organizations of all sizes and importance. You do not need to be an APT target to experience the same types of attacks, or to use ATT&CK to strengthen your defences.


You may have noticed that the ATT&CK matrices do not address an attacker’s overarching goal, such as “getting Company X to pay a ransom” (Enterprise), “bricking a device” (Mobile), or “shutting down a region’s electric grid” (ICS). It is impossible to list every attacker’s high-level goal, and even if it were possible, each goal could be achieved using many of the same tactics.

A vandal who wants to damage and destroy your home could use the same tactics as a burglar who wants to rob you: surveilling the house, disabling security cameras, picking a lock, or leaving a window open. Because the TTPs outlined in ATT&CK can serve a variety of attack objectives, the framework’s primary focus is on understanding the TTPs attackers use and how to detect and mitigate intrusions.

 

How Does the MITRE ATT&CK Matrix Work?

The MITRE ATT&CK framework can benefit an organization in a variety of ways. In general, the following are the main use cases for MITRE ATT&CK:

Adversary Emulation: Assesses security by simulating a threat using intelligence about an adversary and how they operate. To test and validate defences, ATT&CK can be used to generate adversary emulation scenarios.

Red Teaming: Playing the role of an adversary in order to demonstrate the impact of a breach. ATT&CK can be used to organize operations and create red team plans.

Behavioural Analytics Development: Links suspicious events together to track adversary activity rather than relying on isolated indicators. ATT&CK can be used to organize patterns of suspicious and malicious behaviour into a consistent structure.

Defensive Gap Analysis: Identifies which parts of the enterprise lack defences and/or visibility. To determine security coverage and prioritize investment, ATT&CK can be used to assess existing tools or test new tools prior to purchase.

SOC Maturity Assessment: Like Defensive Gap Analysis, ATT&CK can be used to assess how effective a security operations centre (SOC) is at detecting, analyzing, and responding to breaches.

Cyber Threat Intelligence Enrichment: Improves information about threats and threat actors. Defenders can use ATT&CK to determine whether they are capable of defending against the specific advanced persistent threats (APTs) that target them, and against the common behaviours shared by multiple threat actors.

MITRE ATT&CK is typically implemented through manual mapping or integration with cybersecurity tools, the most common of which are Security Information and Event Management (SIEM), Endpoint Detection and Response (EDR), and Cloud Access Security Broker (CASB).

  • SIEM use cases entail collecting log data from endpoints, networks, and cloud services, identifying threats, and mapping the resulting detections to ATT&CK techniques and tactics. Changes to security posture are then implemented in the tools that provide the log data (e.g., EDR or CASB).
  • Using MITRE ATT&CK with EDR allows defenders to map events observed by the endpoint agent to techniques, so they can determine the phase of a threat event, assess the associated risk, and prioritize response.
  • MITRE ATT&CK with a CASB begins with filtering suspicious and threat behaviour out of millions of cloud events using User and Entity Behavior Analytics (UEBA), then combining those events with DLP, vulnerability, and misconfiguration incidents and mapping them to MITRE ATT&CK. Defenders can then modify cloud security policy via the CASB to prevent the adversary behaviour.

 

MITRE ATT&CK navigator

ATT&CK Navigator is a free, browser-based tool for annotating the ATT&CK matrices, so teams no longer need a spreadsheet to analyze threats, evaluate defences, plan attack simulations, or compare elements tracked by ATT&CK. Annotations are saved as layers (JSON files that colour and score individual techniques), and layers can be combined. In Figure 17, the techniques used by the Dridex and ZeusPanda banking trojans are tracked on separate tabs.

The selected tab combines the two for comparison: Dridex techniques are highlighted in yellow, ZeusPanda techniques in red, and techniques shared by both in green. This is just one of many applications of ATT&CK Navigator, which can be used for analysis, planning, attack simulations, and more.
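The following is an added example, not code from the original post or from MITRE, that ties together the SIEM mapping, defensive gap analysis, and Navigator use cases described above. It runs constructed detection rules over constructed process-creation events (the log format, host names, users, and rule patterns are all assumptions made for the example), tags each hit with its ATT&CK technique and tactic IDs, lists the Enterprise tactics for which no rule exists at all, and emits an ATT&CK Navigator layer for the fired techniques. The technique and tactic IDs are real ATT&CK identifiers; the version numbers in the layer are assumptions and should match the Navigator build you use.

```python
"""Tag constructed endpoint events with ATT&CK technique IDs, report tactic
coverage gaps, and emit a Navigator layer. Everything below is example code;
the log format, rules, hosts and users are constructed for illustration."""
import json
import re
from dataclasses import dataclass

# Enterprise tactic IDs and names as published in the ATT&CK knowledge base.
TACTICS = {
    "TA0001": "Initial Access",      "TA0002": "Execution",
    "TA0003": "Persistence",         "TA0004": "Privilege Escalation",
    "TA0005": "Defense Evasion",     "TA0006": "Credential Access",
    "TA0007": "Discovery",           "TA0008": "Lateral Movement",
    "TA0009": "Collection",          "TA0010": "Exfiltration",
    "TA0011": "Command and Control", "TA0040": "Impact",
}


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str          # ATT&CK (sub-)technique ID the behaviour maps to
    tactics: tuple          # tactic IDs that technique belongs to
    pattern: re.Pattern     # matched against the process command line


# Constructed detection logic; production rules would be richer than this.
RULES = (
    Rule("Encoded PowerShell command", "T1059.001", ("TA0002",),
         re.compile(r"powershell(\.exe)?\b.*\s-e(nc(odedcommand)?)?\s", re.I)),
    Rule("Run-key persistence via reg.exe", "T1547.001", ("TA0003", "TA0004"),
         re.compile(r"\breg(\.exe)?\s+add\s+.*\\CurrentVersion\\Run\b", re.I)),
    Rule("LSASS memory dump via procdump", "T1003.001", ("TA0006",),
         re.compile(r"\bprocdump(64)?(\.exe)?\b.*\blsass\b", re.I)),
)


def parse_event(line):
    """Parse one constructed process-creation line: '<ts> <host> <user> <cmdline>'."""
    ts, host, user, cmdline = line.split(" ", 3)
    return {"ts": ts, "host": host, "user": user, "cmdline": cmdline}


def hunt(lines, rules=RULES):
    """Run every rule over every event; each hit becomes an ATT&CK-tagged alert."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        for rule in rules:
            if rule.pattern.search(event["cmdline"]):
                alerts.append({
                    "ts": event["ts"], "host": event["host"], "user": event["user"],
                    "rule": rule.name, "technique": rule.technique,
                    "tactics": [TACTICS[t] for t in rule.tactics],
                })
    return alerts


def coverage_gaps(rules=RULES):
    """Defensive gap analysis: tactic IDs for which no rule exists at all."""
    covered = {t for rule in rules for t in rule.tactics}
    return sorted(t for t in TACTICS if t not in covered)


def navigator_layer(alerts, name="SOC detections"):
    """Build an ATT&CK Navigator layer that colours and scores each fired technique.
    The version numbers are assumptions; match them to your Navigator build."""
    counts = {}
    for alert in alerts:
        counts[alert["technique"]] = counts.get(alert["technique"], 0) + 1
    return {
        "name": name,
        "domain": "enterprise-attack",
        "versions": {"attack": "13", "navigator": "4.8.2", "layer": "4.4"},
        "techniques": [
            {"techniqueID": tid, "score": n, "color": "#ff6666",
             "comment": f"{n} alert(s)"} for tid, n in sorted(counts.items())
        ],
    }


# Constructed sample events (not real telemetry); one benign line among them.
SAMPLE_LOGS = [
    r'2023-05-16T10:01:02Z ws01 alice "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA',
    r'2023-05-16T10:01:09Z ws01 alice reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d C:\Users\Public\u.exe',
    r'2023-05-16T10:03:00Z ws02 bob "C:\Windows\System32\notepad.exe" C:\Users\bob\notes.txt',
    r'2023-05-16T10:07:41Z srv01 svc_backup procdump64.exe -accepteula -ma lsass.exe C:\Temp\l.dmp',
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_LOGS):
        print(f'{alert["host"]} {alert["technique"]} {alert["rule"]} '
              f'[{", ".join(alert["tactics"])}]')
    print("Tactics with no detection rule:", coverage_gaps())
    print(json.dumps(navigator_layer(hunt(SAMPLE_LOGS)), indent=2))
```

The three rules fire on the three malicious lines and stay silent on the notepad line; the gap report shows that this rule set has nothing at all for Initial Access, Defense Evasion, Command and Control and most other tactics, which is exactly the kind of coverage picture a SIEM or EDR team would use to prioritise new detections. Saving the printed JSON to a file and opening it with Navigator’s “Open Existing Layer” option overlays the fired techniques on the Enterprise matrix.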

Conclusion 

MITRE ATT&CK is a highly detailed and cross-referenced repository of information about real-world adversary groups and their known behaviour; the tactics, techniques, and procedures they employ; specific instances of their activities; and the software and tools (both legitimate and malicious) they employ to aid in their attacks.

MITRE ATT&CK differs from defender-focused, risk-based threat modelling and cyberattack lifecycle models in that it is written from the attacker’s perspective. As a result, it is a particularly valuable tool for helping organizations gain insight into attacker behaviour so that they can improve their own defences accordingly.

The wealth of information in ATT&CK is difficult to grasp through description alone. Setting aside an hour or two to explore it yourself is the best way to appreciate its depth. You will not be sorry.
