What is MITRE ATT&CK?

MITRE ATT&CK (Adversarial Tactics, Techniques and Common Knowledge) is a framework, set of data matrices, and assessment tool developed by MITRE Corporation to help organizations understand their security readiness and uncover vulnerabilities in their defenses.

Developed in 2013, the MITRE ATT&CK Framework uses real-world observations to document specific attack methods, tactics, and techniques. As new vulnerabilities and attack surfaces come to light, they are added to the ATT&CK framework, so the framework is constantly evolving. In the past few years, the MITRE ATT&CK framework and its matrices have become an industry standard for both knowledge and remediation tools regarding attacker behavior.

Who Uses MITRE ATT&CK and Why?

ATT&CK matrices are utilized by a broad range of IT and security professionals, including red teamers (who play the role of an attacker or competitor), threat hunters, security product development engineers, threat intelligence teams, and risk management professionals.

Red teamers use the MITRE ATT&CK framework as a blueprint to help uncover the attack surfaces and vulnerabilities in corporate systems and devices, and to improve the ability to mitigate attacks once they occur by learning how attackers gained access, how they move within the affected network, and what methods they use to evade detection. This enables organizations to gain a better awareness of their overall security posture, identify and test gaps in their defenses, and prioritize those gaps based on the risk they present to the organization.

Threat hunters use the ATT&CK framework to correlate the specific techniques that attackers are using against their defenses, and to understand how visible those attacks are both at endpoints and across the network perimeter.

Security platform developers and engineers use MITRE ATT&CK as a tool to evaluate the effectiveness of their products, uncover previously unknown weaknesses, and model how their products will behave during the lifecycle of a cyberattack.

What is the MITRE ATT&CK framework?

MITRE ATT&CK is an abbreviation for MITRE Adversarial Tactics, Techniques, and Common Knowledge. The MITRE ATT&CK framework is a curated repository that includes matrices that provide a model for cyberattack behaviors. The framework is generally presented in tabular form, with columns that represent the tactics (or desired outcomes) used during the life of an attack, and rows that represent the techniques used to achieve those tactical goals. The framework also documents technique usage and other metadata that is linked to individual techniques.

The MITRE ATT&CK framework is an outgrowth of a MITRE experiment that emulated both attacker and defender to help understand how attacks happen and to improve post-compromise detection using telemetry sensing and behavioral analytics. To better understand how well the industry was doing at detecting documented adversarial behavior, MITRE created the ATT&CK framework as a tool to categorize these behaviors.

What is in the MITRE ATT&CK Matrix?

There are currently four major matrices that comprise the ATT&CK framework. Pre-ATT&CK and ATT&CK for Enterprise both relate to attacks on enterprise infrastructure.

PRE-ATT&CK: Many of the activities (such as reconnaissance and resource development) that bad actors take before an enterprise is compromised are normally done outside of the organization’s visibility, and thus these pre-attack tactics and techniques are extremely difficult to detect at the time. For example, cyber-attackers may leverage information freely available on the internet, relationships the organization has with other already compromised organizations, or other methods to attempt access. PRE-ATT&CK lets defending organizations better monitor and understand these pre-attack activities that occur externally to their network perimeter.

Enterprise ATT&CK: ATT&CK for Enterprise provides the model that details the actions that cyber-attackers may take to compromise and execute their activities within an enterprise network. There are specific tactics and techniques in the matrix for a broad range of platforms including Windows, macOS, Linux, Azure AD, Office 365, Google Workspace, SaaS, IaaS, Networks, and Containers. The PRE-ATT&CK matrix originally was part of ATT&CK for Enterprise, since it is also focused on attempts to compromise enterprise infrastructure. The Enterprise framework helps organizations prioritize their network defenses to focus on those that present the greatest risk to the specific enterprise.

Mobile ATT&CK: The mobile ATT&CK matrix describes tactics and techniques used to compromise both iOS and Android mobile devices. To this end, ATT&CK for Mobile builds upon NIST’s Mobile Threat Catalogue, and as of this writing catalogs a dozen tactics and over 100 techniques that have been used to impact mobile devices and achieve whatever nefarious objectives the bad actors wished to achieve. Additionally, ATT&CK for Mobile lists network-based effects – tactics and techniques that can be used without requiring access to the actual device.

ICS ATT&CK: The newest matrix in the ATT&CK family is the MITRE ATT&CK for Industrial Control Systems (ICS) matrix, which is similar to Enterprise ATT&CK except that it is targeted specifically at industrial control systems, such as power grids, factories, mills, and other organizations that rely on interconnected machinery, devices, sensors, and networks.

Each matrix includes, for every technique under every tactic across the adversarial attack lifecycle, a detailed technical description, the assets and systems the technique targets, mitigation and countermeasure approaches, the detection analytics used to uncover the technique, and examples of real-world usage.

When viewing the matrices, tactics are presented in a linear fashion describing the attack lifecycle, starting with reconnaissance and continuing all the way to the final goal, whether that goal is exfiltration of information, encrypting files for ransomware, both, or some other malicious action.

What are the benefits of MITRE ATT&CK framework?

The main benefit of the ATT&CK framework is that organizations can gain an understanding of how adversaries operate and the steps they might plan to take to gain initial access, perform discovery, move laterally, and exfiltrate data. This lets teams view activities from the attacker’s perspective, which can lead to a richer understanding of motivations and tactics. Ultimately, organizations can leverage that understanding and knowledge to identify gaps in their security posture and improve threat detection and response, by enabling teams to predict an attacker’s next moves so remediation can occur quickly. It is often said in sports that the best defense is a good offense, and in cybersecurity, understanding what the offense is deploying can greatly assist the defense of the network, devices, and users.

Additionally, in the current work environment, where there is a severe skills shortage in cybersecurity, the framework can help junior or newly hired security staff by giving them the knowledge and research tools they need to rapidly come up to speed on any given threat, leveraging the collective knowledge of all the security professionals before them who have contributed to the MITRE ATT&CK framework matrices.

What are the challenges of using MITRE ATT&CK framework?

As the ATT&CK matrices continue to grow in both number and size, they have become increasingly complex. The number of combinations and permutations of tactics and techniques in the framework, although incredibly thorough, can be overwhelming due to the sheer amount of data there is to digest and process.

For example, there are currently over 400 different techniques or attack patterns outlined in the fourteen tactics described in ATT&CK for Enterprise. Many of those techniques also contain sub-techniques that further increase the number of permutations. Many organizations have not automated the mapping of all that data to their current security infrastructure, which can be a formidable task.
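The matrix structure described earlier (tactics as columns, techniques as rows, metadata attached to each technique) is also what makes the mapping automatable: MITRE publishes the matrices in a machine-readable STIX form. The script below is an added example, not code from this page, from MITRE, or from VMware. It parses a hand-built mini-bundle that mirrors the layout of the ATT&CK STIX export (x-mitre-tactic and attack-pattern objects whose external_references carry a "mitre-attack" entry holding the ATT&CK ID, and kill_chain_phases naming the tactic), then compares a constructed set of detection-rule tags against it and reports, per tactic, which techniques no rule covers. The tactic and technique IDs in the bundle are a tiny subset of real ATT&CK identifiers; T9999 is a placeholder standing in for a revoked object, and the rule names and the T1059.999 tag are constructed.

```python
"""Per-tactic detection-coverage report from an ATT&CK-style STIX bundle.

Added example. The bundle below is hand-built to mirror the layout of the
MITRE ATT&CK STIX export (x-mitre-tactic and attack-pattern objects whose
external_references carry a "mitre-attack" entry with the ATT&CK ID); it is
a tiny subset, not the real knowledge base.
"""
import json
from collections import defaultdict


def _tactic(tid, shortname, name):
    return {"type": "x-mitre-tactic", "name": name, "x_mitre_shortname": shortname,
            "external_references": [{"source_name": "mitre-attack", "external_id": tid}]}


def _technique(tid, name, phases, **extra):
    return {"type": "attack-pattern", "name": name,
            "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": p}
                                  for p in phases],
            "external_references": [{"source_name": "mitre-attack", "external_id": tid}],
            **extra}


# Constructed mini-bundle. T9999 is a placeholder ID used only to show that
# revoked objects are skipped; the other IDs are real ATT&CK identifiers.
BUNDLE_JSON = json.dumps({"type": "bundle", "id": "bundle--example", "objects": [
    _tactic("TA0001", "initial-access", "Initial Access"),
    _tactic("TA0002", "execution", "Execution"),
    _tactic("TA0010", "exfiltration", "Exfiltration"),
    _technique("T1566", "Phishing", ["initial-access"]),
    _technique("T1059", "Command and Scripting Interpreter", ["execution"]),
    _technique("T1059.001", "PowerShell", ["execution"], x_mitre_is_subtechnique=True),
    _technique("T1041", "Exfiltration Over C2 Channel", ["exfiltration"]),
    _technique("T9999", "Placeholder (revoked)", ["execution"], revoked=True),
]})

# Constructed detection rules tagged with the technique IDs they cover.
# "T1059.999" is a deliberately stale tag to exercise the unknown-ID path.
DETECTION_RULES = [
    ("powershell-encoded-command", ["T1059.001"]),
    ("mail-gateway-attachment-sandbox", ["T1566"]),
    ("rule-with-stale-tag", ["T1059.999"]),
]


def attack_id(obj):
    """Return the ATT&CK ID (T1059, TA0002, ...) from the mitre-attack reference."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def load_matrix(bundle_json):
    """Return (tactics, techniques_by_tactic, technique_tactics).

    tactics:              shortname -> (tactic ID, tactic name)
    techniques_by_tactic: shortname -> {technique ID: technique name}
    technique_tactics:    technique ID -> [tactic shortnames]
    Revoked and deprecated objects are skipped, as the live data set marks them.
    """
    tactics, by_tactic, technique_tactics = {}, defaultdict(dict), {}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("revoked") or obj.get("x_mitre_deprecated"):
            continue
        if obj["type"] == "x-mitre-tactic":
            tactics[obj["x_mitre_shortname"]] = (attack_id(obj), obj["name"])
        elif obj["type"] == "attack-pattern":
            tid = attack_id(obj)
            phases = [p["phase_name"] for p in obj.get("kill_chain_phases", [])
                      if p.get("kill_chain_name") == "mitre-attack"]
            technique_tactics[tid] = phases
            for phase in phases:
                by_tactic[phase][tid] = obj["name"]
    return tactics, dict(by_tactic), technique_tactics


def coverage_report(bundle_json, rules):
    """Map rule tags onto the matrix; return ({tactic ID: summary}, unknown tags)."""
    tactics, by_tactic, technique_tactics = load_matrix(bundle_json)
    covered, unknown = set(), set()
    for _rule, tags in rules:
        for tag in tags:
            if tag not in technique_tactics:
                unknown.add(tag)          # stale or mistyped tag: never silently ignore
                continue
            covered.add(tag)
            if "." in tag:                # a sub-technique rule also counts for its parent
                covered.add(tag.split(".")[0])
    report = {}
    for shortname, techniques in by_tactic.items():
        tactic_id, tactic_name = tactics.get(shortname, (shortname, shortname))
        gaps = sorted(t for t in techniques if t not in covered)
        report[tactic_id] = {"tactic": tactic_name, "total": len(techniques),
                             "covered": len(techniques) - len(gaps), "gaps": gaps}
    return report, sorted(unknown)


if __name__ == "__main__":
    report, unknown = coverage_report(BUNDLE_JSON, DETECTION_RULES)
    for tactic_id, row in report.items():
        print(f"{tactic_id} {row['tactic']}: {row['covered']}/{row['total']} "
              f"techniques covered; gaps: {', '.join(row['gaps']) or 'none'}")
    if unknown:
        print("Tags not found in the matrix (check for stale IDs):", ", ".join(unknown))
```

Two design choices are worth noting. Unknown tags are reported rather than dropped, because a rule tagged with an ID that no longer exists in the matrix is exactly the kind of drift that makes a coverage number look better than it is. And a rule for a sub-technique is credited to its parent technique here; a team that wants stricter accounting can remove that line and track parent and sub-technique coverage separately.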

A recent study by UC Berkeley found that while nearly all organizations use the framework to tag network events with various security products, not even half of respondents have automated the security policy changes that are indicated by the framework.

Other challenges include difficulty correlating cloud-based and on-premises events or the inability to correlate events from mobile devices and endpoints.

How do you use the MITRE ATT&CK framework?

A recent report from the US Center for Cybersecurity and Infrastructure Security Agency (CISA) offers a list of best practices for organizations to utilize the MITRE ATT&CK framework to map attacks to remediation and protection techniques. Although the study found that large enterprise organizations were adopting the framework, the majority of users do not believe their current security products can detect all the known threats in the ATT&CK matrices relating to their infrastructure.

How does VMware utilize the MITRE ATT&CK framework?

The scale and economics of the cloud have been a boon for today’s enterprise. However, moving applications and data out of the data center into multi-cloud environments has greatly expanded threat surfaces, putting enterprises at a greater risk from the devastation of ransomware attacks. Furthermore, modern apps have tens of thousands of components. To defend against today’s increasingly sophisticated and damaging ransomware attacks, organizations must go beyond segmentation inside the data center and traditional next gen firewalls at the perimeter. Attend this session to see a real-world ransomware attack, following the MITRE ATT&CK Framework, and how VMware’s innovation inside the cloud teamed with cloud-to-cloud security provides the strongest defense in the industry. - Innovations in Ransomware Defense for Today's Multi-Cloud Environments

Organizations are finding gaps in their defenses and improving their ability to prevent, detect and respond to network threats by mapping their network security controls to MITRE ATT&CK. This session outlines the benefits organizations can achieve by mapping network security controls to MITRE ATT&CK. It gives an overview of how you can map network security controls to adversarial movements across the MITRE ATT&CK tactics and techniques, and highlights critical differences in MITRE ATT&CK coverage across the NSX Distributed Firewall, Intrusion Prevention System, Network Sandbox, and Network Traffic Analysis. - Mapping NSX Firewall Controls to MITRE ATT&CK Framework

Learn how to find security gaps before an attacker does using the MITRE ATT&CK matrix. See how you can develop a series of starting points for more effective threat hunting and ultimately strengthen your security posture. Learn about MITRE’s most recent Carbanak+FIN7 evaluation as well as the basic steps to improve your threat hunting program with VMware Carbon Black Cloud and VMware NSX Advanced Threat Prevention. - How to Evolve Your SOC with the MITRE ATT&CK Framework
