by Paul Caiazzo
What is the MITRE ATT&CK Framework?
MITRE’s Adversarial Tactics, Techniques and Common Knowledge (ATT&CK) framework is a threat-focused tool bringing together information about the tactics, techniques and procedures (TTPs) adversaries use to compromise their targets.
The goal of the framework is to collect the relevant, publicly available information about the TTPs that advanced persistent threat (APT) groups use, so that security teams can detect attacks and prevent compromises.
The framework was originally used internally at MITRE for the development of realistic simulations of adversary tactics in order to help design and test potential defenses against these tactics. It focuses on TTPs because patterns in a given threat group’s attack strategies form a fingerprint that tends to persist throughout the lifecycle of a group more than transient indicators like IP addresses, specific malware variants, etc.
MITRE made the framework publicly available in May 2015 so that other organizations could take advantage of the data and organizational structure provided by ATT&CK.
Since its public release, many security technology vendors and service providers have utilized the framework as a common frame of reference, allowing for greater interoperability between tools, improved ability to correlate events and ultimately greater success in preventing compromises.
At its core, ATT&CK is a knowledge base of the tactics, techniques and procedures adversaries have been observed using to achieve their goals as they progress through the cyber kill chain.
Because its tactics follow the kill chain, ATT&CK helps an organization prevent and detect early indicators that it is being targeted as well as late-stage indicators that data is leaving the environment. This is valuable to a security operations center, and it also gives a forensic investigator a structure for containing and eradicating a threat while performing root cause analysis.
Three of the primary interfaces to the knowledge base are the Enterprise ATT&CK Matrix, the Pre-ATT&CK Matrix, and the list of Groups.
Enterprise ATT&CK Matrix
The Enterprise ATT&CK Matrix is the most widely used component of the framework. It organizes the techniques threat actors use by tactic, in roughly the order an intrusion progresses along the kill chain, giving the analyst or researcher protecting an organization a clear point of reference.
The Enterprise Matrix breaks an intrusion into the following Tactics, each naming an adversary objective:
- Initial Access
- Execution
- Persistence
- Privilege Escalation
- Defense Evasion
- Credential Access
- Discovery
- Lateral Movement
- Collection
- Command and Control
- Exfiltration
- Impact
Within each Tactic is a collection of techniques that can be used to accomplish that objective, and under each technique the specific procedures adversaries have been observed using. Tactics earlier in the list are aligned with gaining and establishing access to the target environment; those later in the list are employed once access has been gained and the attacker is working toward the ultimate objective, whether that is data exfiltration or disruption. The order is a guide rather than a strict sequence: a single technique can serve more than one tactic (Valid Accounts appears under Initial Access, Persistence, Privilege Escalation and Defense Evasion), and attackers commonly cycle through credential access, lateral movement and privilege escalation several times before reaching their goal.
Each technique entry lists procedure examples (the groups and software observed using it), recommended mitigations, detection guidance and the data sources a defender needs to collect in order to see it.
This information is useful for developing prevention and detection strategies, and security operations centers draw on it when writing correlation rules and automated response playbooks. It gives the teams that build and deploy preventive controls a clear picture of what each control should stop. Incident responders use it by mapping observed activity to the techniques and tactics the attacker used, which shows how far along the kill chain the intrusion has progressed and where to look for earlier activity that was missed.
MITRE’s Pre-ATT&CK Matrix serves the same purpose as the Enterprise Matrix but covers an earlier phase of the attack cycle. Where the Enterprise Matrix covers the techniques used inside a target environment, Pre-ATT&CK covers what attackers do before they ever touch your network: selecting targets, gathering information about them, and building and maintaining the infrastructure and capabilities for the operation.
The Pre-ATT&CK Matrix is broken into the following Tactics:
- Priority Definition Planning
- Priority Definition Direction
- Target Selection
- Technical Information Gathering
- People Information Gathering
- Organizational Information Gathering
- Technical Weakness Identification
- People Weakness Identification
- Organizational Weakness Identification
- Adversary OPSEC
- Establish & Maintain Infrastructure
- Persona Development
- Build Capabilities
- Test Capabilities
- Stage Capabilities
While less immediately actionable for defenders, Pre-ATT&CK provides a wealth of insight into how threat actors build toward an attack. Proactively, an organization can use the techniques it describes to assess what an attacker could learn about it from the outside and take steps to reduce that exposure and the associated risk. A security operations center, for instance, will often profile its own organization from an external attacker’s perspective to understand what information is available to outside parties. That understanding is the foundation of situational awareness, and it is also a practical way to confirm that sensitive information is not publicly exposed. (MITRE has since retired Pre-ATT&CK as a separate matrix and folded its content into the Enterprise Matrix as the Reconnaissance and Resource Development tactics.)
MITRE ATT&CK Groups
Because the main purpose of the framework is to collect information about the TTPs of threat groups, the knowledge base can also be searched for specific threat actors.
The Groups page lists tracked threat groups, including the aliases different vendors assign to the same actor, with a description of each group’s general tactics and goals.
Selecting a group shows the specific tools (ATT&CK’s Software entries) and techniques the group is known to use. This is useful when developing defenses against the groups most likely to target a given organization, and it can support attribution of an observed attack, with a caveat: many techniques are shared across groups, so overlap between observed techniques and a group’s profile is a lead to investigate, not proof of who was behind the activity.
Using the ATT&CK Framework
The MITRE ATT&CK framework is designed to provide easy access to a wealth of information about threat actors and their tools, techniques, and procedures. This information can be used throughout the information security lifecycle – from developing and testing defenses to incident response.
Every organization can benefit from the MITRE ATT&CK framework by reviewing the techniques it lists and determining which of them their current defenses would fail to prevent or detect.
Additionally, organizations should use MITRE ATT&CK as the common vocabulary for correlation between the various tool sets they use, so that alerts from different products can be read as one analytical picture. Doing so allows analysts to quickly determine whether a specific alarm generated by a security tool is an indicator warranting attention, and provides actionable intelligence for focusing on and handling real threats.
For instance, the MITRE ATT&CK framework is built in to Avertium’s proprietary managed security orchestration platform, providing cross-platform intelligence across the many tools our Cyberops Centers of Excellence use to protect our customers. This mapping to ATT&CK enriches the information available to an analyst and, depending on the stage of the kill chain, automatically triggers escalation rules to bring in the analysts’ skill sets appropriate to the situation.
This influences the severity of alerts and the intelligence we can provide to our customers regarding how the attacker will progress through the kill chain. In this way, using the ATT&CK Framework enables us to best leverage the capabilities of each of our tools to help our customers show no weakness.
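The following is an added example, not code from the original article and not Avertium’s platform, that puts the preceding ideas into working form: it loads ATT&CK data in the STIX 2 JSON layout MITRE publishes in its mitre/cti GitHub repository, normalizes alerts from several tools onto technique IDs and tactics (the correlation use described above), escalates by the deepest kill-chain stage observed, and ranks groups by technique overlap as discussed in the Groups section. The bundle excerpt, the group names (“Example Group Alpha” and “Example Group Beta”), the alerts, the hostnames and the escalation tiers are all constructed for illustration; the technique IDs and tactic names are real ATT&CK values, and T9999 is a deliberately bogus ID used to exercise the unmapped-alert path.

```python
"""Added example (not from the article or Avertium): enrich multi-tool alerts with ATT&CK
tactics, escalate by kill-chain stage, and rank groups by technique overlap. MITRE publishes
ATT&CK as STIX 2 JSON (github.com/mitre/cti); BUNDLE is a constructed excerpt in that layout."""
from collections import defaultdict


def _tech(sid, tid, name, *tactics):
    """attack-pattern object: technique ID in external_references, tactics in kill_chain_phases."""
    return {"type": "attack-pattern", "id": f"attack-pattern--{sid}", "name": name,
            "external_references": [{"source_name": "mitre-attack", "external_id": tid}],
            "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": t} for t in tactics]}


def _uses(group_sid, tech_sid):
    """relationship object tying a group (intrusion-set) to a technique it uses."""
    return {"type": "relationship", "relationship_type": "uses",
            "source_ref": f"intrusion-set--{group_sid}", "target_ref": f"attack-pattern--{tech_sid}"}


# Constructed bundle: group names are made up; technique IDs and tactic names are real.
BUNDLE = {"type": "bundle", "objects": [
    _tech("a1", "T1078", "Valid Accounts", "initial-access", "persistence", "privilege-escalation", "defense-evasion"),
    _tech("a2", "T1003", "OS Credential Dumping", "credential-access"),
    _tech("a3", "T1021", "Remote Services", "lateral-movement"),
    _tech("a4", "T1041", "Exfiltration Over C2 Channel", "exfiltration"),
    {"type": "intrusion-set", "id": "intrusion-set--g1", "name": "Example Group Alpha"},
    {"type": "intrusion-set", "id": "intrusion-set--g2", "name": "Example Group Beta"},
    _uses("g1", "a2"), _uses("g1", "a3"), _uses("g1", "a4"), _uses("g2", "a1"),
]}

# Enterprise tactics in the order an intrusion typically progresses (higher index = deeper).
TACTIC_ORDER = ["initial-access", "execution", "persistence", "privilege-escalation",
                "defense-evasion", "credential-access", "discovery", "lateral-movement",
                "collection", "command-and-control", "exfiltration", "impact"]

# Constructed alerts from different tools, each tagged by its vendor rule with the ATT&CK
# technique it detects. T9999 is deliberately bogus to exercise the unmapped-alert path.
ALERTS = [
    {"source": "idp", "host": "vpn-gw", "technique": "T1078", "message": "login from new country"},
    {"source": "edr", "host": "ws-17", "technique": "T1003", "message": "lsass memory read by user process"},
    {"source": "siem", "host": "ws-17", "technique": "T1021", "message": "RDP session to file-srv-02"},
    {"source": "netflow", "host": "file-srv-02", "technique": "T1041", "message": "2.3 GB out over C2 session"},
    {"source": "edr", "host": "ws-17", "technique": "T9999", "message": "rule with no ATT&CK mapping"},
]


def index_bundle(bundle):
    """Return (techniques: T-id -> {'name', 'tactics'}, groups: group name -> set of T-ids)."""
    stix_to_key, group_names, techniques, groups = {}, set(), {}, defaultdict(set)
    # Real bundles keep revoked/deprecated objects; skip them so stale IDs never match.
    objects = [o for o in bundle["objects"] if not o.get("revoked") and not o.get("x_mitre_deprecated")]
    for obj in objects:
        if obj["type"] == "attack-pattern":
            tid = next(r["external_id"] for r in obj["external_references"] if r["source_name"] == "mitre-attack")
            techniques[tid] = {"name": obj["name"], "tactics": [p["phase_name"] for p in obj["kill_chain_phases"]
                                                                if p["kill_chain_name"] == "mitre-attack"]}
            stix_to_key[obj["id"]] = tid
        elif obj["type"] == "intrusion-set":
            stix_to_key[obj["id"]] = obj["name"]
            group_names.add(obj["name"])
    for obj in objects:  # second pass: a relationship may appear before its endpoints
        if obj["type"] == "relationship" and obj["relationship_type"] == "uses":
            src, dst = stix_to_key.get(obj["source_ref"]), stix_to_key.get(obj["target_ref"])
            if src in group_names and dst in techniques:
                groups[src].add(dst)
    return techniques, dict(groups)


def enrich_alerts(alerts, techniques):
    """Attach technique name, tactics and kill-chain stage; unmapped alerts are kept and flagged."""
    enriched = []
    for alert in alerts:
        info = techniques.get(alert["technique"])
        if info is None:
            enriched.append({**alert, "name": None, "tactics": [], "stage": None})
            continue
        # Multi-tactic techniques (e.g. Valid Accounts) score at their deepest tactic: worst case.
        stage = max(TACTIC_ORDER.index(t) for t in info["tactics"])
        enriched.append({**alert, "name": info["name"], "tactics": info["tactics"], "stage": stage})
    return enriched


def escalation_tier(enriched):
    """Choose the response tier from the deepest stage seen across all correlated alerts."""
    stages = [a["stage"] for a in enriched if a["stage"] is not None]
    if not stages:
        return "triage"
    deepest = TACTIC_ORDER[max(stages)]
    if deepest in ("exfiltration", "impact"):
        return "incident-response"
    if deepest in ("credential-access", "discovery", "lateral-movement", "collection", "command-and-control"):
        return "tier-2"
    return "tier-1"


def rank_groups(observed_ids, groups):
    """Rank groups by Jaccard overlap of observed techniques with each group's known set."""
    observed = set(observed_ids)
    scored = [(len(observed & used) / len(observed | used), name) for name, used in groups.items() if observed & used]
    return [name for _, name in sorted(scored, reverse=True)]


if __name__ == "__main__":
    techniques, groups = index_bundle(BUNDLE)
    enriched = enrich_alerts(ALERTS, techniques)
    print(escalation_tier(enriched), rank_groups([a["technique"] for a in ALERTS], groups))
```

Two design choices matter here. First, an alert whose vendor rule carries no ATT&CK mapping is kept and flagged rather than dropped, because silently losing it would hide a gap in the tool’s coverage. Second, the group ranking is deliberately a weak signal: with the constructed data it places “Example Group Alpha” first because three of the four observed techniques are in its profile, but the same three techniques are used by many real groups, so this ordering should drive which group profiles an analyst reads next, not an attribution call.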
Avertium’s managed security services utilize the MITRE ATT&CK, Cyber Kill Chain and NIST Cybersecurity frameworks to build a comprehensive 24x7x365 monitoring program for our customers. By leveraging our expertise in preventing and detecting attacks, we help protect your environment against the most advanced and recent adversarial tactics, techniques, and procedures (TTPs).
Paul Caiazzo, Senior VP of Security and Compliance
Paul brings his wealth of cybersecurity experience to guide Avertium customers through challenging security problems while keeping business goals and objectives at the forefront. His primary focus is on business development, partner and client engagement and other strategic initiatives.