What is MITRE ATT&CK?
MITRE ATT&CK stands for MITRE's Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK). It was introduced in 2013 as a central knowledge base of cyber adversary behavior. A MITRE ATT&CK matrix consists of the tactics and techniques adversaries use to carry out a cyber attack, organized from gaining access to the operating system through to stealing data or controlling machines. Using these models, organizations can assess what types of attacks to expect, what resources are needed to defend against them, and where to focus their efforts. This comprehensive set of tactics and techniques helps threat hunters, red teams, and cyber defenders classify threats and attacks and assess a company's risk more accurately. By abstracting behavior into tactics and techniques, the model provides a common taxonomy for describing individual adversary actions that is understood by both the offensive and defensive sides of cybersecurity.
Different ATT&CK Models
There are currently three versions of the MITRE ATT&CK framework:
| Model | Scope |
|---|---|
| Enterprise ATT&CK | Analyzes adversarial tactic and technique behavior in Windows, Mac, Linux, and Cloud environments. |
| Mobile ATT&CK | Analyzes adversarial tactic and technique behavior on iOS and Android devices. |
| PRE-ATT&CK | Analyzes "pre-exploit" adversarial tactic and technique behavior, that is, the activity that takes place before a target network is exploited. |
However, in 2020, PRE-ATT&CK was integrated into Enterprise ATT&CK, making the framework more straightforward and more precise for the end user.
MITRE ATT&CK Tactics, Techniques & Procedure
ATT&CK for Enterprise is the most general version of the framework and covers Windows, macOS, Linux, AWS, Google Cloud Platform, Azure, Azure AD, Office 365, SaaS, and Network environments. The following are the tactics an attacker will work through from the initial point of access to a full-fledged breach:
| S No. | Tactic | Behavior Description |
|---|---|---|
| 1 | Reconnaissance | Reconnaissance consists of techniques that involve adversaries actively or passively gathering information that can be used to support targeting. |
| 2 | Resource Development | Resource Development consists of techniques that involve adversaries creating, purchasing, or compromising/stealing resources that can be used to support targeting. |
| 3 | Initial Access | Initial Access consists of techniques that use various entry vectors to gain an initial foothold within a network. |
| 4 | Execution | Execution consists of techniques that result in adversary-controlled code running on a local or remote system. |
| 5 | Persistence | Persistence consists of techniques adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. |
| 6 | Privilege Escalation | Privilege Escalation consists of techniques adversaries use to gain higher-level permissions on a system or network. |
| 7 | Defense Evasion | Defense Evasion consists of techniques adversaries use to avoid detection throughout their compromise. |
| 8 | Credential Access | Credential Access consists of techniques for stealing credentials like account names and passwords. |
| 9 | Discovery | Discovery consists of techniques an adversary may use to gain knowledge about the system and internal network. |
| 10 | Lateral Movement | Lateral Movement consists of techniques that adversaries use to enter and control remote systems on a network. |
| 11 | Collection | Collection consists of techniques adversaries may use to gather information, and the sources that information is collected from, that are relevant to following through on the adversary's objectives. |
| 12 | Command and Control | Command and Control consists of techniques adversaries may use to communicate with systems under their control within a victim network. |
| 13 | Exfiltration | Exfiltration consists of techniques that adversaries may use to steal data from your network. Once they have collected data, adversaries often package it to avoid detection while removing it. |
| 14 | Impact | Impact consists of techniques adversaries use to disrupt availability or compromise integrity by manipulating business and operational processes. |
The ATT&CK matrix structure is similar to a periodic table, with column headers outlining each phase of the attack chain (from Initial Access to Impact). The rows beneath them go into greater detail about specific techniques. Framework users can delve deeper into any technique to learn more about its tactics, platforms, procedures, mitigations, and detections. The MITRE ATT&CK matrix includes adversary techniques, which describe the actual actions taken by the adversary; sub-techniques describe in greater detail how an adversary may perform a specific technique. The MITRE ATT&CK Navigator displays the ATT&CK Matrix for Enterprise in this form:

In ATT&CK, a procedure describes how an adversary or software implements a technique. Using the procedure, it is possible to understand precisely how the technique is applied in an incident through the emulation of an adversary and how to detect it if that instance occurs in the future.
Role of MITRE ATT&CK in Endpoint Security
MITRE ATT&CK is constantly updated with new information on reported incidents, technique variants, and mitigations. As a result, it has quickly become a valuable resource for endpoint detection and response (EDR) work. There is a common saying in the cybersecurity industry that security is not a fair fight: an attacker only needs to be right once to succeed, whereas defenders must be right 100% of the time to prevent a breach. Perfection is not possible with thousands of endpoints to protect. The MITRE ATT&CK process helps industry professionals discuss and collaborate on combatting these adversary methods without ambiguity and provides practical applications for security teams to secure endpoints. MITRE ATT&CK is often applied manually or in conjunction with security tools, such as Security Information and Event Management (SIEM), Endpoint Detection and Response (EDR), and Cloud Access Security Broker (CASB) products. MITRE ATT&CK for endpoint defense allows defenders to determine the phase of a threat event, assess the associated risk, and prioritize response based on the events observed by the endpoint agent.
How Can Different SOC Teams Use MITRE ATT&CK?
All SOC teams, including red, blue, and purple teams, can benefit from the ATT&CK framework:
Red Team:
Red teams can model adversary behavior by following MITRE's adversary emulation plans. ATT&CK-based campaigns make it easier to detect attacks, identify patterns, and rate existing defenses.
Blue Team:
A blue team can use the ATT&CK framework to focus on what the adversary can do, strategize the incident response and threat protection strategies accordingly, and ensure proper mitigations.
Purple Team:
Purple teams can use the ATT&CK framework to understand adversary tactics, techniques, and procedures and to develop detection content that enhances threat detection capabilities.
MITRE ATT&CK Use Cases in Endpoint Security
The MITRE ATT&CK framework has several benefits for an organization. The following are some of the benefits of adopting MITRE ATT&CK:
Adversary Emulation:
Emulates an adversary's threat behaviors by applying intelligence about how they operate. ATT&CK can be used to simulate an adversary in order to test and verify defenses.
Red Teaming:
Demonstrates the impact of a breach by acting like an adversary. Red team plans can be made, and operations organized, with ATT&CK.
Behavioral Analytics Development:
Analyzes suspicious activity to track adversary behavior. Using ATT&CK, the handling of suspicious activity can be streamlined and organized around known techniques.
Defensive Gap Assessment:
Determines where defenses and visibility gaps exist within the organization. To measure security coverage and prioritize investments, ATT&CK can assess existing tools or test new ones prior to purchase.
ATT&CK Navigator allows you to create different levels of security coverage. Using this tool, you can rank your coverage of each technique on a scale from zero to 100. These layers can then be exported or combined to see what you have covered and where you may be vulnerable. The objective should be to maximize coverage over time.
The ATT&CK framework helps SOC teams prioritize which areas to address and locate vulnerabilities. ATT&CK tactics, techniques, and procedures can help prioritize threat mitigation and identify security gaps. Most SOCs receive threat intelligence data as well as data on detected attackers.
MITRE ATT&CK allows you to integrate into your cyber defense the risk information you believe is associated with your organization's most sensitive operations. These threats can be mapped to the tactics and techniques used by intruders. MITRE ATT&CK makes it easier to identify vulnerabilities when faced with such challenges, so that you can devise a plan for filling these gaps and strengthening defenses.
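As an added example (not code from this page or from NetSecurity), the layer arithmetic the paragraph above describes: two constructed per-tool coverage layers are merged by taking the best score for each technique, the techniques still under a threshold are listed as gaps, and the result is written back out as a Navigator-style layer. The JSON field names ("techniqueID", "score", "domain", "gradient") follow the ATT&CK Navigator layer format as assumed here; the technique IDs are real ATT&CK IDs, while the scores are made up.

```python
import json
# Constructed sample layers; assumed Navigator fields: "techniqueID" and "score" (0..100).
EDR_LAYER = {
    "name": "EDR coverage (constructed)", "domain": "enterprise-attack",
    "techniques": [
        {"techniqueID": "T1566", "score": 80},  # Phishing (Initial Access)
        {"techniqueID": "T1059", "score": 60},  # Command and Scripting Interpreter (Execution)
        {"techniqueID": "T1003", "score": 0},   # OS Credential Dumping (Credential Access)
    ],
}
SIEM_LAYER = {
    "name": "SIEM coverage (constructed)", "domain": "enterprise-attack",
    "techniques": [
        {"techniqueID": "T1059", "score": 30},
        {"techniqueID": "T1003", "score": 50},
        {"techniqueID": "T1071", "score": 40},  # Application Layer Protocol (Command and Control)
    ],
}

def coverage_map(layer):
    # {techniqueID: score} for one layer, with scores clamped to 0..100
    return {t["techniqueID"]: max(0, min(100, int(t["score"])))
            for t in layer["techniques"]}

def combine_layers(*layers):
    # Best score per technique: covered if any tool covers it; absent from a layer counts as 0
    merged = {}
    for layer in layers:
        for tid, score in coverage_map(layer).items():
            merged[tid] = max(merged.get(tid, 0), score)
    return merged

def gaps(merged, threshold=50):
    # Technique IDs whose best coverage is below threshold, weakest first
    return sorted((tid for tid, s in merged.items() if s < threshold),
                  key=lambda tid: (merged[tid], tid))

def to_navigator_layer(name, merged):
    # Serialize merged coverage as a Navigator-style layer JSON string
    layer = {
        "name": name, "domain": "enterprise-attack",
        "gradient": {"colors": ["#ff6666", "#ffe766", "#8ec843"], "minValue": 0, "maxValue": 100},
        "techniques": [{"techniqueID": t, "score": s} for t, s in sorted(merged.items())],
    }
    return json.dumps(layer, indent=2)

if __name__ == "__main__":
    merged = combine_layers(EDR_LAYER, SIEM_LAYER)
    print("gaps below 50:", gaps(merged))  # ['T1071']
    print(to_navigator_layer("Combined coverage", merged))
```

The merged layer is what you would load into the Navigator to see which techniques no deployed tool covers adequately; raising the threshold shows how the gap list grows as the coverage target tightens.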
SOC Maturity Assessment:
In the same way as a Defensive Gap Assessment, ATT&CK also helps organizations determine whether their security operations center (SOC) can detect, analyze, and respond to breaches.
Cyber Threat Intelligence Enrichment:
Improves information on threats and threat actors. With ATT&CK, defenders can assess their ability to defend against specific Advanced Persistent Threats (APTs) and against techniques common across multiple threat actors.
How To Detect Advanced Cyber Threats and Secure Endpoints?
Cyber security threats are increasing at a tremendous pace. It is extremely difficult for cyber security analysts and incident responders to investigate and detect threats using conventional tools and techniques. NetSecurity's ThreatResponder, with its diverse capabilities and its integration with the MITRE ATT&CK framework, can help your team detect the most advanced cyber threats, including APTs, zero-day attacks, and ransomware. It can also help automate incident response actions across millions of endpoints, making response easy, fast, and hassle-free.
Want to see ThreatResponder, our cutting-edge Endpoint Detection & Response (EDR) security solution, in action? Click the button below to request a free demo of NetSecurity's ThreatResponder platform.
Disclaimer
The content of this page shall be deemed proprietary and privileged information of NETSECURITY CORPORATION. It shall be noted that the contents of this page are copyrighted by NETSECURITY CORPORATION. Any violation, misuse, or unauthorized use of this content, "as is" or modified, shall be considered illegal and subject to the articles and provisions stipulated in the General Data Protection Regulation (GDPR) and the Personal Data Protection Law (PDPL).