MITRE ATT&CK for Cyber Defense

Prasad Kadu
6 min readFeb 28, 2024

--

Understanding the Adversaries: Tactics, Techniques, and Sub-Techniques.

1. MITRE ATT&CK

MITRE ATT&CK is an extensive database that holds information about the tactics and techniques used by adversaries in the real world. This resource serves as a fundamental building block for creating specific threat models and methodologies in various sectors, including private industry, government, and the cybersecurity community.

In simple terms, think of MITRE ATT&CK as a giant encyclopedia of how bad adversaries try to break into computer systems and what they do once they’re inside. This information is important for companies, governments, and cybersecurity experts to understand and defend against cyber threats effectively.

The ATT&CK database uses a common language for describing both the methods attackers use and the strategies defenders can employ. This shared taxonomy helps everyone involved in cybersecurity communicate more clearly and work together more effectively.

Photo by GR Stocks on Unsplash

2. ATT&CK USE CASES

The core of ATT&CK revolves around a comprehensive set of techniques and sub-techniques that depict the actions adversaries can take to achieve their goals. These goals are categorised into tactics, providing a structured framework for understanding cyber threats.

For instance, think of ATT&CK as a toolbox filled with various techniques that hackers can use to break into systems. Each technique serves a specific purpose, like stealing data or disrupting services. These techniques are organised into different categories based on the border objectives they help attackers accomplish.

This arrangement strikes a balance between offering detailed technical insights into specific techniques while also providing the broader context of why those actions are taken.

2.1 The ATT&CK Matrix

Fig. 1 — The ATT&CK Matrix (Source — attack.mitre.org)

In the ATT&CK matrix (see Fig. 1), the interconnection between tactics, techniques, and sub-techniques is graphically represented.

  • Tactics — These are the overarching objectives or goals that adversaries aim to achieve within a targeted environment. For instance, one common tactic is “persistence," where adversaries seek to maintain their presence in the system even after their initial access.
  • Techniques — Techniques are the specific methods or actions adversaries employ to accomplish their objective outlined in the tactics. For example, within the “Persistence” tactics, there are various techniques such as “Hijack Execution Flow," “Pre-OS Boot,” and “Scheduled Task/Job.”.
Fig. 2 — Persistence tactics (Source — attack.mitre.org)
  • Sub-techniques — Sub-techniques are smaller parts of bigger techniques (see Fig. 2). They offer a more detailed understanding of how adversaries execute their tactics.

MITRE ATT&CK TACTICS

MITRE ATT&CK tactics has 14 fundamental strategies that adversaries utilize to conduct cyber attacks. Each tactics represents a distinct phase or objective within the cyber attack lifecycle.

  1. Reconnaissance — This tactic involves gathering intelligence and information about the target organization's systems, network and infrastructure. Adversaries perform reconnaissance to understand the target’s weaknesses and vulnerabilities, which aids in planning future attacks.
  2. Resource Development — Adversaries engage in resource development to acquire the necessary infrastructure, tools, and resources required to conduct their malicious activities effectively. This may include setting up command-and-control servers, acquiring malware, or renting botnets.
  3. Initial Access — This tactic focuses on gaining the first entry point into the target network or system. Adversaries exploit vulnerabilities, misconfigurations, or weak authentication mechanisms to gain initial access.
  4. Execution — Once inside the network, adversaries execute malicious code or commands to achieve their objectives. This may involve running malware, exploiting vulnerabilities, or executing scripts to explore the network or steal data.
  5. Persistence — Adversaries seeks to maintain long-term access to the target network by establishing mechanisms that allow them to maintain access even after detection or system reboots. This may involve creating backdoors or exploiting persistent vulnerabilities.
  6. Privilege Escalation — Adversaries escalate their privileges within the target environment to gain higher levels of access and control. This may involve exploiting vulnerabilities, abusing misconfigurations, or using stolen credentials to gain administrative or privileged access.
  7. Defense Evasion — Adversaries employ tactics and techniques to evade detection by security software and mechanisms. This includes techniques such as using encryption, obfuscation, or anti-forensic techniques to conceal their activities.
  8. Credential Access — Adversaries aim to steal credentials, such as usernames and passwords, to gain unauthorized access to systems, networks, or resources. This may involve exploiting vulnerabilities, phishing attacks, or password cracking techniques.
  9. Discovery — Adversaries explore the target network to gather information about its structure, assets, and configurations. This includes identifying active hosts, open ports, installed software, user accounts, and other relevant information.
  10. Lateral Movement — After gaining initial access, adversaries move laterally within the network to access and control additional systems or resources. This may involve exploiting trust relationships, abusing misconfigurations, or using stolen credentials to move between systems.
  11. Collection — Adversaries collect data from compromised systems or network resources. This may include sensitive information such as credentials, intellectual property, or personal data, which can be used for further exploitation or monetization.
  12. Command and Control — Adversaries establish and maintain communication channels with compromised systems or malware deployed within the target network. This allows them to remotely control and orchestrate their malicious activities.
  13. Exfiltration — Adversaries steal data from the target network and transfer it to external servers or locations under their control. This may involve compressing, encrypting, or obfuscating data to avoid detection during the exfiltration process.
  14. Impact — Adversaries aim to cause disruption, damage, or destruction within the target environment. This may involve deleting files, modifying configurations, or launching denial-of-service attacks to disrupt services or operations.

How to Use the MITRE ATT&CK Framework

Using the MITRE ATT&CK Framework requires several necessary approaches and behaviours to improve cybersecurity readiness and resilience.

  1. Cyber Threat Intelligence (CTI)—Cyber Threat Intelligence involves gathering, analysing, and interpreting information about potential cyber threats, including the tactics, techniques, and procedures (TTPs) employed by adversaries. By leveraging the MITRE ATT&CK Framework, organisations can categorise and contextualise threat intelligence data, enabling them to identify emerging threats, anticipate attacker behaviours, and prioritise security measures accordingly.
  2. Threat Intelligence & Analytics: This aspect focuses on the proactive analysis of threat intelligence data using advanced analytics techniques. By mapping threat intelligence to the MITRE ATT&CK Framework, organizations can gain deeper insights into the tactics and techniques utilized by adversaries. This enables the development of predictive models and behavioral analytics to detect anomalous activities and indicators of compromise (IOCs) effectively.
  3. Penetration Testing & Adversary Emulation: Penetration testing involves simulating real-world cyber attacks to assess the security posture of an organization’s systems, networks, and applications. By incorporating the MITRE ATT&CK Framework into penetration testing methodologies, organizations can emulate the tactics and techniques employed by adversaries, providing a more realistic assessment of their security defenses. Adversary emulation goes a step further by replicating specific threat actor behaviors and attack scenarios based on the MITRE ATT&CK Framework, enabling organizations to validate their detection and response capabilities effectively.
  4. Threat Coverage Gap Assessment: Assessing threat coverage gaps involves evaluating the effectiveness of existing security controls and measures in mitigating the risks posed by known threats. By comparing security controls against the tactics and techniques outlined in the MITRE ATT&CK Framework, organisations can identify areas where their defences may be lacking or where improvements are needed. This enables organisations to prioritise investments in cybersecurity technologies, processes, and training to address identified gaps and enhance overall cyber resilience.

In Conclusion

To sum up, the MITRE ATT&CK Framework is an important component in cybersecurity, providing an effective categorization and thorough understanding of adversary tactics, techniques, and procedures (TTPs). Organisations may efficiently assess, prioritise, and strengthen their cyber defences using this organised approach.

Using the framework’s extensive database and graphical representations like the ATT&CK Matrix, cybersecurity professionals can gain complex insights into the various stages of the cyber attack lifecycle, allowing for proactive threat intelligence analysis, penetration testing, adversary emulation, and gap assessment.

This entire strategy promotes a proactive and adaptive cybersecurity posture, allowing organisations to identify emerging threats, improve detection and response capabilities, and effectively reduce risks.

The MITRE ATT&CK Framework is an essential tool for organisations to manage and combat cyber threats with accuracy and resilience.

--

--