THE MITRE ATT&CK FRAMEWORK
The MITRE ATT&CK framework is a globally accessible knowledge base of adversary tactics and techniques based on real-world threats and threat actors (APT groups). It was developed to improve the understanding of how cyber attacks are performed.
ATT&CK is an abbreviation for Adversarial Tactics, Techniques, and Common Knowledge.
The MITRE ATT&CK Framework is typically used as a baseline and model for adversarial behavior. It highlights the phases of an adversary's attack lifecycle, the software they employ, and the operating systems they target.
It is mostly used by red and blue teamers to plan, implement, and orchestrate engagements based on specific threat actors/APTs (adversary emulation/simulation).
It is also a valuable resource for blue teamers as it details the various TTPs used by specific threat actors and provides companies with valuable cyber threat intelligence (CTI) that can consequently be used to implement defenses and mitigations.
MITRE ATT&CK categorizes adversarial techniques into a collection of tactics further organized into techniques, sub-techniques, and procedures (TTPs).
MITRE ATT&CK MATRICES
- PRE – adversary preparation (Reconnaissance, Resource Development)
- Enterprise
- Mobile
- ICS (Industrial Control Systems)
TACTICS, TECHNIQUES & PROCEDURES (TTPs)
Tactics categorize each step of the adversary’s attack methodology.
Tactics represent the adversary’s tactical goal or objective.
Techniques are used to outline how each tactic is orchestrated.
Techniques describe actions taken by adversaries to achieve their objective.
Sub-Techniques outline the implementation of a specific technique in detail.
Procedures outline all known implementations of a technique or sub-technique.
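The hierarchy above is how ATT&CK actually structures its published data: tactics, techniques and sub-techniques are STIX 2.1 objects, and a procedure is a "uses" relationship from a group or software to a technique. The following Python is an added example (not part of the original post) that walks a constructed mini-bundle in that shape and rebuilds the tactic > technique > sub-technique > procedure tree; every object ID, name and technique ID in it is a placeholder, not a real ATT&CK entry.

```python
from collections import defaultdict

# Constructed mini-bundle in the STIX 2.1 shape ATT&CK publishes (fields not read here omitted);
# every object ID, name and technique ID is a placeholder, not a real ATT&CK entry.
BUNDLE = {"objects": [
    {"type": "x-mitre-tactic", "id": "x-mitre-tactic--t1",
     "name": "Example Tactic", "x_mitre_shortname": "example-tactic"},
    {"type": "attack-pattern", "id": "attack-pattern--ap1", "name": "Example Technique",
     "x_mitre_is_subtechnique": False, "kill_chain_phases": [{"phase_name": "example-tactic"}],
     "external_references": [{"source_name": "mitre-attack", "external_id": "TX001"}]},
    {"type": "attack-pattern", "id": "attack-pattern--ap2", "name": "Example Sub-technique",
     "x_mitre_is_subtechnique": True, "kill_chain_phases": [{"phase_name": "example-tactic"}],
     "external_references": [{"source_name": "mitre-attack", "external_id": "TX001.001"}]},
    {"type": "intrusion-set", "id": "intrusion-set--g1", "name": "Example Group"},
    {"type": "relationship", "id": "relationship--r1", "relationship_type": "subtechnique-of",
     "source_ref": "attack-pattern--ap2", "target_ref": "attack-pattern--ap1"},  # sub -> parent
    {"type": "relationship", "id": "relationship--r2", "relationship_type": "uses",  # a procedure
     "source_ref": "intrusion-set--g1", "target_ref": "attack-pattern--ap2",
     "description": "Example Group ran the sub-technique in a constructed campaign."},
]}

def attack_id(obj):
    """Return the ATT&CK external ID (e.g. TX001) recorded on a STIX object, or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref["external_id"]
    return None

def build_hierarchy(bundle):
    """Return {tactic name: {technique ID: {"name", "subs", "procedures"}}}."""
    objs = bundle["objects"]
    by_id = {o["id"]: o for o in objs}
    tactics = {o["x_mitre_shortname"]: o["name"] for o in objs if o["type"] == "x-mitre-tactic"}
    procedures, parent_of = defaultdict(list), {}
    for rel in (o for o in objs if o["type"] == "relationship"):
        if rel["relationship_type"] == "uses":  # procedure: which group/software used it, and how
            procedures[rel["target_ref"]].append((by_id[rel["source_ref"]]["name"], rel.get("description", "")))
        elif rel["relationship_type"] == "subtechnique-of":
            parent_of[rel["source_ref"]] = rel["target_ref"]
    tree = defaultdict(dict)
    patterns = [o for o in objs if o["type"] == "attack-pattern"]
    for t in (p for p in patterns if not p.get("x_mitre_is_subtechnique")):
        for phase in t["kill_chain_phases"]:  # one technique may serve several tactics
            tree[tactics[phase["phase_name"]]][attack_id(t)] = {"name": t["name"], "subs": {}, "procedures": procedures[t["id"]]}
    for s in (p for p in patterns if p.get("x_mitre_is_subtechnique")):
        parent = by_id[parent_of[s["id"]]]  # sub-techniques are placed under their parent technique
        for phase in parent["kill_chain_phases"]:
            tree[tactics[phase["phase_name"]]][attack_id(parent)]["subs"][attack_id(s)] = {"name": s["name"], "procedures": procedures[s["id"]]}
    return dict(tree)
```

The same function works on the full ATT&CK STIX bundle once it is loaded with json.load, since the object types and relationship types are the ones ATT&CK publishes.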
WHY ATT&CK?
- Provides attackers and defenders with a common knowledge base of adversarial behavior based on behavioral analysis of attacks and threat campaigns.
- Organizes, categorizes, and contextualizes adversarial behavior based on the different phases of the attack lifecycle.
- Utilizes common and standardized nomenclature when referencing TTPs and APT groups.
- Frequently updated.