The MITRE ATT&CK framework, explained

Field Effect took part in MITRE Engenuity’s ATT&CK® Evaluations: Managed Services - Round 2. See results here. 

In 2013, the not-for-profit security research organization MITRE developed the Adversarial Tactics, Techniques, and Common Knowledge Framework, otherwise known as ATT&CK.

The framework provides businesses with a detailed overview of the methods that advanced persistent threats (APTs) have used in past cyberattacks so that users of the framework can tailor their cybersecurity strategy accordingly. After all, threat actors often resort to the same old strategies (as long as they still work).

The MITRE ATT&CK Framework provides a "standardized language" that participants can use to describe the threats they face. That helps get those in the cybersecurity industry on the same page to address the threat landscape more efficiently.

The framework has proven to be an excellent tool, helping users globally understand and handle cybersecurity more effectively. It offers a consistent, accessible, industry-specific knowledge base that's as comprehensive as possible, and helps you think like a threat actor to keep them from ever infiltrating your system—or mitigate the damage if they do.

Knowing how best to use the framework can be slightly overwhelming, but working with the right experts can help simplify things. That's why in this article, we'll take a deeper look at the MITRE ATT&CK Framework, what it consists of, how to use it, and more.

What is the MITRE ATT&CK Framework?

The MITRE ATT&CK Framework started as a research project in 2013 when a sponsor organization needed a better way to detect threat actors within its IT stack.

As MITRE searched for ways to meet the sponsor's needs, they quickly realized that finding a way to emulate adversarial behavior would help them achieve their goal and help others prepare for a threat. Enter the MITRE ATT&CK Framework. 

The primary feature of the MITRE ATT&CK Framework is the ATT&CK matrix. It also includes a global cybersecurity community formed by private and public sectors and leading product and service vendors. They come from different parts of the industry, but their common goal is the same: to guard against cyber threats.

They do it by developing better cyber threat models and sharing their insights from attacks that they've faced. And because the cybersecurity industry has so many varying terms, they created a common language that all can use for better communication.

Initially developed for Windows operating systems only, the MITRE ATT&CK Framework has since expanded its scope to include macOS, Linux, mobile devices, and industrial control systems (ICS).

And since APTs often use different methods to break into the cloud, there's a separate framework for cloud and enterprise systems. 

Tactics, techniques, and procedures

The ATT&CK matrix is essentially a grid plotting an APT's purposes for attempting their attacks (tactics) and their methods to achieve them (techniques), to give users a detailed understanding of what threat actors do and why. 

Tactics

Intended to describe an APT’s motives when they carry out their threats, tactics give the "why" behind a threat actor's actions. MITRE has classified these motives into 14 different categories, namely:

1. Reconnaissance: Collecting intelligence for planning future operations
2. Resource development: Establishing resources for further operations
3. Initial access: Entering the network
4. Execution: Running malicious code
5. Persistence: Maintaining their presence within systems
6. Privilege escalation: Gaining higher level permissions, often to access greater resources later on
7. Defense evasion: Keep from being detected
8. Credential access: Account and password theft
9. Discovery: Understanding the environment
10. Lateral movement: Navigating the environment
11. Collection: Gathering pertinent data that helps them accomplish their goal
12. Command and control: Connecting with compromised systems to take them over
13. Exfiltration: Data theft
14. Impact: Altering, interrupting, or destroying digital assets, including systems and data

These 14 tactics are listed as the columns of the MITRE ATT&CK Framework Matrix, and underneath are the methods that adversaries use to achieve each goal. 

Techniques

Threat actors have many tools to help them achieve their goals, which is why cybersecurity teams need to understand each one if they want to model adversary behavior accurately. 

Describing the methods used to accomplish tactics and techniques gives the "how" behind an attacker's behavior. In total, 227 techniques are listed in the 2022 Enterprise version of the matrix, which you can check out here. 

Techniques don't describe the exact means adversaries use to execute their attacks but give a general overview of how the threat was carried out.

Sub-techniques

Techniques show ATT&CK users the general methods adversaries are most likely to use to attack their IT infrastructure, but sub-techniques provide more specific insights.

For example, an adversary may attempt to achieve its "Collection" tactic by archiving collected data. They may do that by archiving them by a utility, library, or another custom method—all sub-techniques listed within the matrix. 

The 2022 Enterprise version of the MITRE ATT&CK Framework matrix contains 401 sub-techniques in total. Some techniques have multiple sub-techniques, while others have zero.

Procedures

Just as sub-techniques provide more specific details on adversaries' techniques, procedures dive even deeper into the exact methods used in the past. They can be found in each report's "Procedure Examples" section after you select the technique or sub-technique you'd like to learn more about. 

For example, suppose you'd like to guard against adversaries attempting the "Collection" tactic who archive collected data. In that case, you can select this technique and find the three sub-techniques listed earlier.

You'll then find an extensive list of known programs adversaries have used to encrypt and compress stolen data before exfiltration to avoid detection.

These specific methods that threat actors have used constitute the procedures portion of the MITRE ATT&CK matrix, and they help users know which ploys to guard themselves against. 

MITRE ATT&CK Framework: Benefits and challenges

The MITRE ATT&CK Framework gives one of, if not the most thorough listings of adversary behavior available. That brings many advantages—but it's not without challenges.

Such an extensive tool can be difficult to make the most of and overwhelming to use. Here are some of the benefits it offers, along with the challenges that come with it. 

Benefits 

From improving threat awareness to sharing information, the MITRE ATT&CK Framework offers all sorts of benefits, including: 

• Awareness. It's constantly updated to include adversaries' most recent attempts, so by using the framework, you're accessing a very up-to-date knowledge base. That helps you prepare for the latest threats and mitigate the damage proactively. 
• Anticipation. By modelling previous adversary behavior, the MITRE ATT&CK Framework helps you think like your attacker to better guard against them. 
• Standardization. Organizations sometimes struggle to learn from the attacks others have faced because they use different terms to describe the same threat. The MITRE ATT&CK Framework provides a common language for all to use, keeping everyone on the same page. 
• Access. The MITRE ATT&CK Framework is open to the public, so anyone from enterprise IT teams to private individuals may benefit from it.

Challenges

Despite all its benefits, some challenges arise that keep organizations from using the MITRE ATT&CK Framework to its fullest potential. These barriers include:

• Interoperability. One study found that the greatest challenge with ATT&CK framework implementation is its lack of interoperability with security products. Very few cybersecurity products integrate with or map to the framework out of the box.
• Detection. Some security products may be unable to detect all the techniques, sub-techniques, or procedures listed in the framework. In fact, the same study above found that less than half of respondents felt highly confident in their security product’s ability to detect the adversary tactics and techniques in each matrix.
• Complexity. The framework is extensive, and it takes time and effort to implement. This reality can put implementation out of reach for smaller businesses that lack the necessary resources and larger businesses faced with competing priorities.

How to use the MITRE ATT&CK Framework

To implement the MITRE ATT&CK Framework effectively, you'll need to integrate it with your other cybersecurity tools.

Thankfully, it's becoming an industry standard for cybersecurity vendors to leverage the MITRE ATT&CK Framework in their threat detection and blocking capabilities.

In fact, Covalence’s automated monitoring is designed to confidently detect tactics outlined in the framework and is routinely updated to reflect the latest techniques and indicators of compromise.

Beyond threat detection, the framework can also be used for:

1. Red teaming, where your team plays the role of the attacker and tries to infiltrate your system. This allows you to evaluate your team’s ability to defend against specific ATPs or threat actor techniques. 
2. Identifying security gaps, where you assess your current cybersecurity posture to identify gaps for remediation. This also helps to guide future investment as aligning the gaps to the framework makes it easier to prioritize your efforts.
3. Assessing SOC maturity, where you determine how efficiently your SOC can detect and respond to a threat; similar to a defensive gap assessment. 
4. Developing behavioral analytics, where you link and analyze suspicious activity to check if it's malicious.

The MITRE ATT&CK Framework is particularly helpful for anticipating threat actors' behaviours to prevent attacks before they occur, giving you a reference point from which you can reduce your vulnerabilities. 

Strengthen your defense today

The MITRE ATT&CK Framework started as a research project and has been expanding its scope ever since. It lets you think like a cybercriminal so that you can meet a threat head-on and gives you a common language to describe the landscape you face.

If you want to learn more about how Covalence protects your business at every stage of an attack, schedule a demo today.