The MITRE ATT&CK framework (Adversarial Tactics, Techniques, and Common Knowledge) is a particularly comprehensive and widely used cyber security model for the description of cyber threats and attack methods. It categorises the tactics (high-level attack objectives) and techniques (specific methods) that cybercriminals use at different stages of an attack.
Compared to the concept of the Cyber Kill Chain, which depicts the typical progression of a cyber-attack in seven phases, the MITRE ATT&CK Framework provides a much more detailed analysis of each phase of an attack and the specific techniques that can be used in each phase.
What is the MITRE ATT&CK Framework?
Developed by the non-profit MITRE Corporation, the framework provides security analysts and organisations with a systematic and structured way to classify, analyse, and defend against cyber-attacks. It was developed in 2010 in response to the need to systematically categorise and document the behaviour of cyber-attacks. [1]
The MITRE ATT&CK framework is publicly available and is continually developed and updated to reflect new threats and attack techniques. It visualises the different phases of an attack in the form of a matrix, with each phase represented as a ‘tactic’ – from initial reconnaissance to data exfiltration. Each of these tactics contains specific ‘techniques’ that attackers use to achieve their goals at each stage.
Threat models for enterprise, mobile and ICS
The MITRE ATT&CK framework focuses on three technical areas to address a range of scenarios:
- Threat analysis and identification: In practice, threat intelligence platforms and endpoint detection and response (EDR) systems are primarily used for threat analysis and detection. These tools can help security analysts categorise attacks and identify threats based on real attack techniques and correlate them with over 152 documented criminal groups. Threat intelligence is collected, analysed and structured based on the framework to accurately track attacks and predict the attackers’ next steps.
- Detection and response testing: Detection and response tests are typically conducted using Security Information and Event Management (SIEM) systems, which collect and analyse log data from a variety of sources. These systems correlate security-related events with attack techniques from the MITRE ATT&CK framework to identify defensive weaknesses and test the effectiveness of existing detection systems. Security Orchestration, Automation, and Response (SOAR) platforms support the automation of response processes by creating automated defence playbooks based on the framework.
- Red Teaming and Penetration Testing: The framework provides a structured basis for red teaming activities and penetration testing by simulating the real-world attack techniques it describes. Organisations can test their IT infrastructure for vulnerabilities and validate the effectiveness of their security measures.
- Threat Information Sharing: Threat intelligence sharing is facilitated by the standardised terminology of the ATT&CK framework, which is built into most threat intelligence platforms and SIEM systems. These tools promote the sharing of up-to-date threat information between organisations by providing threat data in a common language and improving collaboration in the cyber security industry.
In addition to these practical application areas, the MITRE ATT&CK Framework provides a comprehensive database of additional relevant information. This includes information on cybercriminal groups and their attack techniques, definitions of data sources for correlating security events, assets and defence options for various attack scenarios, and references to software packages used and their possible defences. To date, around 30 criminal campaigns have been documented to help security professionals monitor the activities of threat actors.
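The detection-and-response use case above (correlating log events with ATT&CK techniques and finding tactics with no coverage) as an added, constructed example that is not part of the original article: the log lines, host names and regex rules are invented for illustration, while the technique IDs (T1059, T1053, T1110) and tactic names are real ATT&CK enterprise entries.

```python
"""Toy SIEM-style correlation of log lines with MITRE ATT&CK techniques.
Constructed example: log lines, host names and regex rules are invented;
the technique IDs and tactic names are real ATT&CK enterprise entries."""
import re
from collections import Counter

# Tactics we want evidence for, named as in the ATT&CK enterprise matrix.
TACTICS = ["Initial Access", "Execution", "Persistence", "Credential Access", "Exfiltration"]

# Single-event rules: (pattern, technique ID, technique name, tactic).
# The patterns are constructed for this toy, not production detection content.
RULES = [
    (re.compile(r"powershell\.exe .*-enc\b"), "T1059", "Command and Scripting Interpreter", "Execution"),
    (re.compile(r"schtasks .*/create"), "T1053", "Scheduled Task/Job", "Persistence"),
]
# Brute force (T1110) is a threshold rule: a single failed login is not evidence.
FAILED_LOGIN = re.compile(r"sshd.*Failed password for (\S+) from (\S+)")
BRUTE_FORCE_THRESHOLD = 5

# Constructed log lines: five failures, then a login, a PowerShell launch and a task.
SAMPLE_LOG = ["host1 sshd[211]: Failed password for admin from 10.0.0.5 port 51000"] * 5 + [
    "host1 sshd[212]: Accepted password for admin from 10.0.0.5 port 51010",
    "host1 proc: powershell.exe -nop -w hidden -enc AAAA",
    "host1 proc: schtasks /create /tn Updater /tr C:\\tmp\\u.exe",
]


def correlate(lines):
    """Return (technique_id, tactic, evidence) hits for the given log lines."""
    hits = []
    failures = Counter()  # (user, source) -> failed login count
    for line in lines:
        for pattern, tid, _name, tactic in RULES:
            if pattern.search(line):
                hits.append((tid, tactic, line))
        m = FAILED_LOGIN.search(line)
        if m:
            key = (m.group(1), m.group(2))
            failures[key] += 1
            if failures[key] == BRUTE_FORCE_THRESHOLD:  # fire once per (user, source)
                hits.append(("T1110", "Credential Access",
                             f"{failures[key]} failed logins for {key[0]} from {key[1]}"))
    return hits


def coverage_gaps(hits, tactics=TACTICS):
    """Tactics with no observed technique: where detection is missing or untested."""
    seen = {tactic for _, tactic, _ in hits}
    return [t for t in tactics if t not in seen]
```

Running `coverage_gaps(correlate(SAMPLE_LOG))` reports Initial Access and Exfiltration, the two tactics for which this rule set has no detection at all, which is exactly the kind of defensive weakness the framework mapping is meant to expose.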
MITRE ATT&CK Evaluations
MITRE’s ATT&CK evaluations use the framework to measure the effectiveness of security solutions based on the tactics and techniques described in the framework. Products such as endpoint detection and response (EDR) solutions are tested by running realistic attack scenarios based on the techniques described in the framework. This tests how well a solution detects, reports and responds to these attacks.
The goal of these tests, conducted by the MITRE Corporation, is to provide a neutral and independent evaluation of security solutions based on standardised attack methods. They provide an objective comparison of the performance of participating security products. The evaluations also help security vendors identify weaknesses in their products and make targeted improvements.
[1] https://attack.mitre.org/docs/ATTACK_Design_and_Philosophy_March_2020.pdf