MITRE ATT&CK - definition & overview

MITRE ATT&CK, MITRE ATTCK, MITRE ATTCK framework, ATTCK matrix or simply ATT&CK, is a knowledge base, framework and methodology developed by MITRE Corporation to describe the tactics techniques and procedures (TTPs) that adversaries use in cyberattacks. ATT&CK stands for adversarial tactics, techniques and common knowledge. It provides a structured and comprehensive way to understand and categorize the behavior of cyber adversaries during different phases of the cyber kill chain.

The MITRE ATT&CK framework is primarily designed to help cybersecurity professionals understand, categorize and respond to cyber threats and attacks for a threat-informed defense. Security teams use it for:

Cyber threat intelligence: ATT&CK provides a structured and detailed taxonomy of adversary TTPs that helps security teams develop countermeasures and defenses against threat actors.

Threat detection and analysis: Security professionals can use ATT&CK to more effectively identify signs of malicious activity in their networks and systems.

Cybersecurity planning and preparedness: ATT&CK is a standardized way to assess an organization's security posture so security teams can identify potential gaps in their defenses and develop strategies to mitigate risks.

Red and blue teaming: Red teaming involves simulating attacks to test an organization's defenses, while blue teaming focuses on defense and incident response. ATT&CK can be used to create realistic scenarios for both exercises, allowing organizations to practice and improve their security practices.

Security product evaluation: Organizations can use the framework to compare the coverage of security solutions against ATT&CK techniques.

Incident response and investigation: During and after security incidents, the framework can assist in understanding the attack's scope, identifying the attacker's TTPs and planning an effective response for reinforced cloud security.

Compliance and regulation: ATT&CK can help organizations align with regulatory requirements and industry standards. Organizations can improve their compliance efforts by demonstrating an understanding of adversary tactics and countermeasures.

Overall, MITRE ATT&CK is an essential resource for organizations aiming to strengthen their cybersecurity posture and resilience. Be aware that MITRE continually updates and expands the framework with new procedures and examples as it collects and analyzes data on real-world cyber threats.

Common Knowledge in the MITRE ATT&CK framework refers to a set of foundational concepts and information that serves as the basis for understanding the framework's structure and content. It includes essential information about how the framework is organized, the terminology used and the key elements that make up the framework. Common Knowledge is designed to help users navigate the framework and make sense of its various components. Common Knowledge concepts of the MITRE ATT&CK framework include the following:

Tactics: high-level objectives that adversaries aim to achieve during an attack. Examples of tactics include initial access, execution, persistence, privilege escalation and defense evasion.

Techniques: specific methods or procedures that adversaries use to accomplish the tactics. For example, the execution tactic comprises various techniques, such as Command-Line interface, scripting and execution through API.

Procedures: examples of how adversaries have applied a specific technique in specific situations. The MITRE ATT&CK framework does not document specific procedures for every technique.

Data sources: the awareness that different techniques and tactics leave traces of their activity in various data sources that can be used to develop detection strategies.

Mitigations: knowledge of countermeasures organizations can implement to defend against specific techniques.

Data model: how information is structured in ATT&CK, including relationships between TTPs.

Common Knowledge makes it easier for your security operations center (SOC) to apply the framework to threat detection, incident response and security planning. However, tactics and techniques vary based on an organization's specific platforms and environments.

The enterprise matrix is a fundamental component of the MITRE ATT&CK framework. It is a visual representation of adversarial behavior during cyberattacks. The matrix is organized in a tabular format, providing a structured way to understand and categorize known adversary behavior. Each cell in the matrix contains information about the relationships between tactics and techniques.

You can visit the official MITRE ATT&CK website to see the ATT&CK matrix, which includes the most up-to-date information on the specific techniques within the MITRE ATT&CK framework, their descriptions and any updates or additions made to the framework itself.

The MITRE ATT&CK for Cloud Matrix is an extension of the original MITRE ATT&CK framework that provides a detailed and structured understanding of the TTPs that adversaries may use within cloud environments, such as Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP) and other cloud service providers.

This matrix makes clear which aspects of security are the responsibility of the cloud service provider and which are the responsibility of the cloud customer. By outlining the data sources and logs that are relevant for detecting cloud-specific tactics and techniques, this matrix helps organizations understand which sources of data are crucial for threat hunting, threat detection and incident response in cloud environments.

Just like the original framework, MITRE ATT&CK for Cloud evolves to reflect changes in cloud technology, threat landscape and the emergence of new tactics and techniques.

The MITRE Engenuity ATT&CK evaluations, often referred to as simply ATT&CK evaluations, are a series of independent, third-party assessments conducted by MITRE Engenuity, a nonprofit organization distinct from MITRE Corporation. These evaluations aim to assess the effectiveness of various cybersecurity products and solutions in detecting and mitigating real-world adversary tactics and techniques, as outlined in the MITRE ATT&CK framework. The evaluations use real-world attack scenarios, tactics and techniques to assess the capabilities of cybersecurity products and solutions and evolve over time as threats change.

MITRE Engenuity ATT&CK Evaluations are vendor-neutral, meaning they do not endorse or promote specific security products. They provide objective assessments of how well products perform against known adversary behaviors, covering a wide range of product categories that include endpoint detection and response (EDR), network security and email security. The results of the evaluations are publicly available to the cybersecurity community, so organizations can make informed decisions about the effectiveness of security solutions.

The MITRE ATT&CK framework is especially relevant for vulnerability management, helping with the following security operations (SecOps) functions:

• Vulnerability assessments to identify potential vulnerabilities and attack vectors that adversaries might exploit.

• Vulnerability prioritization and incident response based on potential impact and the attack vectors, tactics and techniques used by adversaries.

• Risk assessments to gauge the potential consequences and the urgency of addressing them.

• Patch management and other security controls to address those vulnerabilities that could lead to the most critical consequences

• Develop custom detection rules and alerts to identify potential exploit attempts and post-exploitation activities related to known vulnerabilities.

• Reporting vulnerabilities to executive leadership or other stakeholders using MITRE ATT&CK to explain how vulnerabilities align with adversary tactics and objectives and convey the importance of mitigation.

MITRE's vast repository is foundational for developing Sumo Logic’s Cloud SIEM content. To maintain a clear overview of our coverage and real-world technique utilization, all our rules are meticulously aligned with MITRE. Our approach identifies the techniques that require enriched coverage based on the available log data and which techniques adversaries commonly deploy.

More specifically, the MITRE ATT&CK™ Coverage Explorer by Sumo Logic is a strategic cybersecurity tool that provides a comprehensive view of adversary TTPs covered by rules in our Cloud SIEM system. By mapping your detection capabilities to this matrix, you can identify areas of strength, uncover gaps in your defenses and prioritize enhancements based on the evolving threat landscape. Explore best practices for making the most of SIEM.

Learn more in our ultimate guide to SIEM.