Your Guide to MITRE ATT&CK Framework

Cybersecurity has become a routine activity for the majority of companies. Cyberattacks no longer generate the shock and horror they once did. They’re now just par for the course. Despite this natural development, the volume and severity continue to expand, bringing requirements for further cyber protection.

But cyberattacks don’t just target businesses. 60% of American households have experienced at least one cyberattack. 75% of small businesses have fallen foul of nefarious cyber criminals. In 2020, the global cybersecurity market was valued at $156.24 billion. In 2021, it was valued at $217.87 billion. Company managers are increasingly concerned with cyber vulnerabilities linked to their employees’ activity. 

The following article describes the MITRE ATT&CK framework, which has become one of the most successful defense against cybercrime today.

What is the MITRE ATT&CK framework?

In 2015, the MITRE Corporation, a US-government-funded research organization based in Bedford, MA, and McLean, VA, launched a framework to enhance internet cybersecurity. The company was initially established by the Massachusetts Institute of Technology (MIT) in 1958. It participated in various business projects for several organizations, including developing the AWACS airborne radar system. However, MITRE is not actually an acronym, and it has nothing to do with MIT. The name was created by James McCormack, an early board member of the organization, who thought the name provided a certain gravitas.

The framework was catchily-termed the MITRE ATT&CK, and its name is formed from the initial letters of Adversarial Tactics, Techniques, and Common Knowledge. Its objective was to identify, describe, and categorize the growing list of cyberattacks and enterprise network intrusions. It is a cybersecurity knowledge base of cyberattack tactics and techniques, all taken from events worldwide. Its purpose is to establish a common cybersecurity terminology while fortifying defenses again future cyber assaults.

The “CK” in ATT&CK means Common Knowledge. This refers to the recorded list of tactics and techniques employed by cybercriminals. CK refers to the list of procedures deployed by the framework. A similar cybersecurity term is “Tactics, Techniques, and Procedures,” or TTP. However, the use of CK to complete the acronym was selected for obvious reasons.

Company managers are increasingly aware of the requirement to train their staff on the potential risks of cyberattacks. 

ATT&CK covers a range of computer platforms and technologies from Windows and macOS, as well as on-premise and cloud networks that include Infrastructure as a Service (IaaS) and Software as a Service (SaaS). The framework also contains references to Office 365, Azure’s Active Directory, Google Workspace, and mobile devices operating on the Android and iOS platforms.

MITRE ATT&CK Techniques, Sub-techniques, and Procedures

The MITRE ATT&CK framework comprises a series of cyberattack matrices including:

• Pre-ATT&CK Matrix: Involves identification of the reconnaissance and weaponization stages of a cyberattack
• Enterprise Matrix: Covers cyberattack lifestyle beyond the identification stage
• Mobile: Same as the Enterprise Matrix, but for Mobile devices
• ICS: Relates to methods used by cybercriminals attempting to access networks that contain Industrial Control System (ICS) mechanisms

Beyond these initial stages, ATT&CK then breaks its analysis into Tactics, Techniques, and Procedures.

• Tactics: At this stage, ATT&CK outlines the goals of a specific cyberattack. Pre-attack matrix tactics differ significantly from the Enterprise, Mobile, and ICS matrices as they focus on a separate segment of the cyberattack life cycle.
• Techniques, Sub-techniques, and Procedures: Further levels of cyberattack analysis:
• Techniques: Define the method used by the cybercriminal to achieve a particular goal
• Sub-technique: On occasion, a technique may be sub-divided into sub-elements
• Procedures: Specific tools used in a cyberattack, including malware and threat actors.

How do you use the MITRE ATT&CK matrix?

The MITRE ATT&CK matrix is an array of procedures used by cybercriminals to access and compromise enterprise computer networks. Each procedure is defined as a specific “tactic” in the matrix. 

The pathways are aligned from the point of reconnaissance through identification and final exfiltration. A sample section of the matrix looks like this:

Figure 2. MITRE ATT&CK Matrix – Section

The MITRE ATT&CK Matrix enables an enterprise to fortify its cybersecurity efforts in several ways. These include:

• Red/Blue Teaming: The platform enables an enterprise to simulate attacks on its cyber defenses from both the attack (red) and defense (blue) perspectives.
• Analytics: Tools supplied by ATT&CK that provide collated and compiled data representing cyber vulnerabilities in an enterprise’s defenses.
• Gap Analysis: Robust analysis of areas of defensive gaps in an enterprise’s security protection.
• Adversary Emulation: Load data on adversaries into the platform to emulate specific attacks on an enterprise’s network.
• Cyberthreat Defense Enhancement: An enterprise can deploy a range of techniques to determine its lines of defense against cyberattacks from Advanced Persistent Threats (ATPs).
• SOC Assessment: Assessment of the effectiveness of an enterprise’s Security Operations Center (SOC) in managing cybersecurity threats and breaches. For more information on how to strengthen your SOC capabilities.

The Enterprise ATT&CK matrix currently contains 191 techniques and 385 sub-techniques. Each technique is provided with a 4-digit code—for example, “T002” refers to “Bypass User Account Control.”

These techniques illustrate how cybercriminals behave, such as the data they target and the hacking software they use. The framework also identifies which technologies cyber intruders deploy and the type of activities they regularly engage in.

The MITRE ATT&CK matrix can also be deployed for cloud networks in its ATT&CK for Cloud Matrix. The matrix includes elements of the broader enterprise matrix. Each matrix manages its own environment as on-premise networks are qualitatively different to networks hosted in the cloud. Standard local cyberattacks attack software and infrastructure maintained on the target organization’s premises. Cloud attacks will be focused on servers hosted by cloud service companies such as Amazon’s AWS, Google’s Cloud, and Microsoft’s Azure and Office 365.

Figure 3. MITRE Matrix for Cloud

How does MITRE ATT&CK compare to Lockheed Martin’s Cyber Kill Chain?

Lockheed Martin’s Cyber Kill Chain is a competitive system to the MITRE ATT&CK platform. While they may look similar in structure, Cyber Kill Chain operates on a seven-step procedure involving the following steps:

• Reconnaissance
• Weaponization
• Delivery
• Exploitation
• Installation
• Command and control
• Actions on objectives

While the Enterprise ATT&CK matrix contains the following 14 tactics:

• Reconnaissance
• Resource Development
• Initial Access
• Execution
• Persistence
• Privilege Escalation
• Defense Evasion
• Credential Access
• Discovery
• Lateral Movement
• Command & Control
• Collection
• Exfiltration
• Impact

While each system is focused on the same overall process, the MITRE ATT&CK framework breaks its identified tactics down into greater detail. ATT&CK also specifies the techniques used in each tactic, while the Lockheed platform does not.

Increase awareness of cybersecurity threats and attack vectors with effective cyber awareness training

With each new cyberattack that hits the headlines, it may seem that cybercriminals have the upper hand. Recent technologies simply provide them with challenges that they will inevitably circumvent. 

However, the real picture is that there is change underway. Even home computer users are now aware of the risks of clicking on unusual links or responding to strange emails. With the dramatic rise of cybercrime, there has been an equivalent rise in awareness among individuals and enterprises. The battle against cybercrime is underway, and criminals can be beaten.

The MITRE ATT&CK framework provides a robust defense against future cybercrime. Along with the rapid pace of employee anti-cybercrime training, the criminals are running scared. Traditional pathways that they have used in the past no longer provide the rewards they once did.

CybeReady is devoted to raising company employee knowledge of cybercrime. Our mission is to make cybersecurity awareness easy, accessible, and effective for your enterprise. Using modern teaching methods combined with data science and automation, we can enable your organization to stay safe and embrace success.