What is the MITRE ATT&CK Framework?
In 2013, MITRE created the MITRE ATT&CK framework to record attackers' tactics and techniques based on real-world observations. The framework is designed to be more than just a collection of facts; it is intended to be used as a tool to improve an organization's overall security. MITRE created ATT&CK as a methodology to describe and track the numerous tactics attackers employ to enter a network and exfiltrate data at the various phases of a cyberattack. ATT&CK is an acronym for Adversarial Tactics, Techniques, and Common Knowledge. The framework is a matrix of cyberattack techniques organized by tactic.
MITRE ATT&CK Matrices
The MITRE ATT&CK framework has three matrices:

| ATT&CK for Enterprise | ATT&CK for Mobile | Pre-ATT&CK |
|---|---|---|
| ● Focuses on hostile behavior on Windows, Mac, Linux, and cloud systems. ● Emphasizes network defensive strategy by describing the tactics, techniques, and procedures (TTPs) attackers use once inside the network. | ● Focuses on malicious behavior on the iOS and Android operating systems. ● Includes "network-based effects," that is, attack methods that can be carried out without direct access to the device. | ● Focuses on adversarial behavior that occurs "pre-exploit." ● Helps security teams understand how attackers conduct reconnaissance and choose their point of entry, so that they can accurately monitor and identify attacker activity outside the confines of the corporate network. |
Core components of the ATT&CK Framework
● MITRE ATT&CK Tactics
The core components of the ATT&CK framework are tactics, techniques, and sub-techniques. The MITRE ATT&CK matrix contains a collection of methods adversaries use to reach a goal. In the ATT&CK matrix, these goals are classified as tactics. The following adversary tactics are classified in the most comprehensive edition of ATT&CK for Enterprise, which encompasses Windows, macOS, Linux, AWS, GCP, Azure, Azure AD, Office 365, SaaS, and Network environments:
● MITRE ATT&CK Techniques
A technique describes one specific approach an adversary could attempt in order to achieve a tactic's goal. Each tactic category contains many techniques, and techniques can be further broken down into sub-techniques. MITRE ATT&CK currently recognizes 185 enterprise techniques and 367 sub-techniques.
● MITRE ATT&CK Procedures
Procedures are detailed descriptions of how a specific adversary has carried out a technique to reach its objective. They also represent the "common knowledge" (CK) part of ATT&CK.
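The hierarchy described above (tactic, technique, sub-technique) is what makes ATT&CK usable as a measurement tool rather than a list of facts. The following added example, which is not MITRE's code and uses a small constructed subset of ATT&CK for Enterprise entries (the IDs and names are real ATT&CK identifiers; the detection inventory is made up), models that hierarchy and computes per-tactic detection coverage, rolling a sub-technique detection up to its parent technique:

```python
"""Minimal model of the ATT&CK hierarchy (tactic -> technique -> sub-technique)
used to measure detection coverage per tactic. Added example, not MITRE's own
code or data loader."""
from collections import defaultdict

# Constructed subset of ATT&CK for Enterprise: (technique id, name, tactics).
# A technique can sit in several tactic columns, and a sub-technique id is the
# parent id followed by ".NNN" (e.g. T1059.001 is a sub-technique of T1059).
TECHNIQUES = [
    ("T1059", "Command and Scripting Interpreter", ["execution"]),
    ("T1059.001", "PowerShell", ["execution"]),
    ("T1059.003", "Windows Command Shell", ["execution"]),
    ("T1078", "Valid Accounts",
     ["defense-evasion", "persistence", "privilege-escalation", "initial-access"]),
    ("T1041", "Exfiltration Over C2 Channel", ["exfiltration"]),
]

def parent_id(tech_id: str) -> str:
    """T1059.001 -> T1059; a parent technique id maps to itself."""
    return tech_id.split(".")[0]

def build_matrix(entries):
    """Return {tactic: {parent technique ids}}, i.e. the matrix columns."""
    matrix = defaultdict(set)
    for tech_id, _name, tactics in entries:
        for tactic in tactics:
            matrix[tactic].add(parent_id(tech_id))
    return matrix

def coverage_by_tactic(entries, detected_ids):
    """Fraction of each tactic's techniques that have at least one detection.
    A detection tagged with a sub-technique counts toward its parent, so a
    PowerShell (T1059.001) rule covers T1059 in the execution column.
    Unknown ids are rejected rather than silently ignored."""
    known = {tech_id for tech_id, _, _ in entries}
    unknown = set(detected_ids) - known
    if unknown:
        raise ValueError(f"detections reference unknown technique ids: {sorted(unknown)}")
    covered_parents = {parent_id(d) for d in detected_ids}
    matrix = build_matrix(entries)
    return {tactic: len(techs & covered_parents) / len(techs)
            for tactic, techs in sorted(matrix.items())}

if __name__ == "__main__":
    # Constructed detection inventory: rule name -> technique id it detects.
    detections = {"ps-scriptblock-logging": "T1059.001", "c2-exfil-volume": "T1041"}
    for tactic, frac in coverage_by_tactic(TECHNIQUES, list(detections.values())).items():
        print(f"{tactic:22s} {frac:.0%}")
```

With the two constructed rules, execution and exfiltration show 100% coverage while the four tactics that only contain Valid Accounts show 0%, which is the kind of gap the framework is meant to surface.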
MITRE ATT&CK vs. the Cyber Kill Chain
In general, both models follow the same pattern: get in, don't get discovered, and steal things. Both describe the behaviors an attacker goes through to achieve their goal. The major difference between MITRE ATT&CK and the Cyber Kill Chain is that in MITRE ATT&CK an attack chain has ten steps, whereas the Cyber Kill Chain uses seven steps to identify an attack.
MITRE ATT&CK's Uses
The MITRE ATT&CK framework can aid a company in a variety of ways. The following are some of the general advantages of using the MITRE ATT&CK framework:
MITRE ATT&CK with InfosecTrain
For individuals who want to improve their expertise in cybersecurity, InfosecTrain offers a MITRE ATT&CK training course that teaches how to use the framework to counter the techniques behind different cybersecurity threats.