Who is MITRE?
MITRE is a non-profit research and development organization that works across industry verticals, academia, and federal, state, and local governments. In 2013, the organization set out to document common tactics, techniques, and procedures (TTPs) as part of one of its research projects.
What is MITRE ATT&CK Framework?
MITRE ATT&CK is an open-source framework that builds on the TTP knowledge base so cybersecurity teams can identify risks and prioritize mitigation activities. MITRE ATT&CK offers a matrix for tactics and techniques across:
- Enterprise
- Mobile
- Industrial control systems
In this blog, we’re focusing on the Enterprise matrix.
MITRE Tactics
Tactics are the reason an adversary wants to take a specific action. As malicious actors try to attack organizations, MITRE ATT&CK outlines the following tactics in its Enterprise section:
- Reconnaissance: Gathering information
- Resource Development: Establishing resources to support operations
- Initial Access: Getting into networks
- Execution: Running malicious code
- Persistence: Maintaining the foothold
- Privilege escalation: Gaining more access with higher-level permissions
- Defense evasion: Hiding in system to avoid detection
- Credential access: Stealing account names and passwords
- Discovery: Learning more about the environment
- Lateral movement: Moving through the environment
- Collection: Gathering data helps achieve end goal
- Command and control: Communicating with compromised systems to control them
- Exfiltration: Stealing data
- Impact: Manipulating, interrupting, or destroying systems and data
While these may look like actions, they are really the outcomes of the various techniques that threat actors use.
MITRE ATT&CK Techniques
The techniques are the technical actions that threat actors use to achieve their desired outcomes. In other words, while tactics are the why, techniques are the how.
ATT&CK outlines 188 techniques and 379 sub-techniques, all aligned to different tactics. For example, under the Enterprise tactic Reconnaissance, ATT&CK lists the following 10 techniques:
1. Active scanning: Probing infrastructure via network traffic
2. Gather victim host information: Learning about hosts to gain details like administrative data or configuration information
3. Gather victim identity information: Learning about identities like email addresses or credentials
4. Gather victim network information: Obtaining information about networks like administrative data, topology, or operations
5. Gather victim org information: finding out information about details like division or department names, business operations, or key employee roles and responsibilities
6. Phishing for information: Tricking targets into providing information, like credentials
7. Search closed sources: Using information from paid or unpaid threat intelligence sources including databases, the dark web, or cybercrime black markets
8. Search open technical databases: Obtaining information from online databases and repositories, like domain or certificate registrations
9. Search open websites/domains: Locating information online, like with social media, news sites, or hiring/contract sites
10. Search victim-owned websites: Gaining information about organizational structures through the company’s website
MITRE ATT&CK Mitigations
Finally, ATT&CK suggests preventive security strategies and types of tools that can help prevent a technique or sub-technique from successfully achieving the goal. It provides 43 Enterprise Mitigations and 13 Mobile Mitigations.
Under each of the different primary techniques, ATT&CK lists a series of sub-techniques which lists specific tools or strategies threat actors use as part of their attacks. For example, Account Use Policies can be used to mitigate the following sub-techniques that fall under T1110 Technique Brute Force:
- Password Guessing
- Password Spraying
- Credential Stuffing
MITRE ATT&CK Pre-compromise Mitigations
This category applies specifically to the Reconnaissance and Resource Development techniques. Since threat actors use these techniques prior to gaining access, they are more difficult to prevent. Detection capabilities focus on understanding “normal,” or baseline, behaviors within an environment and looking for abnormal activities.
Since the Reconnaissance and Resource Development tactics rarely engage actively with an organization’s environment, putting mitigations in place are more difficult.
For example, to mitigate the risks associated with Active Scanning, MITRE ATT&CK notes that efforts should focus on minimizing the amount and sensitivity of data available to external parties.
What is MITRE ATT&CK Mapping?
ATT&CK offers several different matrices that can help an organization map its security controls to the different tactics and techniques.
The ATT&CK matrices outline the different techniques and sub-techniques, organized by technology type. For example, under the Execution technique, it lists Command and Scripting Interpreter sub-techniques unique to Windows, MacOS, and Linux.
How is MITRE ATT&CK Useful?
To elevate proactive threat mitigation strategies, organizations turn to MITRE ATT&CK, a powerful framework that reveals their environments through the eyes of threat actors. Its adaptability makes it indispensable for a wide range of use cases.
Threat hunting
Threat hunters use ATT&CK to act like malicious actors when trying to find exploitable gaps in an organization’s defenses. They can align their plans to achieve specific goals, then follow the ATT&CK mapping of techniques to try to achieve them.
Some threat actors have “signatures,” a specific set of TTPs used as part of their attacks. If organizations are aligning their threat hunting capabilities to ATT&CK, they can also use the matrices to help test against known Indicators of Compromise (IoC) and reduce weaknesses in their defensive controls.
Security tool optimization
Organizations that run Red Team or Purple Team exercises can use the ATT&CK matrices to understand how well their security tools detect abnormal activity. This allows them to fine-tune their tools for better alerting and more robust security.
Detection and investigation
Security operations centers (SOCs) and incident response teams use the ATT&CK mapping as a way to investigate incidents more rapidly. A detection can tell them what activity occurred. By following the series of steps set out in the ATT&CK mappings, they can more rapidly investigate the incident, reducing key metrics like Mean Time to Respond (MTTR) and Mean Time to Contain (MTTC).
Alert Logic MDR Mapped to MITRE ATT&CK
Fortra’s Alert Logic MDR solution rapidly detects and responds to threats both left and right of boom. Our comprehensive coverage ingests data from on-premises, multi-cloud, and hybrid environments. We use MITRE ATT&CK across our analytics, incident classification, dashboards, and reporting providing a familiar taxonomy which helps security teams make decisions regarding threat management.
See for yourself how we utilize MITRE ATT&CK by scheduling a live demo.
