The MITRE ATT&CK (pronounced "miter attack") framework is a free, globally accessible framework that provides comprehensive and up-to-date cyberthreat information to organizations looking to strengthen their cybersecurity strategies. The acronym ATT&CK stands for Adversarial Tactics, Techniques and Common Knowledge, and these are what the framework and accompanying ATT&CK knowledge base consist of.
Businesses can use the framework to evaluate their security methods, and cybersecurity vendors can use it to vet their products and services. The framework evaluation criteria are specific to each organization using it and focus on the details of their specific cybersecurity approach. The results of the evaluations are, therefore, noncompetitive; organizations cannot use results to gain a business advantage over other organizations that have been evaluated.
The framework and knowledge base were created and are curated by MITRE, a not-for-profit security research organization. The knowledge base is an ongoing project. It contains analyses based on real-world events that organizations can reference when developing threat models and methodologies, and it grows as organizations contribute their knowledge of cyberthreats to the knowledge base. The framework is informed by the knowledge base. MITRE aims to foster a stronger overall cybersecurity community with these free offerings.
Two broad use cases for the framework are penetration testing (pen testing) and cybersecurity service evaluation. In pen testing, organizations designate a red team -- much like MITRE did in its Fort Meade eXperiment (FMX) research project -- to simulate attacker behavior and find vulnerabilities. Pen testers can use the framework to learn how to accurately simulate those behaviors so that they can eventually develop accurate defenses.
Cybersecurity vendors can also use MITRE's evaluations to determine the strength of their products and services. The evaluations provide objective insights into the use of specific commercial security products, offer a transparent analysis of a given product's capabilities and strengthen the cybersecurity community as a whole by strengthening vendors that develop products responsible for customer security across many industries.
Benefits of the MITRE ATT&CK framework
The broad benefits of the framework include the following:
- A more concrete account of adversarial behaviors.
- An account of not just threat indicators, but threat groups as well. Businesses can use the framework not only to detect behaviors, but also to make educated guesses about who is performing them and to track behaviors across different attacker groups. The ATT&CK website features group-based information.
- Wide use and trust across many industries.
- A communal approach to threat reporting that ensures information is up to date and checked by the public, as well as by MITRE.
Using the framework, a business can do the following:
- associate attack behavior with different groups;
- pen test its network;
- find vulnerabilities in its network and map ATT&CK methodologies to threats;
- discover network misconfigurations;
- share its cybersecurity knowledge with the broader community; and
- standardize disparate security tools and techniques to create a more cohesive security strategy.
How to use MITRE ATT&CK
There are a number of ways an organization can use MITRE ATT&CK to strengthen its cybersecurity strategies, including the following:
- Stay informed on attacker tactics and techniques using the threat matrix.
- Learn mitigation strategies post-attack.
- Learn how to prep a network pre-attack.
- Share observations to improve the overall community understanding.
- Evaluate cybersecurity products and services using MITRE's noncompetitive evaluation methodologies, of which it offers a variety. This feature is mainly for cybersecurity vendors.
All of these resources are freely available on the ATT&CK website, and more information is available by contacting MITRE directly.
Tactics and techniques
Tactics and techniques are MITRE's two different ways of categorizing adversarial behavior. By MITRE's definition, a technique describes how adversaries achieve their objective and, sometimes, what they gain from achieving that objective. A tactic describes the objective of the attack, or why it is performed.
Techniques show the information that attackers are after and the way they go about getting it. Tactics explain why they want it.
Multiple techniques can be used to achieve a tactical objective.
ATT&CK Enterprise Matrix
The ATT&CK Enterprise Matrix is a visualization of the relationship between attacker tactics and attacker techniques. It's essentially a large table, or matrix, available on the MITRE ATT&CK website. Each tactic or technique is clickable and leads to more detailed explanations of the term. Using this matrix, an organization can pinpoint the exact adversarial behavior it wants to learn more about for defense purposes, thanks to MITRE's use of consistent terminology to categorize threats.
Because multiple techniques can be used to achieve a given outcome, the Enterprise Matrix has multiple techniques in each tactic category.
The tactics are listed on the x-axis and the techniques on the y-axis.
One example combination is the following:
- Tactic = initial access. The goal of the attacker with this tactic is to gain access to the network.
- Techniques = drive-by compromise, spear-phishing link and trusted relationship, among others. The matrix lists all the known ways that an attacker can gain initial access.
The user can click any of the techniques under the initial access category to learn how an attacker would use it to gain initial access.
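The tactic-to-technique relationship described above can also be used as a lookup table for checking which techniques an organization's detections cover. The following is an added example, not code from MITRE or from this article: the technique and tactic IDs are the public ATT&CK identifiers for the names used above, while the matrix slice, the rule names and the invalid `T9999` tag are constructed for illustration. It goes slightly beyond the article's example by including Valid Accounts, a technique that ATT&CK lists under more than one tactic.

```python
from collections import defaultdict

# Constructed slice of the Enterprise Matrix: tactic ID -> (name, techniques under it)
MATRIX = {
    "TA0001": ("Initial Access", ["T1189", "T1566.002", "T1199", "T1078"]),
    "TA0003": ("Persistence", ["T1078", "T1053"]),
}
TECHNIQUE_NAMES = {
    "T1189": "Drive-by Compromise",
    "T1566.002": "Spearphishing Link",
    "T1199": "Trusted Relationship",
    "T1078": "Valid Accounts",        # appears under both tactics above
    "T1053": "Scheduled Task/Job",
}
# Hypothetical in-house detection rules, each tagged with the technique it targets
DETECTIONS = [
    {"rule": "proxy-exploit-kit-landing", "technique": "T1189"},
    {"rule": "mail-url-click-then-download", "technique": "T1566.002"},
    {"rule": "impossible-travel-login", "technique": "T1078"},
    {"rule": "dormant-account-reactivated", "technique": "T1078"},
    {"rule": "legacy-rule-bad-tag", "technique": "T9999"},  # constructed invalid tag
]

def coverage_by_tactic(matrix, detections):
    """For each tactic, list techniques with at least one rule and those with none."""
    rules_for = defaultdict(list)
    for d in detections:
        rules_for[d["technique"]].append(d["rule"])
    report = {}
    for tactic_id, (name, techniques) in matrix.items():
        covered = [t for t in techniques if t in rules_for]
        gaps = [t for t in techniques if t not in rules_for]
        report[tactic_id] = {"tactic": name, "covered": covered, "gaps": gaps,
                             "ratio": len(covered) / len(techniques)}
    return report

def unmapped_rules(matrix, detections):
    """Rules whose technique tag is not in the matrix slice (stale or mistyped tags)."""
    known = {t for _, techniques in matrix.values() for t in techniques}
    return [d["rule"] for d in detections if d["technique"] not in known]

if __name__ == "__main__":
    for tid, row in coverage_by_tactic(MATRIX, DETECTIONS).items():
        gaps = ", ".join(f"{t} {TECHNIQUE_NAMES[t]}" for t in row["gaps"]) or "none"
        print(f"{tid} {row['tactic']}: {row['ratio']:.0%} covered; gaps: {gaps}")
    print("rules with unknown technique tags:", unmapped_rules(MATRIX, DETECTIONS))
```

Because Valid Accounts sits under both tactics, the two rules tagged with it count toward coverage of Initial Access and of Persistence.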
MITRE ATT&CK history
ATT&CK was launched by MITRE in 2013 to document common tactics, techniques and procedures that advanced persistent threats (APTs) used against Windows enterprise networks. It began as an effort to gather this data for a research project on detecting threats in enterprise networks post-compromise -- that is, after attackers had broken in. The FMX project involved close observation of over 200 hosts on a monitored network segment. MITRE ran red team operations on this network, meaning it had designated teams to act like attackers using known techniques to penetrate the network. A blue team would then attempt to detect and mitigate these simulated attacks.
By simulating the complete cybersecurity landscape from both the attacker's and defender's perspective, MITRE arrived at several key insights that it would use as the basis of its ATT&CK framework. These insights were the following:
- Focusing on adversarial behavior enables MITRE to develop behavioral analytics and better techniques for defense.
- Many existing cybersecurity lifecycle models were too abstract and not able to efficiently detect new threats.
- To be effective, threat behaviors and tactics must be based on real past observations of adversarial behavior.
- Terminology for describing tactics must be consistent across different adversarial groups to enable businesses to compare and contrast them.
By applying these principles in a controlled research setting, MITRE was able to verify that following them greatly improves threat detection capabilities of defending networks in a measurable way.
In 2015, in light of the project's success, MITRE decided to release the framework to the public. The framework has since grown to include threats to Mac OS X, Linux and mobile device operating systems (OSes).
In the past five years, MITRE has grown significantly and continues to do so.