An in-depth guide to the MITRE ATT&CK framework

Providing effective enterprise cybersecurity is a complicated and challenging undertaking. As such, business executives and cybersecurity teams need to utilize all their available resources to protect their IT systems from complex attacks.

Fortunately, the MITRE ATT&CK framework offers companies a free resource that can be used to develop stronger cybersecurity defenses. The framework is a valuable tool that helps cybersecurity teams secure business-critical systems and sensitive data assets.

This guide will provide an in-depth look at the MITRE ATT&CK framework and discuss how it can strengthen an organization’s cyber defenses. 

• What is the MITRE ATT&CK framework? 
• A brief history of MITRE and the MITRE ATT&CK framework
• What are the MITRE ATT&CK matrices?
• What are the MITRE ATT&CK data sources?
• What is the MITRE insider threat knowledge base? 
• MITRE ATT&CK mitigation and detection guidance
• How do organizations use the MITRE ATT&CK framework?
• Benefits and drawbacks of using the MITRE ATT&CK framework
• How does DLP use the MITRE ATT&CK framework?
• Final thoughts
• Frequently asked questions

Wh‎at is the MITRE ATT&CK framework?

The MITRE ATT&CK framework is a free and globally accessible knowledge base designed to assist cybersecurity personnel in tracking the tactics and techniques employed by threat actors. 

By storing the methods used throughout the entire attack lifecycle, it’s not only an invaluable data repository but also an effective instrument for improving an organization’s security posture.

This adversarial perspective allows security professionals to understand better the actions taken and which type of defenses these actions try to subvert. 

In turn, this enables security teams to develop more effective defenses against potentially threatening actions.

Check out the video below to learn more about the MITRE ATT&CK framework from MITRE itself:

‎A‎ brief history of MITRE and the MITRE ATT&CK framework

MITRE is a chartered, nonprofit company founded in 1958 to provide engineering and technical guidance to the United States Air Force. 

One of the first projects MITRE engaged in was working with the Federal Aviation Administration (FAA) to develop a means of managing air traffic control, creating the National Airspace System. MITRE has since been involved in numerous other projects related to air traffic safety.

In 1999, MITRE and other security organizations created the Common Vulnerabilities and Exposures (CVE) directory to help improve cyber defense. 

This early work was a precursor to MITRE ATT&CK, developed in 2013. The MITRE ATT&CK knowledge base uses real-world observations to obtain information on the tactics and techniques used by threat actors.

The framework’s name is an acronym for the data it collects. The Adversarial Tactics, Techniques and Common Knowledge (ATT&CK) framework was first released to the public in 2015 and is widely used today by many security teams to help safeguard against known and emerging threats.

MITRE ATT&CK initially focused on protecting Windows enterprise systems. Its scope has since been expanded, and the framework now addresses threats against Windows, macOS, Linux, mobile operating systems, and industrial control systems.

Three distinct versions of the MITRE ATT&CK framework are available to provide threat information and guidance for different IT environments. Each framework focuses on a specific IT system and its related devices.

• ATT&CK for Enterprise concentrates on information regarding threats to Windows, macOS, Linux, and cloud infrastructure.
• ATT&CK for Mobile provides information about iOS and Android mobile operating system threats.
• ATT&CK for ICS focuses on threat actors' activities when attacking an industrial control system (ICS).

Wh‎at are the MITRE ATT&CK matrices?

The MITRE ATT&CK matrices are the framework’s central artifacts, and separate matrices exist for each version. The matrices present information on threat actors' tactics and techniques when attempting to exploit a particular IT environment or device.

Each matrix is organized similarly, with a column for each tactic identified as an environmental threat. Columns have a variable number of rows containing a technique used to implement a threat tactic. 

Clicking on a tactic or procedure described in the matrix opens a page providing more detailed information about the item. 

Next, we’ll examine all three matrices, focusing on the enterprise matrix. The threat information within this matrix affects the IT environment of virtually all organizations.

The enterprise MITRE ATT&CK matrix

The enterprise matrix describes the following 14 tactics and associated techniques used by threat actors attempting to exploit on-premises and cloud computing environments. In many cases, methods are used to multiply tactics further. 

• Reconnaissance tactics are used to passively or actively collect information in preparation for future attacks. Ten techniques are listed, including active scanning, phishing, and gathering information on the victim’s network.
• Resource development looks at eight techniques threat actors employ when buying or stealing resources to use in a cyberattack. Techniques for resource development include compromising accounts, acquiring access to the infrastructure, and obtaining system capabilities.
• Initial access concerns the tactics used to gain a foothold in a network. The nine techniques defined include phishing, exploiting public-facing applications, and compromising external remote services.
• Execution discusses the tactics used in attempts to execute malicious applications or code on local or network-attached remote systems. Some of the 14 execution techniques are to exploit job or task schedulers, compromise native APIs, or deploy destructive software tools.
• Persistence focuses on tactics threat actors use to maintain a long-term presence in an IT network or environment. The matrix points to 19 techniques that promote persistence, including planting malicious initialization scripts, modifying authentication processes, and creating counterfeit accounts.
• Privilege escalation is a tactic cyber adversaries use to gain more powerful privileges to make changes or exploit the environment. The 13 techniques noted include manipulating access tokens, modifying domain permission policies, and process injection.
• Defense evasion covers threat actors' tactics to remain hidden and avoid detection once they gain environmental access. The 42 techniques described here are the most for any individual tactic. They include building images on host machines, modifying system registries, and exploiting an organization’s unused or unsupported cloud regions.
• Credential access lists 17 techniques that are used for malicious credential access. They include stealing unsecured credentials, intercepting multi-factor authentication processes, and brute force attempts to crack passwords.
• Discovery comprises the tactics used by threat actors to gain an understanding of system operation. The 31 learning techniques about an environment include browser information discovery, container and resource discovery, and network sniffing.
• Lateral movement discusses malicious entities' methods to move laterally through the environment. This type of movement is often a sign of an intrusion or an advanced persistent threat (APT). Nine techniques enable lateral movement, including internal spear phishing, highjacking remote service sessions, and exploitation of remote services.
• Collection defines the methods used to gather information from sources inside the organization. The 17 techniques include audio capture, hijacking browser sessions, and compromising data from cloud storage.
• Command and control discusses the methods a threat actor can use to communicate and control compromised systems. The 16 strategies to implement remote command and control include protocol tunneling, employing remote access software, and utilizing fallback channels.
• Exfiltration focuses on how data is stolen from an IT environment or network. The nine techniques defined include automated exfiltration, transferring data to a cloud account, and manipulating file transfer size limits.
• Impact speaks to the methods used to disrupt business operations or compromise data integrity. Thirteen techniques include data destruction, firmware corruption, and removing account access to critical systems.

 The mobile MITRE ATT&CK matrix

The mobile matrix defines 12 tactics used to threaten the security of mobile devices. Each tactic has associated techniques that threat actors use to attack mobile devices and operating systems.

Except for reconnaissance and resource development, all tactics in the enterprise matrix also exist in the mobile matrix. Techniques may be modified to address the differences in attacking a mobile or enterprise IT environment. 

The ICS MITRE ATT&CK matrix

The ICS MITRE ATT&CK matrix contains 12 tactics that threaten the industrial control systems responsible for the safe operation of essential infrastructure facilities. As with the other matrices, it details the techniques used by threat actors when employing these tactics. Three tactics deemed specific to ICS environments are included in the matrix.

• Evasion defines techniques an adversary uses to avoid security and defense mechanisms. They include changing a system’s operating mode, spoofing reporting messages, and installing a rootkit.
• Inhibit response function techniques prevent an organization from effectively responding to system failures or disruptions.
• Impair process control lists the methods used to manipulate, disable, and damage a facility’s physical control processes. Techniques include modifying control system parameters, compromising module firmware, and sending unauthorized command messages.

Wh‎at are the MITRE ATT&CK data sources?

Each of the three MITRE ATT&CK frameworks has associated data sources representing subjects or topics of information that logs or sensors can collect. A data source can also be a data component that identifies properties of a data source used to detect an ATT&CK technique.

MITRE ATT&CK defines 41 total data sources for the three frameworks. Some sources, such as application logs, are part of more than one framework. The following are examples of data sources related to each framework.

• Enterprise data sources - Windows Active Directory, certificates, cloud storage, cloud services, login sessions, and scheduled jobs. 
• Mobile data sources - Application vetting by external sources, network traffic, processes, and user interfaces. 
• ICS data sources - Windows Registry, operational databases, assets, and application logs.

Data sources provide the raw information to identify the threats defined in the ATT&CK matrices. Optimal use of data sources can help identify threats before they can cause damage to the environment. 

Wh‎at is the MITRE insider threat knowledge base?

Insider threats are one of the most pressing cybersecurity risks facing organizations today. Insider threats involve sophisticated tactics that are challenging to detect and prevent. SOCs and insider threat analysts must understand the technical mechanisms utilized by insiders and the controls that can mitigate these risks.

MITRE's Center for Threat-Informed Defense published the Insider Threat Tactics, Techniques, and Procedures (TTP) Knowledge Base to address this need. This comprehensive resource provides a central repository for aggregating and disseminating the tactics, techniques, and procedures insiders use across various organizations and sectors.

This knowledge is critical for insider threat analysts and SOCs in detecting, mitigating, and emulating insider actions on IT systems to prevent insider threats.  

Contributors to this knowledge base are instrumental in establishing the first community-sourced, cross-sector, multi-organizational body of insider threat data inspired by MITRE ATT&CK®.

The Reveal Platform by Next aligns with the MITRE Insider Threat Knowledge Base in several important ways to provide an integrated solution to defend against insider threats.

• Data exfiltration: Reveal monitors data movement across common exfiltration vectors to prevent unauthorized data leakage.
• Lateral movement: Reveal identifies unusual patterns such as privilege escalation and unauthorized access within an organization.
• Credential misuse: Reveal monitors user access and login patterns to identify potential security breaches.
• Anomaly detection: Leveraging machine learning algorithms, Reveal detects deviations from established norms in user behavior.
• Insider threat indicators: The Reveal platform correlates multiple indicators of compromise, enhancing threat detection and response.

Learn more about how Next aligns with the MITRE Insider Threat Knowledge Base in our recent article.

MI‎TRE ATT&CK mitigation and detection guidance

MITRE ATT&CK frameworks provide comprehensive mitigation sets that address specific techniques defined in the matrices. The frameworks also guide detecting the techniques and tactics used by threat actors. 

Mitigation and detection information is readily available directly from a matrix by clicking on a technique. 

We will use the Enterprise Matrix and its Persistence tactic as an example of the information available from the framework. Clicking on Account Manipulation provides the following information.

• A definition of the account manipulation technique is accompanied by a drop-down menu with links to five sub-techniques, such as device registration or additional cloud credentials.
• Persistence is listed as the tactic related to this technique.
• The affected platforms are listed. In this case, they are Azure AD, Google Workspace, IaaS, Linux, Network, Office 365, SaaS, Windows, and macOS.
• Additional information includes contributors to the page, its version, creation date, and last modification date.

After this preliminary information, the page provides examples of procedures that demonstrate the technique in action. These examples show the variety of ways a particular technique can be used to initiate a cyberattack. The general concepts displayed by these examples can help security teams identify similar issues in their environment.

The mitigations section follows procedure examples. Multiple mitigation strategies with links to detailed information are available as guidance for security teams or personnel. Mitigations for account manipulation include implementing multi-factor authentication and user account management.

Detection strategies follow mitigations and identify data sources and components helpful in detecting a malicious technique. In this case, specific log messages and Windows event IDs are provided as starting points for investigations by security teams.

Ho‎w do organizations use the MITRE ATT&CK framework?

Organizations can use the MITRE ATT&CK framework to assess and test their cybersecurity defenses. The following are ways a company can use the framework to improve cybersecurity.

• The framework provides the necessary information for a red team to replicate threatening behavior and perform penetration testing. Using procedure examples, testers can simulate threat actor behavior and develop more effective defenses for potential risks.
• The MITRE ATT&CK framework facilitates mapping and testing regulatory and compliance controls, making it easy to ensure all requirements are met. Threat actors often target valuable and sensitive regulated data resources.
• Organizations use the framework to obtain threat intelligence to supplement the information provided by security vendors. The framework can help security personnel identify suspicious behavior that would otherwise go unnoticed.
• Cybersecurity hardware and software vendors can use the framework to evaluate products and services. They can objectively evaluate how their offering addresses customers’ cybersecurity requirements.
• The real-world information contained in the MITRE ATT&CK framework offers an excellent training opportunity for cybersecurity analysts. The framework emulates the adversaries trying to compromise the environment that a security team must protect. 

Be‎nefits and drawbacks of using the MITRE ATT&CK framework

Organizations should consider the following benefits and potential drawbacks when deciding to use the MITRE ATT&CK framework to improve their cybersecurity posture. Using the framework provides benefits that include:

• Providing a comprehensive repository of threat actor behavior
• Connecting threat groups to threat indicators for more effective threat detection
• Offering sector-specific threat information
• Ensuring updated and verified information by enlisting data from the cybersecurity community

Several issues can impact the ability of an organization to use the MITRE ATT&CK framework effectively.

• The extensive and detailed data provided by the framework can be challenging for new users to assimilate. The volume of information can be overwhelming, especially for inexperienced security personnel.
• It can be difficult to find tools that support the framework and enable it to be used as a foundation for automated problem remediation.
• Companies cannot generate alerts on every issue defined in the framework because many potentially malicious activities play a legitimate role in supporting the IT environment.

Ho‎w does DLP use the MITRE ATT&CK framework?

A data loss prevention (DLP) software solution is a critical component of a comprehensive cybersecurity posture. A DLP platform can be instrumental in preventing the methods described in the MITRE ATT&CK framework that put valuable enterprise data resources at risk.

The Reveal Platform by Next protects a company from deliberate or accidental data breaches by automatically enforcing an organization’s data handling policy, and ensuring that threat actors cannot cause damage by misusing sensitive enterprise data.

To see how Reveal can help protect your organization’s sensitive data resources, talk to the data loss prevention experts at Next DLP, and book a demo to learn more.

Fi‎nal thoughts

The MITRE ATT&CK framework offers organizations a practical tool for understanding the risks threat actors pose to their IT environments. The MITRE ATT&CK matrices consolidate threat intelligence and present it in an organized way that can be used efficiently by cybersecurity teams and personnel. 

Companies that want to enhance their cybersecurity posture should learn how to use the MITRE ATT&CK framework to address the wide range of threats that can impact their businesses.

Fr‎equently asked questions

Where can an individual obtain training on MITRE ATT&CK framework usage?

The MITRE Corporation offers free training materials to help cybersecurity professionals understand the ATT&CK framework and use it effectively. Five training modules are available that consist of videos and associated exercises. 

The training regimen takes approximately four hours to complete, and provides users with an overview of the framework, along with examples of how to improve a company’s cybersecurity.

What steps are needed to map MITRE ATT&CK to cyber threat intelligence (CTI) reports?

The following steps enable the data available from the MITRE ATT&CK framework to be used in CTI reports.

1. Identify the behavior employed to compromise the environment.
2. Research the behavior by searching for additional information on the ATT&CK website.
3. Identify the tactics used in the exploit.
4. Identify techniques and sub-techniques used to conduct the attack.
5. Compare the results with those of other security analysts to gain a more complete perspective of your findings.

Why should an organization investigate the MITRE ATT&CK framework to improve its security?

The diversity of threat actor tactics and techniques consolidated in the framework provides security teams with an excellent foundation for addressing future attacks and understanding how successful attacks have been conducted. 

Efficient use of this foundation allows an organization to strengthen cyber defenses and address vulnerabilities that have been exploited before they can cause further damage to the IT environment.