MITRE ATT&CK (Adversarial Tactics, Techniques and Common Knowledge) is a framework, set of data matrices, and assessment tool developed by MITRE Corporation to help organizations understand their security readiness and uncover vulnerabilities in their defenses.

Developed in 2013, the MITRE ATT&CK Framework uses real-world observations to documents specific attack methods, tactics, and techniques. As new vulnerabilities and attack surfaces come to light, they are added to the ATT&CK framework, which thus is constantly evolving. In the past few years, the MITRE ATT&CK framework and its matrices have become an industry standard for both knowledge and remediation tools regarding attacker behavior.

ATT&CK matrices are utilized by a broad range of IT and security professionals including red teamers playing the role of attacker or competitor, threat hunters, and security product development engineers, threat intelligence teams, and risk management professionals.

Red teamers use the MITRE ATT&CK framework as a blueprint to help uncover the attack surfaces and vulnerabilities in corporate systems and devices, as well as to improve the ability to mitigate attacks once they occur by learning information. This includes attackers gained access, how they move within the affected network, and what methods are being used to evade detection. This toolset enables organizations to gain a better awareness of their overall security posture, identify and test gaps in defenses, and prioritize potential security gaps based on the risk they present to the organization.

Threat hunters use the ATT&CK framework to find correlations between the specific techniques that attackers are using against their defenses and use the framework to understand the visibility of attacks targeted at their defenses both at endpoints and throughout the network perimeter.

Security platform developers and engineers use MITRE ATT&CK as a tool to evaluate the effectiveness of their products, uncover previously unknown weaknesses, and model how their products will behave during the lifecycle of a cyberattack.

MITRE ATT&CK is an abbreviation for MITRE Adversarial Tactics, Techniques, and Common Knowledge. The MITRE ATT&CK framework is a curated repository that includes matrices that provide a model for cyberattack behaviors. The framework is generally presented in tabular form, with columns that represent the tactics (or desired outcomes) used during the life of an attack, and rows that represent of techniques that are utilized to achieve their tactical goals. The framework also documents technique usage and other metadata that is linked to individual techniques.

MITRE ATT&CK framework is an outgrowth of a MITRE experiment that emulated both attacker and defender to help understand how attacks happen and improve post-compromise detection using telemetry sensing and behavioral analytics. To better understand how well the industry is doing at detecting documented adversarial behavior they created the ATT&CK framework as a tool to categorize these behaviors.

There are currently four major matrices that comprise the ATT&CK framework. Pre-ATT&CK and ATT&CK for Enterprise both relate to attacks on enterprise infrastructure.

PRE-ATT&CK: Many of the activities (such as reconnaissance and resource development) that bad actors take before an enterprise is compromised are normally done outside of the organization’s visibility, and thus these pre-attack tactics and techniques are extremely difficult to detect at the time. For example, cyber-attackers may leverage information freely available on the internet, relationships the organization has with other already compromised organizations, or other methods to attempt access. PRE-ATT&CK lets defending organizations better monitor and understand these pre-attack activities that occur externally to their network perimeter.

Enterprise ATT&CK: ATT&CK for Enterprise provides the model that details the actions that cyber-attackers may take to compromise and execute their activities within an enterprise network. There are specific tactics and techniques in the matrix for a broad range of platforms including Windows, macOS, Linux, Azure AD, Office 365, Google Workspace, SaaS, IaaS, Networks, and Containers. The PRE-ATT&CK matrix originally was part of ATT&CK for Enterprise since it is also focused with attempts to compromise enterprise infrastructure. The Enterprise framework helps organizations prioritize their network defenses to focus on those that present the greatest risk to the specific enterprise.

Mobile ATT&CK: The mobile ATT&CK matrix describes tactics and techniques used to compromise both iOS and Android mobile devices. To this end, ATT&CK for Mobile builds upon NIST’s Mobile Threat Catalogue, and as of this writing catalogs a dozen tactics and over 100 techniques that have been used to impact mobile devices and achieve whatever nefarious objectives the bad actors wished to achieve. Additionally, ATT&CK for Mobile lists network-based effects – tactics and techniques that can be used without requiring access to the actual device.

ICS ATT&CK: The newest matrix in the ATT&CK family is the MITRE ATT&CK for Industrial Control Systems (ICS) matrix, which is similar to Enterprise ATT&CK except that it is targeted specifically at industrial control systems, such as power grids, factories, mills, and other organizations that rely on interconnected machinery, devices, sensors, and networks.

Each of the matrices includes detailed technical descriptions of each technique used for each tactic through the adversarial attack lifecycle, assets, and systems that each technique targets, and indicates mitigation and countermeasure approaches for each, the detection analytics utilized to uncover the technique, and examples of real-world usage.

When viewing the matrices, tactics are presented in a linear fashion describing the attack lifecycle, starting with the point of reconnaissance all the way to the final goal, whether that goal is exfiltration of information, encrypting files for purposes of ransomware, both, and other malicious action.

The main benefit of the ATT&CK framework is that organizations can gain an understanding of how adversaries operate, the steps they might plan to take to gain initial access, discover, move laterally, exfiltrate data.  This lets teams view activities from the attacker’s perspective which can lead to a richer understanding of motivations and tactics. Ultimately, organizations can leverage that understanding and knowledge to identify gaps in their security posture and improve threat detection and response by enabling teams to predict attacker’s next moves so remediation can occur quickly. It is often said in sports that the best defense is a good offense, and in cybersecurity, gaining an understanding of what the offense is deploying can greatly assist defense of the network, devices, and users.

Additionally, in the current work environment where there is a severe skills shortage in cybersecurity, the frameworks can help junior or newly hired security staff by giving them the knowledge and research tools they need to rapidly come up to speed on any given threat by leveraging the collective knowledge of all the security professionals before them who have contributed to the MITRE ATT&CK framework matrices.

As the ATT&CK matrices continue to grow in both number and size of each, they have become increasingly complex. The number of combinations and permutations of tactics and techniques in the framework, although incredibly thorough, can be overwhelming due to the sheer amount of data there is to digest and process.

For example, there are currently over 400 different techniques or attack patterns outlined in the fourteen tactics described in ATT&CK for Enterprise. Many of those techniques also contain sub-techniques that further increase the number of permutations. Many organizations have not automated the mapping of all that data to their current security infrastructure, which can be a formidable task.

A recent study by UC Berkely found that while nearly all organization use the framework to tag network events with various security products, not even half of respondents have automated the security policy changes that are indicated by the framework.

Other challenges include difficulty correlating cloud-based and on-premises events or the inability to correlate events from mobile devices and endpoints.

A recent report from the US Center for Cybersecurity and Infrastructure Security Agency (CISA) offers a list of best practices for organizations to utilize the MITRE ATT&CK framework to map attacks to remediation and protection techniques. Although the study found that large enterprise organization were adopting the framework, the majority of users do not believe their current security products can detect all the known threats in the ATT&CK matrices relating to their infrastructure.