Comprehensive Guide on MITRE ATT&CK Framework

Ashish Khare, published in System Weakness, Jan 4, 2023

Hey guys, Ashish this side. In this article, we’ll take a tour of “The MITRE ATT&CK Framework”, so let’s hop into it.

What is the Mitre ATT&CK Framework?

MITRE ATT&CK stands for MITRE Adversarial Tactics, Techniques, and Common Knowledge. It was created by the MITRE Corporation and released in 2013.

The MITRE ATT&CK framework is developed by MITRE, a non-profit organization funded by the U.S. government. The ATT&CK framework is a cybersecurity knowledge base of adversary tactics and techniques based on real-world observations.

This framework is helpful in various aspects of cybersecurity. It helps organizations strengthen their threat intelligence and thereby improve their defences against attacks.

ATT&CK contains these core components:

  • Tactics — the short-term adversary goals during an attack.
  • Techniques — the different means through which adversaries may achieve those tactical goals.
  • Documentation of how adversaries have been observed using those techniques.

The MITRE ATT&CK framework comes in three iterations:

  • ATT&CK for Enterprise: focuses on the behaviour of adversaries in Windows, macOS, Linux, and cloud environments.
  • ATT&CK for Mobile: focuses on the behaviour of adversaries in iOS and Android environments.
  • ATT&CK for ICS: focuses on the behaviour of adversaries while operating within an ICS network.

Understanding the MITRE ATT&CK Matrix:

The MITRE ATT&CK matrix consists of a set of techniques used by adversaries to accomplish their goals. Those goals are referred to as ‘Tactics’ in the ATT&CK matrix, and each column of the matrix lists the techniques that can serve one tactic.

Tactics are the core of the ATT&CK framework and represent the adversary’s objective behind a given ATT&CK technique.

1. Enterprise Matrix

Currently, the MITRE ATT&CK Enterprise Framework consists of 14 easy-to-understand tactics which are as follows:

1. Reconnaissance: The adversary gathers information to be used in further operations.

2. Resource Development: The adversary establishes resources which can be used to support the operation.

3. Initial Access: The adversary tries to get into the network.

4. Execution: The adversary tries to run malicious code.

5. Persistence: The adversary tries to maintain their foothold.

6. Privilege Escalation: The adversary tries to gain a higher level of privilege by exploiting an existing vulnerability.

7. Defence Evasion: The adversary tries to escape detection, for example by using trusted processes to hide malware.

8. Credential Access: The adversary tries to access usernames and passwords.

9. Discovery: The adversary tries to understand the environment in order to plan further actions.

10. Lateral Movement: The adversary moves through the environment, using legitimate credentials to pivot through multiple systems.

11. Collection: The adversary gathers data of interest as per the attack objective.

12. Command and Control: The adversary communicates with compromised systems to control them.

13. Exfiltration: The adversary steals the gathered data.

14. Impact: The adversary manipulates, interrupts, or destroys systems and data.
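To make the matrix structure concrete, and to show how a defender actually uses the tactic list above, here is an added example (not from this article and not MITRE's own tooling). It builds a tactic-to-technique matrix from objects shaped like those in MITRE's public STIX feed (tactics are `x-mitre-tactic` objects with an `x_mitre_shortname`; techniques are `attack-pattern` objects whose `kill_chain_phases` name a tactic by that shortname), then scores a set of detection rules against it to find tactics with no coverage at all. The bundle is a constructed four-tactic sample; the technique and tactic IDs are the real ATT&CK identifiers, while the detection rules are invented for the example.

```python
"""Build an ATT&CK-style matrix from STIX-shaped objects and measure detection
coverage per tactic.  Added example; the bundle below is a CONSTRUCTED sample
that mimics the object shapes of MITRE's STIX feed, restricted to four tactics.
"""

# Constructed sample bundle (same field names as the public feed, tiny subset).
SAMPLE_BUNDLE = {
    "type": "bundle",
    "objects": [
        {"type": "x-mitre-tactic", "name": "Initial Access", "x_mitre_shortname": "initial-access",
         "external_references": [{"source_name": "mitre-attack", "external_id": "TA0001"}]},
        {"type": "x-mitre-tactic", "name": "Execution", "x_mitre_shortname": "execution",
         "external_references": [{"source_name": "mitre-attack", "external_id": "TA0002"}]},
        {"type": "x-mitre-tactic", "name": "Persistence", "x_mitre_shortname": "persistence",
         "external_references": [{"source_name": "mitre-attack", "external_id": "TA0003"}]},
        {"type": "x-mitre-tactic", "name": "Privilege Escalation", "x_mitre_shortname": "privilege-escalation",
         "external_references": [{"source_name": "mitre-attack", "external_id": "TA0004"}]},
        # Techniques: phases follow the real entries, limited to the four tactics above.
        {"type": "attack-pattern", "name": "Phishing",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1566"}],
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "initial-access"}]},
        {"type": "attack-pattern", "name": "Command and Scripting Interpreter",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1059"}],
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "execution"}]},
        {"type": "attack-pattern", "name": "Scheduled Task/Job",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1053"}],
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "execution"},
                               {"kill_chain_name": "mitre-attack", "phase_name": "persistence"},
                               {"kill_chain_name": "mitre-attack", "phase_name": "privilege-escalation"}]},
        {"type": "attack-pattern", "name": "Valid Accounts",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1078"}],
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "initial-access"},
                               {"kill_chain_name": "mitre-attack", "phase_name": "persistence"},
                               {"kill_chain_name": "mitre-attack", "phase_name": "privilege-escalation"}]},
    ],
}

# Invented detection rules, each tagged with the technique IDs it is meant to catch.
DETECTION_RULES = [
    {"name": "Suspicious encoded PowerShell command line", "techniques": ["T1059"]},
    {"name": "Scheduled task created by non-admin user", "techniques": ["T1053"]},
]


def attack_id(obj):
    """Return the ATT&CK external ID (T…/TA…) of a STIX object, or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def build_matrix(bundle):
    """Map tactic shortname -> {id, name, techniques}.

    A technique is listed under every tactic in its kill_chain_phases, which is
    why T1053 appears in three columns of the real matrix.  Revoked or
    deprecated techniques (flags present in the real feed) are skipped.
    """
    tactics = {}
    for obj in bundle["objects"]:
        if obj["type"] == "x-mitre-tactic":
            tactics[obj["x_mitre_shortname"]] = {"id": attack_id(obj), "name": obj["name"], "techniques": []}
    for obj in bundle["objects"]:
        if obj["type"] != "attack-pattern" or obj.get("revoked") or obj.get("x_mitre_deprecated"):
            continue
        for phase in obj.get("kill_chain_phases", []):
            if phase["kill_chain_name"] == "mitre-attack" and phase["phase_name"] in tactics:
                tactics[phase["phase_name"]]["techniques"].append(attack_id(obj))
    for column in tactics.values():
        column["techniques"].sort()
    return tactics


def tactic_coverage(matrix, rules):
    """Return {tactic shortname: (techniques with at least one rule, techniques in column)}."""
    detected = {tid for rule in rules for tid in rule["techniques"]}
    return {short: (len(detected & set(col["techniques"])), len(col["techniques"]))
            for short, col in matrix.items()}


def uncovered_tactics(matrix, rules):
    """Tactics where no technique in the column has any detection rule: the real gaps."""
    return sorted(short for short, (hit, _) in tactic_coverage(matrix, rules).items() if hit == 0)


if __name__ == "__main__":
    matrix = build_matrix(SAMPLE_BUNDLE)
    for short, (hit, total) in tactic_coverage(matrix, DETECTION_RULES).items():
        col = matrix[short]
        print(f"{col['id']} {col['name']:<22} {hit}/{total} techniques covered: {col['techniques']}")
    print("tactics with zero coverage:", uncovered_tactics(matrix, DETECTION_RULES))
```

With the sample data, Execution is fully covered, Persistence and Privilege Escalation are half covered through the scheduled-task rule, and Initial Access has no detection at all, which is the kind of gap the matrix view is meant to expose. The same functions accept the full `enterprise-attack.json` bundle from MITRE's attack-stix-data repository loaded with `json.load`, since the sample uses the same field names.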

2. Mobile Matrix

The MITRE ATT&CK Mobile framework also consists of 14 tactics, most of which mirror the Enterprise framework. They are as follows:

1. Initial Access: The adversary tries to get into your device.

2. Execution: The adversary tries to run malicious code.

3. Persistence: The adversary tries to maintain a foothold.

4. Privilege Escalation: The adversary tries to gain higher levels of permission.

5. Defence Evasion: The adversary tries to avoid detection.

6. Credential Access: The adversary tries to access credentials which can be used to access resources.

7. Discovery: The adversary tries to get an idea about the environment.

8. Lateral Movement: The adversary tries to move through the environment.

9. Collection: The adversary tries to collect data of their interest.

10. Command and Control: The adversary tries to communicate with compromised devices.

11. Exfiltration: The adversary tries to steal data.

12. Impact: The adversary tries to manipulate, interrupt, or destroy your devices and data.

13. Network effects: The adversary tries to intercept or manipulate the network to or from a device.

14. Remote Service Effects: The adversary tries to control the device through a remote service.

Conclusion:

MITRE ATT&CK is a detailed, cross-referenced repository of knowledge about real adversary groups and their known behaviour. It also tells us about the tactics, techniques, and procedures used by those adversaries.

Reference:
