MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a globally recognized cybersecurity framework that provides a comprehensive knowledge base of adversary behavior based on real-world observations. It is used by security teams, threat hunters, SOC analysts, and red teams to improve cybersecurity defense and response.
Key Components of MITRE ATT&CK
MITRE ATT&CK is structured into three primary matrices, each covering different environments:
- Enterprise ATT&CK – Covers tactics, techniques, and procedures (TTPs) for attacks against Windows, macOS, Linux, cloud, containers, and network infrastructure.
- Mobile ATT&CK – Focuses on threats targeting Android and iOS devices.
- ICS ATT&CK – Specialized for Industrial Control Systems (ICS), used in critical infrastructure like energy, manufacturing, and water systems.
MITRE ATT&CK Framework Structure
The framework is organized into Tactics, Techniques, and Procedures (TTPs):
1. Tactics (The “Why” – Goals of an Attack)
Tactics represent high-level attack goals that adversaries aim to achieve. Examples include:
- Initial Access – Gaining entry into a system (e.g., phishing, exploiting vulnerabilities)
- Execution – Running malicious code (e.g., PowerShell, JavaScript)
- Persistence – Maintaining long-term access (e.g., backdoors, scheduled tasks)
- Privilege Escalation – Gaining higher permissions (e.g., exploiting vulnerabilities, credential dumping)
- Defense Evasion – Avoiding detection (e.g., obfuscation, disabling security tools)
- Credential Access – Stealing authentication credentials (e.g., keylogging, brute-force attacks)
- Discovery – Gathering information about the system and network (e.g., network scanning, process discovery)
- Lateral Movement – Expanding control across the network (e.g., RDP, SMB, pass-the-hash)
- Collection – Gathering sensitive data (e.g., keylogging, screen capture)
- Exfiltration – Stealing data from the environment (e.g., FTP, cloud services)
- Impact – Destroying or disrupting operations (e.g., ransomware, DDoS)
2. Techniques (The “How” – Methods Used by Attackers)
Techniques describe the specific ways adversaries achieve their goals (tactics). Examples include:
- Phishing (T1566) – Sending malicious emails to gain access
- Spearphishing Attachments (T1566.001) – Sending weaponized document files
- PowerShell (T1059.001) – Using PowerShell to execute malicious commands
- Credential Dumping (T1003) – Extracting credentials from memory (e.g., using Mimikatz)
- Process Injection (T1055) – Injecting code into legitimate processes for stealth
3. Procedures (The “Real-World” – Implementation of Techniques)
Procedures are actual real-world implementations of techniques by threat actors or malware families. Examples:
- APT29 (Cozy Bear) using spear-phishing (T1566) to deliver custom malware.
- TrickBot using credential dumping (T1003) to harvest Windows credentials.
Use Cases of MITRE ATT&CK
- Threat Detection & Hunting – SOC teams can map detected behaviors to ATT&CK techniques.
- Incident Response – Helps in forensic analysis by tracking adversary activity.
- Red Teaming & Penetration Testing – Guides adversary simulation to improve security posture.
- Security Tool Evaluation – Validates how well tools detect and mitigate known attack techniques.
- Threat Intelligence & Mapping – Security researchers can correlate attacks with known threat actors.
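The two ideas above that a SOC actually has to implement in software are the technique ID structure (a sub-technique such as T1566.001 belongs to its parent technique T1566, and a technique can serve more than one tactic) and the mapping of detection rules to techniques so that coverage per tactic can be measured. The following Python script is an added example, not code from the page or from MITRE: it embeds a constructed, hand-written subset of the Enterprise matrix using the IDs and names shown on this page (a real deployment would load the full ATT&CK STIX bundle instead), validates technique IDs, and reports which tactics a constructed set of SIEM rules covers and which have no detection at all. The rule names and the `KNOWLEDGE_BASE` contents are assumptions for illustration.

```python
"""Map detection rules to ATT&CK techniques and summarize coverage per tactic.

Added example, not from the original page. KNOWLEDGE_BASE is a constructed
subset of ATT&CK using the IDs and names shown on the page; a real deployment
would load the full ATT&CK STIX bundle published by MITRE instead.
"""
import re
from collections import defaultdict

# ATT&CK technique IDs look like T1566 (technique) or T1566.001 (sub-technique).
TECHNIQUE_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")

# Constructed subset of the Enterprise matrix: technique ID -> (name, tactics).
# A technique can serve more than one tactic (e.g. Process Injection).
KNOWLEDGE_BASE = {
    "T1566": ("Phishing", ["Initial Access"]),
    "T1566.001": ("Spearphishing Attachment", ["Initial Access"]),
    "T1059.001": ("PowerShell", ["Execution"]),
    "T1003": ("Credential Dumping", ["Credential Access"]),
    "T1055": ("Process Injection", ["Defense Evasion", "Privilege Escalation"]),
}

# The eleven Enterprise tactics listed on the page, in matrix order.
TACTICS = ["Initial Access", "Execution", "Persistence", "Privilege Escalation",
           "Defense Evasion", "Credential Access", "Discovery", "Lateral Movement",
           "Collection", "Exfiltration", "Impact"]


def parse_technique_id(tid):
    """Validate an ID and split it into (parent technique, sub-technique or None)."""
    if not TECHNIQUE_ID.match(tid):
        raise ValueError(f"not an ATT&CK technique ID: {tid!r}")
    parent, _, sub = tid.partition(".")
    return parent, (sub or None)


def parent_technique(tid):
    """T1566.001 -> T1566; a parent technique maps to itself."""
    return parse_technique_id(tid)[0]


def tactics_for(tid):
    """Tactics a technique belongs to; an unlisted sub-technique inherits its parent's."""
    entry = KNOWLEDGE_BASE.get(tid) or KNOWLEDGE_BASE.get(parent_technique(tid))
    if entry is None:
        raise KeyError(f"{tid} is not in the knowledge base")
    return entry[1]


def coverage_by_tactic(detection_rules):
    """{rule_name: [technique IDs]} -> {tactic: sorted list of covered parent technique IDs}.

    Coverage is counted at the parent-technique level so that a rule for a
    sub-technique also counts toward its parent technique's tactic(s).
    """
    covered = defaultdict(set)
    for tids in detection_rules.values():
        for tid in tids:
            for tactic in tactics_for(tid):
                covered[tactic].add(parent_technique(tid))
    return {tactic: sorted(covered.get(tactic, ())) for tactic in TACTICS}


def uncovered_tactics(detection_rules):
    """Tactics for which no detection rule maps to any technique: the coverage gaps."""
    return [t for t, techs in coverage_by_tactic(detection_rules).items() if not techs]


# Constructed sample: a few SIEM rules tagged with the technique IDs they detect.
SAMPLE_RULES = {
    "Macro-enabled Office attachment from external sender": ["T1566.001"],
    "Encoded PowerShell command line": ["T1059.001"],
    "LSASS memory access by non-system process": ["T1003"],
    "Remote thread created in another process": ["T1055"],
}

if __name__ == "__main__":
    for tactic, techs in coverage_by_tactic(SAMPLE_RULES).items():
        print(f"{tactic:<22} {', '.join(techs) or '-- no coverage --'}")
    print("Gaps:", ", ".join(uncovered_tactics(SAMPLE_RULES)))
```

Running the script prints one line per tactic; with the four sample rules, Initial Access, Execution, Privilege Escalation, Defense Evasion and Credential Access each show at least one technique, while the remaining six tactics are reported as gaps. That gap list is the practical output of the "Security Tool Evaluation" use case: it tells a detection engineer where to add rules next, and feeding it real rule-to-technique tags (most SIEM and EDR products export these) turns the same loop into an ongoing coverage report.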
MITRE ATT&CK & Security Tools
MITRE ATT&CK is integrated into various cybersecurity tools such as:
- SIEMs (Splunk, ELK, QRadar, Microsoft Sentinel)
- EDR/XDR solutions (CrowdStrike, Microsoft Defender, SentinelOne, Carbon Black)
- Threat Intelligence Platforms (Recorded Future, Mandiant, ThreatConnect)
- Purple Teaming tools (Atomic Red Team, Caldera, Red Canary)
How to Access MITRE ATT&CK?
MITRE ATT&CK is open-source and publicly available at:
https://attack.mitre.org/