What Is MITRE ATT&CK?
 

It’s often said that to protect against cyberattacks, you must think like a cyberattacker. But just how do cyberattackers think? That's where the MITRE ATT&CK tool provides value.

MITRE ATT&CK is a type of adversary-based framework — one designed to help security teams understand how attacks are perpetrated by detailing them from a cybercriminal’s point of view. Adversary-based frameworks help security teams survey the situation from the “bad guy’s” point of view throughout the lifecycle of an attack and then apply data from their own email security, network monitoring, and other tools to develop threat models and cybersecurity methodologies. 

As reported in Mimecast’s State of Email Security 2022 (SOES) report, 2021 was the worst year on record for cybersecurity with the average cost of a data breach topping $4 million. Organizations can use the MITRE ATT&CK framework to help ensure that they have the right protections in place — be they people, technologies, or processes. 

MITRE ATT&CK: Inside the Matrix

The ATT&CK acronym in MITRE ATT&CK stands for “adversarial tactics, techniques, and common knowledge.” The MITRE ATT&CK knowledge base lives up to its name by breaking down — in granular detail — the steps that advanced persistent threat (APT) groups take to execute cyberattacks, based on real-world observations. 

MITRE, a non-profit organization that develops national security solutions for U.S. government agencies, released the ATT&CK framework in 2013. It is an open framework, free and globally accessible, delivering on MITRE’s self-described mission to “solve problems for a safer world — by bringing communities together to develop more effective cybersecurity.”[1] 

The MITRE ATT&CK model is set up as a matrix, with customized matrices available for Windows, MacOS, Linux, PRE, Azure AD, Office 365, Google Workspace, SaaS, IaaS, networks, and containers. Each comprehensive matrix comprises tactics, techniques, and procedures across all stages of an attack, from reconnaissance to impact. 

• Tactics describe the “whys” of an attack: the reasons a cybercriminal would take a certain action. A cybercriminal will perform reconnaissance, for example, to gather information that can be used for future operations. The MITRE ATT&CK matrix specifies tactics for enterprise, mobile, and industrial control systems (ICS). 
• Techniques explain the general “hows” of an attack. Also categorized by enterprise, mobile, and ICS, techniques outline the actions an attacker may take to deliver on a tactical goal. The matrix also provides sub-techniques. For example, the matrix includes 10 reconnaissance techniques, including active scanning, whereby attackers gather information that can be used to target victims. Under the active scanning technique, the matrix describes sub-techniques, such as vulnerability scanning (perusing application configurations to see if any align with available exploits).
• Procedures outline the explicit ways cybercriminals are implementing techniques and sub-techniques, identifying specific tools and malware and the groups that have used them. The matrix may note under the vulnerability scanning sub-technique, for example, that China-based threat group Aquatic Panda has used publicly accessible DNS logging services to identify servers vulnerable to Log4j exploits.[2]

MITRE ATT&CK vs. Cyber Kill Chain

MITRE ATT&CK is not the only adversary-based framework available. The Lockheed Martin Cyber Kill Chain framework, introduced in 2011, describes the seven phases of an attack, while the MITRE ATT&CK framework covers 14 tactics along with techniques, sub-techniques, and procedures.[3]

SANS-Institute-certified instructor Jorge Orchilles noted in a blog that the higher-level Cyber Kill Chain model can be useful when talking to non-security practitioners about how a particular attack occurred, but is not as comprehensive as MITRE ATT&CK.[4] He added that MITRE ATT&CK is the “current industry standard and most used framework for understanding and communicating how attacks work.” 

How Does the MITRE ATT&CK Framework Help an Enterprise?

The primary purpose of the MITRE ATT&CK framework is to help companies develop threat models and methodologies, but it offers several other benefits. Enterprises can use the model to:

• Identify security gaps. Armed with this knowledge of the hows and whys of attacks, enterprises can determine whether they have the right people, products, and processes in place to fend off or even prevent them. Noting spear phishing as a technique attackers use to gain systems access, enterprises would want to make sure they have appropriate protections in place, such as a secure email gateway.
• Inform cybersecurity training. Insight from the ATT&CK matrices helps companies refine ongoing cybersecurity awareness initiatives as cybercriminals evolve their approaches. Mimecast’s Security Awareness Training also aligns with the MITRE ATT&CK framework to measure user risk based on real-world attacks. 
• Improve penetration testing and threat hunting. The ATT&CK framework provides a better understanding of the threat landscape that pen testers and threat hunters can use to simulate or anticipate attacks. 
• Stay current. The framework provides up-to-date information about threat actors, tools, and targets, which can help enterprises identify specific vulnerabilities.

Best Practices for Using MITRE ATT&CK

Because the MITRE ATT&CK framework is so all-encompassing, it may be intimidating. But there are resources to help make the most effective and efficient use of the MITRE ATT&CK framework.

• MITRE provides a guide for first-time users of the framework.[5] 
• The U.S. Cybersecurity and Infrastructure Security Agency (CISA) offers best practices for mapping adversary behavior to MITRE ATT&CK techniques.[6]
• MITRE’s ATT&CK Navigator is a web-based tool for annotating and exploring specific tactics and techniques.[7]

The Bottom Line

The MITRE ATT&CK framework enables private and public sector organizations, across industries and company sizes, to understand how and why attacks are perpetrated from the attacker's perspective. Companies can use the framework to map their own cyberthreat intelligence to real-world attack behavior, identify gaps in security coverage, and align security strategy and tools with the current threat environment. Visit Mimecast’s Threat Intelligence Hub, which also includes MITRE ATT&CK among the many threat intelligence tools it uses to helps customers analyze cyberattack campaigns, monitor evolving threat landscapes, and enhance cybersecurity defenses.

[1] “MITRE ATT&CK,” MITRE

[2] “MITRE ATT&CK Active Scanning: Vulnerability Scanning,” MITRE

[3] “Cyber Kill Chain,” Lockheed Martin

[4] “Cyber Kill Chain, MITRE ATT&CK and Purple Team,” SANS Institute

[5] “Getting Started with ATT&CK,” MITRE

[6] “Best Practices for MITRE ATT&CK Mapping,” CISA

[7] “MITRE ATT&CK Navigator,” MITRE