MITRE ATT&CK Framework

2,500 years ago, Sun Tzu wrote about the art of war: “He who knows the enemy and himself will not be in danger in a hundred battles.” This certainly applies to cybersecurity. Knowledge about how hackers and other cyber criminals work gives you an edge in your information security. You also get to know yourself better.

MITRE ATT&CK is an extensive knowledge base of tactics, techniques and procedures (TTPs) used by cybercriminals in their attacks. All this knowledge serves as a basis for the development of specific threat models and methodologies in virtually all sectors of our society. According to MITRE, attack is the best form of defense. A strong red team makes the blue team better at detecting and stopping break-ins and attacks.

In 2013, MITRE started documenting adversary behavior to better defend against attacks on Windows enterprise networks. The documentation has since been expanded to cover macOS, iOS, Android, and Linux behaviors. The focus of the knowledge base is not on the tools and malware that adversaries use, but on how they interact with systems during an operation. The information is relevant to both the red and blue teams of an organization.

The matrix

The ATT&CK matrix is probably the best-known part of ATT&CK. It is often used to represent things like the defensive coverage of an environment, the detection capabilities of security products, and the results of an incident or red team engagement. The matrix visualizes the relationship between tactics and techniques and takes you along the 'journey of the hacker', as it were. This starts, for example, with reconnaissance and moves from initial access to execution, persistence, collection, exfiltration and impact. At each step, the matrix lists the techniques used. MITRE maintains some twenty matrices in detail: for the various operating systems, but also for the cloud (specifically Office 365, among others) and for mobile.
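As an added illustration (not part of the original article and not MITRE's own tooling), the Python below builds a tactic-to-technique matrix from objects in the STIX 2.1 shape that ATT&CK publishes and overlays detection coverage on it. The bundle is a constructed sample that reuses a few real technique ids; the "detected" set is hypothetical.

```python
"""Build a minimal ATT&CK-style matrix (tactic -> techniques) from STIX 2.1
attack-pattern objects and compute per-tactic detection coverage.
SAMPLE_BUNDLE is a constructed sample in the shape ATT&CK uses:
kill_chain_phases name the tactic, external_references carry the T-id.
T0000 is a placeholder id used only to show revoked objects being skipped."""
import json
from collections import defaultdict

SAMPLE_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--constructed-sample", "objects": [
        {"type": "attack-pattern", "name": "Phishing",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1566"}],
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "initial-access"}]},
        {"type": "attack-pattern", "name": "Command and Scripting Interpreter",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1059"}],
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "execution"}]},
        {"type": "attack-pattern", "name": "Scheduled Task/Job",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1053"}],
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "execution"},
                               {"kill_chain_name": "mitre-attack", "phase_name": "persistence"}]},
        {"type": "attack-pattern", "name": "Exfiltration Over C2 Channel",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1041"}],
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "exfiltration"}]},
        {"type": "attack-pattern", "name": "Retired placeholder", "revoked": True,
         "external_references": [{"source_name": "mitre-attack", "external_id": "T0000"}],
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "execution"}]},
    ]})

def attack_id(obj):
    """Pull the T-id from the mitre-attack external reference."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None

def build_matrix(bundle_json):
    """Return {tactic: sorted [(T-id, name), ...]}. A technique mapped to several
    tactics (T1053 here) appears under each, exactly as in the ATT&CK matrix.
    Revoked or deprecated objects are skipped, as the ATT&CK data marks them."""
    matrix = defaultdict(list)
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "attack-pattern" or obj.get("revoked") or obj.get("x_mitre_deprecated"):
            continue
        for phase in obj.get("kill_chain_phases", []):
            if phase.get("kill_chain_name") == "mitre-attack":
                matrix[phase["phase_name"]].append((attack_id(obj), obj["name"]))
    return {tactic: sorted(techs) for tactic, techs in matrix.items()}

def coverage(matrix, detected_ids):
    """Fraction of each tactic's techniques that have at least one detection."""
    return {t: sum(tid in detected_ids for tid, _ in techs) / len(techs) for t, techs in matrix.items()}
```

Feeding the real enterprise-attack STIX bundle into build_matrix gives the full matrix; the coverage figures are then a quick per-column view of where detections are thin.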

Cyber Threat Intelligence

Another important part of ATT&CK is its Cyber Threat Intelligence (CTI). ATT&CK documents behavioral profiles of adversary groups, based on publicly available reporting. This can be used to find out which groups use which techniques and which forms of defense are most effective against them. It is precisely by documenting incidents and attack groups and by concentrating on the techniques themselves that ATT&CK can create this overview.

MITRE ATT&CK is available free of charge to any person or organization. It is used today by government organizations and by the financial, healthcare, retail and technology industries, among others. With this framework you can stop an attack at an early stage. It also aligns well with NIST's Cybersecurity Framework. Both frameworks emphasize the importance of an active red team, because every organization with a red team has an alert blue team. A blue team without a red team is basically in the dark.

Updated on 07 Aug, 2023
Tagged Cymulate