Pocket Guide to the MITRE ATT&CK Framework
The Mitre ATT&CK framework classifies attacker actions during the lifecycle of a cyberattack.
It helps organizations answer a crucial question: how well can we defend against attacker tactics, techniques, and procedures during various phases of an attack?
This kind of framework is powerful; however, it is also lengthy. And like cyberattacks, it can be complex. That’s why we created this mini-guide to the Mitre ATT&CK Framework. We’ll keep it simple and hit the highlights.
What does ATT&CK stand for?
ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK). This video explains more about the framework:
How was the MITRE ATT&CK framework created?
The framework originated as part of a cybersecurity research project. The organization explains what kind.
“MITRE started ATT&CK in 2013 to document common tactics, techniques, and procedures (TTPs) that advanced persistent threats use against Windows enterprise networks.”
The framework now maps to a large number of technologies. It includes enterprise IT systems covering Windows, macOS, Linux, Network infrastructure devices (Network), and Container technologies (Containers).
It also covers cloud systems and Infrastructure-as-a-Service (IaaS), Software-as-a-Service (SaaS), Office 365, Azure Active Directory (Azure AD), and Google Workspace. And in 2022, it will continue to build out its ATT&CK mapping to mobile devices.
MITRE Mobile Lead Jason Ajmo says expanding mobile threat mapping is crucial because of the record level of work on smartphones and tablets.
“The same detection and mitigation approaches used in enterprise PC environments often don’t work in the mobile environment, and alternate approaches have to be leveraged.”
Also, in 2022, MITRE will introduce something called “Campaigns.” It will update TTPs on specific and recent attack campaigns. Like the rest of the framework, it bases these updates on publically available threat intelligence.
What is the Enterprise ATT&CK Matrix?
MITRE created an ATT&CK matrix that lists phases of an attack, followed by possible techniques and sub techniques attackers use within each stage. The enterprise matrix documents 14 phases of the cyberattack lifecycle.
What are the 14 ATT&CK phases of a cyberattack?
Here are the 14 phases of an enterprise attack lifecycle. The links take you to more detailed information about the techniques in that particular attack stage. We will leave it at that. Remember, this is a pocket guide!
- Resource Development
- Initial Access
- Privilege Execution
- Defense Evasion
- Credential Access
- Lateral Movement
- Command and Control
How do you get started with ATT&CK?
Many organizations use the framework to help improve security operations, threat intelligence, and security architecture. So where do you start with something this significant?
For one thing, consider a Network Detection and Response (NDR) platform that integrates ATT&CK mapping into alerts.
For example, LiveAction ThreatEye combines behavioral analysis with streaming machine learning to detect advanced threats. It automatically creates risk scored and MITRE ATT&CK labeled alerts for your SOC. This increases clarity around a threat, helps teams prioritize response, and saves the most valuable resource in SecOps: time.
And here is a second idea for getting started.
MITRE created a helpful, getting started blog series that gives an overview of how to use ATT&CK at different levels of sophistication for four use cases. These use cases include Threat Intelligence, Detection and Analytics, Adversary Emulation, Red Teaming, and Assessments and Engineering.