MITRE ATT&CK Framework explained

March 27, 2020  |  Marcus Carey

What is the MITRE ATT&CK?

The MITRE ATT&CK framework is abuzz in the cybersecurity industry lately, and its utility has a lot of professionals excited. The ATT&CK framework predecessor was the Cyber Kill Chain developed by Lockheed-Martin in 2011.

ATT&CK incorporates what MITRE calls Tactics and Techniques to describe adversarial actions and behaviors. Techniques are specific actions an attacker might take, and tactics are phases of attacker behavior. At Threatcare, we’ve watch the steady adoption of the ATT&CK framework over the years. We’ve also seen innovative cybersecurity professionals use the framework in ways that have surprised the MITRE team.

ATT&CK incorporates the 11 Tactics listed below, and each Tactic has numerous Techniques.

MITRE ATT&CK Tactics:

  1. Initial Access
  2. Execution
  3. Persistence
  4. Privilege Escalation
  5. Defense Evasion
  6. Credential Access
  7. Discovery
  8. Lateral Movement
  9. Collection
  10. Exfiltration
  11. Command and Control

Top Five Use Cases

(in no particular order)

- Red Team

There have been several attempts to standardize Red Team tactics and techniques for years. The ATT&CK framework doesn’t address everything a red team should do but is a major step in the right direction. The framework has standardized the terminology used among Red Teamers, helping make Red Teams more effective, especially across large organizations. Red teams also have the ability to carry out real-world scenarios using ATT&CK as a guide, making both training and operations more effective.

- Blue Team

On the defense side of the house, the ATT&CK framework helps Blue Teams better understand what attackers are doing in a concise, comprehensive way. This allows them to better determine what mitigation to put in place on the network. And, as with Red Teams, ATT&CK can act as a standardized method for training.

- Vendor Bake-Offs

Until recently, there wasn’t a standardized way to evaluate security products. Now, with ATT&CK, organizations can test security products in a structured, methodical way.

Additionally, certain products are aligned to the ATT&CK Tactics, giving organizations visibility into potential overspending on products that have the same basic functionality. For instance, DLP should prevent Exfiltration Tactics, and Proxies should prevent Delivery Tactics. But do they successfully do this? And which vendor does it better?

- Breach and Attack Simulation (BAS)

If you’re not familiar with BAS, check out a primer on it here. Although BAS is a new category of cybersecurity tools, the ATT&CK framework has validated its need. Similarly to vendor bake-offs as mentioned above, MITRE ATT&CK can help your organization determine which BAS tool to implement.

At Threatcare, we’ve built ATT&CK Tactics and Techniques into our products and have been working closely with their team to ensure alignment.

- Remediation of Security Gaps

Given all of the above information, it should hopefully come as no surprise that your organization can build a solid understanding of how it can detect and defend its networks by comprehensively testing against the ATT&CK Tactics and Techniques. More insight into attacker behavior means better remediation of gaps and operational capabilities.

Conclusion

At the end of the day, cybersecurity is all about reducing risk. Some people are skeptical about ATT&CK, and I get it. It’s not intended to be a silver bullet, but it does provide some much-needed structure for cybersecurity professionals to more effectively do their jobs.

Share this with others

Tags: mitre

Get price Free trial