What is MITRE ATT&CK Framework?

Created by MITRE Cyber Security in 2013, the MITRE ATT&CK Framework is a detailed knowledge base that documents the tactics and techniques used by attackers based on evolving, real world observation. By providing an up-to-date compendium of attacker behavior, the MITRE ATT&CK Framework has become an invaluable tool for organizations seeking to bolster their cyber defenses.

MITRE ATT&CK Framework

Created by MITRE Cyber Security in 2013, the MITRE ATT&CK Framework is a detailed knowledge base that documents the tactics and techniques used by attackers based on evolving, real world observation. By providing an up-to-date compendium of attacker behavior, the MITRE ATT&CK Framework has become an invaluable tool for organizations seeking to bolster their cyber defenses.

To effectively protect a security environment, it’s critically important to develop intelligence that tracks the behavior of attackers. By documenting their tactics and techniques, defenders can make adjustments and greatly improve their odds of protecting key assets. When this process is undertaken collectively, the power of a maintaining a detailed attacker knowledge base becomes even more pronounced.

This is the principle behind the MITRE ATT&CK Framework, a curated compendium of attacker tactics and techniques (the acronym behind the framework stands for “Adversarial Tactics, Techniques and Common Knowledge”). The MITRE ATT&CK Framework allows security professionals to collectively catalogue attack intelligence, collaborate in a shared vocabulary and make informed decisions about where to allocate resources, how to counter threats and how to assess risk.

This framework can be best visualized as a living and evolving collection of knowledge that is based upon millions of observed attacks on enterprise environments. The framework uses a matrix structure that is similar to the periodic table; 11 tactics are listed in horizontal columns, while hundreds of techniques are laid out underneath those 11 column headers.

The tactics deal with the question of “how?” For example, “how are attackers escalating permissions or exfiltrating data?” The 11 tactics listed within the

MITRE ATT&CK Framework include:

• Initial Access
• Execution
• Persistence
• Privilege Escalation
• Defense Evasion
• Credential Access
• Discovery
• Lateral Movement
• Collection
• Exfiltration
• Impact

Under each tactic are a variety of techniques that have been observed in the wild. These techniques may include detailed descriptions of how they are leveraged and why defenders should pay close attention, though not all descriptions are especially prescriptive in nature. Techniques are based on examples, and linked articles within the framework often describe how the technique was leveraged. The techniques within the MITRE ATT&CK Framework also describe what defenders need to know in terms of mitigation and detection.

Why is the MITRE ATT&CK Framework So Valuable?

In addition to providing a comprehensive resource for tracking malicious techniques, the MITRE ATT&CK Framework also gives defenders a common working language to discuss the threat landscape. While there are other options for sharing threat intelligence, the framework offers one that is both standardized and globally accessible.

Because it’s virtually impossible to devote an equal amount of attention to every attack vector, the MITRE ATT&CK Framework can also be used to help prioritize detection efforts based on impact level or probability. The framework can also play a key role in risk assessment. MITRE ATTACK simulation is often relied on to define the scope or strategy of red team exercises or penetration testing, and help with post-test scoring.

The MITRE ATT&CK Framework can also be used to specifically track adversary techniques that are especially relevant for specific industries — a benefit that is particularly useful when deciding where to allocate resources and devote attention.

In addition to continually incorporating new information about attacker behavior, the MITRE ATT&CK Framework is also continuously being refined and upgraded to help security professionals access and use the knowledge base more efficiently and effectively.

In Conclusion

The MITRE Enterprise ATT&CK Framework is a critically important tool for organizations seeking to remain one step ahead of attackers. By providing a curated and comprehensive list of tactics and techniques, the MITRE ATT&CK model has given defenders a blueprint for identifying threats, assessing risk and taking steps to mitigate those threats.