Live Cyber Attack Lab 🎯 Watch our IR team detect & respond to a rogue insider trying to steal data! Choose a Session

X

MITRE ATT&CK Framework: Everything You Need to Know

Data Security, IT Pros

MITRE ATT&CK computer screen with cog symbols

MITRE developed ATT&CK as a model to document and track various techniques attackers use throughout the different stages of a cyberattack to infiltrate your network and exfiltrate data.

ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge. The framework is a matrix of different cyberattack techniques sorted by different tactics. There are different matrices for Windows, Linux, Mac, and mobile systems.

Since its inception in 2013, ATT&CK has become one of the most respected and most referenced resources in cybersecurity. ATT&CK is a knowledge base of hacking techniques you can use to defend your network from cybersecurity threats. To know ATT&CK is to understand your enemy.

Use the menu below to jump to the most relevant section:

 MITRE ATT&CK vs. Cyber Kill Chain

MITRE ATT&CK vs. cyber kill chain list

In general terms, both systems follow the same pattern – get in, don’t get caught, steal stuff. The primary difference between the two is that the ATT&CK matrix is more a list of techniques by tactics, and doesn’t propose a specific order of operations.

The Cyber Kill Chain, is a well-defined sequence of events: The Red Team (the pentesting term for attackers) move from reconnaissance to intrusion and so on in that order. Conversely, the Red Team uses ATT&CK techniques from different tactics at different times of the scenario depending on the situation. An ATT&CK scenario could start with a Hardware Addition from the Initial Access tactic, then jump to Bypass User Account Control from the Privilege Escalation tactic and go back to the Execution tactic to run PowerShell.

ATT&CK defines the following tactics used in a cyberattack:

  1. Initial Access
  2. Execution
  3. Persistence
  4. Privilege Escalation
  5. Defense Evasion
  6. Credential Access
  7. Discovery
  8. Lateral Movement
  9. Collection
  10. Exfiltration
  11. Command and Control

The Cyber Kill Chain is a tad shorter:

  1. Reconnaissance
  2. Intrusion
  3. Exploitation
  4. Privilege Escalation
  5. Lateral Movement
  6. Obfuscation/ Anti-forensics
  7. Denial of Service
  8. Exfiltration

MITRE ATT&CK Matrices

ATT&CK is a matrix of hacking techniques by tactics. If you want to learn how the Red Team stays hidden during an infiltration, look at the Defense Evasion category, and pick one of the techniques in that column and click the link for more information.

There are several different matrices:

  • PRE-ATT&CK Matrix includes techniques used for reconnaissance, target identification, and attack planning.
  • Windows includes techniques used to hack all flavors of Windows.
  • Linux includes techniques used to hack all flavors of Linux.
  • MacOS includes techniques used to hack MacOS.
  • Mobile ATT&CK matrix includes techniques used to attack mobile devices.

The Enterprise ATT&CK matrix is a superset of the Windows, MacOS, and Linux matrices. At the time of this writing, there are 245 techniques in the Enterprise model. MITRE regularly updates ATT&CK with the latest and greatest hacking techniques that hackers and security researchers discover in the wild.

Tactics and Techniques for MITRE ATT&CK

MITRE ATT&CK tactics and techniques

MITRE calls the top level category ‘tactics.’ Each column under a tactic includes a list of ‘techniques’ that aim to achieve that tactic.

To best utilize ATT&CK, the Red Team develops a strategy to link together several techniques from different columns to test the defenses of their target. The Blue Team (the pentesting term for defenders)  needs to understand the tactics and techniques in order to counter the Red Team’s strategy.

It’s a game of chess, but the pieces are ATT&CK techniques instead of knights and bishops. Each side needs to make specific moves, counter, build a defense, and anticipate the next techniques in play.

For example, a Red Team strategy might look something like the numbered list shown below.

Clicking any of the links to the techniques below takes you to a page with a short explanation of the technique, a list of example programs, along with mitigation and detection tips:

  1. The Red Team infects the target with malware using Replication Through Removable Media
  2. With the malware in place, the attackers have access to a computer on the network, and they use PowerShell to search for privileged accounts.
  3. When the Red Team finds a privileged account target, they will use an Exploitation for Privilege Escalation to gain access to the account
  4. With access to a privileged account, the attacker uses the Remote Desktop Protocol to access other machines on the network to find data to steal.
  5. The Red Team collects and exfiltrates data back to home base. They could use data compression to collect the sensitive files and then pass the data back home using an Exfiltration Over Alternative Protocol technique.

To deal with our example scenario, the Blue Team needs to be able to detect file access to a removable media device or detect the malware the attacker deploys. They will need to detect the PowerShell execution and know that it’s not just an administrator doing regular work. The Blue Team also needs to detect the stolen privileged account’s access to sensitive data and exfiltration. These techniques are difficult to catch and correlate in the majority of monitoring systems.

The Red Team usually comes out on top, just like real hackers.

MITRE ATT&CK Uses

MITRE ATT&CK uses

We already discussed how the Red Team uses ATT&CK techniques to plan a scenario to test network defenses, but how else can you use ATT&CK?

  • Use ATT&CK to plan your cyber security strategy. Build your defense to counter the known techniques and equip your monitoring to detect evidence of ATT&CK techniques in your network.
  • ATT&CK is a reference for Incident Response (IR) teams. Your IR team can use ATT&CK to determine the nature of the threats you are encountering and methods to mitigate the threat.
  • Your IR team can use ATT&CK as a reference for new cybersecurity threats, and plan ahead.
  • ATT&CK can help you assess your overall cybersecurity strategy and close any gaps that you discover.

Benefits of ATT&CK for Red Teams

Another excellent resource for the Red Team in the ATT&CK repository is the Group Directory. The group directory is a listing of known hacker groups along with a listing of the tools and techniques they used to infiltrate their targets.

For example, the entry for the group Rancor lists techniques they used in their attack: Command-Line Interface, Remote File Copy, Scheduled Task, etc. Beside each technique, there is a short description of how Rancor used that technique. There is also a list of software they used – certutil, DDKONG, PLAINTEE, and Reg.

With the Groups Directory, Red Teams have everything they need to create dozens of different real-world scenarios for Blue Teams to counter.

MITRE ATT&CK Best Practices

MITRE ATT&CK best practices

Here are some points to consider as you use ATT&CK as part of your overall data security plans:

  • Use the real world software and scenarios from the Groups list. If you can’t protect against the known threats, there is no way you can stop the unknown threats.
  • Socialize and share ATT&CK techniques as a common language for your security teams.
  • Identify gaps in your defenses with the ATT&CK matrices and implement solutions for those gaps.
  • Never assume that since you can defend against a technique in one way, you won’t get dinged by a different implementation of that technique. Just because your Anti-Virus catches “Mimikatz,” don’t assume it will also catch “tnykttns” – or whatever variant of Mimikatz comes out next.

Challenges When Using ATT&CK

  • Not every behavior that matches an ATT&CK technique is malicious. File Deletion, for instance, is a listed technique under Defense Evasion – which makes total sense. But how are you going to discern normal file deletes from an attacker’s attempts to evade detection?
  • Similarly, some ATT&CK techniques are difficult to detect even on a good day. Brute Force attacks are fairly easy to detect if you know what to look for. Exfiltration over Alternative Protocol, like a DNS tunnel, can be quite difficult to detect even if you are looking for it. The ability to discover difficult to find techniques is key to your long-term data security strategy.

MITRE ATT&CK Today

ATT&CK is one of the most complete and definitive resources of hacker techniques available today. Security professionals increasingly talk about cyberattack techniques in ATT&CK terms, and they are building defenses and choosing software based on the MITRE ATT&CK models.

Updates to ATT&CK

MITRE makes regular updates to ATT&CK: keep up with their blog for all the latest news.

Most recently, MITRE has released a software certification process. Software companies can become certified by MITRE based on their ability to detect ATT&CK techniques.

ATT&CK Projects and Resources

MITRE and other third-party developers use ATT&CK to help the Red and Blue Teams implement their pentesting and defensive efforts:

  • Caldera is MITRE’s automated attach technique emulation tool
  • Cascade is MITRE’s Blue Team automation toolset
  • Attack Navigator is a web application you can use to make notes and track your ATT&CK status
  • Oilrig is Palo Alto’s Adversary Playbook built on the ATT&CK model.
  • MITRE’s Cyber Analytics Repository is a separate project from ATT&CK that tracks detailed information about how to detect techniques.

Varonis detects several ATT&CK techniques and cyberattacks in your network – including Pass the Hash, Pass the Ticket, and Brute Force.  Varonis threat models use the same language as ATT&CK so you can easily reference both resources when you need to research cyberattacks.

Want to see ATT&CK techniques in action – and learn how to stop them?

Check out the Live Cyberattack Lab where our IR team runs ATT&CK techniques and see how Varonis detects those techniques in real time.

Jeff Petters

Jeff Petters

Jeff has been working on computers since his Dad brought home an IBM PC 8086 with dual disk drives. Researching and writing about data security is his dream job.

 

Does your cybersecurity start at the heart?

Get a highly customized data risk assessment run by engineers who are obsessed with data security.