What is a MITRE ATT&CK?

MITRE ATT&CK^® explained

With an aggressive-sounding name that brings to mind cyberattacks or ransomware, the MITRE ATT&CK^® is actually similar to a “shield” against cyberattacks. Created by The MITRE Corporation, a private, not-for-profit company that provides engineering and technical guidance for the United States Air Force, “MITRE ATT&CK^® is a [free] globally-accessible knowledge base of adversary tactics and techniques based on real-world observations”.¹

The ATT&CK acronym stands for “Adversarial Tactics, Techniques and Common Knowledge, which is the basis for the framework and accompanying ATT&CK knowledge base”.² A resource that helps enterprises to strengthen their cybersecurity strategies, ATT&CK is often leveraged for the “development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community”.¹

The MITRE ATT&CK^® framework is leveraged “across multiple fields and disciplines, including intrusion detection, threat hunting, red teaming, security engineering, threat intelligence and risk management”.²

• Intrusion detection - A system that monitors network traffic for anything suspicious and sends out alerts when any suspicious activity is detected.
• Threat hunting - The process that cybersecurity experts leverage when looking for signs of potential breaches or existing breaches instead of responding to alerts indicating that a breach has already occured.
• Red teaming - A practice used to evaluate the strength and effectiveness of security strategies that applies an adversarial approach to rigorously assessing plans, policies, systems, and assumptions.
• Security engineering - The process of incorporating security controls into an information system, making the security control an essentail part of that system's operational capabilities.
• Threat intelligence - Data that is collected, processed, and analyzed to understand a threat actor's motives, targets, and attack behaviors
• Risk management - The process of leveraging risk management methods to manage IT threats.

The framework and knowledge base continue to grow as organizations leverage it and then add their own knowledge of cyberthreats to the knowledge base. Contributions like these helpshelp to inform the framework and to foster a stronger overall cybersecurity community online.  MITRE notes that “with the creation of ATT&CK, [MITRE] is fulfilling its mission to solve problems for a safer world — by bringing communities together to develop more effective cybersecurity”.¹  

History of the MITRE ATT&CK^®

Cybersecurity is one of MITRE’s focus areas, and the company has stated that cybersecurity research is in the public interest. MITRE has a 50-plus-year history of creating cybersecurity tools, standards, and similar content to benefit the expanded information technology and cybersecurity communities.

In 2013, MITRE launched ATT&CK “to gather this data for a research project on detecting threats in enterprise networks post-compromise, such as after adversaries had broken in, and to document common tactics, techniques and procedures that advanced persistent threats used against Windows enterprise networks”.²

“The [initial ATT&CK] framework has its roots in work MITRE was carrying out for a sponsor organization. The company had asked MITRE to help improve its ability to detect adversaries within its IT environment [that] would require understanding of how adversaries behave once they breach the enterprise perimeter”.³

Creating a testing environment that was named the Fort Meade eXperiment (FMX), MITRE leveraged the company’s network environment to perform “adversary emulation tests that mimicked the behaviors cybercriminals had undertaken in historic attacks”.³

“MITRE ran red team operations on this network, meaning it had designated teams to act as attackers using known techniques to penetrate the network. A blue team then attempted to detect and mitigate these simulated attacks.  By simulating the complete cybersecurity landscape from perspective of both the attacker's and the defender's perspective, MITRE formulated the following key insights that it uses as the basis of its ATT&CK framework:

• Focusing on adversarial behavior enables MITRE to develop behavioral analytics and better techniques for defense.
• Many existing cybersecurity lifecycle models were too abstract and unable to efficiently detect new threats.
• To work, threat behaviors and tactics must be based on real past observations of adversarial behavior.
• Terminology for describing tactics must be consistent across different adversarial groups to enable businesses to compare and contrast them”.²

On Halloween (October 31) 2023, MITRE ATT&CK v14 launched as “a release so hauntingly powerful that it [would] send a chill down the spine of even the most formidable adversaries”³ with “detection enhancements, ICS assets, and mobile structured detections”.⁴

In addition to ATT&CK, MITRE also offers of frameworks including Engage™, D3FEND™, and CALDERA™ and many other cybersecurity tools. These frameworks and tools all support MITRE’s cybersecurity focus and efforts to help increase global cyber defense by providing vital information to thwart network intruders, build resiliency against future attacks, and develop assurance to overcome possible vulnerabilities.

Benefits of the MITRE ATT&CK^®

The MITRE ATTACK® framework helps enable threat-informed cyber defense for anyone who leverages it as a resource. It is freely available, so anyone from the cybersecurity product and service community to governments and to the private sector can use it to develop specific threat models and methodologies.

Yasar and Lutkevich offer cite several broad benefits that of the MITRE ATTACK® framework offers:

• Offers a concrete account of adversarial behaviors.
• Provides an account of threat indicators as well as threat groups. Businesses can use MITRE to detect behaviors, make educated guesses about who is performing them and track behaviors across different attacker groups. Its attack page features group-based info.
• Includes sector-specific threat information that's widely used and trusted across many industries.
• Provides a communal approach to threat reporting that ensures info is up to date and checked by the public as well as MITRE.
• Improves an organization's security posture as it aligns its security strategies with the tactics and techniques outlined in the framework.

Using the framework, a business can do the following:

• Associate attack behavior to different groups.
• Pen test its network.
  • Also known as a penetration test or ethical hacking, a pen test is an authorized simulated cyber attack on a computer system used to test the security of the system. This is different from a vulnerability assessment.
• Find vulnerabilities in its network and map ATT&CK methodologies to threats.
• Discover network misconfigurations.
• Share its cybersecurity knowledge with the broader community.
• Standardize disparate security tools and techniques to create a more cohesive security strategy.²

Resources

1. MITRE ATT&CK^®, The MITRE Corporation, 2023.
2. Mitre ATT&CK framework, Kinza Yasar and Ben Lutkevich, TechTarget, December 2023.
3. MITRE ATT&CK at Seven: The Seven Biggest Milestones, AttackIQ, 31 May 2022.
4. ATT&CK v14 Unleashes Detection Enhancements, ICS Assets, and Mobile Structured Detections, Amy L. Robertson, Medium, 31 October 2023.