
What Is The MITRE Framework, and Why Does It Matter?


By: Cybrary Staff

February 2, 2022

The MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework is a curated knowledge base for cybersecurity professionals.

Summary: As businesses take a more offensive stance against cyberattacks, there is a growing emphasis on documenting and emulating adversarial behavior. As a curated knowledge base and model for cyber behavior, the MITRE ATT&CK framework is being widely adopted to enhance intrusion detection and prevention, threat hunting, security engineering, and more.

Recent years have seen a major shift from primarily reactive and defensive security measures to more proactive and offensive ones. This trend is born of the understanding that one needs to think like an attacker to catch an attacker. The increasingly widespread adoption of the industry-leading MITRE ATT&CK framework is a testament to that development.

ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge. It is a curated knowledge base and model used by red teamers, threat hunters, and other security experts to better understand how adversaries work by illustrating the actions they are likely to have taken to compromise a system. The framework can also assist with auditing by helping security experts gauge the resilience of their environments against current attack vectors.

Understanding the MITRE ATT&CK matrix

The MITRE ATT&CK matrix is a comprehensive set of techniques adversaries use when pursuing a specific objective. The framework categorizes those objectives as tactics. The tactics and techniques are presented in a format similar to the periodic table of elements: each column is one tactic, and the columns run through the phases of the attack chain from reconnaissance to impact. Each column then lists the techniques adversaries use to achieve that tactic, along with sub-techniques where available.

Here is an overview of the 14 tactics:

  • Reconnaissance: The adversaries gather information to help them plan for future attacks, such as information about the target individual or organization.

  • Resource development: Deploying the resources necessary to support operations, such as data mining and other listening tools.

  • Initial access: Trying to access the network using targeted social engineering attacks or exploiting known vulnerabilities.

  • Execution: Trying to run malicious code on a local or remote system, such as using a remote access tool to run a PowerShell script.

  • Persistence: Trying to maintain access to the target system across restarts and credential changes, such as by altering system configurations in the case of advanced persistent threats (APTs).

  • Privilege escalation: Trying to gain higher-level permissions by exploiting any vulnerabilities in elevation control mechanisms.

  • Defense evasion: Trying to avoid detection during the attack, such as disabling or uninstalling security and monitoring software.

  • Credential access: Attempting to steal user account credentials using activities such as brute-force attacks or keyloggers.

  • Discovery: Learning more about the target’s environment by exploring the internal network, for example by enumerating user accounts and cloud storage objects.

  • Lateral movement: Trying to move laterally through the target’s environment by exploiting remote services or leveraging internal spear phishing.

  • Collection: Trying to gather data to pursue their goals, such as by hijacking browser sessions or obtaining system logs or memory dumps.

  • Command and control: Pursuing communication with compromised systems to control them through connection proxies and data obfuscation.

  • Exfiltration: Trying to steal data from the target via physical or wireless media or by exfiltrating data from cloud storage objects.

  • Impact: Trying to destroy systems and data to compromise the operational integrity of the business, such as by installing ransomware.

What are the business benefits of implementing the framework?

The MITRE ATT&CK framework helps organizations in several ways by providing three different matrices from which they can pick. The primary matrix is intended for use in typical business operational environments. It covers pre-exploit adversarial behavior, namely reconnaissance and resource development, as well as the later stages of an intrusion. Other matrices include tactics and techniques specific to mobile device compromise, with separate ones for Android and iOS devices. Finally, there is a matrix specialized for deployment across industrial control systems.

The benefits of implementing the appropriate framework for a given use case include the ability to emulate adversarial behavior and, in doing so, enhance the development of threat hunting capabilities and auditing. The framework also plays an important role in red teaming by providing a baseline for adversarial behavior. Another common use case for the framework is using it as a basis for evaluating an organization’s current defensive capabilities and levels of preparedness against APTs and other threats. It is instrumental in carrying out security operations center (SOC) assessments.
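The tactic list above describes the shape of the matrix (tactics in attack-chain order, techniques and sub-techniques hanging off them), and this section describes using it to evaluate defensive coverage. The following added example, which is not Cybrary's or MITRE's code, models a small slice of the Enterprise matrix in Python and scores a set of detection rules against it. The tactic and technique IDs are taken from the public ATT&CK knowledge base (check them against the current release); the detection rules and the fired-alert sequence are constructed sample data.

```python
"""Added example (not Cybrary's or MITRE's code): model a small slice of the
ATT&CK Enterprise matrix and score detection coverage per tactic.
Technique/tactic IDs come from the public ATT&CK knowledge base; the
detection rules are constructed sample data."""
from collections import OrderedDict

# The 14 tactics in attack-chain order, keyed by ATT&CK tactic ID.
TACTICS = OrderedDict([
    ("TA0043", "Reconnaissance"), ("TA0042", "Resource Development"),
    ("TA0001", "Initial Access"), ("TA0002", "Execution"),
    ("TA0003", "Persistence"), ("TA0004", "Privilege Escalation"),
    ("TA0005", "Defense Evasion"), ("TA0006", "Credential Access"),
    ("TA0007", "Discovery"), ("TA0008", "Lateral Movement"),
    ("TA0009", "Collection"), ("TA0011", "Command and Control"),
    ("TA0010", "Exfiltration"), ("TA0040", "Impact"),
])

# A slice of techniques: ID -> (name, tactic IDs it appears under).
# One technique can sit under several tactics (e.g. T1078 Valid Accounts).
TECHNIQUES = {
    "T1595": ("Active Scanning", {"TA0043"}),
    "T1583": ("Acquire Infrastructure", {"TA0042"}),
    "T1566": ("Phishing", {"TA0001"}),
    "T1078": ("Valid Accounts", {"TA0001", "TA0003", "TA0004", "TA0005"}),
    "T1059.001": ("PowerShell", {"TA0002"}),
    "T1562.001": ("Disable or Modify Tools", {"TA0005"}),
    "T1110": ("Brute Force", {"TA0006"}),
    "T1056.001": ("Keylogging", {"TA0006", "TA0009"}),
    "T1087": ("Account Discovery", {"TA0007"}),
    "T1021": ("Remote Services", {"TA0008"}),
    "T1534": ("Internal Spearphishing", {"TA0008"}),
    "T1185": ("Browser Session Hijacking", {"TA0009"}),
    "T1090": ("Proxy", {"TA0011"}),
    "T1567": ("Exfiltration Over Web Service", {"TA0010"}),
    "T1486": ("Data Encrypted for Impact", {"TA0040"}),
}

# Constructed detection rules: rule name -> technique IDs the rule is tagged with.
DETECTION_RULES = {
    "phishing-attachment-opened": {"T1566"},
    "encoded-powershell-cmdline": {"T1059.001"},
    "av-service-stopped": {"T1562.001"},
    "keyboard-hook-installed": {"T1056"},      # tagged at parent level
    "rdp-logon-from-workstation": {"T1021"},
    "mass-file-rename-ransom-ext": {"T1486"},
}


def parent_technique(tid):
    """'T1059.001' -> 'T1059'; a parent ID is returned unchanged."""
    return tid.split(".")[0]


def tactics_for_technique(tid):
    """Tactic names for a technique, in attack-chain order. A parent ID that
    is not modelled directly inherits the tactics of its sub-techniques."""
    if tid in TECHNIQUES:
        ids = TECHNIQUES[tid][1]
    else:
        ids = set().union(*(tas for t, (_, tas) in TECHNIQUES.items()
                            if parent_technique(t) == tid))
    return [name for ta, name in TACTICS.items() if ta in ids]


def covered_techniques(rules):
    """Technique IDs that at least one rule covers. A rule tagged with a
    parent technique counts as covering each of its sub-techniques."""
    tags = set().union(*rules.values())
    return {t for t in TECHNIQUES if t in tags or parent_technique(t) in tags}


def coverage_by_tactic(rules):
    """{tactic name: (covered techniques, techniques modelled)}."""
    covered = covered_techniques(rules)
    report = {}
    for ta, name in TACTICS.items():
        in_tactic = [t for t, (_, tas) in TECHNIQUES.items() if ta in tas]
        report[name] = (sum(t in covered for t in in_tactic), len(in_tactic))
    return report


def coverage_gaps(rules):
    """Tactics with modelled techniques but no rule covering any of them."""
    return [name for name, (hit, total) in coverage_by_tactic(rules).items()
            if total and not hit]


def attack_chain(fired_rules, rules=DETECTION_RULES):
    """Order the tactics touched by a set of fired alerts along the chain."""
    touched = set()
    for name in fired_rules:
        for tid in rules[name]:
            touched.update(tactics_for_technique(tid))
    return [name for name in TACTICS.values() if name in touched]


if __name__ == "__main__":
    for tactic, (hit, total) in coverage_by_tactic(DETECTION_RULES).items():
        print(f"{tactic:<22} {hit}/{total}")
    print("gaps:", coverage_gaps(DETECTION_RULES))
    print("chain:", attack_chain(["phishing-attachment-opened",
                                  "encoded-powershell-cmdline",
                                  "av-service-stopped",
                                  "rdp-logon-from-workstation",
                                  "mass-file-rename-ransom-ext"]))
```

Two design points matter in practice. First, a technique such as T1078 Valid Accounts appears under several tactics, so a single rule can raise coverage in more than one column; counting per tactic rather than per rule is what exposes the columns (here Persistence, Discovery, Command and Control, Exfiltration and the two pre-exploit tactics) where nothing would fire. Second, `attack_chain` reorders fired alerts along the matrix rather than by timestamp, which is the "actions they are likely to have taken" view the framework is meant to give an analyst during an investigation. A real assessment would load the full matrix from MITRE's published STIX data instead of this hand-written slice.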

The importance of aligning training with a standardized framework

While the MITRE ATT&CK framework is not the only one of its kind, it has become well-established as an industry leader in the areas of proactive and defensive cybersecurity. Security leaders should consider aligning their training and skills development programs with the framework. After all, the MITRE Corporation, which maintains the framework, is a prominent supporting organization of US government agencies involved in aviation, defense, healthcare, and homeland security. As such, it adheres to the highest standards to counter some of the most pervasive cyber threats of modern times.

*Cybrary for Teams is an all-in-one workforce development platform that helps organizations develop stronger cybersecurity skills, prepare for new certifications, and track team progress.*
