MITRE ATT&CK Framework
MITRE ATT&CK is a globally recognized framework that catalogs the tactics, techniques, and procedures (TTPs) of cyber adversaries based on real-world observations.
What Is MITRE ATT&CK
A knowledge base developed by the MITRE Corporation that documents adversary behaviors across 14 tactics and 193+ techniques, based on thousands of real incidents. It is constantly updated with newly observed TTPs.
The 14 ATT&CK Tactics
- Reconnaissance: Gathering information about the target
- Resource Development: Acquiring infrastructure and tools
- Initial Access: Entry point into the victim's network
- Execution: Running malicious code
- Persistence: Maintaining persistent access
- Privilege Escalation: Obtaining elevated permissions
- Defense Evasion: Avoiding detection and analysis
- Credential Access: Stealing credentials
- Discovery: Exploring the compromised environment
- Lateral Movement: Moving between systems
- Collection: Gathering data of interest
- Command and Control: Communicating with C2 infrastructure
- Exfiltration: Stealing data from the network
- Impact: Manipulating, disrupting, or destroying systems
ATT&CK Matrices
- Enterprise: Windows, Linux, macOS, Cloud, and Network environments
- Mobile: Android and iOS
- ICS: Industrial Control Systems and SCADA
Practical Applications
1. Detection Mapping
Map SIEM rules, IDS signatures, and EDR detections against ATT&CK techniques to identify coverage gaps. Tools like CALDERA and DeTT&CT help with visualization.
2. Threat Hunting
Use specific techniques as the basis for hunting hypotheses. Example: hunt for T1055 (Process Injection) through analysis of suspicious handles and memory allocations.
3. Red Team Emulation
Simulate the TTPs of specific APT groups (e.g., APT29) to validate defensive controls. Atomic Red Team provides a library of automated tests by technique.
4. Incident Analysis
Documenting adversary behavior using ATT&CK IDs facilitates intelligence sharing and correlation with known campaigns.
Ecosystem Tools
- ATT&CK Navigator: Interactive matrix visualization, coverage heatmaps
- CALDERA: Automated adversary emulation platform
- Atomic Red Team: Library of ATT&CK technique tests
- DeTT&CT: Mapping and scoring of data sources and detections
- ATT&CK Powered Suit: Chrome extension for quick analysis
- MITRE Cyber Analytics Repository: Pseudocode for detections
APT Groups and Campaigns
ATT&CK documents 140+ adversary groups along with their characteristic TTPs. Examples:
- APT29 (Cozy Bear): Spear phishing, WMI, PowerShell, Living off the Land
- APT28 (Fancy Bear): Zero-days, credential dumping, C2 via HTTP
- Lazarus Group: Custom malware, destructive attacks, cryptocurrency theft
Control Mapping
Each ATT&CK technique has documented mitigations. Example for T1003 (Credential Dumping):
- M1027: Password Policies (MFA, long passwords)
- M1028: Operating System Configuration (LSA Protection)
- M1043: Credential Access Protection (Credential Guard)
- M1026: Privileged Account Management (limit domain admins)
Data Sources
ATT&CK specifies the data sources required to detect each technique:
- Process monitoring
- File monitoring
- Network traffic
- Authentication logs
- Windows Event Logs
- PowerShell logs
SIEM Integration
Modern SIEMs (Splunk, Sentinel, Chronicle) offer pre-built dashboards with ATT&CK mapping. They let you visualize detection coverage and prioritize use case development based on the most critical techniques or those with gaps.
Limitations
- Descriptive framework, not prescriptive - it does not tell you what to do
- Focus on post-exploitation, less coverage of network attacks
- Variable granularity between techniques
- Does not cover every variant of each technique
Final Recommendations
MITRE ATT&CK should be integrated into every aspect of a security program: threat intelligence, detection engineering, hunting, red teaming, and incident response. Start by mapping current detections, identify critical gaps, and prioritize developing coverage for the techniques most prevalent in your industry.
