MITRE ATT&CK Framework

MITRE ATT&CK is a globally recognized framework that catalogs the tactics, techniques, and procedures (TTPs) of cyber adversaries based on real-world observations.

What Is MITRE ATT&CK

A knowledge base developed by the MITRE Corporation that documents adversary behaviors across 14 tactics and 193+ techniques, based on thousands of real incidents. It is constantly updated with newly observed TTPs.

The 14 ATT&CK Tactics

  1. Reconnaissance: Gathering information about the target
  2. Resource Development: Acquiring infrastructure and tools
  3. Initial Access: Entry point into the victim's network
  4. Execution: Running malicious code
  5. Persistence: Maintaining persistent access
  6. Privilege Escalation: Obtaining elevated permissions
  7. Defense Evasion: Avoiding detection and analysis
  8. Credential Access: Stealing credentials
  9. Discovery: Exploring the compromised environment
  10. Lateral Movement: Moving between systems
  11. Collection: Gathering data of interest
  12. Command and Control: Communicating with C2 infrastructure
  13. Exfiltration: Stealing data from the network
  14. Impact: Manipulating, disrupting, or destroying systems

ATT&CK Matrices

  • Enterprise: Windows, Linux, macOS, Cloud, and Network environments
  • Mobile: Android and iOS
  • ICS: Industrial Control Systems and SCADA

Practical Applications

1. Detection Mapping

Map SIEM rules, IDS signatures, and EDR detections against ATT&CK techniques to identify coverage gaps. Tools like CALDERA and DeTT&CT help with visualization.

2. Threat Hunting

Use specific techniques as the basis for hunting hypotheses. Example: hunt for T1055 (Process Injection) through analysis of suspicious handles and memory allocations.

3. Red Team Emulation

Simulate the TTPs of specific APT groups (e.g., APT29) to validate defensive controls. Atomic Red Team provides a library of automated tests by technique.

4. Incident Analysis

Documenting adversary behavior using ATT&CK IDs facilitates intelligence sharing and correlation with known campaigns.

Ecosystem Tools

  • ATT&CK Navigator: Interactive matrix visualization, coverage heatmaps
  • CALDERA: Automated adversary emulation platform
  • Atomic Red Team: Library of ATT&CK technique tests
  • DeTT&CT: Mapping and scoring of data sources and detections
  • ATT&CK Powered Suit: Chrome extension for quick analysis
  • MITRE Cyber Analytics Repository: Pseudocode for detections

APT Groups and Campaigns

ATT&CK documents 140+ adversary groups along with their characteristic TTPs. Examples:

  • APT29 (Cozy Bear): Spear phishing, WMI, PowerShell, Living off the Land
  • APT28 (Fancy Bear): Zero-days, credential dumping, C2 via HTTP
  • Lazarus Group: Custom malware, destructive attacks, cryptocurrency theft

Control Mapping

Each ATT&CK technique has documented mitigations. Example for T1003 (Credential Dumping):

  • M1027: Password Policies (MFA, long passwords)
  • M1028: Operating System Configuration (LSA Protection)
  • M1043: Credential Access Protection (Credential Guard)
  • M1026: Privileged Account Management (limit domain admins)

Data Sources

ATT&CK specifies the data sources required to detect each technique:

  • Process monitoring
  • File monitoring
  • Network traffic
  • Authentication logs
  • Windows Event Logs
  • PowerShell logs

SIEM Integration

Modern SIEMs (Splunk, Sentinel, Chronicle) offer pre-built dashboards with ATT&CK mapping. They let you visualize detection coverage and prioritize use case development based on the most critical techniques or those with gaps.

Limitations

  • Descriptive framework, not prescriptive - it does not tell you what to do
  • Focus on post-exploitation, less coverage of network attacks
  • Variable granularity between techniques
  • Does not cover every variant of each technique

Final Recommendations

MITRE ATT&CK should be integrated into every aspect of a security program: threat intelligence, detection engineering, hunting, red teaming, and incident response. Start by mapping current detections, identify critical gaps, and prioritize developing coverage for the techniques most prevalent in your industry.