
MITRE ATT&CK® Framework
- [Narrator] It's been reported that once an organization
is breached, adversaries typically lurk on networks
for months before being detected.
How did they get in?
How are they moving around?
What are they doing?
So, where do you start?
MITRE's ATT&CK framework describes
how adversaries penetrate networks
and then move laterally, escalate privileges,
and generally evade your defenses.
ATT&CK looks at the problem from the perspective
of the adversary.
What goals they are trying to achieve,
and what specific methods they use.
ATT&CK organizes adversary behaviors
into a series of tactics, specific technical objectives
that an attacker wants to achieve.
Some examples of tactics include defensive evasion,
lateral movement, and exfiltration.
Within each tactic category,
ATT&CK defines a series of techniques.
Each technique describes one way an adversary
may try to achieve that objective.
There are multiple techniques within each tactic
because adversaries may use different methods based
on their own expertise or things like the availability
of tools, or how your systems are configured.
Each technique defined in ATT&CK
includes a description of the method used by the adversary,
the systems or platforms it applies to,
and where known,
what specific adversary groups
use this technique.
Techniques also describe ways to mitigate the behavior,
along with any published references
to the technique being employed.
ATT&CK helps you understand how adversaries might operate
so you can plan how to detect or stop that behavior.
Armed with this knowledge,
you can better understand the different ways
an adversary prepares for, launches,
and executes their attacks.
Another important use
of ATT&CK is to help you detect an adversary's actions.
The ATT&CK framework includes resources designed
to help you develop analytics
that detect the techniques used by an adversary.
ATT&CK also maintains a library
of information about selected adversary groups
and the campaigns they've conducted.
And since ATT&CK is based on real-world observations,
it allows you to correlate specific adversaries
and the techniques they've used.
Because adversaries often use different techniques
to attack different platforms and technologies,
the ATT&CK framework is divided into a series
of technology domains.
Domains currently covered by ATT&CK include
enterprise networks with Windows
and Linux operating systems and mobile devices.
The ATT&CK framework can help your organization
better understand the techniques specific adversaries
are likely to use.
Information you can use to evaluate your defenses
and strengthen them where it matters most.
MITRE is building a community around ATT&CK
so that experts in different domains
and technologies can come together to refine
and extend the knowledge contained in the framework.
And because MITRE is a not-for-profit organization operating
in the public interest,
we can provide a conflict-free environment
to create, collect, share, and manage this information,
making it available to everyone.
Learn more about ATT&CK and what else we're doing
in cyber threat intelligence.
MITRE. We solve problems for a safer world.
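The narration describes ATT&CK's data model (tactics, techniques, and the groups known to use each technique) and says that model lets you "evaluate your defenses and strengthen them where it matters most". The following Python is an added worked example, not code from the video or from MITRE: it builds a tiny in-memory version of that model and ranks undetected techniques by how many of the groups you care about use them. The technique IDs, names and tactic assignments are real ATT&CK entries; the group names (GROUP-A, GROUP-B, GROUP-C), their technique mappings, and the detection inventory are constructed sample data for this example, not ATT&CK's published intelligence.

```python
"""Prioritise ATT&CK detection gaps by which techniques the groups you care
about actually use.

The technique IDs, names and tactics below are real ATT&CK entries. The
group-to-technique mappings and the detection inventory are constructed
sample data for this example, not ATT&CK's published intelligence."""
from collections import Counter, defaultdict

# Real ATT&CK technique IDs, names and tactics. Valid Accounts sits under
# four tactics, which is why a technique carries a tuple of tactics.
TECHNIQUES = {
    "T1566": ("Phishing", ("Initial Access",)),
    "T1059": ("Command and Scripting Interpreter", ("Execution",)),
    "T1078": ("Valid Accounts", ("Defense Evasion", "Persistence",
                                 "Privilege Escalation", "Initial Access")),
    "T1027": ("Obfuscated Files or Information", ("Defense Evasion",)),
    "T1003": ("OS Credential Dumping", ("Credential Access",)),
    "T1021": ("Remote Services", ("Lateral Movement",)),
    "T1041": ("Exfiltration Over C2 Channel", ("Exfiltration",)),
}

# Constructed: which techniques each (fictional) group has been seen using.
GROUP_TECHNIQUES = {
    "GROUP-A": {"T1566", "T1059", "T1078", "T1021", "T1041"},
    "GROUP-B": {"T1566", "T1027", "T1003", "T1021", "T1041"},
    "GROUP-C": {"T1059", "T1027", "T1003"},
}

# Constructed: techniques your current analytics already detect.
DETECTIONS = {"T1566", "T1041"}


def technique_demand(groups, group_techniques=GROUP_TECHNIQUES):
    """Count how many of the given groups use each technique."""
    demand = Counter()
    for group in groups:
        for tid in group_techniques[group]:
            if tid not in TECHNIQUES:
                raise ValueError(f"{group} references unknown technique {tid}")
            demand[tid] += 1
    return demand


def coverage_gaps(groups, detections, group_techniques=GROUP_TECHNIQUES):
    """Undetected techniques used by the groups, most widely shared first.

    Returns a list of (technique_id, number_of_groups_using_it), sorted by
    group count descending and then by technique ID for a stable order."""
    demand = technique_demand(groups, group_techniques)
    gaps = [(tid, n) for tid, n in demand.items() if tid not in detections]
    return sorted(gaps, key=lambda gap: (-gap[1], gap[0]))


def gaps_by_tactic(groups, detections, group_techniques=GROUP_TECHNIQUES):
    """Same gaps, bucketed by tactic so a phase with no coverage stands out."""
    buckets = defaultdict(list)
    for tid, _ in coverage_gaps(groups, detections, group_techniques):
        for tactic in TECHNIQUES[tid][1]:
            buckets[tactic].append(tid)
    return {tactic: sorted(tids) for tactic, tids in buckets.items()}


if __name__ == "__main__":
    targeted = ["GROUP-A", "GROUP-B"]
    for tid, n in coverage_gaps(targeted, DETECTIONS):
        name = TECHNIQUES[tid][0]
        print(f"{tid} {name}: used by {n} of {len(targeted)} targeted groups, no detection")
    for tactic, tids in sorted(gaps_by_tactic(targeted, DETECTIONS).items()):
        print(f"{tactic}: {', '.join(tids)}")
```

Run as a script to see the ranked gap list for GROUP-A and GROUP-B; in the sample data T1021 Remote Services tops the list because both targeted groups use it and nothing detects it. In practice you would load the real technique and group data from MITRE's ATT&CK STIX bundle instead of the hand-written dictionaries, and feed `DETECTIONS` from your analytics inventory.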