The MITRE ATT&CK® Framework
MITRE ATT&CK® stands for MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK). The MITRE ATT&CK® framework is a knowledge base that documents cyber adversary tactics and techniques based on real-world observations. The framework aims to improve the ability to detect how an adversary compromised a system after the initial breach has occurred by illustrating the steps an adversary may have taken. The framework can help an organization determine how the adversary got in, how they moved around, and how they were able to exfiltrate data.
The framework is broken down into tactics, techniques, and sub-techniques, with the techniques and sub-techniques having mitigation measures, detection methods, and procedure examples.
The framework has 14 main tactics:
- Reconnaissance: gathering information to plan future operations
- Resource Development: establishing resources to support operations
- Initial Access: trying to gain access to the network
- Execution: trying to run malicious code
- Persistence: trying to maintain their foothold
- Privilege Escalation: trying to gain higher-level permissions
- Defense Evasion: trying to avoid being detected
- Credential Access: stealing account names and passwords
- Discovery: trying to figure out the environment
- Lateral Movement: moving through the environment
- Collection: gathering data of interest
- Command and Control: communicating with compromised systems to control them
- Exfiltration: stealing data
- Impact: manipulating, interrupting, or destroying systems and data
Each tactic has techniques and sub-techniques which can be seen in the screenshot of the framework below:
Organizations can use this framework not only for discovery, but also to identify security flaws that may be present. Each technique lists mitigation measures that can be taken to minimize the risk of the technique being used successfully, allowing an organization to implement security policies designed to prevent an adversary from performing certain actions.

For example, under the Privilege Escalation tactic, the Domain Policy Modification technique is listed. Its mitigations include Audit, Privileged Account Management, and User Account Management. The Audit mitigation states to identify and correct Group Policy Object (GPO) permission abuse opportunities. Doing this limits the permissions users have, so if an adversary were to gain access to an account, they would have less opportunity to take advantage of its privileges. If an organization does not currently audit user permissions, it can take the necessary steps to ensure an audit is done on a recurring basis, limiting both the privileges users hold and the privileges an adversary could obtain through them.
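As an added example of putting the Audit mitigation into practice (this script is not part of the original text or of MITRE ATT&CK), the PowerShell below lists every GPO trustee that holds edit rights on a GPO but is not in an expected baseline. It assumes the RSAT GroupPolicy module is installed, that the account running it can read GPO security descriptors, and that the baseline list of expected editors is adjusted to the environment.

```powershell
# Added example: recurring audit of GPO edit permissions.
# Assumes the RSAT GroupPolicy module and a domain-joined account that can read GPO ACLs.
Import-Module GroupPolicy

# Trustees expected to hold edit rights on a GPO (constructed baseline; adjust to your domain).
$ExpectedEditors = @(
    'Domain Admins',
    'Enterprise Admins',
    'SYSTEM'
)

# Permission levels that allow changing a GPO's settings or its security descriptor.
$EditLevels = @('GpoEdit', 'GpoEditDeleteModifySecurity', 'GpoCustom')

function Get-UnexpectedGpoEditors {
    param([string[]]$Expected = $ExpectedEditors)

    foreach ($gpo in Get-GPO -All) {
        # -All returns every ACE on the GPO, including inherited ones.
        $perms = Get-GPPermission -Guid $gpo.Id -All -ErrorAction Continue
        foreach ($p in $perms) {
            if ($EditLevels -notcontains $p.Permission.ToString()) { continue }

            # Unresolvable SIDs (e.g. deleted accounts) have no Name; report the SID instead.
            $trustee = if ($p.Trustee.Name) { $p.Trustee.Name } else { $p.Trustee.Sid.Value }
            if ($Expected -contains $trustee) { continue }

            [pscustomobject]@{
                GpoName     = $gpo.DisplayName
                GpoId       = $gpo.Id
                Trustee     = $trustee
                TrusteeType = $p.Trustee.SidType
                Permission  = $p.Permission
                Inherited   = $p.Inherited
            }
        }
    }
}

# Run the audit and keep a dated record so results can be compared between runs.
$findings = Get-UnexpectedGpoEditors
if ($findings) {
    $findings | Format-Table -AutoSize
    $findings | Export-Csv -Path ".\gpo-edit-audit-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
} else {
    Write-Host "No unexpected GPO edit permissions found."
}
```

Each finding is a principal that can modify a GPO but is outside the baseline; review it against the Privileged Account Management mitigation and remove or justify the right.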