The MITRE ATT&CK framework is a collection of hacker goals and techniques. The MITRE Corporation developed and maintains this database of knowledge.
The ATT&CK name is an acronym, which stands for "adversarial tactics, techniques, and common knowledge."
Let's explain what this database contains, and we'll outline how you can use this information to keep your company's resources safe and sound.
MITRE ATT&CK Framework Breakdown
What if you had a constantly updated list of all the things your enemies wanted to do to you? And what if that list also contained information about how they planned to harm you?
In 2013, officials at the MITRE Corporation decided to answer that question through the FMX research project. They collected data on attacks happening on enterprise networks, and they tested various defense mechanisms to see if they worked. In time, the database became so robust and valuable that the team decided to share their knowledge with the wider world. The MITRE ATT&CK matrix was born.
Information within the matrix is shared in table format. Links let you dig deeper into the research, and you can check back regularly to see how a threat changes with time.
The matrix is broken down into two crucial areas.
- Tactics: Why do adversaries take a specific step? What do they hope to achieve? MITRE officials call these motivation factors "tactics."
- Techniques: What do adversaries do to meet their goals? What specific steps do they take? MITRE officials call these plans "techniques."
Understanding the MITRE terminology takes time and a little practice. But it's worth the effort. As MITRE ATT&CK research grows in popularity, IT professionals tend to slip the words into conversations about the threats they face. The more you know about how the research progresses, the better you can join in these talks.
MITRE ATT&CK Tactics
Every tactic answers the question "Why?" Think of them as the motivations that drive attackers to do what they do.
The team at MITRE has identified 14 of them for people working within an enterprise environment. Each item below links to the specific MITRE page dedicated to that tactic, so you can dig into the research and see how each tactic changes with time.
Recognized enterprise tactics include:
- Resource development. Your adversary wants to ensure that attacks progress successfully. If the attacker has plenty of tools available, this hack and the next one could be even more effective.
- Reconnaissance. Your attacker wants to gather information about you, either passively or actively, so the attack is driven by data and more likely to succeed.
- Initial access. Your attacker wants to enter your environment successfully and gain a toehold that can be exploited as the attack deepens.
- Execution. Your attacker wants to take control by running code on a local or remote system.
- Persistence. The hacker wants to stay in place, even if you restart the system, change credentials, or otherwise try to secure your environment.
- Privilege escalation. Your hacker wants more than ordinary user rights on the network: higher privileges let them follow through on their objectives.
- Defense evasion. The hacker wants to stay hidden, even if you're searching for an intruder with security software.
- Credential access. The adversary wants to steal credentials, including usernames and passwords, that could be sold or used later.
- Discovery. Your intruder wants to know more about your system setup and your network, so the next step moves smoothly.
- Lateral movement. Your hacker wants to enter and control any remote systems you have on your network.
- Collection. Your intruder wants to gather yet more information about both you and your resources.
- Command and control. Your adversary wants to communicate with systems on your network and, ideally, control them too.
- Exfiltration. The hacker wants to steal data and push it out of your system.
- Impact. Your adversary wants to limit your availability or manipulate your processes.
If you're working in a mobile environment, the tactics are much the same. But two tactics appear on the mobile list that don't apply to enterprise situations. They are:
- Network effects. Your adversary wants to intercept or manipulate traffic heading to or leaving a device.
- Remote service effects. A hacker tries to either control or monitor a device with remote services.
Think of these tactics as a hacker wish list. Follow them in sequence, and you'll understand just what someone wants to do when they enter your environment and how each step follows on the last. You might start to understand why stopping an attack in the early stages is so crucial.
MITRE ATT&CK Techniques
What steps must your adversary take to achieve hacking goals? These actions are techniques.
In the MITRE ATT&CK matrix, techniques are grouped using the same methodology that governs tactics. That means two sets exist: one for enterprise environments and one for mobile environments.
Dig into this data, and you'll understand just what your attacker plans to do, along with the tools and technology required to get the job done.
3 Ways to Use the MITRE ATT&CK Matrix
Plenty of data awaits you, if you choose to dig into the MITRE website. And the information changes regularly, so you'll need to check back often to understand how hackers are altering their work.
Why should you bother with the hassle? You could use the data to:
- Evaluate. How well would your tools stand up to a prominent hacker approach? Are new things happening that you never planned for?
- Prioritize. Every security system could stand a touch of improvement. Where should you get started? Understanding the current landscape could help you spot the biggest vulnerabilities you must patch.
- Track. How is the security landscape changing? What are your known adversaries doing? You can watch this data within the database.
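The "evaluate" and "prioritize" steps above come down to one question: which tactics does your existing tooling leave undetected? The script below is an added example, not the article's or MITRE's own code. It uses a small hand-built subset of the Enterprise matrix (real technique IDs, but only 14 of them) and a constructed list of detection rules tagged with the technique each one catches, then ranks tactics by how little of them is covered.

```python
from collections import defaultdict

# Constructed subset of the Enterprise matrix: technique ID -> (name, tactics).
# A technique can serve several tactics, as Valid Accounts (T1078) does.
TECHNIQUES = {
    "T1595": ("Active Scanning", ["Reconnaissance"]),
    "T1583": ("Acquire Infrastructure", ["Resource Development"]),
    "T1566": ("Phishing", ["Initial Access"]),
    "T1078": ("Valid Accounts", ["Initial Access", "Persistence", "Privilege Escalation", "Defense Evasion"]),
    "T1059": ("Command and Scripting Interpreter", ["Execution"]),
    "T1547": ("Boot or Logon Autostart Execution", ["Persistence", "Privilege Escalation"]),
    "T1027": ("Obfuscated Files or Information", ["Defense Evasion"]),
    "T1003": ("OS Credential Dumping", ["Credential Access"]),
    "T1082": ("System Information Discovery", ["Discovery"]),
    "T1021": ("Remote Services", ["Lateral Movement"]),
    "T1005": ("Data from Local System", ["Collection"]),
    "T1071": ("Application Layer Protocol", ["Command and Control"]),
    "T1041": ("Exfiltration Over C2 Channel", ["Exfiltration"]),
    "T1486": ("Data Encrypted for Impact", ["Impact"]),
}

# Constructed sample of deployed detection rules, each tagged with the technique
# it is meant to catch; one rule may map to more than one technique.
DETECTIONS = [
    {"rule": "EDR: lsass memory read", "technique": "T1003"},
    {"rule": "SIEM: encoded PowerShell", "technique": "T1059"},
    {"rule": "SIEM: encoded PowerShell", "technique": "T1027"},
    {"rule": "Mail gateway: phishing verdict", "technique": "T1566"},
    {"rule": "EDR: autorun registry key created", "technique": "T1547"},
]

def coverage_by_tactic(techniques=TECHNIQUES, detections=DETECTIONS):
    """Return {tactic: (covered technique IDs, uncovered technique IDs)}."""
    covered = {d["technique"] for d in detections}
    unknown = covered - techniques.keys()  # a typo in a tag must not pass silently
    if unknown:
        raise ValueError(f"detections tagged with unknown techniques: {sorted(unknown)}")
    table = defaultdict(lambda: (set(), set()))
    for tid, (_, tactics) in techniques.items():
        for tactic in tactics:
            table[tactic][0 if tid in covered else 1].add(tid)
    return dict(table)

def prioritize(techniques=TECHNIQUES, detections=DETECTIONS):
    """Tactics as (name, covered, total), least-covered first, ties alphabetical."""
    cov = coverage_by_tactic(techniques, detections)
    rows = [(t, len(c), len(c) + len(g)) for t, (c, g) in cov.items()]
    return sorted(rows, key=lambda r: (r[1] / r[2], r[0]))
```

Calling `prioritize()` on the sample data puts eight tactics with zero detected techniques at the top of the list, which is where the "prioritize" step starts.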
In general, the MITRE team helps to share threat intelligence and lessons learned, so you can do your job even better. It's worthwhile to enter the matrix from time to time, so you'll know just what to do next to stay ahead of intruders.
Looking for even more information about current threats? We have a webinar devoted to real-time security intelligence worth your time. Check it out.
References
Frequently Asked Questions. The MITRE Corporation.
Reconnaissance. The MITRE Corporation.
Resource Development. The MITRE Corporation.
Initial Access. The MITRE Corporation.
Execution. The MITRE Corporation.
Persistence. The MITRE Corporation.
Privilege Escalation. The MITRE Corporation.
Defense Evasion. The MITRE Corporation.
Credential Access. The MITRE Corporation.
Discovery. The MITRE Corporation.
Lateral Movement. The MITRE Corporation.
Collection. The MITRE Corporation.
Command and Control. The MITRE Corporation.
Exfiltration. The MITRE Corporation.
Impact. The MITRE Corporation.
Mobile Tactics. The MITRE Corporation.
Enterprise Techniques. The MITRE Corporation.
Mobile Techniques. The MITRE Corporation.
