Defining & Understanding the MITRE ATT&CK Framework
The MITRE ATT&CK framework is a curated collection of adversary goals and the techniques used to pursue them. The MITRE Corporation developed and maintains this knowledge base.
The ATT&CK name is an acronym, which stands for "Adversarial Tactics, Techniques, and Common Knowledge."
Let's explain what this database contains, and we'll outline how you can use this information to keep your company's resources safe and sound.
MITRE ATT&CK Framework Breakdown
What if you had a constantly updated list of all the things your enemies wanted to do to you? And what if that list also contained information about how they planned to harm you?
In 2013, officials at the MITRE Corporation set out to answer that question through the FMX research project. They collected data on attacks observed on enterprise networks, and they tested various defence mechanisms to see whether they worked. In time, the database became so robust and valuable that the team decided to share their knowledge with the wider world. The MITRE ATT&CK matrix was born.
Information within the matrix is shared in table format. Links let you dig deeper into the research, and you can check back regularly to see how a threat changes with time.
The matrix is broken down into two crucial areas.
- Tactics: Why do adversaries take a specific step? What do they hope to achieve? MITRE officials call these motivation factors "tactics."
- Techniques: What do adversaries do to meet their goals? What specific steps do they take? MITRE officials call these plans "techniques."
Understanding the MITRE terminology takes time and a little practice, but it is worth the effort. As MITRE ATT&CK research grows in popularity, IT professionals increasingly use its vocabulary in conversations about the threats they face. The more you know about how the research progresses, the better you can take part in those discussions.
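One practical way to use the tactic/technique structure defensively is to map your own detection rules onto it and see which tactics have no coverage at all. The script below is an added illustration, not code from MITRE or from the original article: the matrix slice and the detection rules are constructed (the tactic and technique IDs are real ATT&CK identifiers, but the slice is deliberately tiny), and the rule names are invented.

```python
"""Map detection rules to ATT&CK tactics and report coverage gaps."""

# Constructed slice of the enterprise matrix: tactic -> {technique ID: name}.
# The IDs are real ATT&CK identifiers; only five tactics are shown here.
MATRIX = {
    "TA0043 Reconnaissance": {"T1595": "Active Scanning"},
    "TA0042 Resource Development": {"T1583": "Acquire Infrastructure"},
    "TA0001 Initial Access": {"T1566": "Phishing"},
    "TA0002 Execution": {"T1059": "Command and Scripting Interpreter"},
    "TA0003 Persistence": {"T1547": "Boot or Logon Autostart Execution"},
}

# Constructed detection rules, each tagged with the technique it detects.
RULES = [
    {"name": "Suspicious PowerShell spawn", "technique": "T1059"},
    {"name": "New Run-key autostart entry", "technique": "T1547"},
    {"name": "Inbound port sweep", "technique": "T1595"},
]


def coverage_report(matrix, rules):
    """Return (report, unknown).

    report maps each tactic to the technique IDs a rule covers and the ones
    nothing covers; unknown lists rule technique IDs absent from the matrix
    (typos or retired IDs), so they are not silently counted as coverage.
    """
    detected = {rule["technique"] for rule in rules}
    known = {tid for techniques in matrix.values() for tid in techniques}
    report = {}
    for tactic, techniques in matrix.items():
        report[tactic] = {
            "covered": sorted(t for t in techniques if t in detected),
            "uncovered": sorted(t for t in techniques if t not in detected),
        }
    return report, sorted(detected - known)


def uncovered_tactics(report):
    """Tactics for which not a single technique has a detection rule."""
    return [tactic for tactic, cov in report.items() if not cov["covered"]]


if __name__ == "__main__":
    report, unknown = coverage_report(MATRIX, RULES)
    for tactic in uncovered_tactics(report):
        print("no detection for tactic:", tactic)
    if unknown:
        print("rules reference technique IDs not in the matrix:", unknown)
```

With the constructed rules above, Resource Development and Initial Access come back as tactics with no detection at all, which is exactly the kind of gap the matrix is meant to make visible.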
MITRE ATT&CK Tactics
Every tactic answers the question "Why?" Think of them as the motivations that drive attackers to do what they do.
The team at MITRE has identified 14 of them for people working within an enterprise environment. We'll link to the specific MITRE page dedicated to each tactic, so you can dig into the research and understand each tactic and how it changes with time.
Recognised enterprise tactics include:
- Resource development. Your adversary wants to ensure that attacks progress successfully. An attacker with plenty of tools and infrastructure at hand can make this intrusion, and the next one, even more effective.
- Reconnaissance. Your attacker wants to gather information about you, either passively or actively, so the attack is driven by data and more likely to succeed.
- Initial access. Your attacker wants to enter your environment successfully and gain a toehold that can be exploited as the attack deepens.
- Execution. Your attacker wants to take control by running code on either a local or a remote system.
- Persistence. The hacker wants to stay in place, even if you restart the system, chan