Transcript for:
Understanding MITRE's ATT&CK Framework

It's been reported that once an organization is breached, adversaries typically lurk on networks for months before being detected. How did they get in? How are they moving around? What are they doing? So, where do you start?

MITRE's ATT&CK framework describes how adversaries penetrate networks and then move laterally, escalate privileges, and generally evade your defenses. ATT&CK looks at the problem from the perspective of the adversary: what goals they are trying to achieve, and what specific methods they use. ATT&CK organizes adversary behaviors into a series of tactics: specific technical objectives that an attacker wants to achieve. Some examples of tactics include defense evasion, lateral movement, and exfiltration.

Within each tactic category, ATT&CK defines a series of techniques. Each technique describes one way an adversary may try to achieve that objective. There are multiple techniques within each tactic because adversaries may use different methods based on their own expertise or on things like the availability of tools or how your systems are configured. Each technique defined in ATT&CK includes a description of the method used by the adversary, the systems or platforms it applies to, and, where known, which specific adversary groups use this technique.

Techniques also describe ways to mitigate the behavior, along with any published references to the technique being employed. ATT&CK helps you understand how adversaries might operate so you can plan how to detect or stop that behavior. Armed with this knowledge, you can better understand the different ways an adversary prepares for, launches, and executes their attacks.

Another important use of ATT&CK is to help you detect an adversary's actions. The ATT&CK framework includes resources designed to help you develop analytics that detect the techniques used by an adversary. ATT&CK also maintains a library of information about selected adversary groups and the campaigns they've conducted.

And since ATT&CK is based on real-world observations, it allows you to correlate specific adversaries with the techniques they've used. Because adversaries often use different techniques to attack different platforms and technologies, the ATT&CK framework is divided into a series of technology domains. Domains currently covered by ATT&CK include enterprise networks with Windows and Linux operating systems, and mobile devices. The ATT&CK framework can help your organization better understand the techniques specific adversaries are likely to use, information you can use to evaluate your defenses and strengthen them where it matters most. MITRE is building a community around ATT&CK so that experts in different domains and technologies can come together to refine and extend the knowledge contained in the framework.

And because MITRE is a not-for-profit organization operating in the public interest, we can provide a conflict-free environment to create, collect, share, and manage this information, making it available to everyone. Learn more about ATT&CK and what else we're doing in Cyber Threat Intelligence.

MITRE.

We solve problems for a safer world.