January 9, 2024

What is the MITRE ATT&CK framework? What is the benefit of using the MITRE ATT&CK framework?


How can we use the MITRE ATT&CK framework for threat hunting, and how can we hunt APT groups using it?

Most of us have probably come across the term MITRE ATT&CK framework while reading technical articles, reports on attack groups, and so on. The MITRE ATT&CK framework is a knowledge base that helps track attacker groups across the attack life cycle in order to improve an organization’s security posture.

In this article we will look at what the MITRE ATT&CK framework is and what the benefit of using it is.

What is an APT Group?

Before we start to understand what the MITRE ATT&CK framework is, we should know what an APT group is. APT, or Advanced Persistent Threat, is a broad term used to describe stealthy hacker groups, which can be nation-state or state-sponsored, that break into a network and remain undetected for a very long period. These groups have the resources, time, and techniques to intrude into a network on a large scale while remaining unnoticed.

What is the Pyramid of Pain?

The building block of the MITRE ATT&CK framework is the TTP, or tactics, techniques, and procedures. To understand what a TTP is, we should be familiar with the concept of the Pyramid of Pain developed by David Bianco. It ranks indicator types by how easy they are for a defender to detect and by how much pain it causes the threat actor when defenders act on them.

The diagram shows that these indicators have a temporary value that fades over time, except for TTPs. In simple words, an attacker can easily change a hash value, an IP address, and so on; as we move up the pyramid, the difficulty of altering the indicator increases. We should remember that an attacker is still a human, and it becomes almost impossible for an attacker to change the behavior of the attack, in other words the TTPs.

What is TTP?

TTP stands for tactics, techniques, and procedures; studying TTPs is an effective method to learn about malicious activities and to identify them.

  1. Tactics – define the adversary’s tactical objective, or the ‘why’ behind a particular action.

  2. Techniques – define ‘how’ the adversary reaches the tactical objective.

  3. Procedures – explain in detail the steps by which the techniques are actually implemented.

What is the MITRE ATT&CK framework?

The MITRE ATT&CK™ framework consists of a matrix of tactics and techniques used by threat hunters, defenders, and red teamers to classify attacks, proactively hunt for the presence of attackers in an organization, and assess the organization’s risk.

The framework aims to improve post-compromise detection of an attacker by representing the steps an adversary has taken or is likely to take next. We can use the matrix to identify at what stage an attack was detected and trace it from there. How did the attacker get access? How did they move around? The knowledge base helps us answer these questions, which in turn helps in analyzing the security risk posture of an organization, prioritizing risk levels, and improving existing standards.

Introduction to MITRE ATT&CK

ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) was initially developed in 2013 by the MITRE Corporation, a not-for-profit organization that supports US government agencies. ATT&CK was officially released in May 2015 and has been modified and updated ever since.

MITRE tracks multiple APT groups and updates their behaviors in the matrix based on real-time activity. Basically, there are three flavors of MITRE ATT&CK:

  • Enterprise ATT&CK – Adversary behavior against enterprise environments

  • Mobile ATT&CK – Adversary behavior in mobile attacks

  • PRE-ATT&CK – Pre-compromise behavior of attackers

There are 14 tactics covered in MITRE ATT&CK for Enterprise. Tactics explain the intent of the attacker by describing their specific objective, so tactics are categorized by objective.

Below are the 14 tactics:

  • Reconnaissance

  • Resource development

  • Initial access

  • Execution

  • Persistence

  • Privilege escalation

  • Defense evasion

  • Credential access

  • Discovery

  • Lateral movement

  • Collection

  • Command and Control

  • Exfiltration

  • Impact

A technique explains the method, or ‘how’, by which the attacker reaches the above-mentioned objectives. Many techniques are listed under each tactic, since attackers’ techniques vary with tools, skill set, and so on.

MITRE ATT&CK currently identifies 188 techniques and 379 sub-techniques for the 14 Enterprise tactics.

Procedures give a detailed description of how the attacker plans to achieve the objective.

Every tactic, technique, and procedure has a code to identify it easily. For example, T1566 indicates Phishing in MITRE ATT&CK. This makes incident reporting much more efficient.

You can access the MITRE ATT&CK framework on the MITRE website, which also provides free training for an in-depth understanding of ATT&CK.

What is the benefit of using the MITRE ATT&CK framework?

MITRE ATT&CK is a boon to security researchers. It helps in tracking down adversaries, and thus in preventing damage to the organization.

  • Real-world observations – MITRE ATT&CK is built by learning from and observing adversaries in real time, which gives a more practical approach to hunting threat actors.

  • It is free, open, and accessible globally.

  • One of the main benefits of ATT&CK is that it unifies security researchers worldwide around a common language.

  • Cyber threat intelligence is strengthened with the help of ATT&CK.

  • It helps in conducting a security gap analysis and improving existing policies and infrastructure.

  • Communication is easier and more efficient.
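As an added illustration of the technique ID scheme (T1566 and its sub-techniques) and of the gap analysis mentioned above, the following Python maps a set of detection-rule ATT&CK tags to the 14 Enterprise tactics and reports which tactics have no coverage. This is example code written for this article, not MITRE's tooling; the technique subset and the rule tags are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed excerpt of the Enterprise ATT&CK knowledge base: technique ID -> (name, tactics).
TECHNIQUES = {
    "T1566": ("Phishing", ["Initial Access"]),
    "T1566.001": ("Spearphishing Attachment", ["Initial Access"]),
    "T1059": ("Command and Scripting Interpreter", ["Execution"]),
    "T1059.001": ("PowerShell", ["Execution"]),
    "T1003": ("OS Credential Dumping", ["Credential Access"]),
    "T1021": ("Remote Services", ["Lateral Movement"]),
    "T1071": ("Application Layer Protocol", ["Command and Control"]),
    "T1486": ("Data Encrypted for Impact", ["Impact"]),
}
# The 14 Enterprise tactics, in matrix order.
TACTICS = [
    "Reconnaissance", "Resource Development", "Initial Access", "Execution",
    "Persistence", "Privilege Escalation", "Defense Evasion", "Credential Access",
    "Discovery", "Lateral Movement", "Collection", "Command and Control",
    "Exfiltration", "Impact",
]
# Technique IDs look like T1566; sub-techniques add a three-digit suffix, e.g. T1566.001.
TECH_ID = re.compile(r"^T(\d{4})(?:\.(\d{3}))?$")
# Constructed example: the ATT&CK tags carried by a SIEM's current detection rules.
SAMPLE_RULE_TAGS = ["T1566.001", "T1059.001", "T1003", "T1071"]

def parse_technique_id(tag):
    """Return (parent_technique_id, sub_technique_id_or_None); reject malformed tags."""
    m = TECH_ID.match(tag.strip())
    if not m:
        raise ValueError(f"not an ATT&CK technique ID: {tag!r}")
    parent = f"T{m.group(1)}"
    return parent, (f"{parent}.{m.group(2)}" if m.group(2) else None)

def tactic_coverage(rule_tags):
    """Map rule tags to tactics; a sub-technique tag counts as coverage of its parent."""
    covered = defaultdict(set)
    for tag in rule_tags:
        parent, _ = parse_technique_id(tag)
        entry = TECHNIQUES.get(tag) or TECHNIQUES.get(parent)
        if entry is None:
            continue  # not in this excerpt; the full knowledge base would resolve it
        for tactic in entry[1]:
            covered[tactic].add(parent)
    return {tactic: sorted(covered.get(tactic, ())) for tactic in TACTICS}

def uncovered_tactics(rule_tags):
    """Tactics with no detection rule at all: the gaps a hunter should look at first."""
    return [t for t, techs in tactic_coverage(rule_tags).items() if not techs]
```

Running `uncovered_tactics(SAMPLE_RULE_TAGS)` on the constructed tags shows that ten of the 14 tactics, including Lateral Movement and Exfiltration, have no detection at all.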

ATT&CK is the knowledge base for learning the behavior of threat actors. This helps security researchers identify and cross-verify the presence of threat actors. I believe this article helps in understanding what the MITRE ATT&CK framework is and what the benefit of using the MITRE ATT&CK framework is. In the upcoming article, we will discuss in depth how we can use the MITRE ATT&CK framework for threat hunting.

Aroma Rose Reji

Aroma is a cybersecurity professional with more than four years of experience in the industry. She has a strong background in detecting and defending cyber-attacks and possesses multiple global certifications like eCTHPv2, CEH, and CTIA. She is a pet lover and, in her free time, enjoys spending time with her cat, cooking, and traveling. You can connect with her on LinkedIn.
