Table of Contents
  • Home
  • /
  • Blog
  • /
  • What is the MITRE ATT&CK framework? What is the benefit of using the MITRE ATT&CK framework?
January 9, 2024

What is the MITRE ATT&CK framework? What is the benefit of using the MITRE ATT&CK framework?

How Can We Use The Mitre Attck Framework For Threat Hunting And How To Hunt Apt Groups Using The Mitre Attck Framework

Most of us might have heard the term MITRE ATT&CK framework while reading about technical articles, attack groups, etc. MITRE ATT&CK framework is a collection of knowledge bases that help in tracking attacker groups along their life cycle to improve an organization’s security posture.

We will understand what the MITRE ATT&CK framework is and what is the benefit of using the MITRE ATT&CK framework in this article.

What is an APT Group?

Before we start to understand what the MITRE ATT&CK framework is, we should know what an APT group is. APT or Advanced Persistent Threat is a broad term used to describe stealthy hacker groups, which can be national or state-sponsored, that hack into a network and remain undetected for a very long period. These groups have great resources, time, and techniques to intrude into a network on a large scale which helps them remain un-noticed.

What is the Pyramid of Pain?

The building block of the MITRE ATT&CK framework is the TTP or tactic techniques and procedures. To understand what TTP is, we should be familiar with the concept of the pyramid of pain developed by David Bianco. This represents the attack vectors in the order of ease in detecting the vector and the amount of impact on the threat actor.

This diagram shows us that these indicators have a temporary value that eventually fades over time- except for the TTP. In simple words, an attacker can easily change the Hash value, IP address, etc., over a period of time as the pyramid goes up, and the difficulty of altering the indicator also increases. We should remember an attacker is still a human. It becomes almost impossible for an attacker to change the behavior of the attack or, in other words, TTP.

What is TTP?

TTP stands for tactics, techniques, and procedure is an effective method to learn about malicious activities and to identify them.

  1. Tactics– This defines the adversary’s tactical objective or the ‘why’ a particular action is done.

  2. Techniques – Techniques define ‘how’ the adversary reaches the tactical objective.

  3. Procedures – explains the steps in detail on how to perform the actual implementation of the techniques.

What is the MITRE ATT&CK framework?

The MITRE ATT&CK™ framework consists of a matrix of tactics and techniques used by threat-hunting, defense, and red teamers to classify the attacks and proactively hunt for the presence of any attackers in an organization and calculate the risk of the organization.

This framework aims to effectively improve post-compromise detection of an attacker by representing what steps/actions would have been taken or is planning to take next by the adversary. We can use the matrix to identify what stage the attack is identified and trace it. How the attacker got access? How they moved around? All these answers we can obtain with the help of a knowledge base, and this help in analyzing the security risk posture of an organization. This help in prioritizing the risk level and improving the existing standards.

Introduction to MITRE ATT&CK

ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) was initially developed in 2013 by the MITRE corporation, which is a not-for-profit to support US government agencies. ATT&CK was officially released in May 2015 and is still modified and updated since.

Mitre tracks multiple APT groups and updates their behaviors based on real-time activity in the matrix. Basically, there are three flavors of Mitre ATT&CK

  • Enterprise ATT&CK 

  • Mobile ATT&CK – Adversary behavior on mobile attacks

  • PRE-ATT&CK – Pre-compromise behavior of attackers 

There are 14 tactics covered in Mitre ATT&CK for enterprise, and tactics explain the intent of the attacker by explaining their specific objective. So tactics are categorized based on objectives.

Below are the 14 tactics

  • Reconnaissance

  • Resource development

  • Initial access

  • Execution

  • Persistence

  • Privilege escalation

  • Defense evasion

  • Credential access

  • Discovery

  • Lateral movement

  • Collection

  • Command and Control

  • Exfiltration

  • Impact

The technique explains the method or way how the attacker reaches the above-mentioned objectives. So many techniques are mentioned under each tactic since the attacker’s techniques vary with tools, skillset, etc.

MITRE ATT&CK currently identifies 379 sub-techniques and 188 techniques for the 14 tactics for the enterprise.

Procedures give a detailed description of how the attacker plans to achieve the objective.

Every tactic, technique, and the procedure has a code to identify them easily. For e.g., T1566 indicates phishing in MITRE ATT&CK. This will make reporting incidents much more efficient.

You can access the MITRE framework here. Free training is also provided on the website for an in-depth understanding of MITRE.

What is the benefit of using the MITRE ATT&CK framework?

MITRE ATT&CK is a boon to security researchers. It helps in tracking down adversaries, thus helping in preventing damage to the organization.

  • Real-world observations – MITRE ATT&CK is created by learning and observing adversaries in real-time, which help in providing a more practical approach for hunting threat actors.

  • It is free, open, and accessible globally.

  • One of the main benefits of ATT&CK is it unifies or creates a common language for security researchers worldwide.

  • Cyber intelligence will be strengthened with the help of ATT&CK.

  • Help in conducting a security gap analysis and improve existing policies/infra.

  • Communication is easier and more efficient.

ATT&CK is the knowledge base for learning the behavior of threat actors. This helps security researchers to identify and cross-verify the presence of threat actors. I believe this article helps in understanding what the MITRE ATT&CK framework is and what is the benefit of using the MITRE ATT&CK framework. In the upcoming article, we will discuss in depth How we can use the MITRE ATT&CK framework for threat hunting. 

Thanks for reading this post. Please share this post and help to secure the digital world. Visit our social media page on FacebookLinkedInTwitterTelegramTumblr,  Medium & Instagram, and subscribe to receive updates like this. 

Read More:

Aroma Rose Reji

Aroma is a cybersecurity professional with more than four years of experience in the industry. She has a strong background in detecting and defending cyber-attacks and possesses multiple global certifications like eCTHPv2, CEH, and CTIA. She is a pet lover and, in her free time, enjoys spending time with her cat, cooking, and traveling. You can connect with her on LinkedIn.

Recently added

Application Security

View All

Learn More About Cyber Security Security & Technology

“Knowledge Arsenal: Empowering Your Security Journey through Continuous Learning”

Cybersecurity All-in-One For Dummies - 1st Edition

"Cybersecurity All-in-One For Dummies" offers a comprehensive guide to securing personal and business digital assets from cyber threats, with actionable insights from industry experts.



View All

Learn Something New with Free Email subscription