MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a comprehensive framework that outlines various phases of threat actors’ attack lifecycles and their target platforms. This framework categorises malicious cyberattacks and provides specific strategies for defending against them. This guide will help you understand MITRE ATT&CK.
Structure of MITRE ATT&CK
The ATT&CK framework consists of tactics, techniques, and documented real-world usage of those techniques. Tactics are the adversary's short-term, premeditated objectives (the "why" behind an action), while techniques are the methods used to achieve those objectives (the "how").
Origins of MITRE ATT&CK
MITRE ATT&CK originated in 2013 from MITRE’s Fort Meade Experiment (FMX). Researchers simulated attacker and defender behaviours during this experiment to enhance post-compromise threat detection through telemetry sensing and behavioural analysis.
Iterations of MITRE ATT&CK
Over the years, the framework has evolved through several iterations, each improving and expanding on the previous versions:
| Iteration | Year | Description |
|---|---|---|
| ATT&CK v1 | 2015 | Introduced with 12 tactics and 76 techniques. |
| ATT&CK v2 | 2016 | Expanded to 15 tactics and 150 techniques. |
| ATT&CK v3 | 2017 | Implemented a more structured approach, grouping techniques by purpose, such as initial access, execution, or exfiltration. |
| ATT&CK v4 | 2018 | Included new tactics and techniques related to cloud environments and mobile devices, and introduced a sub-matrix for better understanding of threat actor techniques. |
| ATT&CK v5 | 2019 | Included new tactics and techniques related to cloud environments and mobile devices, and introduced a sub-matrix for better understanding of threat actor techniques. |
| ATT&CK v6 | 2020 | Added tactics and techniques relevant to containerized environments and other emerging technologies. |
| ATT&CK v7 | 2021 | Introduced techniques related to ransomware, supply chain attacks, and other emerging threats. |
Versions of MITRE ATT&CK
MITRE ATT&CK is published in several versions, each catering to a different focus area:

- ATT&CK for Enterprise: Focuses on traditional enterprise networks, covering the tactics and techniques used to gain access, move laterally, and exfiltrate data from these networks.
- ATT&CK for Mobile: Targets mobile devices, including smartphones and tablets, and covers the tactics and techniques used to compromise these devices and steal sensitive data.
- ATT&CK for ICS: Concentrates on Industrial Control Systems (ICS) used to manage critical infrastructure such as power grids, water treatment facilities, and transportation systems. It covers the tactics and techniques used to compromise ICS and disrupt critical infrastructure.
Example Scenario: E-commerce Website Attack
Consider an e-commerce website where an attacker aims to steal customer data and credit card information. The attack begins with the attacker gaining initial access by sending a phishing email to an employee. The email tricks the employee into clicking a malicious link and installing malware on their computer. Once the malware is in place, it uses PowerShell to execute scripts, thereby gaining control of the employee's machine.
To maintain access, the attacker creates a new user account with administrative privileges. Seeking higher-level privileges, the attacker then exploits a system vulnerability. To avoid detection by antivirus software, the attacker obfuscates their malware. With control over the system, the attacker next uses tools to extract login credentials, gaining access to the wider network. They then scan the network to identify other vulnerable systems.
Using the stolen credentials, the attacker accesses other systems within the network and collects sensitive data, including customer information and credit card details, from databases. The collected data is exfiltrated through an encrypted command and control (C2) channel. Finally, the attacker destroys logs and other forensic evidence to cover their tracks, leaving the e-commerce website compromised and its data stolen.
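The scenario above walks through the tactics in roughly matrix order, which is exactly how a defender uses ATT&CK in practice: map each observed action to a technique, group techniques by the tactic they serve, and compare that against the detections actually deployed. The following Python example is added here and is not part of the original article or of MITRE's own tooling. The tactic and technique identifiers are the real ATT&CK Enterprise IDs as known to the author of this example; the step-to-technique mapping for the scenario and the SOC's detection inventory (`DEPLOYED_DETECTIONS`) are constructed for illustration.

```python
"""Map the e-commerce attack scenario onto ATT&CK tactics and techniques
and compute where the defender's detections would (and would not) fire.

Added example, not from the original article. Tactic/technique IDs are the
ATT&CK Enterprise identifiers; the step mapping and detection inventory are
constructed for illustration.
"""
from dataclasses import dataclass

# ATT&CK Enterprise tactics in matrix order (left to right): tactic ID, name.
TACTIC_ORDER = [
    ("TA0043", "Reconnaissance"), ("TA0042", "Resource Development"),
    ("TA0001", "Initial Access"), ("TA0002", "Execution"),
    ("TA0003", "Persistence"), ("TA0004", "Privilege Escalation"),
    ("TA0005", "Defense Evasion"), ("TA0006", "Credential Access"),
    ("TA0007", "Discovery"), ("TA0008", "Lateral Movement"),
    ("TA0009", "Collection"), ("TA0011", "Command and Control"),
    ("TA0010", "Exfiltration"), ("TA0040", "Impact"),
]
TACTIC_NAME = dict(TACTIC_ORDER)
TACTIC_RANK = {tid: i for i, (tid, _) in enumerate(TACTIC_ORDER)}


@dataclass(frozen=True)
class Step:
    """One observed attacker action, mapped to a technique and the tactic it serves."""
    description: str
    technique_id: str
    technique_name: str
    tactic_id: str


# The article's scenario, step by step, in the order the attacker acts.
SCENARIO = [
    Step("Phishing email with a malicious link sent to an employee", "T1566.002", "Phishing: Spearphishing Link", "TA0001"),
    Step("Employee clicks the link and installs the malware", "T1204.001", "User Execution: Malicious Link", "TA0002"),
    Step("Malware runs PowerShell scripts to control the host", "T1059.001", "Command and Scripting Interpreter: PowerShell", "TA0002"),
    Step("New local account with administrative privileges created", "T1136.001", "Create Account: Local Account", "TA0003"),
    Step("System vulnerability exploited for higher privileges", "T1068", "Exploitation for Privilege Escalation", "TA0004"),
    Step("Malware obfuscated to evade antivirus", "T1027", "Obfuscated Files or Information", "TA0005"),
    Step("Login credentials extracted from the host", "T1003", "OS Credential Dumping", "TA0006"),
    Step("Network scanned for other vulnerable systems", "T1046", "Network Service Discovery", "TA0007"),
    Step("Stolen credentials used to reach other systems", "T1021", "Remote Services", "TA0008"),
    Step("Customer and card data collected from databases", "T1213", "Data from Information Repositories", "TA0009"),
    Step("Encrypted C2 channel established", "T1573", "Encrypted Channel", "TA0011"),
    Step("Collected data sent out over the C2 channel", "T1041", "Exfiltration Over C2 Channel", "TA0010"),
    Step("Logs destroyed to cover tracks", "T1070.001", "Indicator Removal: Clear Windows Event Logs", "TA0005"),
]

# Constructed inventory for a hypothetical SOC: technique IDs that have a deployed analytic.
# Note that nothing covers the initial-access or user-execution steps.
DEPLOYED_DETECTIONS = {"T1059.001", "T1003", "T1041", "T1070.001"}


def tactics_touched(steps):
    """Distinct tactics the scenario exercises, in matrix order rather than step order."""
    seen = {s.tactic_id for s in steps}
    return [tid for tid, _ in TACTIC_ORDER if tid in seen]


def coverage_by_tactic(steps, detections):
    """For each touched tactic, split its techniques into covered ones and gaps."""
    report = {}
    for s in steps:
        entry = report.setdefault(s.tactic_id, {"covered": [], "gaps": []})
        bucket = "covered" if s.technique_id in detections else "gaps"
        if s.technique_id not in entry[bucket]:
            entry[bucket].append(s.technique_id)
    # Present tactics left to right as the matrix does.
    return dict(sorted(report.items(), key=lambda kv: TACTIC_RANK[kv[0]]))


def first_detection_opportunity(steps, detections):
    """Index of the earliest step a deployed analytic would catch, or None if the chain is invisible."""
    for i, s in enumerate(steps):
        if s.technique_id in detections:
            return i
    return None


def steps_before_detection(steps, detections):
    """How many attacker actions complete before the first alert could possibly fire."""
    idx = first_detection_opportunity(steps, detections)
    return len(steps) if idx is None else idx


if __name__ == "__main__":
    for tid, entry in coverage_by_tactic(SCENARIO, DEPLOYED_DETECTIONS).items():
        print(f"{tid} {TACTIC_NAME[tid]:<20} covered={entry['covered']} gaps={entry['gaps']}")
    idx = first_detection_opportunity(SCENARIO, DEPLOYED_DETECTIONS)
    print("first detectable step:", idx, "-", SCENARIO[idx].description)
```

Running the script prints one line per tactic with the techniques the hypothetical SOC covers and the ones it does not, and reports that the first detectable step is the PowerShell execution (step index 2), meaning the phishing delivery and the user's click both go unobserved. The ordering by `TACTIC_RANK` is what turns a flat list of events into the familiar left-to-right matrix view, and the gap list per tactic is the starting point for prioritising new analytics.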
Wrapping Up
MITRE ATT&CK is an invaluable resource for understanding and defending against cyber threats. Organizations can better protect their systems and data from adversaries by staying informed about the evolving tactics and techniques outlined in this framework. Leveraging the insights and strategies provided by MITRE ATT&CK is essential for maintaining robust cybersecurity defences.
References
MITRE ATT&CK website: https://attack.mitre.org/