The MITRE ATT&CK Framework was created by MITRE in 2013 to document attacker tactics and techniques based on real-world observations. This index continues to evolve with the threat landscape and has become a renowned knowledge base for the industry to understand attacker models, methodologies, and mitigation.
Successful and comprehensive threat detection requires understanding common adversary techniques, which ones may especially pose a threat to your organization, and how to detect and mitigate these attacks. With that said, the volume and breadth of attack tactics make it nearly impossible for any single organization to monitor every single attack type—never mind catalog and translate those findings in a constructive way to anyone outside of their organization.
For these reasons, MITRE has developed the ATT&CK framework. ATT&CK, which is an acronym for Adversarial Tactics, Techniques, and Common Knowledge, is a knowledge base of adversary tactics and techniques. These techniques are indexed and break down into detail the exact steps and methods that hackers use, making it easy for teams to understand the actions that may be used against a particular platform. To go a step further, MITRE also incorporates cyber-threat intelligence documenting adversary group behavior profiles to document which attack groups use which techniques.
The ATT&CK matrix structure is similar to a periodic table, with column headers outlining phase in the attack chain (from Initial Access all the way to Impact). The rows below them detail specific techniques. Framework users can further explore any of the techniques to learn more about the tactics, platforms exploited, example procedures, mitigation, and detections.
The ATT&CK Framework is widely recognized as an authority on understanding the behaviors and techniques that hackers use against organizations today. It not only removes ambiguity and provides a common vocabulary for industry professionals to discuss and collaborate on combating these adversary methods, but it also has practical applications for security teams.
Some key use cases for the MITRE ATT&CK framework include:
Even the most well-resourced teams cannot protect against all attack vectors equally. The ATT&CK framework can offer a blueprint for teams for where to focus their detection efforts. For example, many teams may begin by prioritizing threats earlier in the attack chain. Other teams may want to prioritize specific detections based on techniques used by attacker groups that are especially prevalent in their respective industries. By exploring the techniques, targeted platforms, and risk, teams can educate themselves to help inform their security plan, then leverage the MITRE ATT&CK framework to track progress over time.
The MITRE ATT&CK framework can also be valuable in evaluating current tools and depth of coverage around key attack techniques. There are different levels of telemetry that might be applicable to each detection. In some areas, teams may decide they need high confidence in depth of detection, while a lower level of detection may be acceptable in other areas. By defining the threats that are a priority for the organization, teams can evaluate how their current coverage stacks up. This can also be useful in red-teaming activities; the matrix can be used to define the scope of a red teaming exercise or pentest, and then as a scorecard during and after the test.
Many organizations may want to prioritize tracking specific adversary group behaviors that they know are of particular threat to their industry or vertical. The ATT&CK framework is not a static document. MITRE continues to evolve the framework as threats emerge and evolve, making it a useful source of truth to track and understand the movements of hacker groups and the techniques they use.