Introduction to MITRE ATT&CK Framework

#masters_thesis

October 22, 2024

MITRE ATT&CK Framework Logo


The MITRE ATT&CK framework is one of the most comprehensive and widely used tactical threat intelligence standards available today. It models an adversary's behavior across different attack phases and prominent technology domains.

The framework covers three primary technology domains:

  • Enterprise (common operating systems and cloud services)
  • Mobile (Android and iOS)
  • Industrial Control Systems (ICS)

Within these domains, threat intelligence is organized in a hierarchy of Tactics, Techniques, and Procedures (TTPs). Figure 1 illustrates this hierarchical relationship.


Figure 1: Hierarchy of Tactics, Techniques and Procedures in MITRE ATT&CK Framework

Understanding ATT&CK in Action

When carrying out an attack, adversaries carefully plan and execute various actions over time, each bringing them closer to a successful breach. For example, in a data theft attack, an adversary might perform the following actions:

  1. Gather intelligence about the target.
  2. Scan for devices in the network.
  3. Send phishing emails to gain initial access.
  4. Escalate privileges.
  5. Move laterally within the organization.
  6. Exfiltrate sensitive data.

These adversarial actions can be categorized into TTPs and analyzed using the MITRE ATT&CK framework.

Tactics

Tactics represent the "why" behind an adversary's actions—their objectives in an attack. For example, the Discovery tactic includes techniques used to gather insights about an organization's environment.

The MITRE ATT&CK framework (version 15.1) consists of a total of 40 tactics:

  • Enterprise: 14 tactics
  • Mobile: 14 tactics
  • ICS: 12 tactics

Techniques

Techniques describe "how" an adversary achieves their objective and "what" they gain by doing so. While tactics define high-level goals, techniques provide specific methods used to accomplish them.

For instance, within the Discovery tactic, an adversary may use different techniques to gather information about:

  • Valid user accounts
  • Cloud infrastructure
  • Network services
  • Software in use

A single tactic can have multiple techniques, and a technique can belong to more than one tactic.

Sub-Techniques

Some techniques are further broken down into sub-techniques, which detail the specific ways an adversary executes a technique.

For example, the Account Discovery technique has four sub-techniques:

  • Local Account
  • Domain Account
  • Email Account
  • Cloud Account

Not all techniques have sub-techniques, but sub-techniques always belong to a specific technique. Techniques and sub-techniques have unique identifiers:

  • Techniques: Txxx (e.g., T1087)
  • Sub-techniques: Txxx.yyy (e.g., T1087.001)

These identifiers are also referred to as TTP IDs.

Procedures

Procedures are real-world examples of how adversaries execute techniques and sub-techniques. The MITRE ATT&CK framework provides a table of procedure examples for most techniques and sub-techniques. Each example names the adversary, campaign, or software involved and describes how the technique was executed. Typically, each description is a single sentence summarizing the adversary's action.

Here are two procedure examples for the Account Discovery technique (T1087):

  1. FIN13 enumerated all users and their roles from a victim's main treasury system.
  2. ShimRatReporter listed all non-privileged and privileged accounts available on the machine.

Use Cases of the MITRE ATT&CK Framework

The MITRE ATT&CK framework is widely used by security professionals for preventing, detecting, and mitigating cyberattacks. Some key use cases include:

1. Adversary Emulation

Security teams use ATT&CK to simulate an adversary’s attack process against an organization. It plays a crucial role in red team vs. blue team exercises, helping organizations assess their threat detection and mitigation capabilities.

2. Identifying Defensive Gaps

Organizations leverage ATT&CK to measure gaps in their security infrastructure, identifying blind spots in monitoring, vulnerabilities in systems, and potential attack vectors. It also helps Security Operations Centers (SOCs) evaluate their ability to detect, analyze, and respond to intrusions.

3. Cyber Threat Intelligence (CTI) Enrichment

ATT&CK is valuable in CTI enrichment, where behavioral attack patterns are correlated with technical and unstructured threat intelligence. This includes Indicators of Compromise (IoCs), information on specific adversaries, and malware analysis.

My thesis work explores this use case by mapping unstructured threat intelligence in CTI reports to TTPs to enrich cybersecurity defense strategies.
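As an added example that is not part of the original article or the thesis, the Python below shows the mechanical core of that mapping: it extracts TTP IDs in the Txxx / Txxx.yyy format described in the Sub-Techniques section from unstructured report text, groups sub-techniques under their parent technique, and enriches each ID against a small hand-built lookup. The lookup covers only Account Discovery and its four sub-techniques (T1087.002 to T1087.004 follow ATT&CK's own numbering for the names listed above), and the sample report text is constructed.

```python
import re
from collections import defaultdict

# ATT&CK technique IDs are 'T' + four digits; sub-techniques append '.' + three digits.
TTP_ID_RE = re.compile(r"\bT(\d{4})(?:\.(\d{3}))?\b")

# Hand-built subset of the catalogue: Account Discovery and its four
# sub-techniques from the text above (tactics is a list because a technique
# may belong to more than one tactic).
CATALOGUE = {
    "T1087": ("Account Discovery", ["Discovery"]),
    "T1087.001": ("Local Account", ["Discovery"]),
    "T1087.002": ("Domain Account", ["Discovery"]),
    "T1087.003": ("Email Account", ["Discovery"]),
    "T1087.004": ("Cloud Account", ["Discovery"]),
}

def parse_ttp_id(ttp_id):
    """Return (technique_id, sub_technique_id or None) for one TTP ID."""
    m = TTP_ID_RE.fullmatch(ttp_id)
    if m is None:
        raise ValueError(f"not an ATT&CK TTP ID: {ttp_id!r}")
    technique = f"T{m.group(1)}"
    return technique, f"{technique}.{m.group(2)}" if m.group(2) else None

def extract_ttps(report_text):
    """Map each parent technique cited in the text to its cited sub-techniques."""
    grouped = defaultdict(set)
    for m in TTP_ID_RE.finditer(report_text):
        technique, sub = parse_ttp_id(m.group(0))
        grouped[technique]  # keep bare technique IDs with an empty set
        if sub:
            grouped[technique].add(sub)
    return {t: sorted(s) for t, s in grouped.items()}

def enrich(report_text):
    """Attach name/tactics from CATALOGUE; unknown IDs are returned for review."""
    known, unknown = {}, []
    for technique, subs in extract_ttps(report_text).items():
        for ttp in [technique, *subs]:
            if ttp in CATALOGUE:
                name, tactics = CATALOGUE[ttp]
                known[ttp] = {"name": name, "tactics": tactics, "parent": technique}
            else:
                unknown.append(ttp)
    return known, sorted(unknown)

# Constructed CTI snippet (not a real report) to exercise the functions.
SAMPLE_REPORT = ("The intrusion set listed domain accounts (T1087.002) and local "
                 "accounts (T1087.001) before broader T1087 activity; T9999 is cited too.")
```

Calling `enrich(SAMPLE_REPORT)` returns the three resolved Account Discovery IDs with their parent technique and tactic, plus `["T9999"]` as an unresolved ID for an analyst to review rather than silently dropping it.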


Biplab Gautam

Disclaimer: This article on MITRE ATT&CK is an extract from my Master's thesis work, CTI Extraction using Large Language Models. Feel free to write me an email if you are interested in learning more about this.

