Foundations of Operationalizing MITRE ATT&CK
Update: 2022
This short class presents the situations and contexts in which the MITRE ATT&CK framework can be used.
MITRE
MITRE is a non-profit organization that focuses on research and development in the area of cybersecurity. The two major contributions of MITRE to the security world are:
CVE - Common Vulnerabilities and Exposures
MITRE ATT&CK framework
ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge.
Tactics, Techniques and Procedures
There are major differences between Tactics, Techniques and Procedures (TTPs). As TTPs are the core of the MITRE ATT&CK framework, it is important to distinguish these concepts.
Tactics are the technical goals that attackers want to achieve, Techniques are the methods attackers use to achieve those goals, and Procedures are the concrete technical implementations of Techniques. Note that a single Technique can serve multiple Tactics.
Example from a daily life scenario
Tactic: Stay healthy
Techniques: Do physical exercise, adopt a healthy diet, wear a face mask.
Procedures: preparing a salad for dinner, building a gym at home, buying a box of face masks.
MITRE ATT&CK Framework
As previously stated, MITRE ATT&CK focuses on TTPs. MITRE maintains a collection of Techniques that are grouped into several Tactics.
| Tactic | Definition |
|---|---|
| Initial Access | All techniques used to get a foothold in a network or environment. |
| Execution | Execution of code (locally or remotely) on victim systems or networks. |
| Persistence | Keeping access to the networks or systems even if some actions would cut off the access (restarts, credential changes, etc.). |
| Privilege Escalation | Gaining higher-level access on a network or system. |
| Defense Evasion | Techniques used to avoid detection by the Blue Team. |
| Credential Access | Techniques used to retrieve credentials (usernames/passwords). |
| Discovery | Gaining knowledge of the system and the internal network. |
| Lateral Movement | Techniques used to move across the network. |
| Collection | Gathering information relevant to the adversary's objectives. |
| Command and Control | Techniques used to control the victim network remotely. |
| Exfiltration | Exfiltrating data from the network. |
| Impact | Disrupting business activities or threatening data integrity. |
Threat Intelligence
MITRE ATT&CK can be used for any threat intelligence activities.
For example, we can search for more information about a specific APT group's techniques, software and tactics via the Groups section. Moreover, the Navigator helps users get a better overview of the Techniques matrix. We can search for any techniques associated with a specific APT group or piece of software using the filtering feature.
We may be interested in knowing more about APT groups targeting a specific industry. For example, we may want to know more about the techniques and software associated with APT groups that target financial institutions. The MITRE ATT&CK framework can help us with this task.
In more mature organizations, a group of analysts may be in charge of reviewing past incident reports and mapping the attacker's behaviors to the Tactics, Techniques and Procedures listed in MITRE ATT&CK. MITRE encourages analysts to share and compare their conclusions, since two analysts can end up with two different analyses of the same behavior.
The main goal of Threat Intelligence is to better inform the Blue Team so that it can implement a better defense.
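The following script is an added example and is not part of the original class notes or of MITRE's tooling. It ties together two points made above: that one Technique can sit under several Tactics, and that two analysts mapping the same incident report can reach different conclusions that should be compared. The technique IDs and names are real public Enterprise ATT&CK IDs, but the slice of the matrix, the incident observations, and the two analysts' mappings are constructed for the example; the Navigator layer it emits uses the public layer fields (`techniqueID`, `tactic`, `score`, `comment`), with the version numbers being an assumption.

```python
"""Added example (not from the original notes): map observed behaviours
from an incident report to ATT&CK techniques, compare two analysts'
mappings, and emit a minimal ATT&CK Navigator layer for review."""
import json
from collections import defaultdict

# Constructed slice of the Enterprise matrix (real IDs, incomplete slice).
# T1078 appears under four tactics: the "one Technique, several Tactics" case.
TECHNIQUES = {
    "T1566": {"name": "Phishing", "tactics": ["initial-access"]},
    "T1078": {"name": "Valid Accounts",
              "tactics": ["defense-evasion", "persistence",
                          "privilege-escalation", "initial-access"]},
    "T1059": {"name": "Command and Scripting Interpreter", "tactics": ["execution"]},
    "T1003": {"name": "OS Credential Dumping", "tactics": ["credential-access"]},
    "T1021": {"name": "Remote Services", "tactics": ["lateral-movement"]},
    "T1041": {"name": "Exfiltration Over C2 Channel", "tactics": ["exfiltration"]},
}

# Constructed observations from a fictional incident report.
OBSERVATIONS = {
    "obs-1": "user opened an attachment delivered by e-mail",
    "obs-2": "script interpreter launched with an encoded command",
    "obs-3": "credential material read from the logon process memory",
    "obs-4": "stolen domain account used to reach a file server",
    "obs-5": "archive sent out over the existing C2 connection",
}

# Two constructed analyst mappings of the same report. They disagree on
# obs-4: one records the stolen account (T1078), the other the remote
# service used with it (T1021). Both are defensible, hence the comparison.
ANALYST_A = {"obs-1": "T1566", "obs-2": "T1059", "obs-3": "T1003",
             "obs-4": "T1078", "obs-5": "T1041"}
ANALYST_B = {"obs-1": "T1566", "obs-2": "T1059", "obs-3": "T1003",
             "obs-4": "T1021", "obs-5": "T1041"}


def tactics_for(technique_id):
    """Tactics a technique can serve (Technique -> Tactics direction)."""
    return list(TECHNIQUES[technique_id]["tactics"])


def techniques_by_tactic():
    """Invert the matrix: tactic -> sorted technique IDs."""
    index = defaultdict(list)
    for tid, info in TECHNIQUES.items():
        for tactic in info["tactics"]:
            index[tactic].append(tid)
    return {tactic: sorted(ids) for tactic, ids in index.items()}


def validate_mapping(mapping):
    """Reject mappings that reference unknown observations or techniques."""
    for obs_id, tid in mapping.items():
        if obs_id not in OBSERVATIONS:
            raise ValueError(f"unknown observation {obs_id}")
        if tid not in TECHNIQUES:
            raise ValueError(f"unknown technique {tid} for {obs_id}")


def compare_mappings(analyst_a, analyst_b):
    """Return (agreed, disputed): agreed is obs -> technique where both
    analysts chose the same ID; disputed is obs -> (id_a, id_b), with
    None where an analyst did not map the observation at all."""
    validate_mapping(analyst_a)
    validate_mapping(analyst_b)
    agreed, disputed = {}, {}
    for obs_id in sorted(set(analyst_a) | set(analyst_b)):
        a, b = analyst_a.get(obs_id), analyst_b.get(obs_id)
        if a == b:
            agreed[obs_id] = a
        else:
            disputed[obs_id] = (a, b)
    return agreed, disputed


def build_layer(name, agreed, disputed):
    """Build a minimal Navigator layer dict. Navigator scores one
    (technique, tactic) cell at a time, so a technique under several
    tactics yields one entry per tactic. Version numbers are assumed."""
    entries = []

    def add(tid, score, comment):
        for tactic in TECHNIQUES[tid]["tactics"]:
            entries.append({"techniqueID": tid, "tactic": tactic,
                            "score": score, "comment": comment})

    for obs_id, tid in agreed.items():
        add(tid, 2, f"{obs_id}: both analysts agree")
    for obs_id, (a, b) in disputed.items():
        for tid in (a, b):
            if tid is not None:
                add(tid, 1, f"{obs_id}: disputed ({a} vs {b}), review together")
    return {
        "name": name,
        "versions": {"navigator": "4.8", "layer": "4.4"},  # assumption
        "domain": "enterprise-attack",
        "description": "constructed incident mapping; score 2 = agreed, 1 = disputed",
        "techniques": entries,
    }


if __name__ == "__main__":
    agreed, disputed = compare_mappings(ANALYST_A, ANALYST_B)
    print(json.dumps(build_layer("incident-review", agreed, disputed), indent=2))
```

Running the script prints a layer in which the four agreed techniques score 2 and the two candidates for obs-4 score 1; because T1078 belongs to four tactics, it is highlighted in four cells while T1021 occupies one. Loading the JSON into the Navigator gives the review group a shared view of where the analysts agree and which cells still need discussion, which is exactly the comparison step the notes recommend.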