MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a knowledge base used by cybersecurity experts, but do you really know what it is and why it matters? Read on to learn everything you need to know about this important security tool.
What is the MITRE ATTACK Framework?
Strictly speaking, “MITRE ATTACK” refers to the knowledge base, while the “MITRE ATTACK framework” refers to the framework built on it. The MITRE ATTACK framework is a “globally-accessible knowledge base of adversary tactics and techniques based on real-world observations” (MITRE) that serves as a common language for threat modeling. The objective of ATTACK is to provide a common language for describing attacker behavior and to serve as a foundation for developing specific threat models and methodologies.
The framework is designed for cybersecurity practitioners at all organizational levels, from analysts to executives. Practitioners can use it to inform decisions about detection, prevention, and response strategies. Additionally, the ATTACK framework can be used to benchmark an organization’s security posture against specific adversaries, measure the effectiveness of security controls, and assess gaps in defenses (VMWare, 2022).
The MITRE ATTACK framework consists of three layers (Trellix):
- Tactics: the actions used by an adversary to accomplish their objectives
- Techniques: the specific methods or tools employed by an adversary to execute a tactic
- Procedures: the detailed steps taken by an adversary to carry out a technique
The framework is organized by tactics, which are grouped into categories based on their purpose. Each category contains techniques attackers can use to achieve the associated tactic. For each technique, there is a description of the procedure that an adversary may use to carry it out.
Is MITRE a Threat Model?
What Technologies Does ATTACK Apply To?
- Operating systems: Windows, Linux, macOS
- Mobile devices: Android, iOS
- Cloud providers: Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP)
- Virtualization platforms: VMware, Xen
- Container platforms: Docker, Kubernetes
- Industrial control systems (ICS): Siemens Simatic WinCC, GE Proficy iFix
Is MITRE ATT&CK Open Source?
ATTACK is not itself open source, but the information contained within it is freely available to anyone. Anyone can use the ATTACK knowledge base to help improve their security posture (CyberArk, 2021).
There are many ways to use MITRE ATTACK. One popular way is to create what are called “attack simulations.” In an attack simulation, defenders try to stop an adversary using known techniques from ATTACK. These simulations help defenders practice their responses to real-world threats and learn about any gaps in their defenses.
How Many Tactics and Techniques are There in MITRE ATTACK?
The current version of MITRE ATTACK includes nine tactics and more than 100 techniques. But that doesn’t mean there are only nine ways to attack a system or that there are only 100 techniques in existence. There are many more than that.
Some common techniques include malware infection, social engineering, password guessing, SQL injection, and denial-of-service attacks. As attackers find new ways to exploit systems and people, new techniques are being created.
How Does MITRE ATTACK Help Security Operations?
The MITRE ATT&CK Matrix: Tactics and Techniques
The objective of the ATTACK matrix is to better equip defenders to anticipate attacker behavior, identify gaps in their defenses, and implement mitigation strategies. The matrix and MITRE ATT&CK techniques have been widely adopted within the cybersecurity community and are used by practitioners across various industries.
The MITRE ATT&CK matrix consists of tactics grouped into three categories: initial access, execution, and persistence. Each tactic represents a high-level action that an attacker may take to gain access to a system or maintain access to a system. For each tactic, one or more associated MITRE ATT&CK techniques describe how an attacker may execute that tactic.
What Are Some Use Cases of the MITRE ATTACK Matrix?
One common use case for the matrix is identifying which assets within an organization are most critical and need to be protected. This can help prioritize security spending and ensure that the most critical assets are adequately defended. Additionally, the matrix can be used to assess an organization’s current security posture and identify gaps (Walkowski, 2021).
The MITRE ATTACK matrix can also be used to create “playbooks” for different types of attacks (Anderson, 2020). These playbooks can be used to help incident response teams rapidly identify and respond to attacks. Additionally, the playbooks can train staff on how to respond to various types of attacks.
Finally, threat intelligence analysts can use the matrix to track and analyze trends in MITRE attack techniques. This information can then be used to develop better defenses against future attacks.
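As an added example (not code from this page or from MITRE), the following Python builds the tactic-to-technique layout described above from objects shaped like the ATT&CK STIX 2.1 bundle and then reports, per tactic, which techniques have no detection mapped to them, the gap assessment mentioned under the use cases. The sample objects, the `_obj` helper and the revoked placeholder technique T0000 are constructed for this example; the field names (`x-mitre-tactic`, `x_mitre_shortname`, `kill_chain_phases`, `external_references`, `revoked`, `x_mitre_deprecated`) follow the real bundle published at attack.mitre.org.

```python
"""Tactic -> technique matrix from ATT&CK-style STIX 2.1 objects, plus a
per-tactic detection-coverage gap report. SAMPLE_OBJECTS is constructed
for this example; the real bundle has the same field shape."""


def _obj(kind, name, tid, phase):
    """Build a constructed STIX-like object carrying an ATT&CK ID."""
    o = {"type": kind, "name": name,
         "external_references": [{"source_name": "mitre-attack", "external_id": tid}]}
    if kind == "x-mitre-tactic":
        o["x_mitre_shortname"] = phase          # tactic shortname, e.g. "execution"
    else:  # attack-pattern: kill_chain_phases ties a technique to its tactic(s)
        o["kill_chain_phases"] = [{"kill_chain_name": "mitre-attack", "phase_name": phase}]
    return o


# Constructed sample: three tactics, three real technique IDs, one revoked placeholder.
SAMPLE_OBJECTS = [
    _obj("x-mitre-tactic", "Initial Access", "TA0001", "initial-access"),
    _obj("x-mitre-tactic", "Execution", "TA0002", "execution"),
    _obj("x-mitre-tactic", "Persistence", "TA0003", "persistence"),
    _obj("attack-pattern", "Phishing", "T1566", "initial-access"),
    _obj("attack-pattern", "Command and Scripting Interpreter", "T1059", "execution"),
    _obj("attack-pattern", "Boot or Logon Autostart Execution", "T1547", "persistence"),
    # T0000 is a constructed placeholder, not a real technique; revoked entries must be skipped.
    dict(_obj("attack-pattern", "Placeholder (constructed)", "T0000", "execution"), revoked=True),
]


def attack_id(obj):
    """Return the ATT&CK external ID (T1566, TA0001, ...) of a STIX object, or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref["external_id"]
    return None


def build_matrix(objects):
    """Map each tactic shortname to the active technique IDs that list it as a
    kill-chain phase. Revoked or deprecated objects are kept in the bundle for
    history only, so they are dropped. A technique with several kill_chain_phases
    appears under each of its tactics, as it does in the matrix view."""
    live = [o for o in objects if not o.get("revoked") and not o.get("x_mitre_deprecated")]
    matrix = {o["x_mitre_shortname"]: [] for o in live if o["type"] == "x-mitre-tactic"}
    for o in (o for o in live if o["type"] == "attack-pattern"):
        for phase in o.get("kill_chain_phases", []):
            if phase.get("kill_chain_name") == "mitre-attack" and phase["phase_name"] in matrix:
                matrix[phase["phase_name"]].append(attack_id(o))
    return matrix


def coverage_gaps(matrix, detected_ids):
    """Per tactic, the technique IDs with no detection mapped to them (sorted)."""
    return {t: sorted(set(ids) - set(detected_ids)) for t, ids in matrix.items()}
```

Feeding `coverage_gaps(build_matrix(objects), ids_your_detections_map_to)` the full bundle gives the per-tactic gap list that the assessment use case above calls for.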
Why Should an Ethical Hacker Know MITRE ATTACK?
If you’re in the security field, it’s essential to be aware of the MITRE ATTACK framework. This is a comprehensive knowledge base of cyberattack techniques that can be used to help plan and defend against real-world threats. Learn from an ethical hacking course to get training in essential skills.
EC-Council’s Certified Ethical Hacker course, the C|EH program, is the most comprehensive ethical hacking course available today. The C|EH curriculum covers all the topics in the MITRE ATTACK framework, making it the ideal training ground for anyone looking to get started in cybersecurity or take their career to the next level.
To learn more about our C|EH course and how we can help you become a certified ethical hacker, contact EC-Council today!
References
Anderson, E. (2020, December 10). MITRE ATTACK for ICS Matrix: What it is and how it’s used. Industrial Defender. https://www.industrialdefender.com/blog/mitre-attack-for-ics-what-it-is-how-its-used
CyberArk. (n.d.). MITRE ATTACK Framework. http://www.cyberark.com/what-is/mitre-attack/
MITRE. (n.d.). MITRE ATTACK. https://attack.mitre.org/
Trellix. (n.d.). What is the MITRE ATTACK framework? https://www.trellix.com/en-us/security-awareness/cybersecurity/what-is-mitre-attack-framework.html
VMWare. (n.d.). What is MITRE ATTACK? https://www.vmware.com/no/topics/glossary/content/mitre-attack.html
Walkowski, D. (2021, June 10). MITRE ATTACK: What it is, how it works, who uses it and why. F5 Labs. https://www.f5.com/labs/articles/education/mitre-attack-what-it-is-how-it-works-who-uses-it-and-why