MITRE ATT&CK

MITRE ATT&CK (Adversarial Tactics, Techniques & Common Knowledge) is a knowledge base of adversary tactics and techniques compiled from real-world observations of intrusions. It covers cybercriminal and state-sponsored activity alike.

The MITRE Corporation began building the knowledge base in 2013 and released it publicly in 2015. Its purpose is to describe adversary behaviour in a structured matrix so that defenders can build detections, assess their defences and respond to incidents in a consistent way.

MITRE ATT&CK matrices

Information in the MITRE ATT&CK knowledge base is presented in the form of matrices. Each matrix is a table in which the column headings are tactics (the adversary's goal at a given stage of an attack or its preparation, such as gaining initial access or collecting data) and the cells under each heading are the techniques by which that goal is achieved. Since 2020 a technique may be split further into sub-techniques. So, for example, MITRE ATT&CK classifies Collection (TA0009) as a tactic, whereas Automated Collection (T1119) and Data from Removable Media (T1025) are techniques under it. Note that one technique can serve several tactics and therefore appears in several columns: Valid Accounts (T1078), for instance, is listed under Initial Access, Persistence, Privilege Escalation and Defense Evasion.

The MITRE ATT&CK matrices are organized into three domains:

  • Enterprise — tactics and techniques used against organizations in the course of an attack. This domain includes both a summary matrix and individual matrices for specific platforms: Windows, macOS and Linux, cloud services, network devices and containers. Since 2020 it also covers pre-attack activity (Reconnaissance and Resource Development).
  • Mobile — tactics and techniques used to attack mobile devices running Android or iOS.
  • ICS — tactics and techniques used to attack industrial control systems.

In addition to the matrices, the MITRE ATT&CK knowledge base catalogues the techniques and software (malware and dual-use tools) used by known threat groups and campaigns, lists mitigations for each technique, and names the data sources whose telemetry can reveal each technique. The mitigations are the basic measures an organization can take to strengthen its protection against a given technique.

MITRE ATT&CK in practice

Infosec experts use the MITRE ATT&CK matrices for the following tasks:

  • Analysis of existing protection, to assess robustness against real threats and improve the security of the company's infrastructure. By mapping each security control and detection rule to the techniques it addresses, a team can see which techniques are covered well, which are not covered at all, and which of the gaps are most critical and should be closed first. Kaspersky publishes the MITRE ATT&CK coverage of its own solutions.
  • Timely incident response. Using the MITRE ATT&CK matrices, responders can identify the stage of an ongoing attack and decide which containment measures need to be taken first.
  • Cyberincident investigation. The MITRE ATT&CK matrices help establish quickly at what stage the attack was detected and where to look for earlier signs of penetration (for example, if a detection fires on an Exfiltration technique, Initial Access, Execution and Collection have already taken place and should be examined).
  • Attack attribution. Comparing the techniques observed in an incident with those documented for known groups narrows down the likely perpetrator. Overlap in techniques alone is rarely conclusive, because many groups use the same publicly available tools and techniques, so it should be combined with other indicators.
  • Analysis of adversary activity. The MITRE ATT&CK matrices allow infosec teams to trace how the tactics and techniques employed by known APT groups evolve over time.
  • Information exchange. The single structured system for describing cyberattacks, with its stable technique identifiers, lets specialists from different fields and organizations find a common language and exchange information.
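The first task above, mapping detections to techniques and scoring coverage per tactic, is the one most teams automate. The following is an added example, not code from the article or from MITRE: it builds the tactic-to-technique matrix from a bundle in the STIX 2.1 JSON shape that MITRE publishes (attack-pattern objects carrying a mitre-attack external_id and kill_chain_phases), then scores a detection inventory against it. The bundle and the rule inventory here are constructed samples; the technique IDs and names in them are real, but the rules are hypothetical and the rule-to-technique mapping is the analyst's own assumption. Two practitioner caveats are built in: revoked or deprecated techniques are skipped (they stay in the published data), and rules mapped to an ID that is no longer live are reported as stale.

```python
"""Tactic/technique matrix and detection-coverage scoring over ATT&CK data.

Added example; not part of the original article or of MITRE's own tooling.
The input follows the STIX 2.1 JSON shape MITRE publishes, but the bundle
below is a small constructed sample, not the real enterprise-attack.json.
"""
import json
from collections import defaultdict

# Enterprise matrix column order, using the short tactic names that appear in
# kill_chain_phases[].phase_name in the published data.
TACTIC_ORDER = [
    "reconnaissance", "resource-development", "initial-access", "execution",
    "persistence", "privilege-escalation", "defense-evasion", "credential-access",
    "discovery", "lateral-movement", "collection", "command-and-control",
    "exfiltration", "impact",
]


def _ap(tid, name, tactics, **extra):
    """Build one attack-pattern object in the published shape (sample data only)."""
    obj = {
        "type": "attack-pattern",
        "name": name,
        "external_references": [{"source_name": "mitre-attack", "external_id": tid}],
        "kill_chain_phases": [
            {"kill_chain_name": "mitre-attack", "phase_name": t} for t in tactics
        ],
    }
    obj.update(extra)
    return obj


# Constructed sample bundle: real IDs and names, a tiny subset of Enterprise ATT&CK.
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "objects": [
    _ap("T1566", "Phishing", ["initial-access"]),
    _ap("T1078", "Valid Accounts",
        ["initial-access", "persistence", "privilege-escalation", "defense-evasion"]),
    _ap("T1059", "Command and Scripting Interpreter", ["execution"]),
    _ap("T1059.001", "PowerShell", ["execution"], x_mitre_is_subtechnique=True),
    _ap("T1086", "PowerShell", ["execution"], revoked=True),  # superseded by T1059.001
    _ap("T1003", "OS Credential Dumping", ["credential-access"]),
    _ap("T1119", "Automated Collection", ["collection"]),
    _ap("T1025", "Data from Removable Media", ["collection"]),
    _ap("T1041", "Exfiltration Over C2 Channel", ["exfiltration"]),
    _ap("T1486", "Data Encrypted for Impact", ["impact"]),
    {"type": "x-mitre-tactic", "name": "Collection"},  # non-technique objects are ignored
]})

# Constructed (hypothetical) detection inventory: rule name -> mapped technique IDs.
SAMPLE_RULES = {
    "Encoded PowerShell command line": ["T1059.001"],
    "LSASS handle opened by non-system process": ["T1003"],
    "Privileged logon from unseen location": ["T1078"],
    "Mass rename to ransom extension": ["T1486"],
    "Legacy PowerShell rule": ["T1086"],  # still points at the revoked ID
}


def load_matrix(bundle_json):
    """Return {tactic: {technique_id: name}} for the live techniques in a bundle."""
    matrix = defaultdict(dict)
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "attack-pattern":
            continue
        # Revoked/deprecated entries remain in the data set; treat them as gone.
        if obj.get("revoked") or obj.get("x_mitre_deprecated"):
            continue
        tid = next(r["external_id"] for r in obj["external_references"]
                   if r.get("source_name") == "mitre-attack")
        for phase in obj.get("kill_chain_phases", []):
            if phase.get("kill_chain_name") == "mitre-attack":
                matrix[phase["phase_name"]][tid] = obj["name"]
    return dict(matrix)


def covered_ids(rules):
    """IDs with at least one rule; a sub-technique rule also counts for its parent."""
    ids = set()
    for tids in rules.values():
        for tid in tids:
            ids.add(tid)
            ids.add(tid.split(".")[0])
    return ids


def coverage(matrix, rules):
    """Per tactic: (covered, total, sorted uncovered IDs), in matrix column order."""
    have = covered_ids(rules)
    report = {}
    for tactic in TACTIC_ORDER:
        techs = matrix.get(tactic)
        if not techs:
            continue
        missing = sorted(t for t in techs if t not in have)
        report[tactic] = (len(techs) - len(missing), len(techs), missing)
    return report


def uncovered_tactics(report):
    """Tactics where no technique has a detection: the blind spots to fix first."""
    return [t for t, (cov, _, _) in report.items() if cov == 0]


def validate_rules(matrix, rules):
    """Rule -> technique IDs that are not live in the matrix (typos, revoked IDs)."""
    live = {tid for techs in matrix.values() for tid in techs}
    return {name: [t for t in tids if t not in live]
            for name, tids in rules.items() if any(t not in live for t in tids)}


if __name__ == "__main__":
    m = load_matrix(SAMPLE_BUNDLE)
    report = coverage(m, SAMPLE_RULES)
    for tactic, (cov, total, missing) in report.items():
        print(f"{tactic:<22} {cov}/{total}  missing: {', '.join(missing) or '-'}")
    print("blind spots:", uncovered_tactics(report))
    print("stale mappings:", validate_rules(m, SAMPLE_RULES))
```

Run against the real Enterprise bundle, the same functions produce a per-tactic gap list that can be fed into a prioritization discussion; counting a sub-technique rule toward its parent is a deliberate choice here and should be stated whenever coverage figures are shared, since a single PowerShell rule does not cover every scripting interpreter.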
