MITRE ATT&CK (Adversarial Tactics, Techniques & Common Knowledge) is a knowledge base describing cybercriminal tactics and techniques based on real-world observations.
The MITRE Corporation created the knowledge base in 2013. The project’s purpose is to develop a structured matrix of cybercriminal techniques to facilitate cyberincident response.
MITRE ATT&CK matrices
Information in the MITRE ATT&CK knowledge base is presented in the form of matrices. Each matrix comprises a table in which column headings correspond to tactics used by cybercriminals (that is, the main stages of a cyberattack or preparation for it), and the contents of the cells correspond to the techniques for implementing these tactics. So, for example, whereas MITRE ATT&CK classifies data collection as a tactic, automated collection and data from removable media are techniques.
The MITRE ATT&CK matrices make up four groups:
- PRE-ATT&CK — tactics and techniques used to prepare for a cyberattack.
- Enterprise — tactics and techniques used against companies in the course of an attack. This group includes both a summary matrix and individual matrices with tactics and techniques for cyberattacks on specific operating systems and cloud services.
- Mobile — tactics and techniques used to attack mobile devices running iOS or Android.
- ATT&CK for ICS — tactics and techniques used to attack industrial control systems.
In addition to the matrices, the MITRE ATT&CK knowledge base provides lists of techniques and malicious tools used by well-known APT groups. Furthermore, the MITRE ATT&CK website details some basic methods for strengthening corporate protection.
MITRE ATT&CK in practice
Infosec experts use the MITRE ATT&CK matrices for the following tasks:
- Analysis of existing protection to assess robustness against real threats and improve the security of the company’s infrastructure. The MITRE ATT&CK matrices help determine the techniques to which company resources are vulnerable so as to plan the elimination of the most critical issues.
- Timely incident response. Using the MITRE ATT&CK matrices, investigators can determine the stage of the attack and what measures need to be taken in the first instance.
- Cyberincident investigation. The MITRE ATT&CK matrices can be used to quickly establish at what stage the attack was detected and where to look for signs of penetration.
- Attack attribution. From the list of techniques used by certain cybercriminals, it is possible to determine the most likely perpetrator.
- Analysis of cybercriminal activity. The MITRE ATT&CK matrices allow infosec teams to trace the evolution of tactics and techniques employed by well-known APT groups.
- Information exchange. The single structured system for describing cyberattacks lets specialists from different fields find a common language and exchange information.