MITRE ATT&CK (Adversarial Tactics, Techniques & Common Knowledge) is a knowledge base describing cybercriminal tactics and techniques based on real-world observations.

The MITRE Corporation created the knowledge base in 2013. The project’s purpose is to develop a structured matrix of cybercriminal techniques to facilitate cyberincident response.

MITRE ATT&CK matrices

Information in the MITRE ATT&CK knowledge base is presented in the form of matrices. Each matrix comprises a table in which column headings correspond to tactics used by cybercriminals (that is, the main stages of a cyberattack or preparation for it), and the contents of the cells correspond to the techniques for implementing these tactics. So, for example, whereas MITRE ATT&CK classifies data collection as a tactic, automated collection and data from removable media are techniques.

The MITRE ATT&CK matrices make up three groups:

  • Enterprise — tactics and techniques used against companies in the course of an attack. This group includes both a summary matrix and individual matrices with tactics and techniques for cyberattacks on specific operating systems and cloud services.
  • Mobile — tactics and techniques used to attack mobile devices running iOS or Android.
  • ATT&CK for ICS — tactics and techniques used to attack industrial control systems.

In addition to the matrices, the MITRE ATT&CK knowledge base provides lists of techniques and malicious tools used by well-known APT groups. Furthermore, the MITRE ATT&CK website details some basic methods for strengthening corporate protection.

MITRE ATT&CK in practice

Infosec experts use the MITRE ATT&CK matrices for the following tasks:

  • Analysis of existing protection to assess robustness against real threats and improve the security of the company’s infrastructure. The MITRE ATT&CK matrices help determine the techniques to which company resources are vulnerable so as to plan the elimination of the most critical issues.
  • Timely incident response. Using the MITRE ATT&CK matrices, investigators can determine the stage of the attack and what measures need to be taken in the first instance.
  • Cyberincident investigation. The MITRE ATT&CK matrices can be used to quickly establish at what stage the attack was detected and where to look for signs of penetration.
  • Attack attribution. From the list of techniques used by certain cybercriminals, it is possible to determine the most likely perpetrator.
  • Analysis of cybercriminal activity. The MITRE ATT&CK matrices allow infosec teams to trace the evolution of tactics and techniques employed by well-known APT groups.
  • Information exchange. The single structured system for describing cyberattacks lets specialists from different fields find a common language and exchange information.

Related Posts