The MITRE ATTACK Framework, also stylized as ‘ATT&CK’, is an important asset in the modern battle against cybersecurity threats. In order to take full advantage of all that this framework has to offer. It is necessary to understand its implications as well as its features and benefits. In this article, we’ll explore the mitre attack framework and the top five things that you need to know about it.
For the uninitiated, here is a quick rundown of five main things you need to know. So, why do they matter in the current era.
It helps us understand how cybercriminals think
One of the primary purposes of this framework is to enable security specialists to unpick what makes hackers tick.
The ‘attack’ aspect of the name stands for Adversarial Tactics. Techniques and Common Knowledge, and essentially represent the idea. That this MITRE ATTACK framework gives users a way of working out not just how attacks are being carried out, but why.
It lets us evaluate security products (ATT&CK)
Another advantage of this framework is that it gives businesses and end-users a way to work out. Whether or not a particular cybersecurity product is up to scratch.
Looking into the MITRE ATT&CK results proffered by various vendors lets you make decisions. When procuring packages, and gives you a point of comparison against which different solutions can be online.
Obviously, you need to be able to interpret these results, which can be a bit hard. But the fact that such evaluation is possible is positive for organizations of all sizes using the MITRE ATTACK framework.
It’s founded on data from real events
The knowledge base forms the foundation of this framework (ATT&CK). So, is something that anyone can contribute to if they have relevant data to share. And most importantly. It contains documentation of actual attacks in which the tactics and techniques of cyber adversaries have in use.
This lets you look at real-world examples of attacks throughout their entire lifecycle. Extrapolate suitable strategies and responses from this. They say defense is the best form of attack, and the framework certainly upholds this idea.
MITRE ATTACK framework relies on insights gleaned from successful breaches to determine attacker behavior
In ideal circumstances, every organization would be able to deal with cyber threats. Before they break through the security measures that have in place. However, since this is not always an option, the MITRE ATTACK framework sets out to explore. So, learn from the things that hackers get up to once they are inside mission-critical systems.
This is all in the name of improving breach detection because there have many instances in which attackers have had unfettered access to systems for days, weeks, or even months before their presence notification, which is something every business wants to avoid.
Furthermore, this framework gives its practitioners a means of categorizing the different approaches which adversaries might use and using their findings to pinpoint the precise vulnerabilities in their existing strategies so that these flaws can be up.
A Quick Reference Table You Can Copy for ATT&CK
Use this table as a starter map. It pairs common tactics with example techniques, quick wins for detection, and an action you can take this month.
| Tactic | Example Technique | Quick Detection Win | Action This Month |
|---|---|---|---|
| Initial Access | Phishing For Credentials | Alert on unusual OAuth consent grants and new inbox rules | Add identity provider logs to your SIEM and set a weekly review of grants |
| Persistence | Registry Run Keys Or Startup Folder | Watch for new autoruns created by non admin users | Baseline autoruns in Finance workstations and alert on drift |
| Privilege Escalation | Exploitation For Privilege Escalation | Monitor kernel driver loads and unsigned drivers on endpoints | Turn on and tune driver load telemetry in endpoint protection |
| Defense Evasion | Obfuscated Or Compressed Files And Information | Flag compressed archives created in sensitive directories | Add a rule for new zip or 7z files in interesting places like temp folders during off hours |
| Credential Access | OS Credential Dumping | Detect LSASS access by non allowed processes and abnormal handle requests | Enable protected process light for LSASS where possible and write a handle access analytic |
| Lateral Movement | Remote Services And Pass The Hash | Alert on unexpected Service Control Manager activity and admin shares access | Deploy privileged access workstations and segment admin protocols |
| Collection | Screen Capture Or Clipboard | Monitor suspicious use of screen capture utilities on servers | Remove unnecessary desktop utilities from servers and enforce allow lists |
| Command And Control | Application Layer Protocol | Detect long lived outbound sessions to rare domains | Add a rarity model to outbound DNS and HTTP traffic from servers |
| Exfiltration | Exfiltration Over Unencrypted Non C2 Channel | Alert on large uploads to file sharing outside approved vendors | Enumerate allowed destinations and block the rest at the proxy |
| Impact | Data Encrypted For Impact | Watch for mass file rename events and unusual shadow copy deletions | Test recovery time by restoring a sample share from backups |
MITRE ATTACK framework covers a range of operating environments and platforms
There are a number of subsections within the MITRE ATTACK framework that allows for the majority of the most widely present OS ecosystems to be. This includes the likes of Windows, Mac OS, and Linux, as well as mobile devices running iOS and Android.
Furthermore, cloud-powered environments are also factored into the framework, which means it really can be applied to almost any enterprise-grade solution, whether it is hosted in-house or handled remotely.
There is a lot more to learn about this framework, but hopefully, you now have a taste for what it can do and will explore it further as a result.
