The Strategic Guide to the MITRE ATT&CK Framework


Who is MITRE?

Before diving into the framework, let's take a high-level look at MITRE and why they have quickly become an influential player in the security practitioner’s toolkit.

The MITRE Corporation is a federally funded research organization that has financed projects in which ethical hackers (“red teams”) document how defenders (“blue teams”) can detect and defend against malicious cyber activity.

In 2011 the defense contractor Lockheed Martin applied the military concept of the “kill chain,” which defines the structure of an attack in conventional warfare, to create the Cyber Kill Chain framework for defending computer networks. They observed that, just as in conventional warfare, cyber-attacks occur in phases which, taken together, can be expressed as an attack lifecycle. In this representation, attacks can be disrupted through controls established at each phase of the lifecycle. The Cyber Kill Chain is linear: it assumes the attack lifecycle follows an ordered sequence of seven steps: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, and finally Actions on Objectives.

Figure: the Cyber Kill Chain (image by Medium)


In 2013, the MITRE Corporation built on Lockheed’s work and created the MITRE Enterprise ATT&CK framework, which describes cyber-attack lifecycles within matrices of Tactics, Techniques and Procedures (TTPs). The ATT&CK framework assumes that the attacker has already gained initial access, and thus maps to the last four steps (starting with “Exploitation”) of the Cyber Kill Chain. Assuming the exploit has already occurred naturally enriches the defenses of organizations implementing Zero Trust Network Architectures (ZTNA). Each step has a clearly defined objective, from passive reconnaissance up to and including data exfiltration (e.g. a data breach) or data destruction (e.g. ransomware).

MITRE’s focus on post-exploitation detection has led to innovative threat hunting based on attack behaviors rather than attack signatures. These adversarial behaviors collectively make up the MITRE ATT&CK framework. ATT&CK stands for: Adversarial Tactics, Techniques & Common Knowledge.

What is ATT&CK?

The MITRE ATT&CK framework is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. Within this knowledge base, the ATT&CK Enterprise framework is a foundation for the development of specific threat models and methodologies for the most common operating systems and corporate environments. Within Enterprise ATT&CK, behaviors are expressed as TTPs (Tactics, Techniques, and Procedures). Prior to ATT&CK, threat hunting was a search either for bitwise pattern matches (think AV and IDS signatures) or for residual artifacts known to be associated with malicious activity, referred to as Indicators of Compromise (IOCs). Modeling attack behaviors as TTPs allows threat hunting based on patterns of behavior common to advanced threat actors who are known to use sophisticated techniques. These attack behaviors are better detected when the hunt does not assume that the attacker will follow a strict linear sequence.

Figure: a sampling of the tactics and techniques that make up the MITRE ATT&CK® Matrix for Enterprise


A tactic is the adversary’s objective in using techniques and procedures during a given step. Tactics constitute the “why” of each step in the attack lifecycle. "Tactics serve as useful contextual categories for individual techniques and cover standard, higher-level notations for things adversaries do during an operation, such as persist, discover information, move laterally, execute files, and exfiltrate data."

Techniques represent the "how" of each tactic in the attack lifecycle. Each technique includes information relevant to red teams for understanding the nature of that technique. Multiple techniques are often used within each tactic. Take the example of an adversary that needs to move beyond its initial access to the network. It now needs privileged user credentials in order to begin lateral movement. Both “Credential Access” and “Lateral Movement” are ATT&CK tactics, because they represent objectives at different steps within the attack lifecycle. Those objectives are carried out with techniques such as brute-force password cracking for Credential Access, or remote service session hijacking for Lateral Movement.

What differentiates ATT&CK from other evaluation frameworks?

The MITRE ATT&CK framework is dynamic and flexible. Building on its rapid adoption, MITRE welcomes contributions from the cybersecurity and threat intelligence communities to keep the framework updated with the latest TTPs. Although ATT&CK built on the Cyber Kill Chain, the Cyber Kill Chain has several blind spots that the MITRE ATT&CK framework addresses:

Attack source: The Cyber Kill Chain assumed all threats originated outside the protected network and that the attack passed through a perimeter defense, such as a firewall. The ATT&CK framework assumes the adversary has already penetrated edge defenses, and as such aligns with modern Zero Trust Network Architectures (ZTNAs).

Attack sequence: The Cyber Kill Chain assumed all attacks would follow an ordered sequence of steps. The ATT&CK framework allows for the complexity associated with advanced threat tactics which may not follow an ordered sequence.

Attack detection: The Cyber Kill Chain assumes the perimeter firewall is in the sequence of all attacks, and to that extent that all attacks can be thwarted at the perimeter. The ATT&CK framework largely assumes initial infiltration will eventually be, or has already been, successful, and that initial detection and blocking of threats may happen from within the protected network. Since exploitation has already occurred, ATT&CK’s goal is to reduce the Mean Time to Detection (MTTD). MTTD is also referred to as the adversary’s “dwell time” undetected in the environment.

Attack groups: Within the ATT&CK framework, threat actors are assigned a unique identifier (common name) which is mapped to threat groups known to exhibit certain common behaviors. The Cyber Kill Chain has no such designation. For example, the ATT&CK group name APT29 designates a set of behaviors commonly associated with the Russian hacker group “Cozy Bear,” which is thought to be responsible for the hack of the DNC in 2016. The behaviors are openly published and free for anyone to use. So, when using MITRE ATT&CK for threat hunting, caution should be exercised so as not to assume the origin of an attack based solely on its behaviors.

What challenges does the framework address and how can organizations make sense of the findings?

Firstly, MITRE is considered vendor-agnostic and does not compete with or endorse any vendor solution. Since MITRE collaborates with vendors during the evaluations, MITRE is effectively the "red team," while the vendor providing detection and response to MITRE is the "blue team." When red teams collaborate with blue teams, the result is a “purple team.” Purple teams go beyond identifying vulnerabilities and working from their initial assumptions. Instead, they test controls in real time by simulating the type of approach that intruders are likely to use in an actual attack.

For vendor evaluations, tests are limited to a finite set of behaviors within a specific operating environment or terrain (the latest endpoint evaluation was called APT29 since it mimicked behaviors associated with the APT29 threat group).

Rather than attempting to score the product’s detection capabilities, MITRE’s evaluation focused on articulating how detections occur by assigning each step one of six required “main detection categories,” each optionally accompanied by one of seven “modifiers,” for a total of 13 possible categorizations for each step in the test. The detection category is a quality designation, not a score in the traditional sense. For example, a product may detect behaviors in a way that reveals the quality of the vendor’s detection and response. Again, the evaluation focuses on articulating how these detections occur, rather than assigning scores to vendor capabilities.

MITRE evaluations use the ATT&CK framework to simulate attack scenarios that security vendors must then detect as quickly as possible. Security teams can use the results of these evaluations to assess their solution options against a common standard, evaluate key visibility points within their programs, and determine the strength of their detection coverage and strategies.

In addition to offering a common language for cyber defenders, ATT&CK provides a foundation for red teams and penetration testers. This gives defenders a frame of reference when identifying adversarial behaviors.

K logix and MITRE ATT&CK

K logix’s Department of Internal Research agnostically evaluates information security market segments to help customers determine the best fit technology solution for their specific business and technical requirements. K logix analyzed and integrated MITRE ATT&CK data into their evaluation of the Endpoint security marketspace.

K logix wrote a script to parse MITRE’s testing data and cross-compare endpoint security vendors’ performances. Our results compare vendors’ abilities across the ten tactics. We then weight the importance of each tactic based on a strong defense-in-depth approach to produce a total coverage score for each vendor.
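As an added illustration (not K logix’s script or any MITRE code) of how the per-step categorizations described above can be rolled up into per-tactic coverage and a weighted total: the category and modifier names are the APT29-round labels as I recall them (an assumption; the page only gives their counts), and the tactic weights and sample results are constructed.

```python
from collections import defaultdict

# Main detection categories and modifiers as I recall them from the APT29
# evaluation round (an assumption; the page only gives the counts 6 and 7).
MAIN_CATEGORIES = {"None", "Telemetry", "MSSP", "General", "Tactic", "Technique"}
MODIFIERS = {"Alert", "Correlated", "Delayed", "Host Interrogation",
             "Residual Artifact", "Configuration Change", "Innovative"}

# Constructed defense-in-depth weights; not K logix's actual weighting.
TACTIC_WEIGHTS = {
    "Initial Access": 0.10, "Execution": 0.20, "Persistence": 0.15,
    "Credential Access": 0.25, "Lateral Movement": 0.30,
}

# Constructed sample results: (step id, tactic, main category, modifier or None).
SAMPLE_RESULTS = [
    ("1.A.1", "Initial Access", "Technique", "Alert"),
    ("1.A.2", "Initial Access", "None", None),
    ("2.B.1", "Execution", "Telemetry", None),
    ("2.B.2", "Execution", "General", "Delayed"),
    ("3.A.1", "Persistence", "None", None),
    ("4.C.1", "Credential Access", "Technique", "Correlated"),
    ("4.C.2", "Credential Access", "Tactic", None),
    ("5.A.1", "Lateral Movement", "Telemetry", "Host Interrogation"),
    ("5.A.2", "Lateral Movement", "None", None),
]

def validate(step):
    """Reject a record whose category or modifier is not one of the 13 labels."""
    step_id, _, category, modifier = step
    if category not in MAIN_CATEGORIES:
        raise ValueError(f"{step_id}: unknown category {category!r}")
    if modifier is not None and modifier not in MODIFIERS:
        raise ValueError(f"{step_id}: unknown modifier {modifier!r}")
    return step

def coverage_by_tactic(results):
    """Fraction of steps per tactic with any detection (category != 'None')."""
    seen, detected = defaultdict(int), defaultdict(int)
    for _, tactic, category, _ in map(validate, results):
        seen[tactic] += 1
        detected[tactic] += category != "None"
    return {t: detected[t] / seen[t] for t in seen}

def weighted_coverage(results, weights=TACTIC_WEIGHTS):
    """Weighted total coverage; a tactic absent from the results scores zero."""
    cov = coverage_by_tactic(results)
    return sum(w * cov.get(t, 0.0) for t, w in weights.items())
```

Because a tactic with no recorded steps contributes zero, a missing tactic in a vendor’s data shows up as a coverage gap rather than silently inflating the score.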

The third iteration of our vendor-neutral endpoint analysis looked at leading endpoint vendors and determined which products:

1. Fit with the current and future threat landscape

2. Addressed changing IT infrastructures

3. Scored highest and lowest in mobility, efficacy, device management, performance, interoperability, and more

4. Aligned with the MITRE ATT&CK framework - based on K logix’s custom script to parse through MITRE’s testing data and cross-compare vendors’ performances

Contact one of our experts to see the results.
