MITRE ATT&CK® Framework: Defined and Outlined

According to the MITRE website, “MITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations.” Basically, this deep catalog of hackers’ tools of the trade is a fount of cybersecurity knowledge. The ATT&CK® framework can lay the foundation for offensive and defensive strategies in cybersecurity.

The ATT&CK® Gold Standard

Developed by MITRE, a non-profit think tank that manages federally funded research and development centers (FFRDCs), the open source ATT&CK® framework is becoming the gold standard for cybersecurity strategy. The acronym stands for Adversarial Tactics, Techniques & Common Knowledge.

The framework has undergone several iterations, but it continues to aim to be as comprehensive a paradigm as possible for understanding and cataloging cyber threats. MITRE actively seeks contributions to the framework from practitioners to keep it current and just released a beta version with sub-techniques this year. Three matrices are available: Enterprise ATT&CK®, Pre-ATT&CK®, and Mobile ATT&CK®.

The 12 MITRE ATT&CK® Tactics

The ATT&CK® Framework consists of 12 tactics. These are often considered the “why” part of the equation. Each tactic represents an objective that the attacker wishes to achieve in their current step of compromise (e.g., achieving “Initial Access” to a network or server). These 12 tactics are defined and outlined below (for official definitions and additional information, visit MITRE’s website):

  • Initial Access: Techniques that use various entry vectors to gain an initial foothold within a network.
  • Execution: Techniques that result in adversary-controlled code running on a local or remote system.
  • Persistence: Techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off access.
  • Privilege Escalation: Techniques adversaries use to gain higher-level permissions on a system or network.
  • Defense Evasion: Techniques that adversaries use to avoid detection throughout their compromise.
  • Credential Access: Techniques for stealing credentials like account names and passwords.
  • Discovery: Techniques an adversary may use to gain information about the system and internal network.
  • Lateral Movement: Techniques adversaries use to enter and control remote systems on a network.
  • Collection: Techniques adversaries may use to gather information relevant to following through on their objectives, and the sources that information is collected from.
  • Command and Control: Techniques adversaries use to communicate with systems under their control within a victim network.
  • Exfiltration: Techniques that adversaries may use to steal data from your network.
  • Impact: The techniques that adversaries use to disrupt availability or compromise integrity by manipulating business and operational processes.

Why the ATT&CK® Framework is Valuable

The ATT&CK® matrices serve public and private enterprises as foundations of knowledge for modeling threats and methodologies. PlexTrac CEO Dan DeCloss says, “We love to reference the MITRE ATT&CK® framework because it breaks everything down based on the attack lifestyle, which, at the end of the day, is what we are really trying to do—identify issues that crop up in each of those different tactics.”

All that collected and aggregated information gives both red and blue teams extensive knowledge to plan assessments, and knowledge is power. But effectively using the power available in the ATT&CK® knowledge base takes work. PlexTrac helps manage and aggregate the data produced when following the ATT&CK® framework so teams can better collaborate. Using PlexTrac with MITRE ATT&CK® can take a cybersecurity team to the next level with a purple teaming paradigm.

