November 2, 2022

The Mitre ATT&CK Framework Demystified

By: Randori Blog

Join us as we unravel the mystery of the Mitre ATT&CK framework. Learn what it is, how it’s organized and how it can help you protect your digital assets. We will discuss the design and applications of this cybersecurity knowledge base.

What is the Mitre ATT&CK Framework?

ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge. ATT&CK started as a way for another Mitre project to document cyber threat behavior.

The cybersecurity community needed a knowledge base for accessing credible attack behavior and consolidated information about cyber adversary tactics, techniques, and objectives. With that in mind, Mitre ATT&CK was born. Today, ATT&CK’s framework of matrices, submatrices, tactics, and techniques provides the context of over 400 cybercriminal behaviors, all described through the cyber threat actor’s point of view.

ATT&CK’s Defining Characteristics

At its core, Mitre ATT&CK’s philosophy can be broken down into three main concepts that shape its design and usage. All three concepts are the foundation of ATT&CK’s goals for the framework.

These concepts also reflect the most important aspects of Mitre’s code of ethics: 1) information is free, and 2) it is available on a global scale.

ATT&CK defines these three characteristics as Adversarial Perspective, Empirical Use, and Abstraction.

1. The Adversarial Perspective:

The framework approaches cyber threat behaviors from the point of view of the adversary, making it one of the world’s most valuable vaults of cybersecurity information. This is key to understanding cyber threats. Understanding the adversary’s motivations, objectives, and context allows cybersecurity programmers to develop cutting-edge digital perimeter security. This defends digital assets during an active attack and helps create protocols that anticipate and thwart attacks before they succeed in a data breach.

2. Empirical Use Examples: All Data Sources Must Be Real:

ATT&CK’s framework of cybercriminal behaviors is developed from real-world sources and events. Nothing is theoretical; everything relies on information gathered from experience. These sources include:

      • Social media
      • Open source code and data
      • Threat intelligence reports
      • Webinars, conference presentations, and other publications
      • Malware samples
      • Community contributions

ATT&CK then uses this information to describe real-world examples of cybercriminal behaviors. These examples are listed at the end of each pathway within the ATT&CK framework. 

3. Abstraction:

The ATT&CK framework calls this ‘Abstraction,’ which is a complicated way of referring to how information is filtered by the framework. 

Part of the concept of abstraction involves adapting a common language to refer to adversarial actions, objectives, techniques, and tactics. The other part is the unique way the framework matrix is designed and categorized, which allows for ease of use.

How To Navigate The Framework

The framework is complex because of the sheer number of variables to account for within 400 cybercriminal techniques. Though the language used in the matrix can be a barrier for people who aren’t cybersecurity professionals, developers, or defenders, the framework can be learned with practice.

Cybercriminal activities are divided into tiers of groups and subgroups.

Matrices and Submatrices

It is easiest to navigate the framework via the ATT&CK framework’s three main matrices. They are Enterprise, Mobile, and Industrial Control Systems or ICS. 

1. Enterprise:

The Enterprise Matrix is the most extensive collection of cyber adversary behaviors and techniques, with 218 different tactics. The matrix refers to cyberthreat actions directed at operating systems such as Windows, macOS, Linux, and PRE. It also addresses cloud services like Office 365, Azure, and Google Workspace. The last significant submatrix in the Enterprise Matrix includes workspace and network infrastructure devices.

2. Mobile:

The Mobile Matrix is the second-largest matrix. It covers device access and network-based effects on devices running the Android and iOS platforms.

3. Industrial Control Systems or ICS:

Industrial Control Systems encompass network and cloud systems utilized by any private sector industry that isn’t necessarily branded. The ICS Matrix is essentially very similar in its submatrices to the Enterprise Matrix, but major submatrices aren’t named.

Tactics and Techniques

Within each submatrix are lists of tactics used by cybercriminals. Some common tactics are initial access, execution, and privilege escalation. However, each matrix and submatrix will include different tactics that are used. 

Within each tactic, there are several techniques listed. It’s easy to confuse tactics and techniques because the two words are used interchangeably in everyday language. However, the significant difference between the two terms is that ‘tactic’ refers to the adversary’s objective and ‘technique’ refers to their method.

Procedural Examples

Within each technique are several examples of this exact pathway used by a cyber adversary. These are real-world examples that are constantly updated as events unfurl.

Mitre ATT&CK Framework Example

It’s easy to get lost navigating the ATT&CK framework in concept alone. Below is an example of an actual pathway within the framework that shows how this complex structure works. 

  1. Matrix – Enterprise
    • Submatrix – Windows OS
      • Tactic – Initial Access
      • Technique – Drive-by Compromise
      • Procedural Example – Andariel Watering Hole Attacks
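
The same pathway can be resolved programmatically, which is how defenders usually map detections to techniques. The following is an added example, not part of the original post: the field names follow the public ATT&CK STIX data, while the object ids, the second technique, and the description text are constructed for illustration.

```python
import json

# Constructed, heavily trimmed sample in the shape of an ATT&CK STIX bundle.
BUNDLE = json.loads("""
{"objects": [
 {"type": "x-mitre-tactic", "id": "x-mitre-tactic--1", "name": "Initial Access",
  "x_mitre_shortname": "initial-access"},
 {"type": "attack-pattern", "id": "attack-pattern--1", "name": "Drive-by Compromise",
  "x_mitre_platforms": ["Windows", "Linux", "macOS"],
  "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "initial-access"}]},
 {"type": "attack-pattern", "id": "attack-pattern--2", "name": "Sample Linux-only Technique",
  "x_mitre_platforms": ["Linux"],
  "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "initial-access"}]},
 {"type": "intrusion-set", "id": "intrusion-set--1", "name": "Andariel"},
 {"type": "relationship", "id": "relationship--1", "relationship_type": "uses",
  "source_ref": "intrusion-set--1", "target_ref": "attack-pattern--1",
  "description": "Watering hole attacks (constructed summary)."}
]}
""")

def walk(bundle, platform):
    """Return {tactic: {technique: [procedure examples]}} for one platform."""
    objs = bundle["objects"]
    by_id = {o["id"]: o for o in objs}
    tactic_name = {o["x_mitre_shortname"]: o["name"]
                   for o in objs if o["type"] == "x-mitre-tactic"}
    # Procedure examples are "uses" relationships pointing at a technique.
    procedures = {}
    for rel in objs:
        if rel["type"] == "relationship" and rel["relationship_type"] == "uses":
            actor = by_id.get(rel["source_ref"], {}).get("name", "unknown")
            procedures.setdefault(rel["target_ref"], []).append(
                f"{actor}: {rel.get('description', '')}")
    tree = {}
    for tech in objs:
        if tech["type"] != "attack-pattern":
            continue
        if platform not in tech.get("x_mitre_platforms", []):
            continue  # technique does not apply to this submatrix
        for phase in tech.get("kill_chain_phases", []):
            if phase["kill_chain_name"] != "mitre-attack":  # Enterprise matrix only
                continue
            tactic = tactic_name.get(phase["phase_name"], phase["phase_name"])
            tree.setdefault(tactic, {})[tech["name"]] = procedures.get(tech["id"], [])
    return tree

if __name__ == "__main__":
    print(json.dumps(walk(BUNDLE, "Windows"), indent=2))
```

A technique with an empty procedure list still appears in the tree, so gaps in documented real-world use are visible rather than silently dropped.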

Applications of the Mitre ATT&CK Framework

The leading cybersecurity protocols, management software, and network initiatives can benefit from the knowledge the ATT&CK framework contains. The adversarial perspective is becoming the most beneficial point of view for creating a cybersecurity perimeter that protects against and anticipates attacks. 

Randori uses resources like the Mitre ATT&CK Framework in external surface management techniques like black box testing and red teams.
