What is MITRE ATT&CK?
MITRE ATT&CK
MITRE ATT&CK™ (Adversarial Tactics, Techniques & Common Knowledge) is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community. (1)
MITRE ATT&CK consists of three matrices: PRE-ATT&CK, Enterprise ATT&CK and Mobile ATT&CK. Together they describe an end-to-end attack chain that dives deep into adversaries' actions to help security analysts accelerate detection and response. At each step of the way, threat data informs the chain, drawn from real threat reports rather than speculation, with the focus on adversaries' behavior rather than the tools they use. (Note that PRE-ATT&CK has since been retired: its content was folded into the Enterprise matrix as the Reconnaissance and Resource Development tactics, and a separate ATT&CK for ICS matrix has been added.)
PRE-ATT&CK:
A set of tactics, techniques and common knowledge that focuses on adversary behavior outside of the enterprise. It covers the Recon, Weaponize and Deliver stages of an attack, i.e. what the adversary does before the first exploit reaches the target.
ENTERPRISE ATT&CK:
A set of tactics, techniques and common knowledge that focuses on adversary behavior inside of the enterprise. It covers the Exploit, Control, Execute and Maintain stages of an attack.
MOBILE-ATT&CK:
A set of tactics, techniques and common knowledge that focuses on adversary behavior against mobile devices (Android and iOS) rather than traditional enterprise endpoints. It covers the Exploit, Control, Execute and Maintain stages of an attack as they apply to the mobile environment.
Benefits of the MITRE ATT&CK framework:
- Structures and organizes the analysis of adversary tactics, techniques and procedures (TTPs)
- Describes behavior from the actor's perspective (actor-centric)
- Provides a roadmap for simulating 'real-world' adversary attacks
- Provides a starting point for assessing how vendor technology defends against specific techniques
- Kickstarts red, blue and purple team work and threat hunting efforts
- Part of an eight-framework 'bigger picture' roadmap from MITRE
Example use cases for the ATT&CK framework:
- Gap analysis of current defenses to improve security posture
- Detection of heavily used techniques so analysts can prioritize what to look for
- Information sharing of observed behaviors on the network among security teams
- Mapping of tactics and techniques to related data within the environment for threat hunting
- Tracking the evolution of tactics, techniques, and procedures (TTPs) over time and building adversary profiles
- Adversary emulation for red team/blue team exercises
THREATQ AND MITRE ATT&CK
ThreatQ's deep integration with MITRE ATT&CK is designed to automate the creation of relationships between inbound data in the ThreatQ platform and MITRE ATT&CK techniques. It is a flexible integration that lets a user map external data sources to individual MITRE ATT&CK techniques. Once a source is mapped, ThreatQ automatically associates both the events and the indicators it delivers with the assigned techniques. A user can then open a ThreatQ Investigation and use the relevant MITRE ATT&CK technique as the starting point for the investigation.
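The following Python is an added example, not ThreatQ's or MITRE's code. It sketches the source-to-technique mapping workflow described above together with two of the use cases listed earlier (gap analysis and prioritizing heavily used techniques): it parses a constructed, trimmed bundle in the layout of MITRE's published ATT&CK STIX data, applies a hypothetical analyst-configured mapping table to constructed inbound events and indicators, and reports per-tactic counts, records nobody could resolve, and techniques no data source covers. The technique IDs, tactic names and STIX field names are MITRE's; the feed names, the mapping table and the inbound records are assumptions made for the example.

```python
"""Map inbound threat data to MITRE ATT&CK techniques and report coverage.

Added example, not ThreatQ's code. The bundle below mimics the layout of
MITRE's published enterprise-attack.json (STIX 2.0); feeds, mappings and
inbound records are constructed for the example.
"""
import json
from collections import Counter


def _attack_pattern(tid, name, *tactics, revoked=False):
    """One attack-pattern object in the layout MITRE publishes: the technique
    ID sits in external_references, the tactics in kill_chain_phases."""
    return {
        "type": "attack-pattern", "id": f"attack-pattern--{tid}", "name": name,
        "revoked": revoked,
        "external_references": [{"source_name": "mitre-attack", "external_id": tid,
                                 "url": f"https://attack.mitre.org/techniques/{tid.replace('.', '/')}"}],
        "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": t} for t in tactics],
    }


# Constructed, trimmed bundle: real technique IDs and tactic names, but only a handful of objects.
ATTACK_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--constructed", "spec_version": "2.0", "objects": [
    _attack_pattern("T1003", "OS Credential Dumping", "credential-access"),
    _attack_pattern("T1566.001", "Spearphishing Attachment", "initial-access"),
    _attack_pattern("T1059.001", "PowerShell", "execution"),
    _attack_pattern("T1053", "Scheduled Task/Job", "execution", "persistence", "privilege-escalation"),
    _attack_pattern("T1086", "PowerShell", "execution", revoked=True),  # revoked in favour of T1059.001
    {"type": "intrusion-set", "id": "intrusion-set--constructed", "name": "Example Group"},
]})

# Hypothetical analyst-configured mappings: data source -> technique IDs (feed names constructed).
SOURCE_MAPPINGS = {
    "phishing-feed": ["T1566.001"],
    "edr-credential-alerts": ["T1003"],
    "edr-script-alerts": ["T1059.001"],
    "legacy-av-feed": ["T1086"],  # stale mapping to a revoked ID
}

# Constructed inbound events and indicators, as a platform might ingest them.
INBOUND = [
    {"source": "phishing-feed", "kind": "indicator", "value": "invoice_q3.docm"},
    {"source": "edr-credential-alerts", "kind": "event", "value": "procdump.exe read lsass.exe memory"},
    {"source": "edr-credential-alerts", "kind": "event", "value": "sekurlsa::logonpasswords observed"},
    {"source": "edr-script-alerts", "kind": "event", "value": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"source": "legacy-av-feed", "kind": "event", "value": "PowerShell heuristic hit"},
    {"source": "unmapped-netflow", "kind": "event", "value": "10.0.0.5 -> 203.0.113.9:443"},
]


def load_techniques(bundle_json):
    """Return {technique_id: {"name", "tactics"}} from an ATT&CK STIX bundle,
    skipping revoked/deprecated objects so stale mappings surface instead of silently matching."""
    techniques = {}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "attack-pattern" or obj.get("revoked") or obj.get("x_mitre_deprecated"):
            continue
        tid = next((r["external_id"] for r in obj.get("external_references", [])
                    if r.get("source_name") == "mitre-attack"), None)
        if tid is None:
            continue
        tactics = [p["phase_name"] for p in obj.get("kill_chain_phases", [])
                   if p.get("kill_chain_name") == "mitre-attack"]
        techniques[tid] = {"name": obj["name"], "tactics": tactics}
    return techniques


def associate(inbound, mappings, techniques):
    """Tag each record with the techniques its source maps to. Records from unmapped
    sources, or mapped only to IDs absent from the knowledge base, go to `unresolved`."""
    tagged, unresolved = [], []
    for rec in inbound:
        ids = [t for t in mappings.get(rec["source"], []) if t in techniques]
        (tagged if ids else unresolved).append({**rec, "techniques": ids})
    return tagged, unresolved


def tactic_counts(tagged, techniques):
    """Records per tactic: the 'heavily used techniques' prioritization view."""
    counts = Counter()
    for rec in tagged:
        for tid in rec["techniques"]:
            counts.update(techniques[tid]["tactics"])
    return counts


def coverage_gaps(techniques, mappings):
    """Techniques no data source feeds: the gap-analysis view."""
    covered = {t for ids in mappings.values() for t in ids}
    return sorted(t for t in techniques if t not in covered)


def build_report(bundle_json=ATTACK_BUNDLE, inbound=INBOUND, mappings=SOURCE_MAPPINGS):
    techniques = load_techniques(bundle_json)
    tagged, unresolved = associate(inbound, mappings, techniques)
    return {"tagged": tagged, "unresolved": unresolved,
            "tactic_counts": dict(tactic_counts(tagged, techniques)),
            "gaps": coverage_gaps(techniques, mappings)}


if __name__ == "__main__":
    report = build_report()
    for rec in report["tagged"]:
        print(f"{rec['source']:24} {rec['kind']:9} -> {', '.join(rec['techniques'])}")
    print("unresolved:", [r["source"] for r in report["unresolved"]])
    print("per tactic:", report["tactic_counts"])
    print("no source covers:", report["gaps"])
```

Run as a script, it tags four records, leaves the netflow event (no mapping) and the legacy AV hit (mapped to the revoked T1086) for review, counts two credential-access records against one each for initial-access and execution, and lists T1053 as a technique no source feeds. The revoked-ID case is the caveat to keep in mind with any automated mapping: ATT&CK renumbers and retires techniques between versions, so a mapping table has to be re-validated against the current bundle rather than trusted indefinitely.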