What is the MITRE ATT&CK Framework?

The MITRE ATT&CK® framework is a knowledge base of tactics and techniques designed for threat hunters, defenders and red teams to help classify attacks, identify attack attribution and objectives, and assess an organization's risk. Organizations can use the framework to identify security gaps and prioritize mitigations based on risk.

History of the MITRE ATT&CK Framework

MITRE is an unbiased, nonprofit organization based in Bedford, Massachusetts, and McLean, Virgina that was established with the purpose of providing engineering and technical guidance to the federal government. Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) is the acronym form of the framework that was developed as part of a MITRE research project that began in 2013.

MITRE kicked off the ATT&CK framework project in 2013 to document the tactics, techniques and procedures (TTPs) that advanced persistent threat (APT) groups use against enterprise businesses. It was created out of a need to describe adversary TTPs that would be used by a MITRE research project called FMX.

The objective of FMX was to investigate how endpoint telemetry data and analytics could help improve post-intrusion detection of attackers operating within enterprise networks. The ATT&CK framework was used as the basis for testing the efficacy of the sensors and analytics under FMX and served as the common language that both offense and defense could use to improve over time.

As of 2015, MITRE ATT&CK was freely available for download to the public, and today it helps security teams in organizations of all sectors gain a deeper understanding of the threats at play and secure their systems against them. While MITRE ATT&CK was originally developed to address threats against Windows enterprise systems, it is now also applicable to Linux, macOS, mobile, cloud, network, containers and industrial control system (ICS) applications.

What Is MITRE Engenuity?

In collaboration with private companies, MITRE Engenuity is an organization that addresses public interest challenges in cybersecurity, infrastructure resilience, healthcare effectiveness and next-generation communications. In its first initiative, MITRE Engenuity brings together security experts from leading organizations to strengthen cyber defense by gaining a deeper understanding of cyber adversaries.

To improve organizations' resilience to known adversary behavior, MITRE Engenuity uses the ATT&CK® knowledge base to evaluate cybersecurity products based on three criteria:

• Giving end users objective insight into the functionality of participating security products
• Enabling participants to see the true capabilities of their security products
• Enhancing the capabilities of participants

There is no competitive analysis in these evaluations. Rather than providing a "winner," they illustrate how each vendor approaches threat defense within the context of ATT&CK. There is no universal way to analyze, rank or score solutions. Their evaluation methodologies are publicly available, and the results are publicly released. They are continually evolving and extending their methodologies and content to ensure a fair, transparent and useful evaluation process.

What are MITRE Engenuity ATT&CK Evaluations?

It is up to vendors to determine how to detect and protect potential adversary behavior. MITRE Engenuity requires that vendors provide proof of detection, although they may not share all detection details publicly. Vendors may not disclose all detection details in public results. Our responsibility is to abstract the data using categories and discuss the products similarly using the information they provide us.

To determine the appropriate category for a detection, MITRE Engenuity captures supporting evidence in the form of screenshots and notes taken during the evaluation. A detection or protection can be classified into two types: "Main" and "Modifier." The main category designation of each detection varies based on the amount of context that is provided to the user, and the modifier category designation can help describe the event in greater detail as well.

Categories Utilized by MITRE Engenuity for Detection:

In March of 2022, fourth-round attack evaluations were released, focusing on Wizard Spider and Sandworm threat actors. Wizard Spider is a financially motivated criminal group that has been a threat to major corporations, including hospitals, since August 2018. Sandworm is a destructive Russian threat group that carried out attacks in 2015 and 2016 against UK electrical companies and is well known for the 2017 NotPetya attacks.

Turla is an internationally recognized threat group that has been active since at least the early 2000s. Worldwide, it has infected more than 45 countries. Known targets of the organization include government agencies, diplomatic missions, military groups, and research and media organizations. Turla uses both open-source and in-house tools to maintain operational security, including a command-and-control network and a variety of open-source and sophisticated techniques.

According to MITRE Engenuity, this latest round of evaluations showed significant product growth by vendors, including Palo Alto Networks, with emphasis on threat-informed defense capabilities and further prioritization of the ATT&CK framework. Further information on the evaluation results can be found here.

Dive deeper into the topic of ATT&CK Matrix for Enterprise.

What Are Tactics in the MITRE ATT&CK Framework?

Tactics represent the “why” of an ATT&CK technique or subtechnique. Adversarial tactics represent the attacker's goal or the reason for performing an action. For example, an adversary may want to achieve credential access.

There are 14 tactics in the Enterprise ATT&CK Matrix:

What Are MITRE Techniques and How Many Are There?

Techniques represent “how” an adversary achieves a tactical goal by performing an action. For example, an adversary may dump credentials to achieve credential access. The MITRE ATT&CK Matrix contains a set of techniques adversaries use to accomplish a specific objective. Those objectives are categorized as tactics in the ATT&CK Matrix.

The Enterprise ATT&CK Matrix is a superset of the Windows, macOS and Linux matrices. The 2022 version of ATT&CK for Enterprise contains 14 Tactics, 193 Techniques, 401 Subtechniques, 135 Groups, 14 Campaigns and 718 Pieces of Software. MITRE regularly updates the techniques discovered and provides a list of new enterprise campaigns and changes.

What Are Subtechniques?

Subtechniques are more specific descriptions of the adversarial behavior used to achieve a goal. They describe behavior at a lower level than a technique. For example, an adversary may dump credentials by accessing the Local Security Authority (LSA) Secrets.

What Are Procedures in the MITRE ATT&CK Framework?

Procedures are the specific implementations that adversaries use for techniques or subtechniques. To better illustrate this, a procedure could be an adversary using PowerShell to inject into lsass.exe to dump credentials by scraping LSASS memory on a victim. Procedures are categorized in the ATT&CK framework as techniques observed in the wild in the "Procedure Examples" section of the technique pages.

What Is the Difference Between Subtechniques and Procedures?

Subtechniques and procedures describe different things in ATT&CK. Subtechniques are used to categorize behavior, and procedures are used to describe the "in the wild" use of techniques. Furthermore, since procedures are specific implementations of techniques and subtechniques, they may include several additional behaviors in how they are performed.

For example, an adversary using PowerShell to inject into lsass.exe to dump credentials by scraping LSASS memory on a victim is a procedure implementation containing several (sub)techniques covering PowerShell, Credential Dumping and Process Injection used against LSASS.

Benefits of MITRE ATT&CK Framework

The MITRE ATT&CK Framework provides several benefits for organizations. One of the primary benefits is its ability to help organizations stay up-to-date with the latest threats and attack techniques. The framework is regularly updated with new techniques and tactics as they emerge, ensuring that organizations are aware of the latest threats and can take proactive steps to mitigate them.

The framework also helps organizations improve their overall security posture and reduce risk. By using the framework, organizations can identify and prioritize the most relevant threats and develop effective countermeasures. This helps organizations focus their resources where they are most needed, reducing the risk of a successful attack.

Challenges of Implementing the MITRE ATT&CK Framework

While the MITRE ATT&CK Framework is a powerful tool for enhancing cybersecurity, implementing it can be challenging. One of the primary challenges is the need for proper training and expertise in using the framework. Additionally, the framework requires a significant investment of time and resources to implement effectively.

However, organizations can overcome these challenges by partnering with a cybersecurity expert who can provide training and guidance on using the framework. By working with an expert, organizations can ensure that they are using the framework effectively and maximizing its benefits.

ATT&CK Technologies

The MITRE ATT&CK Framework is not a technology or software application, but rather a knowledge base and framework that describes these tactics, techniques, and procedures (TTPs)used by threat actors to carry out attacks.

The framework can be applied to any technology or software application that may be targeted by attackers, including but not limited to operating systems, applications, network devices, and cloud services. By understanding the techniques and tactics used by attackers, organizations can develop effective countermeasures and improve their overall security posture.

ATT&CK Technologies can include the following:

• Enterprise IT systems covering Windows, macOS, Linux
• Network infrastructure devices (network)
• Container technologies (containers)
• Cloud systems covering infrastructure as a service (IaaS)
• Software as a service (SaaS)
• Office 365
• Azure Active Directory (Azure AD)
• Google Workspace
• Mobile devices covering Android and iOS

How Can I Use ATT&CK?

The ATT&CK Matrix illustrates all known tactics and techniques in an easily comprehensible manner. In each column, individual techniques are listed at the top and attack tactics are displayed at the bottom. See the Getting Started page for resources on how to start using ATT&CK. Also, check out the Resources section of the website and the blog for related projects and other material.

ATT&CK takes the form of a matrix in which each attack sequence is composed of at least one technique per tactic, and a complete attack sequence can be assembled by working from left to right (Initial Access to Command and Control). Multiple techniques may be used for a single tactic. If a spear phishing exploit employs both an attachment and a link, for instance, the attacker may try both at the same time.

ATT&CK can be used in several ways to help security operations, threat intelligence and security architecture.

Some of the primary use cases are:

• Adversary Emulation
• Red Teaming
• Behavioral Analytics Development
• Defensive Gap Assessment
• SOC Maturity Assessment
• Cyberthreat Intelligence

MITRE Engenuity ATT&CK evaluations provide assessments for participating vendors to identify areas for improvement, including updating prevention, detection and response rules that inform cybersecurity policies. While this exercise does not provide overall comparison scores or ranking, it provides a vendor-agnostic summary of the various methodologies employed by security practitioners for identifying and preventing sophisticated attack campaigns.

Learn more about the MITRE ATT&CK framework and evaluations with Palo Alto Networks Cortex XDR.

More Information on MITRE

For further information on the ATT&CK framework, visit MITRE.org. Check out the ATT&CK Navigator tool to help you navigate, annotate and visualize ATT&CK techniques.

About MITRE Engenuity

MITRE Engenuity ATT&CK Evaluations are paid for by vendors and are intended to help vendors and end users better understand a product’s capabilities in relation to MITRE’s publicly accessible ATT&CK framework. MITRE developed and maintains the ATT&CK knowledge base, which is based on real-world reporting of adversary tactics and techniques. ATT&CK is freely available and is widely used by defend­ers in industry and government to find gaps in visibility, defensive tools and processes as they evaluate and select options to improve their network defense.

MITRE Engenuity makes the methodology and resulting data publicly available so other organizations may benefit and conduct their own analysis and interpretation. The evaluations do not provide rankings or endorsements.

The MITRE ATT&CK Framework and Cortex XDR

Cortex XDR helps to stop modern attacks by applying AI and behavioral analytics to endpoint, network, cloud and third-party data. It unifies prevention, detection, investigation and response in one platform for unrivaled security and operational efficiency. Cortex XDR provides industry-leading coverage of MITRE ATT&CK techniques and consistently demonstrates stellar performance in independent industry testing, including the MITRE Engenuity ATT&CK Evaluations.

MITRE ATT&CK Framework FAQs

What are the benefits of using MITRE ATT&CK?

Using MITRE ATT&CK enables organizations to:

1. Better understand threats and adversary behavior
2. Develop effective security strategies and detections
3. Prioritize and focus security investments
4. Measure security efficacy
5. Share information about threats and defenses

How is MITRE ATT&CK structured?

MITRE ATT&CK is organized around the phases of an attack, from initial access to post-compromise activities. Each phase is divided into a series of techniques and tactics used by adversaries to achieve their objectives.

How can I use MITRE ATT&CK?

Organizations can use MITRE ATT&CK to develop threat models, evaluate security tool efficacy, develop detection strategies and prioritize security investments. Additionally, it can be used to share threat and defense information between organizations.

Is MITRE ATT&CK only for large enterprise organizations?

No, MITRE ATT&CK can be used by any organization regardless of size or industry. It is a valuable resource for security professionals to better understand the techniques and tactics used by adversaries.

Does MITRE ATT&CK only focus on malware?

No, MITRE ATT&CK includes a comprehensive matrix of tactics and techniques used by attackers, as well as the corresponding detections and mitigations. These include both malware and non-malware-based attack techniques.