MITRE ATT&CK in Cyber Threat Intelligence

Chad Warner
4 min read · Dec 17, 2021


MITRE ATT&CK (pronounced “attack”) is a knowledge base of adversary tactics and techniques. ATT&CK is an acronym for Adversarial Tactics, Techniques, and Common Knowledge. It’s useful for many aspects of InfoSec, including CTI.

The ATT&CK Matrix

The ATT&CK Matrix shows tactics as columns, and techniques as rows. What are tactics, techniques, and procedures (TTPs)?

  • Tactics: Adversary’s technical goals, such as Reconnaissance or Credential Access.
  • Techniques: Adversary’s methods to achieve tactics. For example, to achieve the tactic of Reconnaissance, an adversary can use the techniques Phishing for Information and/or Search Open Websites/Domains.
  • Sub-techniques: More specific, lower-level methods fitting under their parent technique. For example, the Phishing for Information technique has the sub-techniques Spearphishing Service, Spearphishing Attachment, and Spearphishing Link.
  • Procedures: Adversary’s specific implementations of techniques. For example, the technique Phishing for Information has the procedure example “APT28 has used spearphishing to compromise credentials.”

Procedures and sub-techniques sound similar, but they’re different. Sub-techniques are used to categorize behavior; procedures are used to describe how the techniques are used in the wild. Procedures are more specific than sub-techniques, because they’re specific implementations of techniques and sub-techniques, and may include additional behaviors in how they’re performed.

MITRE ATT&CK Matrix for Enterprise

When you view the ATT&CK Matrix, you can click tactics, techniques, and sub-techniques to view the corresponding pages.

The page for each tactic shows a description and list of associated techniques.

The page for each technique or sub-technique shows the following details:

  • ID: unique identifier for the technique or sub-technique (sometimes called T-codes, because they start with a “T”)
  • Sub-techniques (if any)
  • Procedure Examples (if any): specific examples of how adversaries have used the technique
  • Mitigations: how to defend against the technique
  • Detection: how to detect the technique
  • References: additional info about the technique

There are several ATT&CK matrices. The main categories are Enterprise, Mobile, and ICS. Within Enterprise are several matrices, including Windows, Linux, SaaS, Network, and more. Within Mobile are matrices for Android and iOS.

ATT&CK Tactics

These tactics are covered in the Enterprise ATT&CK matrix. They appear roughly in the order in which they’d be used in an attack.

  • Reconnaissance: gathering info to plan future operations
  • Resource Development: establishing resources to support operations
  • Initial Access: getting into the network
  • Execution: running malicious code
  • Persistence: maintaining access to systems
  • Privilege Escalation: gaining higher-level permissions
  • Defense Evasion: avoiding detection
  • Credential Access: stealing usernames and passwords
  • Discovery: gaining knowledge of the network
  • Lateral Movement: moving through the network
  • Collection: gathering data of interest
  • Command and Control: communicating with compromised systems to control them
  • Exfiltration: stealing data from the network
  • Impact: manipulating, interrupting, or destroying systems and data

Using ATT&CK for CTI

ATT&CK is used by many InfoSec pros. What’s the value for CTI analysts?

Common language, improved reporting

ATT&CK provides a common “language” (info structure) to describe and analyze threat intel. Different analysts can use the same agreed-upon IDs and terms in communications.

By including ATT&CK mappings in your reports for other CTI analysts, you make it easier for those analysts to understand your intel and apply it to their situations.

Understand adversaries

ATT&CK contains a wealth of real-world info about a range of adversaries. You can save yourself a lot of research and analysis effort by looking up your adversaries of concern and building on the work already done by those who have contributed to ATT&CK.

The more you understand about an adversary, the more you’ll learn about their behaviors. That will let you focus on indicators higher up the Pyramid of Pain, where defensive efforts are more effective.

Map intel to ATT&CK

In addition to using intel that others have mapped to ATT&CK, you can map intel yourself. The MITRE ATT&CK blog gives these steps for mapping intel to ATT&CK:

  1. Understand ATT&CK
  2. Find the behavior
  3. Research the behavior
  4. Translate the behavior into a tactic
  5. Figure out what technique applies to the behavior
  6. Compare your results to other analysts

Provide intel to defenders

You can help your defenders by researching one or more adversary groups that your organization is concerned about in ATT&CK, to learn more about their behaviors.

You can also discover new groups that may target your organization by researching groups in ATT&CK to see who those groups have previously targeted.

Once you know more about the groups you need to defend against, provide intel about those groups to your defenders.

Again, the more you can focus on indicators higher up the Pyramid of Pain, the more effective defenders can be. There’s still value in IoCs that are lower on the pyramid, so don’t ignore them.

Prioritize defenses

As you map more data to ATT&CK, you’ll have a better idea of how defenders should prioritize their defenses. You’ll be able to inform them about commonly used techniques, and how best to detect and mitigate them.
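The mapping steps above are manual analysis; once reports are mapped to T-codes, the results can be rolled up for defenders. This added Python example (not from the post) validates technique IDs, counts how many constructed reports use each technique (crediting sub-techniques to their parent), and emits an ATT&CK Navigator layer so defenders can see which techniques to prioritize. The knowledge-base subset and the reports are constructed, and the Navigator layer field names are assumed from the 4.x layer format.

```python
import re
from collections import Counter

# Constructed subset of the ATT&CK Enterprise knowledge base: ID -> (name, tactic).
# Hand-entered for this example; check the IDs against attack.mitre.org before reuse.
ATTACK = {
    "T1598": ("Phishing for Information", "reconnaissance"),
    "T1598.002": ("Spearphishing Attachment", "reconnaissance"),
    "T1598.003": ("Spearphishing Link", "reconnaissance"),
    "T1593": ("Search Open Websites/Domains", "reconnaissance"),
    "T1078": ("Valid Accounts", "initial-access"),
}
T_CODE = re.compile(r"^T\d{4}(?:\.\d{3})?$")  # technique T1234 or sub-technique T1234.001

def validate(tid):
    """Reject malformed T-codes and IDs missing from the knowledge base."""
    if not T_CODE.match(tid):
        raise ValueError(f"not a T-code: {tid}")
    if tid not in ATTACK:
        raise KeyError(f"unknown technique: {tid}")
    return tid

def aggregate(reports):
    """Count reports per technique; a sub-technique also counts once toward its parent."""
    counts = Counter()
    for report in reports:
        seen = set()  # each technique counts at most once per report
        for tid in report["techniques"]:
            validate(tid)
            seen.add(tid)
            if "." in tid:
                seen.add(tid.split(".")[0])  # T1598.003 rolls up to T1598
        counts.update(seen)
    return counts

def navigator_layer(counts, name):
    """Build an ATT&CK Navigator layer dict (field names assumed from the 4.x layer
    format); score = number of reports, so heavily used techniques stand out."""
    techniques = [{"techniqueID": tid, "tactic": ATTACK[tid][1], "score": n,
                   "comment": f"{ATTACK[tid][0]}: {n} report(s)"}
                  for tid, n in sorted(counts.items())]
    return {"name": name, "domain": "enterprise-attack",
            "versions": {"layer": "4.3"}, "techniques": techniques}

# Constructed intel reports, each already mapped to technique IDs (mapping step 5).
REPORTS = [
    {"source": "report-A", "group": "GroupX", "techniques": ["T1598.003", "T1593"]},
    {"source": "report-B", "group": "GroupX", "techniques": ["T1598.002", "T1078"]},
    {"source": "report-C", "group": "GroupY", "techniques": ["T1598.003", "T1598.003"]},
]
```

Pass the resulting dict through `json.dumps` and load it in the ATT&CK Navigator to visualize the rollup.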

Additional Resources


Chad Warner

Web Strategist at OptimWise. Cybersecurity & privacy enthusiast. Bookworm. Fan of Tolkien & LEGO.