MITRE ATT&CK in Cyber Threat Intelligence

The ATT&CK Matrix

  • Tactics: Adversary’s technical goals, such as Reconnaissance or Credential Access.
  • Techniques: Adversary’s methods to achieve tactics. For example, to achieve the tactic of Reconnaissance, an adversary can use the techniques Phishing for Information and/or Search Open Websites/Domains.
  • Sub-techniques: More specific, lower-level methods fitting under their parent technique. For example, the Phishing for Information technique has the sub-techniques Spearphishing Service, Spearphishing Attachment, and Spearphishing Link.
  • Procedures: Adversary’s specific implementations of techniques. For example, the technique Phishing for Information has the procedure example “APT28 has used spearphishing to compromise credentials.”
MITRE ATT&CK Matrix for Enterprise

Each technique entry in the matrix includes:

  • Sub-techniques (if any)
  • Procedure Examples (if any): specific examples of how adversaries have used the technique
  • Mitigations: how to defend against the technique
  • Detection: how to detect the technique
  • References: additional info about the technique

ATT&CK Tactics

  • Reconnaissance: gathering info to plan future operations
  • Resource Development: establishing resources to support operations
  • Initial Access: getting into the network
  • Execution: running malicious code
  • Persistence: maintaining access to systems
  • Privilege Escalation: gaining higher-level permissions
  • Defense Evasion: avoiding detection
  • Credential Access: stealing usernames and passwords
  • Discovery: gaining knowledge of the network
  • Lateral Movement: moving through the network
  • Collection: gathering data of interest
  • Command and Control: communicating with compromised systems to control them
  • Exfiltration: stealing data from the network
  • Impact: manipulating, interrupting, or destroying systems and data

Using ATT&CK for CTI

Common language, improved reporting

Understand adversaries

Map intel to ATT&CK

  1. Understand ATT&CK
  2. Find the behavior
  3. Research the behavior
  4. Translate the behavior into a tactic
  5. Figure out what technique applies to the behavior
  6. Compare your results to other analysts
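Steps 4 to 6 in code, as an added example that is not part of the original post: a constructed bundle shaped like ATT&CK's published STIX 2.1 data is indexed into tactics, techniques, sub-techniques and procedure examples, turned into the mapping record an analyst would put in a report, and compared against another analyst's mapping. The bundle contents, STIX ids and function names are my own; the T-numbers follow ATT&CK's public numbering.

```python
# Constructed mini-bundle in the shape of ATT&CK's STIX 2.1 data (assumption: the
# real data uses the same fields; the IDs below follow public ATT&CK numbering).
BUNDLE = {"objects": [
    {"type": "attack-pattern", "id": "ap--1", "name": "Phishing for Information",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1598"}],
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "reconnaissance"}]},
    {"type": "attack-pattern", "id": "ap--2", "name": "Spearphishing Link",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1598.003"}],
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "reconnaissance"}]},
    {"type": "intrusion-set", "id": "is--1", "name": "APT28"},
    {"type": "relationship", "id": "rel--1", "relationship_type": "uses", "source_ref": "is--1",
     "target_ref": "ap--1", "description": "APT28 has used spearphishing to compromise credentials."},
]}

def attack_id(obj):  # ATT&CK ID (e.g. T1598) from a STIX object's external_references, or None
    return next((r["external_id"] for r in obj.get("external_references", [])
                 if r.get("source_name") == "mitre-attack"), None)

def index_bundle(bundle):
    """Build {technique_id: {...}} with tactics, parent, sub-techniques and procedure examples."""
    by_stix_id = {o["id"]: o for o in bundle["objects"]}
    techs = {}
    for o in [o for o in bundle["objects"] if o["type"] == "attack-pattern"]:
        tid = attack_id(o)
        techs[tid] = {"name": o["name"], "subtechniques": [], "procedures": [],
                      "parent": tid.split(".")[0] if "." in tid else None,   # T1598.003 -> T1598
                      "tactics": [p["phase_name"] for p in o["kill_chain_phases"]
                                  if p["kill_chain_name"] == "mitre-attack"]}
    for tid, t in techs.items():                    # attach sub-techniques to their parent
        if t["parent"] in techs:
            techs[t["parent"]]["subtechniques"].append(tid)
    for o in bundle["objects"]:                     # "uses" relationships are procedure examples
        if o["type"] == "relationship" and o["relationship_type"] == "uses":
            target = attack_id(by_stix_id[o["target_ref"]])
            if target in techs:
                techs[target]["procedures"].append((by_stix_id[o["source_ref"]]["name"], o["description"]))
    return techs

def mapping_record(techs, tid):
    """Steps 4-5 for a report: the tactic, technique and (if any) sub-technique behind one ID."""
    t = techs[tid]
    parent = techs.get(t["parent"])
    return {"tactic": t["tactics"][0],
            "technique": f"{t['parent']} {parent['name']}" if parent else f"{tid} {t['name']}",
            "sub_technique": f"{tid} {t['name']}" if parent else None,
            "procedures": t["procedures"]}

def compare_mappings(mine, theirs):
    """Step 6: where two analysts' technique IDs for the same report agree and differ."""
    mine, theirs = set(mine), set(theirs)
    return {"agreed": sorted(mine & theirs), "only_mine": sorted(mine - theirs), "only_theirs": sorted(theirs - mine)}
```

A disagreement of the form shown (one analyst mapping to the parent technique, the other to a sub-technique) is the most common outcome of step 6 and is worth resolving before the report is published.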

Provide intel to defenders

Prioritize defenses

Additional Resources

Chad Warner
