MITRE ATT&CK Framework

Free, Open, Effective

A New Approach and a Useful Tool

The MITRE ATT&CK framework is simultaneously an approach to cybersecurity planning and operations, and a tool for maximizing the effectiveness of an organization’s cyberdefenses.

As an approach, the framework takes the perspective of the adversary rather than that of the defender, presenting known adversary behaviors rather than the forensic analysis of what happened in a particular case. This analytic mode of focusing on known threat behaviors helps defenders better align their defenses with probable, high-risk attacks, rather than reacting indiscriminately to attacks as they are detected. It helps defenders get ahead of the adversary.

The tool provided by the ATT&CK framework is a knowledge base of adversary tactics, techniques, and procedures (TTPs) that have been reported by defenders in the field or otherwise have been made publicly available. The tool is available free of charge from the MITRE Corporation, a federally funded, nonprofit research and development organization.

The Backstory

The MITRE framework was developed to serve as a single, holistic repository of adversary TTPs. Before it existed, defenders were working forensically and often in isolation, investigating the possible causes of attacks on their organizations based on indicators of compromise (IOCs, also referred to as “signatures”), which are digital traces that adversaries leave on the systems they attack. Constrained by the need to protect their intelligence sources and methods, defenders did not share their findings broadly; likewise, they were generally unable to tap into the knowledge of other organizations, given classification constraints and a broader culture of secrecy around sharing known adversary behaviors, rooted in the fear that doing so would lead adversaries to change their behavior. Yet the fact remained: there is a known body of knowledge of consistent tactics, techniques, and procedures, and MITRE realized that it could be put into one place to benefit the broader community.

Aiming to consolidate this type of practitioner information into a tool that would be easy to access and use, MITRE created the first ATT&CK model in 2012 and released a public version in 2015. The original model was developed for Windows environments; MITRE has subsequently released models for other operating environments (MacOS and Linux) and platforms (such as mobile). MITRE has also recently deepened the framework with sub-techniques that provide more specific threat information.

Unlike the forensic approach, which is narrowly focused on rooting out attackers’ signatures, the ATT&CK framework gives defenders a comprehensive view of the threat landscape. Viewing the ATT&CK matrix from right to left, defenders can see the entire cybersecurity kill chain. Looking down the columns, they can see the known techniques for each step in the chain.

Compiled from publicly available information that has been reported and verified by cybersecurity professionals—and free of any potentially sensitive details that pertain to an individual organization—the data in the MITRE ATT&CK knowledge base is inherently shareable.

ATT&CK Framework Applications

Organizations like yours apply the MITRE ATT&CK framework to achieve a variety of cybersecurity and risk management objectives:

  • Cyberthreat intelligence
  • Automated testing and auditing
  • Security risk management and strategy
  • Regulatory and compliance mapping
  • Security control rationalization
  • Analyst training and exercises
  • Threat hunting
  • Validation of commercial security solutions

Our website offers more on each of the above on our Solutions page. For more information on how to apply the framework to optimize security in your organization, refer to MITRE ATT&CK for Dummies, brought to you by AttackIQ.

Overwhelming Global Adoption

The more the MITRE ATT&CK framework is adopted, the more valuable it becomes. Increasing numbers of defenders worldwide are contributing to the MITRE ATT&CK knowledge base, broadening the scope of TTPs that it contains. According to one survey, the framework is used by more than 80% of companies as part of their cybersecurity programs.

The framework is also becoming a gold standard for cyberdefense guidance and education. Here are just a few examples:

  • The Australian Cyber Security Centre (ACSC) refers to the MITRE ATT&CK framework as the source for the TTPs listed in its security advisories. Recently, the Australian Prime Minister strongly encouraged all Australian organizations to make use of this information.

Leverage the MITRE Framework to Your Best Advantage

You can make the most of the framework with a methodical approach:

  • Study adversary behaviors in the relevant MITRE ATT&CK matrix.
  • Select adversaries that target organizations, businesses, or industries like yours. The MITRE ATT&CK Navigator, part of the AttackIQ Security Optimization Platform, simplifies this process.
  • Compile these adversaries’ TTPs into your organization’s threat intelligence repository.
  • Integrate the threat intelligence with your security information and event management (SIEM) solution and other analytics tools so that you can correlate log events to TTPs. In the process, you will revise the detection settings of your analytics systems so they operate more accurately, with minimal false positives.
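The last two steps, correlating log events to TTPs and tuning detections to cut false positives, are shown in miniature below. This is an added example, not code from the original page or from AttackIQ's platform. It assumes a hypothetical adversary profile compiled into a threat-intelligence repository, three SIEM-style detection rules each tagged with the ATT&CK technique ID it covers, and a handful of constructed Windows/Sysmon-style log lines; the allowlisted `ExampleEDR` sensor path is likewise a constructed assumption. Technique IDs follow the ATT&CK `Txxxx` / `Txxxx.yyy` format.

```python
"""Correlate SIEM-style log events to ATT&CK technique IDs and measure coverage
against a compiled adversary TTP set.

Everything here (adversary profile, rules, log lines, allowlisted path) is
constructed for illustration; it is not a real adversary's profile.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Step 3: TTPs compiled into the threat-intelligence repository for a
# hypothetical adversary (constructed; technique IDs use the ATT&CK ID format).
ADVERSARY_TTPS: Dict[str, str] = {
    "T1566.001": "Phishing: Spearphishing Attachment",
    "T1059.001": "Command and Scripting Interpreter: PowerShell",
    "T1003.001": "OS Credential Dumping: LSASS Memory",
    "T1021.002": "Remote Services: SMB/Windows Admin Shares",
    "T1486": "Data Encrypted for Impact",
}


@dataclass(frozen=True)
class Rule:
    """A detection rule tagged with the ATT&CK technique it is meant to catch."""
    name: str
    technique: str
    pattern: re.Pattern
    # Tuning knob: events that also match this allowlist are suppressed.
    exclude: Optional[re.Pattern] = None

    def matches(self, line: str) -> bool:
        if not self.pattern.search(line):
            return False
        return self.exclude is None or not self.exclude.search(line)


# Step 4: rules in the analytics tier, each mapped to one technique ID.
RULES: List[Rule] = [
    Rule(
        name="encoded_powershell",
        technique="T1059.001",
        pattern=re.compile(r"powershell(\.exe)?\s.*\s-(e|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I),
    ),
    Rule(
        name="lsass_access",
        technique="T1003.001",
        pattern=re.compile(r"TargetImage=C:\\Windows\\System32\\lsass\.exe", re.I),
        # Constructed allowlist: a known security sensor that legitimately reads LSASS.
        exclude=re.compile(r"SourceImage=C:\\Program Files\\ExampleEDR\\sensor\.exe", re.I),
    ),
    Rule(
        name="admin_share_access",
        technique="T1021.002",
        pattern=re.compile(r"ShareName=\\\\\*\\(ADMIN|C)\$", re.I),
    ),
]

# Constructed log lines in a Sysmon/Windows-event-like key=value layout.
LOG_LINES: List[str] = [
    # Ordinary admin activity; no rule should fire.
    r"EventID=1 Image=C:\Windows\System32\cmd.exe CommandLine=cmd.exe /c dir",
    # Encoded PowerShell launch (the base64 blob is a constructed placeholder).
    r"EventID=1 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine=powershell.exe -nop -w hidden -enc QQBCAEMARABFAEYARwBIAEkASgBLAEwATQBOAA==",
    # Allowlisted sensor reading LSASS: a known false positive, tuned out.
    r"EventID=10 SourceImage=C:\Program Files\ExampleEDR\sensor.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1010",
    # Unknown binary reading LSASS: should fire.
    r"EventID=10 SourceImage=C:\Users\Public\tool.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1FFFFF",
    # Access to an administrative share.
    r"EventID=5140 ShareName=\\*\ADMIN$ AccountName=svc_backup SourceAddress=10.0.0.25",
]


def correlate(lines: List[str], rules: List[Rule]) -> List[Tuple[int, str, str]]:
    """Return (line_index, rule_name, technique_id) for every rule that fires."""
    return [(i, r.name, r.technique) for i, line in enumerate(lines) for r in rules if r.matches(line)]


def observed_techniques(hits: List[Tuple[int, str, str]]) -> Set[str]:
    """Technique IDs actually seen in the correlated events."""
    return {technique for _, _, technique in hits}


def coverage(adversary_ttps: Dict[str, str], rules: List[Rule]) -> Dict[str, bool]:
    """For each TTP in the adversary profile: is at least one rule tagged with it?"""
    covered = {r.technique for r in rules}
    return {tid: tid in covered for tid in adversary_ttps}


def coverage_gaps(adversary_ttps: Dict[str, str], rules: List[Rule]) -> List[str]:
    """Adversary TTPs with no detection rule at all: where to invest next."""
    return sorted(tid for tid, ok in coverage(adversary_ttps, rules).items() if not ok)


if __name__ == "__main__":
    hits = correlate(LOG_LINES, RULES)
    for idx, name, tid in hits:
        print(f"line {idx}: {name} -> {tid} ({ADVERSARY_TTPS.get(tid, 'not in profile')})")
    print("observed:", sorted(observed_techniques(hits)))
    print("gaps:", coverage_gaps(ADVERSARY_TTPS, RULES))
```

Tagging every rule with a technique ID is what makes the SIEM output comparable to the threat-intelligence repository: the same IDs appear on both sides, so the gap report falls out of a set difference rather than a manual review, and a suppressed match (the allowlisted sensor) is a deliberate, documented tuning decision rather than a silent blind spot.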

Go deeper into the MITRE ATT&CK framework with free online courses at AttackIQ Academy.