The MITRE ATT&CK Matrix

Mapping the Minds of Your Cyber Adversaries

The MITRE ATT&CK Framework is based on the idea that cybersecurity practitioners must be able to understand their adversaries in order to know how to defend against them. This is the basis for threat-informed defense.

“MITRE ATT&CK is fantastic. It lays out multiple layers how an attacker goes through from innovation, to exfiltration, going to the left recon, the initial attack faces. It gives you every single technology aspect to it. And our hunting teams actually love it because they take it and they test it.”

–Kumar Chandramoulie , Vice President, Cyberdefense, Data, and Threat Management at AmerisourceBergen

MITRE ATT&CK is known for its matrix, a deep well of content on cyber adversaries, which can take a while to understand and learn to use fully. If you’re not ready for a deep dive into the matrix, here’s a quick primer on its structure and the primary paths into its extensive interior.

 

ATT&CK Navigator Heatmap

Figure 1. A partial view of the ATT&CK Enterprise Matrix

 

The Foundation: Tactics, Techniques, and Procedures

The MITRE ATT&CK framework revolves around a knowledge base of cyber adversary tactics, techniques, and procedures (TTPs). The knowledge base is organized in the form of an attack matrix (or, ATT&CK matrix), currently consisting of 14 columns with varying numbers of rows under each.

  1. Reconnaissance
  2. Resource development
  3. Initial access
  4. Execution
  5. Persistence
  6. Privilege escalation
  7. Defense evasion
  8. Credential access
  9. Discovery
  10. Lateral movement
  11. Collection
  12. Command and control
  13. Exfiltration
  14. Impact

The column headings are the tactics—technical objectives that adversaries want to achieve. They appear in the general chronological order in which attacks develop. MITRE defined and ordered these tactics based on the latter stages of its seven-stage Cyber Attack Lifecycle, which, in turn, was modeled after the Lockheed Martin Kill Chain, described in 2016.

The cells that appear under each column heading are the techniques—mechanisms that adversaries may use to achieve each tactical objective. Clicking on a cell opens a page with more detailed information about the technique, such as the operating systems it affects, indicators of compromise, names of threat actors known to use the technique, and published references. The detail page also provides information on potential mitigations, as well as methods to detect the technique in action.

By expanding the view of the matrix, you can also see sub-techniques, which are more specific instances of each technique. For example, under the tactic Resource Development, there is a technique called Compromise Accounts. Sub-techniques under this include Social Media Accounts and Email Accounts. Information on the sub-techniques are also included in the technique detail page.

Because real-world attacks are often a mix of techniques or sub-techniques, MITRE has also curated procedures, which delineate ways in which the techniques have been combined and implemented. The well-known APT29 and FIN6 are examples of procedures; they are familiar because this is often the way threats are represented in the cybersecurity media. Procedures are listed on the detail pages of the techniques they include.

At this point, it should be noted that although we use the term “ATT&CK matrix” in the singular, there is not just one. The matrix we most often refer to is the Enterprise matrix. But there are also separate matrices for mobile platforms and for industrial control systems (ICS).

Accessing the Matrix

As a textual reference, the ATT&CK matrices are easily accessible from the MITRE website. However, to make it easier for security practitioners to import the indicators of compromise and other technique-related information into their security controls and analytics tools, MITRE has made APIs to the ATT&CK content available through several GitHub repositories.

AttackIQ also offers an interface into the ATT&CK matrix, enhanced with a library of attack scenarios that we have developed in collaboration with customers over the years. This has been seamlessly integrated into the adversary emulation workflows in the AttackIQ Security Optimization Platform.

Given that the MITRE ATT&CK matrix is a deep and robust source of information, it can take time to learn how to leverage it to its fullest potential for your organization. Download the MITRE ATT&CK for Dummies guide for tips on how to get started using the matrix. You can also obtain a deeper understanding of MITRE ATT&CK framework use cases with free online courses at AttackIQ Academy. Then, get individualized advice from your AttackIQ representative about the best ways for your organization to get started with this proven, globally recognized framework for cyberdefense.

Introduction to FIN6 Emulation Plans

The emulation plan, focused on FIN6, marks the first time in history that industry giants have collaborated with threat researchers to produce an emulation plan for the public.
Foundations of Operationalizing MITRE ATT&CK

This training session introduces students to the basics of the MITRE ATT&CK Framework.
Foundations of Breach & Attack Simulation

This session is a hands-on training program designed to introduce the capabilities and deployment options in a BAS (breach and attack simulation) platform.
Foundations of Purple Teaming

This training session introduces the state-of-the-art practice of purple teaming and its essential nature as the joint operation of red and blue teams.