What Is the ATT&CK Framework?

Tyler Wall
8 min read · Apr 8, 2024

This article will outline the evolution of the ATT&CK Framework and the various different high-level configurations for types of systems (i.e., cloud, mobile, Windows, etc.). It will also serve as the introduction to related use cases. We will cover the following topics:

  • A brief history and evolution of ATT&CK
  • Overview of the various ATT&CK models

A brief history and evolution of ATT&CK

Let’s start with the basics and learn about the history, purpose, categories, and overview of different models within this article.

The MITRE ATT&CK Framework was founded in 2015. It started off as a total of 9 tactics and 96 techniques and quickly gained traction for how threats and attacks were categorized and organized in security.

It currently stands at version 11 released in April 2022, which has 14 tactics, 191 techniques, 386 sub-techniques, and 134 groups, and covers 680 pieces of software.

It remains one of the most comprehensive knowledge bases available. Over the years, it has grown to cover specific operating systems and different types of infrastructure and environments, making it a more practical framework for categorizing threats against your environment as a whole. The growth from 2015 to 2022 alone shows the amount of work that has gone into identifying new techniques, detections, and mitigation strategies, and it has remained publicly accessible for everyone to use as a resource when evaluating their environments. The matrices continue to be tweaked and refined, and new matrices are being added. According to the release notes for version 11 of ATT&CK, ATT&CK for Mobile is still in beta, which shows that further advancement and development are planned. The release notes also list every technique and sub-technique that changed in the update, along with the newly added techniques, so you can quickly digest the new information without having to dig through the matrices yourself.

All of the matrices are meant to be used as a guideline when evaluating and categorizing risks and techniques. In fact, a large portion of security tools now align their detections to MITRE ATT&CK, and it continues to gain popularity both as a resource and as a strategy, though more such frameworks are sure to be created in the future. This means that understanding the framework is a valuable skill for any cyber practitioner, and you should have both theoretical and practical knowledge: you not only understand what the techniques are but also know how to build an implementation and categorize the threats in your network so that they align with the framework.

The continued evolution of the matrices means that this is a tool in and of itself in addition to being a resource that is integrated with many of the current cybersecurity tools. This is used to build justification for monitoring, more mature detection, and justification for implementing mitigations. It can even be used to associate criticality with different techniques based on your environment, which gives you a prioritization system so you can focus your efforts on the areas that need the most help.

The MITRE ATT&CK Framework is only going to continue to advance, grow, and be more applicable to more environments, so it’s important to be able to learn and speak about it and apply controls effectively. The next section will cover a brief overview of the current ATT&CK model, including the tactics, matrices, and a small sampling of examples of techniques and sub-techniques.

Overview of the various ATT&CK models

As mentioned, the MITRE ATT&CK Framework has evolved to include multiple different models based on operating systems and environments. Currently, these are the following models:

These models are meant to be used in a pick-and-choose manner so that, as an end user, you are able to select the techniques and matrices that apply to your environment and mix and match options as needed. However, from a basic point of view, they are all initially based on a version of the Cyber Kill Chain framework. The Cyber Kill Chain framework, developed by Lockheed Martin, involves the following stages:

1. Reconnaissance — Used for information gathering, scanning, and so on.

2. Weaponization — An attacker would choose an exploit based on the information gathered in the reconnaissance phase and package the exploit for the next stage.

3. Delivery — The exploit that was packaged during the weaponization phase is sent to the potential victim. Methods to send the package include phishing, whaling, drive-by download, and so on.

4. Exploitation — The exploit that was weaponized and delivered in previous stages has now been executed on the victim’s account/system.

5. Installation — The malware/exploit has been installed and detonated on the victim’s system or account and is considered an active infection at this point.

6. Command and control — Due to this being an active infection, the malware or exploit will have established persistent communications in multiple different forms. One possible form would be through a periodic beacon, which essentially sends network traffic from the infected host to a C2 server to let the attacker know what systems are still compromised.

7. Action on objectives — The exploit or malware has completed its objective, which could be something such as exfiltration of data, opening a backdoor, logging keystrokes, and so on.

The Cyber Kill Chain stages are then broken into more granular tactics in the MITRE ATT&CK:

MITRE ATT&CK Tactics at the top

After the tactics, they are broken into techniques and sub-techniques. Some examples of techniques are Hijack Execution Flow, File and Directory Permissions Modification, and Forge Web Credentials. They can be broken down as follows:

MITRE ATT&CK examples

As we can see from the preceding image, we have the stage, which is also a tactic. Next, we have the technique number. Every technique within the matrices has its own unique number, and each sub-technique takes its parent technique’s number followed by a three-digit suffix such as .001; for example, the sub-technique DLL Search Order Hijacking has the number T1574.001. Then there is a description, but to get that you have to select the technique you are interested in on the matrix and follow the reference link. The matrix itself does show all of the sub-techniques:

Sub-techniques selected

On the reference page, as mentioned, you get the description, any other tactics that the technique can be a part of (a technique can be in multiple different tactics but doesn’t have to be), possible mitigation steps to lessen the risk of the technique, possible detection strategies, and additional resources specific to that technique. The reference pages for all techniques can be incredibly informative and helpful when learning about techniques and risk and learning how to apply risk categorizations to your organization.

Reference page for technique Active Scanning

One thing to keep in mind is that, although many of the ATT&CK tactics or stages match the ones listed in the Cyber Kill Chain, it is important to understand what the Cyber Kill Chain is and what it is for, because there are a few key differences between the two. The first difference is that the MITRE framework is more detail-oriented than the Cyber Kill Chain. For example, the Cyber Kill Chain only lists the overall tactics or stages and not techniques, sub-techniques, detections, mitigations, and so on. The second difference is that the Cyber Kill Chain is flat and does not have variant forms for different types of environments. This means that it attempts to take a one-size-fits-all approach, which is also why it must be more generalized than specific.

Another important aspect to remember is that not everything in the MITRE ATT&CK Framework can be implemented; for example, some techniques would require you to predict future malware, and while you want to anticipate what is coming next, you will never be able to fully predict the future. That is one downside of being so specific: the techniques or sub-techniques don’t always fit, which is why it’s important to use the matrices as a guide and apply the concepts where they are needed. It’s not a compliance framework where you are trying to achieve 100% of a matrix, and if you are taking that approach right now, you should stop and re-evaluate. Taking that approach will only lead to headaches and disappointment, so it’s critical to analyze your environment and understand how to implement the detections, mitigations, and controls that make sense for your environment and add value.
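To make the numbering scheme and the “apply what fits your environment” advice concrete, here is an added example (it is not from the original article or from MITRE): it validates technique IDs, rolls sub-technique detections up to their parent technique, reports coverage per tactic, and lists the uncovered techniques ordered by a criticality you assign. The technique-to-tactic mapping is a hand-typed excerpt for four techniques named in this article, and the criticality scores and detection rule names are constructed.

```python
import re
from collections import defaultdict
# ATT&CK technique IDs: "T" + four digits, with an optional three-digit sub-technique suffix
TECH_ID = re.compile(r"^T(\d{4})(?:\.(\d{3}))?$")

# Hand-typed excerpt of the knowledge base (parent technique -> tactics it appears under).
# Check these against the current ATT&CK release before relying on them.
TECHNIQUE_TACTICS = {
    "T1595": ["Reconnaissance"],                                           # Active Scanning
    "T1574": ["Persistence", "Privilege Escalation", "Defense Evasion"],  # Hijack Execution Flow
    "T1222": ["Defense Evasion"],                                          # File and Directory Permissions Modification
    "T1606": ["Credential Access"],                                        # Forge Web Credentials
}
# Constructed: the criticality you assign to each technique for your own environment (3 = highest)
CRITICALITY = {"T1574": 3, "T1606": 3, "T1222": 2, "T1595": 1}

def parse_technique_id(tid):
    """Split an ID into (parent technique, sub-technique ID or None); reject malformed IDs."""
    m = TECH_ID.match(tid)
    if not m:
        raise ValueError(f"not an ATT&CK technique ID: {tid!r}")
    parent = "T" + m.group(1)
    return parent, (tid if m.group(2) else None)

def coverage_report(detections):
    """detections: list of (rule_name, technique_id) -> (tactic -> covered techniques, gaps)."""
    covered = defaultdict(set)
    for _rule, tid in detections:
        parent, _sub = parse_technique_id(tid)   # a sub-technique detection rolls up to its parent
        if parent not in TECHNIQUE_TACTICS:
            raise KeyError(f"{parent} is not in the loaded technique excerpt")
        for tactic in TECHNIQUE_TACTICS[parent]:
            covered[tactic].add(parent)
    covered_parents = {p for parents in covered.values() for p in parents}
    # Highest-criticality gaps first: that is the prioritization the article describes
    gaps = sorted((t for t in TECHNIQUE_TACTICS if t not in covered_parents),
                  key=lambda t: -CRITICALITY.get(t, 1))
    return {tactic: sorted(parents) for tactic, parents in covered.items()}, gaps

# Constructed sample: two detection rules, one tagged with a sub-technique, one with a parent
SAMPLE_DETECTIONS = [
    ("unsigned_dll_loaded_from_app_dir", "T1574.001"),
    ("web_credential_forgery_alert", "T1606"),
]

if __name__ == "__main__":
    coverage, gaps = coverage_report(SAMPLE_DETECTIONS)
    print("coverage by tactic:", coverage)
    print("uncovered, highest criticality first:", gaps)
```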

Summary

The MITRE ATT&CK Framework is important to understand and to have as part of your foundation of knowledge for a career in information security. The building blocks, such as how the matrices are used, how to build detections at every level from novice to expert, and learning new techniques as the matrices continue to evolve, keep you current in this industry.

Tyler Wall is the founder of Cyber NOW Education. He holds a Master of Science from Purdue University, as well as the CISSP, CCSK, CFSR, CEH, Sec+, Net+, and A+ certifications. He mastered the SOC after having held every position from analyst to architect and is the author of three books, 100+ professional articles, and four online courses, and he regularly holds webinars for new cybersecurity talent.

You can connect with him on LinkedIn.
