MITRE introduced ATT&CK (Adversarial Tactics, Techniques & Common Knowledge) in 2013 as a way to describe and categorize adversarial behaviors based on real-world observations. ATT&CK is a structured list of known attacker behaviors that have been compiled into tactics and techniques and expressed in a handful of matrices as well as via STIX/TAXII. Since this list is a fairly comprehensive representation of behaviors attackers employ when compromising networks, it is useful for a variety of offensive and defensive measurements, representations, and other mechanisms.
MITRE has ATT&CK broken out into a few different matrices: Enterprise, Mobile, and PRE-ATT&CK. Each of these matrices contains various tactics and techniques associated with that matrix’s subject matter.
The Enterprise matrix is made of techniques and tactics that apply to Windows, Linux, and/or MacOS systems. Mobile contains tactics and techniques that apply to mobile devices. PRE-ATT&CK contains tactics and techniques related to what attackers do before they try to exploit a particular target network or system.
When looking at ATT&CK in the form of a matrix, the column titles across the top are tactics and are essentially categories of techniques. Tactics are the what attackers are trying to achieve whereas the individual techniques are the how they accomplish those steps or goals.
ATT&CK Enterprise Matrix from https://attack.mitre.org/matrices/enterprise/
For example, one of the tactics is Lateral Movement. In order for an attacker to successfully achieve lateral movement in a network, they will want to employ one or more of the techniques listed in the Lateral Movement column in the ATT&CK matrix.
A technique is a specific behavior to achieve a goal and is often a single step in a string of activities employed to complete the attacker’s overall mission. ATT&CK provides many details about each technique including a description, examples, references, and suggestions for mitigation and detection.
Example of a technique description in MITRE ATT&CK
As an example of how tactics and techniques work in ATT&CK, an attacker may wish to gain access into a network and install cryptocurrency mining software on as many systems as possible inside that network. In order to accomplish this overall goal, the attacker needs to successfully perform several intermediate steps. First, gain access to the network - possibly through a Spearphishing Link. Next, they may need to escalate privilege through Process Injection. Now they can get other credentials from the system through Credential Dumping and then establish persistence by setting the mining script to run as a Scheduled Task. With this accomplished, the attacker may be able to move laterally across the network with Pass the Hash and spread their coin miner software on as many systems as possible.
In this example, the attacker had to successfully execute five steps - each representing a specific tactic or stage of their overall attack: Initial Access, Privilege Escalation, Credential Access, Persistence, and Lateral Movement. They used specific techniques within these tactics to accomplish each stage of their attack (spearphishing link, process injection, credential dumping, etc.).
PRE-ATT&CK and ATT&CK Enterprise combine to form the full list of tactics that happen to roughly align with the Cyber Kill Chain. PRE-ATT&CK mostly aligns with the first three phases of the kill chain: reconnaissance, weaponization, and delivery. ATT&CK Enterprise aligns well with the final four phases of the kill chain: exploitation, installation, command & control, and actions on objectives.
|PRE-ATT&CK Tactics||ATT&CK Enterprise Tactics|
ATT&CK is valuable in a variety of everyday settings. Any defensive activities that reference attackers and their behaviors can benefit from applying ATT&CK’s taxonomy. Beyond offering a common lexicon for cyber defenders, ATT&CK also provides a foundation for penetration testing and red teaming. This gives defenders and red teamers common language when referring to adversarial behaviors.
Examples where applying ATT&CK’s taxonomy can be useful:
Many organizations maintain lists of detective and preventive security controls in their environment - a controls catalog. Looking at these controls through the lens of ATT&CK can help hone controls, expose inefficiencies, and show gaps in protection. It’s important to keep in mind that while ATT&CK can be used in this manner, it is primarily for describing attacker behaviors - not defensive mechanisms.
The process of aligning controls to ATT&CK techniques is pretty straightforward. For each control, consider what techniques (and specifically what ways of employing those techniques) can be detected or prevented by that control. Referencing ATT&CK’s techniques (or tactics where a specific technique can’t be nailed down) now allows for searching, pivoting, and reporting on the controls by means of how the environment looks to attackers. For example, once all controls have ATT&CK techniques associated with them, it should be easy to see what techniques have no detective or preventive controls in place at all. Using the MITRE ATT&CK Navigator is a great way to visualize this effort.
By stepping through the tactics (columns) in the ATT&CK Enterprise matrix and selecting techniques that have no controls in place, possible attack scenarios can be pieced together where the organization would have no visibility and no prevention in place to stop. Consider how likely the resulting scenarios would be and rank them by feasibility. The most feasible scenarios should be sources for threat hunting to see if attackers have already exploited them. These should also be the areas where investment occurs to get some controls in place.
Instead of operating on the assumption that the controls would indeed be effective against specific attacker techniques, simulating the techniques against the controls should be done when possible. Controls may not be as effective as we thought and testing is really the only way to know for sure. Also, configuration errors or system problems may exist that prevent the controls from operating effectively. These issues may not be known were the controls not tested from time to time.
Testing is also a good way to validate tool investments by showing which tools are really doing the lion’s share of providing detections or preventions, which aren’t doing much at all or are ultimately redundant to other tools in the environment.
ATT&CK can be useful to cyber threat intelligence as it allows for describing adversarial behaviors in a standard fashion. Actors can be tracked with associations to techniques and tactics in ATT&CK that they have been known to utilize. This gives a roadmap to defenders to apply against their operational controls to see where they have weaknesses against certain actors and where they have strengths. Creating MITRE ATT&CK Navigator entries for specific actors is a good way to visualize the environment’s strengths and weaknesses against those actors or groups. ATT&CK is also available as a STIX/TAXII 2.0 feed which makes it easy to ingest into existing tools that support those technologies.
ATT&CK provides details on nearly seventy actors and groups, including what techniques and tools they are known to use based on open source reporting.
MITRE ATT&CK Group List
The intelligence creation process itself can benefit from using the common vernacular of ATT&CK. As mentioned, this can apply to actors and groups but can also apply to observed behaviors as seen from the SOC or incident response activities. Malware can also be referred to in terms of behaviors via ATT&CK. Any threat intelligence tools that have support for ATT&CK help make this process straightforward. Commercial and open source intelligence that apply ATT&CK to any mentioned behaviors is also helpful in keeping things consistent. Disseminating intelligence to operations or management is ultimately much easier when all parties speak the same language around adversarial behaviors. If operations know exactly what Forced Authentication is and sees it mentioned in an intelligence report, they may know exactly what actions should be taken or what controls are already in place regarding that piece of intelligence. Standardizing on ATT&CK references in intelligence products in this way can dramatically improve efficiency and ensure common understanding.
Testing the techniques in ATT&CK against the environment is the best way to:
The process of performing adversarial simulation isn’t foreign to many environments. When employing penetration testers to test the environment, organizations are engaging in adversarial simulation testing. The same applies to organizations that have internal red teams or that perform purple team engagements. Applying the activities of these engagements to ATT&CK techniques elevates the understanding of the results by defenders. Instead of reporting failures to detect certain activity, reporting from pen tests and red teams can contain better context to apply their activities directly to operational controls, defensive tools, and procedures. This makes it easier for defenders to take appropriate actions as a result of the reports.
Simulations can be designed to mirror tools and techniques known to be used by specific actors as well. This can be especially useful when trying to assess how successful certain adversaries might be against the controls present in the environment.
Additionally, there are tools available that provide mechanisms for testing certain techniques directly inside the environment and are already aligned with ATT&CK. Commercial tools such as Verodin, SafeBreach, and AttackIQ provide the ability to perform adversarial simulation aligned with ATT&CK. There are some open source options to do adversarial simulation and also align with ATT&CK as well (listed below). As always, take care when performing adversarial simulations on production networks where the scope of potential ramifications isn’t fully understood.
The process for making use of these tools is straightforward:
The following is a list of best practices for ATT&CK.
Using ATT&CK doesn’t come without challenges. It’s good to keep these in mind when leveraging ATT&CK.
The following is a list of tools and other resources that make use of ATT&CK. Some of these have been mentioned previously but are provided here for easy reference. To have something added to this list, send an email to email@example.com.
ATT&CK Navigator is a great tool to use for mapping out controls against ATT&CK techniques. Layers can be added that show specifically detective controls, preventive controls, or even observed behaviors. Navigator can be utilized online for quick mockups or scenarios or it can be downloaded and setup internally as a more permanent solution.
MITRE ATT&CK Navigator
Metta is an open source project from Uber that performs adversarial simulation and is aligned with MITRE ATT&CK.
Caldera is an open source, automated adversary simulation tool that is based on MITRE ATT&CK.
MITRE Caldera Screenshot
Atomic Red Team is an open source tool from Red Canary for simulating adversarial behaviors mapped to MITRE ATT&CK. More info available at: https://atomicredteam.io/
Atomic Red Team Test Example
Red Team Automation is an open source tool from Endgame that tests malicious behavior modeled on MITRE ATT&CK.
Current list of techniques supported by Red Team Automation (RTA)
The good folks at Malware Archeology provide a number of Windows logging cheat sheets to aid defenders in finding malicious activity in logs. They have one dedicated to finding techniques from MITRE ATT&CK.
Example of included details in the ATT&CK Logging Cheat Sheet from Malware Archeology
MITRE has a resource called the Cyber Analytics Repository (CAR) which is a reference site to various analytics useful for detecting behaviors in MITRE ATT&CK.
MITRE Cyber Analytics Repository (CAR)
Cyb3rPanda has loaded ATT&CK into a public Tableau instance for easy pivoting and filtering.
ATT&CK Enterprise Matrix in a public Tableau by Cyb3rPanda
Palo Alto’s Unit 42 group has released a free playbook viewer which shows known adversarial behaviors for a handful of threat groups aligned to MITRE ATT&CK.
Palo Alto Unit 42’s Playbook Viewer
The Anomali Weekly Threat Briefing is a free weekly report of key security and threat developments of the week. The report includes relevant IOCs and ATT&CK techniques for each story in the briefing.
Anomali Weekly Threat Briefing example
MITRE has made a significant contribution to the security community by giving us ATT&CK and its related tools and resources. It couldn’t have come at a better time. As attackers are finding ways to be more stealthy and avoid detection by traditional security tools, defenders find themselves having to change how they approach detection and defense. ATT&CK shifts our perception from low-level indicators like IP addresses and domain names and causes us to see attackers and our defenses through the lens of behaviors. This new perception doesn’t mean results will come easy though. The easy days of block lists and simple filters are all but gone. The road of detecting and preventing behaviors is a much harder path than the fire-and-forget tools of the past. Additionally, attackers will certainly be adapting as defenders bring new capabilities to bear. ATT&CK provides a way to describe whatever new techniques they develop and hopefully keep defenders in step.