MITRE ATT&CK Framework: The Ultimate Guide

What Is the MITRE ATT&CK Framework?

MITRE is a government-backed not-for-profit organization that conducts federally funded cybersecurity research to support defensive IT security across all sectors, including government agencies and defense contractors. 

MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a free and open knowledge base of cybersecurity information first released in 2018. ATT&CK is designed to help cybersecurity analysts and others gain Cyber Threat Intelligence (CTI) insights for planning and designing cyber defense programs and facilitate communication by providing a common reference vocabulary. 

MITRE ATT&CK Matrix

The complete MITRE ATT&CK framework is divided into three main variants, each containing the subset of TTPs that applies to a specific kind of target IT environment. Each variant is known as a “Matrix.” 

The three primary Matrices in the ATT&CK framework are the Enterprise Matrix, the Mobile Matrix, and the ICS (Industrial Control System) Matrix. The Enterprise and Mobile Matrices are further subdivided into sub-Matrices filtered to contain only those Tactics, Techniques, and Procedures (TTP) relevant to each environment.

Enterprise ATT&CK Matrix

The Enterprise ATT&CK Matrix contains 14 tactics that apply to cyberattacks against enterprise infrastructure. The Enterprise Matrix can be further narrowed to 7 sub-Matrices. These sub-Matrices focus on pre-attack activities (PRE Matrix), attacks against specific operating systems (Windows, Linux, and macOS Matrices), network infrastructure attacks (Network Matrix), cloud infrastructure attacks (Cloud Matrix), and attacks against containers (Containers Matrix).

Mobile ATT&CK Matrix

The Mobile ATT&CK Matrix contains 14 Tactics but differs slightly from the Enterprise Matrix in that the “Reconnaissance” and “Resource Development” tactics have been replaced with “Network Effects” and “Remote Service Effects.” The Mobile Matrix targets mobile operating systems (iOS and Android). The two mobile-specific tactics cover the interception and tampering of data in transit over Wi-Fi connections and the achievement of attacker objectives by compromising mobile apps and the remote services they rely on.

Industrial Control Systems (ICS) ATT&CK Matrix

The ICS ATT&CK Matrix contains 12 tactics applicable to cyberattacks against ICS. It does not include the “Credential Access” or “Exfiltration” tactics but instead contains two unique tactics not found in the Enterprise or Mobile Matrices: “Inhibit Response Function” and “Impair Process Control.” These ICS-specific tactics cover hostile activity such as inhibiting safety, protection, quality assurance, or operator intervention functions, or changing configuration parameters or firmware to impair process control and cause damage to physical infrastructure.

ATT&CK Tactics, Techniques, and Procedures

A complete offensive cyber campaign consists of several stages and requires combining multiple tactics to achieve its goal. MITRE ATT&CK uses the TTP perspective to organize cybersecurity knowledge into a hierarchical framework. Tactics are the highest-level category in the ATT&CK hierarchy and correspond to the specific goals attackers try to achieve at each phase of an attack. 

ATT&CK Tactics

  • Reconnaissance (Enterprise, ICS)
  • Resource Development (Enterprise, ICS)
  • Initial Access
  • Execution
  • Persistence
  • Privilege Escalation
  • Defense Evasion
  • Credential Access (Enterprise, Mobile)
  • Discovery
  • Lateral Movement
  • Collection
  • Command and Control
  • Exfiltration (Enterprise, Mobile)
  • Impact 
  • Network Effects (Mobile-only)
  • Remote Service Effects (Mobile-only)
  • Inhibit Response Function (ICS-only)
  • Impair Process Control (ICS-only)

Each Tactic contains multiple Techniques, each describing a method for accomplishing the tactical goal. The lowest hierarchical level in the ATT&CK framework holds detailed Procedures for each Technique, such as the tools, protocols, and malware strains observed in real-world cyberattacks. This lowest level also includes other common knowledge, such as which adversary groups are known to use each Technique.

MITRE D3FEND is a knowledge base—defined as a "knowledge graph" by MITRE—that serves as a library of defensive cybersecurity countermeasures, components, and their associations and capabilities. It is complementary to the MITRE ATT&CK framework of cybercriminals' Tactics, Techniques, and Procedures (TTP).

The Cyber Kill Chain is a cyberattack framework released in 2011 by Lockheed Martin. Like MITRE ATT&CK, the Cyber Kill Chain categorizes all cyberattack behaviors into sequential tactics.

7 Stages of the Cyber Kill Chain

  1. Reconnaissance
  2. Weaponization
  3. Delivery 
  4. Exploitation
  5. Installation
  6. Command and Control
  7. Actions on Objectives

The Cyber Kill Chain is fundamentally different from the MITRE ATT&CK framework in that it claims all cyberattacks must follow a specific sequence of tactics to succeed; MITRE ATT&CK makes no such claim. A second difference is that the Cyber Kill Chain is essentially a sequence of stages that make up a cyberattack, paired with a general defensive axiom: “breaking” any phase of the “kill chain” stops the attacker from achieving their goal and thus protects the defender. 

MITRE ATT&CK is much more than a sequence of attack tactics. It is a deep knowledge base that correlates environment-specific cybersecurity information along a hierarchy of Tactics, Techniques, Procedures, and other Common Knowledge, such as attribution to specific adversarial groups.

How to Use the MITRE ATT&CK Framework

Because ATT&CK combines a broad, high-level perspective with granular, low-level information, security teams can use it to move between distinct cyberattack objectives and the technical detail that realizes them. This makes it a powerful tool for cybersecurity education and for planning enterprise security programs.

MITRE ATT&CK Use Cases

Threat hunters, red teamers, and defenders use ATT&CK for insights into cyberattacks and as a standard classification system that serves as a shared reference for communication between stakeholders when developing enterprise cybersecurity programs.

Because it is a comprehensive knowledge base of cyberattack information, ATT&CK can serve as a checklist of attack goals and methodologies. You can use this checklist to justify implementing security controls and to verify that the resulting set of controls is comprehensive and offers some degree of protection against every element of a real-world cyberattack.
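The Tactic → Technique hierarchy described above and the checklist use case can both be worked through in code. MITRE publishes ATT&CK as STIX 2.1 JSON bundles, in which each Technique is an `attack-pattern` object whose `kill_chain_phases` name its Tactic(s) and whose `external_references` carry the T-number. The example below is added here and is not code from the article or from MITRE: it indexes a constructed, cut-down stand-in for such a bundle by Tactic, then compares it against a hypothetical list of ATT&CK tags taken from detection rules to produce a per-Tactic coverage report with the uncovered Techniques listed as gaps. The four technique IDs are real ATT&CK IDs; `T0000`, the rule tags and the group name are placeholders.

```python
import re
from collections import defaultdict


def _ap(tid, name, tactic, **extra):
    """Minimal STIX 2.1 attack-pattern object shaped like the ones in the ATT&CK bundle."""
    return {"type": "attack-pattern", "name": name,
            "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": tactic}],
            "external_references": [{"source_name": "mitre-attack", "external_id": tid}], **extra}


# Constructed stand-in for MITRE's enterprise-attack.json (real bundles hold hundreds of
# objects). The four technique IDs are real ATT&CK IDs; T0000 is a placeholder.
SAMPLE_BUNDLE = {"type": "bundle", "objects": [
    _ap("T1566", "Phishing", "initial-access"),
    _ap("T1059", "Command and Scripting Interpreter", "execution"),
    _ap("T1003", "OS Credential Dumping", "credential-access"),
    _ap("T1021", "Remote Services", "lateral-movement"),
    _ap("T0000", "Retired placeholder", "execution", revoked=True),  # revoked objects stay in the bundle
    {"type": "intrusion-set", "name": "Hypothetical Group"},         # non-technique objects are skipped
]}

# Hypothetical ATT&CK tags copied from a detection rule set (Sigma-style "attack.tNNNN" tags).
RULE_TAGS = ["attack.t1059.001", "attack.t1566", "attack.execution"]


def techniques_by_tactic(bundle):
    """Return {tactic: {technique_id: name}}, the Tactic -> Technique level of the hierarchy."""
    index = defaultdict(dict)
    for obj in bundle["objects"]:
        if obj.get("type") != "attack-pattern" or obj.get("revoked") or obj.get("x_mitre_deprecated"):
            continue
        tid = next(r["external_id"] for r in obj["external_references"]
                   if r.get("source_name") == "mitre-attack")
        for phase in obj.get("kill_chain_phases", []):
            if phase["kill_chain_name"] == "mitre-attack":  # one technique may sit under several tactics
                index[phase["phase_name"]][tid] = obj["name"]
    return dict(index)


def normalize_tag(tag):
    """Map a rule tag to its parent technique ID (t1059.001 -> T1059); None for tactic-only tags."""
    m = re.search(r"\bT\d{4}\b", tag, re.IGNORECASE)
    return m.group(0).upper() if m else None


def coverage_report(bundle, tags):
    """Per-tactic checklist: how many techniques have at least one rule, and which have none."""
    covered = {t for t in map(normalize_tag, tags) if t}
    report = {}
    for tactic, techs in techniques_by_tactic(bundle).items():
        gaps = sorted(set(techs) - covered)
        report[tactic] = {"total": len(techs), "covered": len(techs) - len(gaps), "gaps": gaps}
    return report


if __name__ == "__main__":
    for tactic, row in coverage_report(SAMPLE_BUNDLE, RULE_TAGS).items():
        print(f"{tactic:18} {row['covered']}/{row['total']} covered, gaps: {row['gaps']}")
```

Pointing `techniques_by_tactic` at the full published bundle instead of `SAMPLE_BUNDLE` gives the same report over the whole Enterprise Matrix, with sub-technique tags rolled up to their parent Technique.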

ATT&CK can also be used by penetration testers, red teams, and security product testers to emulate realistic cyberattacks. ATT&CK gives adversary emulation teams a map of the attack landscape so they can apply the same tactics and techniques observed from real-world attackers.

FAQ

What Does MITRE ATT&CK Mean?

ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge.

What is the MITRE ATT&CK Framework?

MITRE ATT&CK is a free and open knowledge base of cyberattack strategies and related information designed to help cybersecurity analysts and other stakeholders gain Cyber Threat Intelligence (CTI) insight and facilitate communication about offensive and defensive cybersecurity.

What is the MITRE ATT&CK Matrix?

The MITRE ATT&CK Matrix is a hierarchical framework of attack tactics and techniques that captures cybercriminals’ individual goals and the methods used to reach them. There are three primary ATT&CK Matrices, each addressing a distinct environment: Enterprise, Mobile, and Industrial Control Systems.

BlackBerry’s suite of Cylance cybersecurity solutions was 100 percent successful in preventing both the Wizard Spider and Sandworm attack emulations very early in MITRE ATT&CK's 2022 evaluation—before any damage occurred. 

BlackBerry’s CylancePROTECT® and CylanceOPTICS® solutions provided comprehensive detections on individual attack techniques with high confidence, helping to reduce wasted resources spent chasing false positives.