ATT&CK
The Adversarial Tactics, Techniques, and Common Knowledge or MITRE ATT&CK is a guideline for classifying and describing cyberattacks and intrusions. It was created by the Mitre Corporation and released in 2013.[1]
Rather than looking at the results of an attack (aka an indicator of compromise (IoC)), it identifies tactics that indicate an attack is in progress. Tactics are the “why” of an attack technique.
The framework consists of 14 tactics categories consisting of "technical objectives" of an adversary.[2] Examples include privilege escalation and command and control.[3] These categories are then broken down further into specific techniques and sub-techniques.[3]
The framework is an alternative to the Cyber Kill Chain developed by Lockheed Martin.[3]
ATT&CK Matrix for Enterprise
The ATT&CK Matrix for Enterprise is a comprehensive framework that is presented as a kanban board-style diagram.[4] It defines 14 categories of tactics, techniques and procedures (TTPs) used by cybercriminals with the associated techniques and sub-techniques.
| Category | Description | Techniques |
|---|---|---|
| Reconnaissance | Gathering information about a target. | 10 |
| Resource Development | Identifying and acquiring resources for the attack. | 8 |
| Initial Access | Gaining initial access to a system or network. | 10 |
| Execution | Running malicious code on a system. | 14 |
| Persistence | Maintaining access to a system or network. | 20 |
| Privilege Escalation | Obtaining elevated privileges within a system or network. | 14 |
| Defense Evasion | Disabling or evading security measures. | 43 |
| Credential Access | Obtaining credentials to access systems or data. | 17 |
| Discovery | Identifying additional systems or information within a network. | 32 |
| Lateral Movement | Moving laterally within a compromised network. | 9 |
| Collection | Collecting data from compromised systems. | 10 |
| Command and Control | Establishing communication with compromised systems. | 17 |
| Exfiltration | Transferring stolen data from a compromised system. | 9 |
| Impact | Taking actions to achieve the attacker's objectives. | 14 |
Reconnaissance
Reconnaissance is the initial stage of information gathering for an eventual cyberattack.[5]
There are 10 techniques – including the use of network scanning, social engineering and Open-source intelligence (OSINT).
| MITRE ID | Techniques | Summary |
|---|---|---|
| T1595 | Active Scanning | Active reconnaissance by scanning the target network using a port scanning tool such as Nmap, vulnerability scanning tools and wordlist scanning for common file extensions and software used by the victim. |
| T1598 | Phishing for Information | Using social engineering techniques to elicit useful information from the target. Using a communication channel such as e-mail, including generic phishing and targeted spearphishing which has been specifically created to target an individual victim |
| T1592 | Gather Victim Host Information | Discover the configuration of specific endpoints such as their hardware, software and administrative configuration (such as Active Directory domain membership). Especially security protections such as antivirus and locks (biometric, smart card or even a Kensington K-Slot). |
| T1590 | Gather Victim Network Information | Discover the target network's configuration such as the network topology, security appliances (network firewall, VPN), IP address ranges (either IPv4, IPv6 or both), fully qualified domain names (FQDN) and the Domain Name System (DNS) configuration. |
References
- "What is the MITRE ATT&CK Framework?". Rapid7. Retrieved 2022-04-18.
- "Tactics in the ATT&CK Framework". Exabeam. 2022-08-03.
- "What is the Mitre Attack Framework?". crowdstrike.com. Retrieved 2022-04-18.
- "MITRE ATT&CK". mitre.org. MITRE. Retrieved 1 March 2024.
- "Reconnaissance". attack.mitre.org. MITRE. Retrieved 1 March 2024.