ATT&CK

The Adversarial Tactics, Techniques, and Common Knowledge or MITRE ATT&CK is a guideline for classifying and describing cyberattacks and intrusions. It was created by the Mitre Corporation and released in 2013.[1]

Rather than cataloguing the artefacts an attack leaves behind (indicators of compromise, or IoCs), it describes the tactics and techniques that indicate an attack is in progress. Tactics are the "why" of an attack technique: the objective the adversary is trying to achieve.

The framework consists of 14 tactics categories consisting of "technical objectives" of an adversary.[2] Examples include privilege escalation and command and control.[3] These categories are then broken down further into specific techniques and sub-techniques.[3]

The framework is an alternative to the Cyber Kill Chain developed by Lockheed Martin.[3]

ATT&CK Matrix for Enterprise

The ATT&CK Matrix for Enterprise is a comprehensive framework presented as a kanban board-style diagram.[4] It defines 14 tactic categories of the tactics, techniques and procedures (TTPs) used by cybercriminals, each listing the associated techniques and sub-techniques.

Category | Description | Techniques
--- | --- | ---
Reconnaissance | Gathering information about a target. | 10
Resource Development | Identifying and acquiring resources for the attack. | 8
Initial Access | Gaining initial access to a system or network. | 10
Execution | Running malicious code on a system. | 14
Persistence | Maintaining access to a system or network. | 20
Privilege Escalation | Obtaining elevated privileges within a system or network. | 14
Defense Evasion | Disabling or evading security measures. | 43
Credential Access | Obtaining credentials to access systems or data. | 17
Discovery | Identifying additional systems or information within a network. | 32
Lateral Movement | Moving laterally within a compromised network. | 9
Collection | Collecting data from compromised systems. | 10
Command and Control | Establishing communication with compromised systems. | 17
Exfiltration | Transferring stolen data from a compromised system. | 9
Impact | Taking actions to achieve the attacker's objectives. | 14
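As an added example (not from the article or from MITRE), here is a small Python coverage check of the kind a detection team runs against this matrix: detection rules are tagged with technique IDs, sub-technique IDs (the dotted Txxxx.yyy form) are rolled up to their parent technique, and the result is compared with the per-tactic technique totals in the table above. The matrix subset, rule names and tags are constructed for the example, and it also reports tags that are malformed or not in the loaded matrix.

```python
import re
from collections import defaultdict

# Constructed subset of the Enterprise matrix: technique ID -> (name, tactic).
# Only the four Reconnaissance techniques the article lists are included; a
# real deployment would load the full matrix from MITRE's published data.
MATRIX = {
    "T1595": ("Active Scanning", "Reconnaissance"),
    "T1598": ("Phishing for Information", "Reconnaissance"),
    "T1592": ("Gather Victim Host Information", "Reconnaissance"),
    "T1590": ("Gather Victim Network Information", "Reconnaissance"),
}

# Technique totals per tactic, taken from the article's matrix table.
TECHNIQUES_PER_TACTIC = {"Reconnaissance": 10, "Initial Access": 10}

# A technique ID is "T" plus four digits; sub-techniques append ".nnn".
TECHNIQUE_ID = re.compile(r"^T(\d{4})(?:\.(\d{3}))?$")

# Constructed detection rules, each tagged with the technique ID(s) it covers.
RULES = [
    {"name": "external_port_sweep", "techniques": ["T1595.001"]},
    {"name": "credential_harvest_email", "techniques": ["T1598.003"]},
    {"name": "dns_zone_transfer_attempt", "techniques": ["T1590"]},
    {"name": "macro_attachment_opened", "techniques": ["T1566"]},  # not in subset
    {"name": "bad_tag", "techniques": ["T159"]},  # malformed ID
]

def parent_technique(tech_id):
    """Return the parent technique ID (sub-technique suffix stripped), or None."""
    m = TECHNIQUE_ID.match(tech_id)
    return "T" + m.group(1) if m else None

def coverage(rules, matrix=MATRIX, totals=TECHNIQUES_PER_TACTIC):
    """Return (tactic -> (covered, total, sorted IDs), unknown tags, malformed tags)."""
    covered, unknown, malformed = defaultdict(set), [], []
    for rule in rules:
        for tag in rule["techniques"]:
            parent = parent_technique(tag)
            if parent is None:
                malformed.append((rule["name"], tag))
            elif parent not in matrix:
                unknown.append((rule["name"], tag))
            else:
                covered[matrix[parent][1]].add(parent)
    report = {t: (len(covered[t]), totals[t], sorted(covered[t])) for t in totals}
    return report, unknown, malformed
```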

Reconnaissance

Reconnaissance is the initial stage of information gathering for an eventual cyberattack.[5]

There are 10 techniques, including network scanning, social engineering and open-source intelligence (OSINT).

MITRE ID | Technique | Summary
--- | --- | ---
T1595 | Active Scanning | Active reconnaissance by scanning the target network with a port scanner such as Nmap, with vulnerability scanning tools, and with wordlist scanning for common file extensions and software used by the victim.
T1598 | Phishing for Information | Using social engineering to elicit useful information from the target over a communication channel such as e-mail; this includes generic phishing and targeted spearphishing crafted for an individual victim.
T1592 | Gather Victim Host Information | Discovering the configuration of specific endpoints, such as their hardware, software and administrative configuration (for example Active Directory domain membership), and especially their security protections, such as antivirus software and physical locks (biometric, smart card or even a Kensington K-Slot).
T1590 | Gather Victim Network Information | Discovering the target network's configuration, such as its topology, security appliances (network firewall, VPN), IP address ranges (IPv4, IPv6 or both), fully qualified domain names (FQDNs) and Domain Name System (DNS) configuration.

References

  1. "What is the MITRE ATT&CK Framework?". Rapid7. Retrieved 2022-04-18.
  2. "Tactics in the ATT&CK Framework". Exabeam. 2022-08-03.
  3. "What is the Mitre Attack Framework?". CrowdStrike. Retrieved 2022-04-18.
  4. "MITRE ATT&CK". mitre.org. MITRE. Retrieved 2024-03-01.
  5. "Reconnaissance". attack.mitre.org. MITRE. Retrieved 2024-03-01.
This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.