What is MITRE ATT&CK?
MITRE ATT&CK is a documented collection of information about the malicious behaviours advanced persistent threat (APT) groups have used at various stages of real-world cyber-attacks. ATT&CK, which stands for Adversarial Tactics, Techniques, and Common Knowledge, includes detailed descriptions of these groups' observed tactics, techniques, and procedures, commonly called TTPs.
The MITRE ATT&CK framework was created by MITRE in 2013 to document attacker tactics and techniques based on real-world observations. The knowledge base continues to evolve with the threat landscape and has become a renowned industry reference for understanding attacker models, methodologies, and mitigations.
What is in the MITRE ATT&CK Matrix?
The MITRE ATT&CK matrix contains the set of techniques adversaries use to accomplish specific objectives. Those objectives are categorized as tactics in the ATT&CK Matrix and are presented linearly, from the point of reconnaissance to the final goal of exfiltration or "impact". Looking at the broadest version of ATT&CK for Enterprise, which covers Windows, macOS, Linux, PRE, Azure AD, Office 365, Google Workspace, SaaS, IaaS, Network, and Containers, the adversary tactics are categorized as follows:
- Reconnaissance: gathering information to plan future adversary operations, e.g., information about the target organization
- Resource Development: establishing resources to support operations, e.g., setting up command and control infrastructure
- Initial Access: trying to get into your network, e.g., spear phishing
- Execution: trying to run malicious code, e.g., running a remote access tool
- Persistence: trying to maintain their foothold, e.g., changing configurations
- Privilege Escalation: trying to gain higher-level permissions, e.g., leveraging a vulnerability to elevate access
- Defense Evasion: trying to avoid being detected, e.g., using trusted processes to hide malware
- Credential Access: stealing account names and passwords, e.g., keylogging
- Discovery: trying to figure out your environment, e.g., exploring what they can control
- Lateral Movement: moving through your environment, e.g., using legitimate credentials to pivot through multiple systems
- Collection: gathering data of interest to the adversary's goal, e.g., accessing data in cloud storage
- Command and Control: communicating with compromised systems to control them, e.g., mimicking normal web traffic to communicate with a victim network
- Exfiltration: stealing data, e.g., transferring data to a cloud account
- Impact: manipulating, interrupting, or destroying systems and data, e.g., encrypting data with ransomware
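In practice the matrix is a lookup table from technique to tactic, and defenders use it to lay their detection inventory over the kill chain and see which columns are empty. The Python below is an added example, not MITRE's code or tooling: it models a small subset of the Enterprise matrix, with the 14 tactics in the order the matrix presents them and each technique tagged with every tactic it appears under (Valid Accounts, for instance, sits under four), and reports which tactics a constructed set of detections leaves uncovered. The technique IDs and tactic assignments follow the public ATT&CK knowledge base, but the subset is deliberately small and assignments shift between releases, so check them against the current version before relying on them; the detection inventory in `main` is constructed for illustration.

```python
"""Small model of the ATT&CK for Enterprise matrix for detection-coverage mapping.

Added example, not MITRE code. TACTICS lists the 14 Enterprise tactics in matrix
order; TECHNIQUES is a deliberately small subset, each technique tagged with every
tactic it appears under. IDs and assignments follow the public ATT&CK knowledge
base; verify against the current release before relying on them.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List

# The 14 Enterprise tactics, left to right as the matrix presents them.
TACTICS: List[str] = [
    "Reconnaissance", "Resource Development", "Initial Access", "Execution",
    "Persistence", "Privilege Escalation", "Defense Evasion", "Credential Access",
    "Discovery", "Lateral Movement", "Collection", "Command and Control",
    "Exfiltration", "Impact",
]


@dataclass(frozen=True)
class Technique:
    tid: str
    name: str
    tactics: FrozenSet[str]  # one technique can sit under several matrix columns


def _t(tid: str, name: str, *tactics: str) -> Technique:
    return Technique(tid, name, frozenset(tactics))


# Illustrative subset of the matrix (public ATT&CK IDs; not the full knowledge base).
TECHNIQUES: Dict[str, Technique] = {t.tid: t for t in (
    _t("T1595", "Active Scanning", "Reconnaissance"),
    _t("T1583", "Acquire Infrastructure", "Resource Development"),
    _t("T1566", "Phishing", "Initial Access"),
    _t("T1078", "Valid Accounts", "Initial Access", "Persistence",
       "Privilege Escalation", "Defense Evasion"),
    _t("T1059", "Command and Scripting Interpreter", "Execution"),
    _t("T1547", "Boot or Logon Autostart Execution", "Persistence", "Privilege Escalation"),
    _t("T1036", "Masquerading", "Defense Evasion"),
    _t("T1003", "OS Credential Dumping", "Credential Access"),
    _t("T1082", "System Information Discovery", "Discovery"),
    _t("T1021", "Remote Services", "Lateral Movement"),
    _t("T1056", "Input Capture", "Collection", "Credential Access"),
    _t("T1071", "Application Layer Protocol", "Command and Control"),
    _t("T1567", "Exfiltration Over Web Service", "Exfiltration"),
    _t("T1486", "Data Encrypted for Impact", "Impact"),
)}


def validate_matrix(techniques: Dict[str, Technique] = TECHNIQUES) -> int:
    """Check that every tactic a technique claims is a real matrix column.
    Returns the number of techniques validated."""
    known = set(TACTICS)
    for t in techniques.values():
        unknown = t.tactics - known
        if unknown:
            raise ValueError(f"{t.tid} references unknown tactic(s): {sorted(unknown)}")
    return len(techniques)


def coverage_by_tactic(covered_ids: Iterable[str],
                       techniques: Dict[str, Technique] = TECHNIQUES) -> Dict[str, List[str]]:
    """Map each tactic (in matrix order) to the covered technique IDs under it.
    Unknown IDs raise rather than silently inflating the coverage picture."""
    covered = set(covered_ids)
    unknown = covered - techniques.keys()
    if unknown:
        raise KeyError(f"unknown technique ID(s): {sorted(unknown)}")
    report: Dict[str, List[str]] = {tactic: [] for tactic in TACTICS}
    for tid in sorted(covered):
        for tactic in techniques[tid].tactics:
            report[tactic].append(tid)
    return report


def uncovered_tactics(covered_ids: Iterable[str]) -> List[str]:
    """Tactics with no covered technique, in matrix order: the gaps to prioritise."""
    report = coverage_by_tactic(covered_ids)
    return [tactic for tactic in TACTICS if not report[tactic]]


def render(report: Dict[str, List[str]]) -> str:
    """One row per tactic, matrix order, so gaps read like an empty column."""
    width = max(len(tactic) for tactic in TACTICS)
    return "\n".join(
        f"{tactic:<{width}}  {', '.join(ids) if ids else '-- no coverage --'}"
        for tactic, ids in report.items()
    )


if __name__ == "__main__":
    validate_matrix()
    # Constructed detection inventory: IDs a hypothetical team's rules already cover.
    detections = ["T1566", "T1059", "T1003", "T1071"]
    print(render(coverage_by_tactic(detections)))
    print("Tactics with no coverage:", ", ".join(uncovered_tactics(detections)))
```

Two design points carry over to real tooling: unknown technique IDs are rejected instead of ignored, because a typo in an inventory otherwise shows up as a silent gap, and a multi-tactic technique is counted under every column it belongs to, since covering Valid Accounts genuinely gives visibility into four tactics, not one.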