Understanding MITRE ATT&CK Framework: Concepts and Use Cases

The MITRE ATT&CK framework is a comprehensive, global knowledge base of adversary tactics and techniques based on real-world observations.

March 19, 2023

What Is the MITRE ATT&CK Framework? 

The MITRE ATT&CK framework is a comprehensive, global knowledge base of adversary tactics and techniques based on real-world observations. It serves as a common language for the cybersecurity community, enabling organizations to map their security tools and processes to specific stages of an attack. 

This information can be used to better understand the adversary’s goals and objectives, improve threat intelligence analysis, and guide the development of better security technologies. Additionally, the framework provides a basis for measuring the effectiveness of a given set of security controls against actual threats, and for continuously refining and updating those controls over time.

The following image is a snapshot of the MITRE ATT&CK Enterprise Framework.

a snapshot of the MITRE ATT&CK Enterprise Framework

Source: MITRE

This is part of a series of articles about vulnerability management

In this article:

Who Maintains the ATT&CK Framework?

MITRE Corporation, a non-profit organization that operates multiple Federally Funded Research and Development Centers (FFRDCs), created the ATT&CK framework. The framework was developed to provide a common language for describing adversary behavior and a way to compare the effectiveness of different security controls against actual threats. 

The framework is based on extensive research and analysis of actual attacks, and it is continuously updated with new information as threats evolve. Today, the ATT&CK framework is widely used in the cybersecurity community and has become a key resource for organizations looking to improve their threat detection and response capabilities.

How Does the MITRE ATT&CK Framework Work? 

The MITRE ATT&CK framework organizes adversary tactics, techniques, and procedures (TTPs) into a common, easy-to-understand taxonomy. These components work together to provide a comprehensive view of the TTPs used by attackers, allowing organizations to improve their understanding of the threat landscape and improve their security posture.

The framework consists of several matrices, each of which represents a specific technology or operating environment (e.g., Cloud Matrix, Endpoint Matrix, Mobile Matrix, etc.). Each matrix is organized into a series of stages, which represent the different phases of a cyber attack (e.g., initial access, execution, persistence, etc.). Within each stage, specific tactics and techniques are described, along with example tools and methods used by adversaries to carry out these actions.

Here is a brief summary of the main concepts in the MITRE Framework:

  • Tactics: A high-level categorization of the different stages of an attack, such as initial access, execution, persistence, privilege escalation, and data exfiltration.
  • Techniques: Specific methods used by attackers to carry out each tactic, such as using social engineering to gain initial access, exploiting vulnerabilities to execute code, or using remote access tools to maintain persistence.
  • Procedures: The specific steps taken by attackers to carry out each technique, such as sending phishing emails, compromising a website to deliver malware, or using specific tools to evade detection.
  • Matrix: A visual representation of the tactics and techniques used by attackers, organized by attack stage and tactics.
  • Detection: Information about the data or information that can be used to detect each technique, such as network logs, endpoint data, or application logs.
  • Sub-techniques: Detailed information about specific variations or implementations of each technique.
  • Adversaries: Information about specific threat actors or groups that are known to use each tactic and technique.

Organizations can use the framework to map their existing security controls and threat detection capabilities to the specific tactics and techniques used by attackers. This allows them to identify gaps in their defenses and prioritize their efforts to improve their security posture.

MITRE ATT&CK Framework Use Cases 

The MITRE ATT&CK framework has several key use-cases, including:

Prioritizing Detections Based On an Organization’s Unique Environment

By mapping their existing security tools and processes to the tactics and techniques used by attackers, organizations can identify gaps in their defenses and prioritize their efforts to improve their security posture. This allows them to focus on the most critical threats and detections first, based on their specific environment and risk profile.

Evaluating Current Defenses

Organizations can use the framework to evaluate the effectiveness of their current security controls against actual threats. By comparing the coverage of their existing tools and processes against the tactics and techniques used by attackers, they can identify areas where they are vulnerable and prioritize their efforts to improve their defenses.

Tracking Attacker Groups

The framework includes information about specific threat actors and groups, as well as the tactics and techniques used by each group. This information can be used to track the activities of specific attacker groups and understand their goals and objectives. This information can also be used to inform threat hunting and incident response processes, allowing organizations to respond more effectively to attacks.

Improving Threat Intelligence Analysis

The framework provides a basis for analyzing and understanding the TTPs used by attackers, allowing organizations to improve their threat intelligence capabilities. By understanding the specific tactics and techniques used by attackers, organizations can better prioritize their intelligence gathering efforts and develop more effective strategies for detecting and responding to attacks.

MITRE ATT&CK Framework for Containers 

The MITRE ATT&CK Containers Matrix is a framework that focuses specifically on the tactics and techniques used by attackers to target containerized environments. It provides a comprehensive overview of the different stages of a containerized attack, from the initial access to the impact on the target system.

The framework includes information on techniques against containers, including:

  • Initial access techniques include exploiting vulnerabilities in container images, exploiting misconfigurations in container orchestration platforms, and phishing attacks targeting developers or administrators.
  • Execution techniques include running malicious containers or injecting code into existing containers. 
  • Persistence techniques include modifying container images or configuration files to maintain access to the system.
  • Privilege escalation techniques include exploiting vulnerabilities in container runtimes or Kubernetes clusters to gain administrative privileges.
  • Credential access techniques include stealing credentials from container images, configuration files, or memory. 
  • Defense evasion techniques include using obfuscation, encryption, or other methods to avoid detection.
  • Lateral movement techniques include pivoting between containers or from containers to the host system. 
  • Discovery involves identifying vulnerable resources such as containers or sensitive data.

MITRE ATT&CK Framework vs. Lockheed Martin Cyber Kill Chain 

The Cyber Kill Chain, developed by U.S corporation Lockheed Martin, is a model for describing the stages of a cyber attack, from the initial reconnaissance and delivery of the payload, through to the actual execution of the attack and the theft or destruction of data. 

The model is used to help organizations understand the various stages of an attack and the types of defenses and countermeasures that can be put in place at each stage to prevent or detect the attack. The Cyber Kill Chain consists of the following stages:

  1. Reconnaissance: The attacker gathers information about the target and its systems and networks.
  2. Weaponization: The attacker creates and packages the payload that will be delivered to the target.
  3. Delivery: The attacker delivers the payload to the target, typically through an email, a website, or a network vulnerability.
  4. Exploitation: The attacker exploits a vulnerability in the target’s systems or networks to execute the payload and gain a foothold in the target’s environment.
  5. Installation: The attacker installs additional tools or payloads to maintain persistence in the target’s environment and to facilitate data theft or destruction.
  6. Command and Control: The attacker establishes a communication channel with the compromised systems to remotely control and execute commands.
  7. Actions on Objectives: The attacker carries out the objectives of the attack, such as data theft or destruction, and exfiltrates the stolen data.

The MITRE ATT&CK framework and the Cyber Kill Chain are both models used to understand and describe the stages of a cyber attack. However, there are some key differences between the two frameworks:

  • Focus: The MITRE ATT&CK framework is broader in scope and covers a wider range of tactics and techniques used by attackers. The Cyber Kill Chain, on the other hand, is more focused on the specific stages of a cyber attack and is used to understand the technical details of an attack.
  • Depth of coverage: The MITRE ATT&CK framework provides a more detailed and comprehensive view of the threat landscape, including information about specific attacker groups and the tactics and techniques used by each group. The Cyber Kill Chain provides a more high-level view of the stages of an attack and is less detailed.
  • Use cases: The MITRE ATT&CK framework is used to improve security posture and inform security investments, while the Cyber Kill Chain is used to understand the technical details of an attack and inform incident response.
  • Tools and resources: The MITRE ATT&CK framework provides a wealth of resources and tools for organizations looking to improve their security posture, including a comprehensive database of tactics, techniques, and procedures used by attackers, as well as a matrix for mapping the coverage of existing security tools and processes. The Cyber Kill Chain does not provide these types of resources and tools.

Both the MITRE ATT&CK framework and the Cyber Kill Chain are valuable tools for organizations looking to understand and protect against cyber attacks. However, the MITRE ATT&CK framework provides a more comprehensive and detailed view of the threat landscape and is better suited for organizations looking to improve their overall security posture. The Cyber Kill Chain, on the other hand, is better suited for organizations looking to understand the technical details of an attack and respond effectively to incidents.

Learn more About Vulnerability Management

Open Source Vulnerability Scanning: Methods and Top 5 Tools

Open source vulnerability scanners, often used as part of Software Composition Analysis (SCA) tools, are used to detect open source components used in software projects, and check if they contain unpatched  security vulnerabilities, and help organizations remediate them. These tools scan complex dependency trees, because vulnerabilities can be found in a dependent library used by the main component or brought into an application during the build phase.  Learn how open source vulnerability scanning works and discover tools that can help you identify and remediate vulnerabilities in OSS components and containers. 

Read more: Open Source Vulnerability Scanning: Methods and Top 5 Tools

Trivy Vulnerability Scanner Adopted by Leading Cloud Native Platforms

Trivy is a comprehensive and easy-to-use open source vulnerability scanner for container images. Unlike other open source scanners, Trivy covers both OS packages and language-specific dependencies and is extremely easy to integrate into organizations’ software development pipelines. Trivy vulnerability scanner is being added as an integrated option in the CNCF’s Harbor registry, in GitLab, and in Mirantis Docker Enterprise.
Read more: Trivy Vulnerability Scanner Adopted by Leading Cloud Native Platforms