Created by the MITRE Corporation in 2013 and publicly released in 2015, MITRE ATT&CK is a knowledge base of adversary behavior built from publicly reported intrusions. ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) catalogs the tactics and techniques adversaries use, organized into three domains: Enterprise, Mobile, and ICS.
What Does the MITRE ATT&CK Framework Include?
The ATT&CK catalog looks at security from the adversary’s perspective: what attackers are trying to achieve (tactics), how they achieve it (techniques), who they are (groups), and what tooling they use (software). The knowledge base is split into the Enterprise, Mobile, and ICS domains and into the object types below. The counts are a snapshot from the release current at the time of writing; they grow with every ATT&CK release.
Tactics represent the attacker’s tactical goal, the reason for performing an action (for example Initial Access, Privilege Escalation, or Exfiltration):
- enterprise network – 14 tactics
- mobile devices – 14 tactics
- industrial control system (ICS) – 12 tactics
Techniques represent how the attacker achieves that goal; sub-techniques describe more specific variants of a technique:
- enterprise network – 193 techniques and 401 sub-techniques
- mobile devices – 66 techniques and 41 sub-techniques
- industrial control system (ICS) – 79 techniques
Data sources represent the kinds of telemetry (process creation, network traffic, file access, authentication logs, and so on) a defender can collect to detect a technique; each technique page lists the data sources relevant to detecting it. The framework tracks 39 data sources.
Mitigations represent security concepts and classes of technology (multi-factor authentication, application isolation, network segmentation, and the like) that prevent a technique from being executed successfully. The framework tracks 43 mitigations.
Groups represent named adversary clusters, tracked under a common name together with their reported aliases. Each group is mapped to the techniques it has been publicly reported to use, with references to the original reporting. The framework follows 135 groups.
Software represents the tools adversaries use to achieve their goals: custom malware, commercial and open-source tools, and built-in operating system utilities. The framework includes 718 software entries.
Campaigns represent intrusion activity conducted over a specific period against common targets. The framework follows 14 campaigns, attributing each to a group and its software where public reporting supports it.
ATT&CK for Enterprise covers numerous platforms: Windows, macOS, Linux, PRE (pre-compromise activity), cloud (Azure AD, Office 365, Google Workspace, SaaS, IaaS), Network, and Containers.
How Should You Use the MITRE ATT&CK Framework?
The knowledge base shows a security team how adversaries prepare, launch, and carry out their attacks. For example, the APT29 group entry lists the techniques that group has been publicly reported to use; each technique page in turn lists the mitigations that block it and the data sources needed to detect it, so a team can trace a known adversary’s behavior to the controls and telemetry it already has or still lacks. Security professionals use this information to evaluate their defenses, detect adversary actions, and plan their response.
Because every entry is grounded in publicly reported intrusions, the framework is a rich, freely available resource for understanding how adversaries gain access to networks, move laterally, escalate privileges, and evade defenses. Organizations that understand these behaviors can defend against them far more deliberately.
ATT&CK matrices are useful for walking through threat scenarios. MITRE ATT&CK® Navigator is MITRE’s open-source, web-based tool for exploring and annotating ATT&CK matrices: a team scores and colors techniques in a layer and can compare layers against each other. Matrices and Navigator support visualizing defensive coverage, red and blue team planning, and tracking how often each technique is detected. Users can drill down into any tactic or technique in a matrix to see procedure examples, mitigations, and detection guidance, or filter the matrix to the techniques used by a specific group or campaign.
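The "how often each technique is detected" view above is produced by handing Navigator a layer file. The following is an added example, not code from the original page, from MITRE, or from Panoptica: it aggregates constructed alert records by ATT&CK technique ID and emits a Navigator layer whose per-technique score is the detection count, so the matrix heat-maps technique frequency. The alert lines, hostnames, and detection names are constructed; the `versions` strings are assumptions and should be set to the Navigator and ATT&CK release you load the layer into.

```python
"""Build a MITRE ATT&CK Navigator layer from detection events.

Added example (not from the original page, MITRE, or Panoptica).  The
layer field set follows the Navigator layer file format; the version
strings below are assumed and should match your Navigator/ATT&CK release.
"""
import json
import re
from collections import Counter

# Constructed sample alerts (not real telemetry), one detection per line:
# "<timestamp> <host> <technique_id> <detection name>".  The last two
# lines are deliberately malformed to show that they are skipped.
SAMPLE_ALERTS = """\
2024-03-01T08:12:03Z ws-17 T1059.001 PowerShell encoded command
2024-03-01T08:12:09Z ws-17 T1059.001 PowerShell download cradle
2024-03-01T08:15:41Z ws-17 T1078 Logon with disabled-then-enabled account
2024-03-01T09:02:10Z srv-db T1021.002 Admin share (ADMIN$) access from workstation
2024-03-01T09:05:55Z ws-22 T1566.001 Macro-enabled attachment opened
2024-03-01T09:06:30Z ws-22 T1059.001 PowerShell spawned by WINWORD.EXE
2024-03-01T09:40:00Z srv-db T1021.002 Admin share (ADMIN$) access from workstation
2024-03-01T10:00:00Z ws-22 unknown Alert with no technique mapping
2024-03-01T10:01:00Z ws-22
"""

# Technique IDs are T#### with an optional .### sub-technique suffix.
TECHNIQUE_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")


def parse_alerts(text):
    """Yield (technique_id, detection_name) for each well-formed line.

    Lines whose third field is not a technique ID are skipped rather than
    silently producing a bogus entry in the layer.
    """
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) < 4 or not TECHNIQUE_ID.match(parts[2]):
            continue
        yield parts[2], parts[3]


def count_techniques(text):
    """Return a Counter of technique_id -> number of detections."""
    return Counter(tid for tid, _ in parse_alerts(text))


def build_layer(counts, name="detections", domain="enterprise-attack"):
    """Return a Navigator layer dict scored by detection count.

    A technique entry without a 'tactic' field applies to every tactic
    column the technique appears in (T1078 Valid Accounts sits in four).
    For each scored sub-technique, an unscored parent entry with
    showSubtechniques=True is added so the sub-technique row is visible.
    """
    techniques = []
    expanded_parents = set()
    for tid, n in sorted(counts.items()):
        techniques.append({
            "techniqueID": tid,
            "score": n,
            "comment": f"{n} detection(s)",
            "enabled": True,
        })
        parent = tid.split(".")[0]
        if parent != tid and parent not in counts and parent not in expanded_parents:
            techniques.append({"techniqueID": parent, "showSubtechniques": True})
            expanded_parents.add(parent)
    max_score = max(counts.values(), default=0)
    return {
        "name": name,
        # Assumed version strings; align with the release you load into.
        "versions": {"attack": "12", "navigator": "4.8.0", "layer": "4.4"},
        "domain": domain,
        "description": "Technique frequency from detection alerts",
        "techniques": techniques,
        "gradient": {
            "colors": ["#ffffff", "#ff6666"],
            "minValue": 0,
            "maxValue": max(max_score, 1),
        },
    }


if __name__ == "__main__":
    layer = build_layer(count_techniques(SAMPLE_ALERTS))
    print(json.dumps(layer, indent=2))
```

Save the printed JSON and open it in Navigator with "Open Existing Layer"; the gradient maps a score of 0 to white and the busiest technique to red. Mapping each alert to a technique ID at the detection source is the prerequisite for any of the coverage or frequency views described above, which is why the parser refuses lines without one instead of guessing.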
Modern Cloud-Native Security Starts with Panoptica
Cisco’s Emerging Technologies and Incubation (ET&I) team is paving the way with “DevOps-friendly” cloud-native security solutions that fundamentally simplify conventional offerings. Our Panoptica solution simplifies cloud-native application security, making it easy to embed into the software development lifecycle. Panoptica protects the full application stack from code to runtime by scanning for security vulnerabilities in the cloud infrastructure, microservices (Containers or Serverless), the software bill of materials, and the interconnecting APIs. And best of all, it integrates with the tools that your application development and SecOps teams are already using. Try Panoptica for free!