Clear all

Posts: 83
Topic starter
Joined: 9 months ago

MITRE developed ATT&CK as a model to document and track various techniques attackers use throughout the different stages of a cyberattack to infiltrate your network and exfiltrate data.

ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge. The framework is a matrix of different cyberattack techniques sorted by different tactics. There are different matrices for Windows, Linux, Mac, and mobile systems.

ATT&CK is a matrix of hacking techniques by tactics. There are several different matrices:

  • PRE-ATT&CK Matrix includes techniques used for reconnaissance, target identification, and attack planning.
  • Windows includes techniques used to hack all flavors of Windows.
  • Linux includes techniques used to hack all flavors of Linux.
  • MacOS includes techniques used to hack MacOS.
  • Mobile ATT&CK matrix includes techniques used to attack mobile devices.

The Enterprise ATT&CK matrix is a superset of the Windows, MacOS, and Linux matrices. At the time of this writing, there are 245 techniques in the Enterprise model. MITRE regularly updates ATT&CK with the latest and greatest hacking techniques that hackers and security researchers discover in the wild.

The Differences Between PRE-ATT&CK and ATT&CK Enterprise

PRE-ATT&CK and ATT&CK Enterprise combine to form the full list of tactics that happen to roughly align with the Cyber Kill Chain. PRE-ATT&CK mostly aligns with the first three phases of the kill chain: reconnaissance, weaponization, and delivery. ATT&CK Enterprise aligns well with the final four phases of the kill chain: exploitation, installation, command & control, and actions on objectives.

Cyber Kill Chain

PRE-ATT&CK Tactics ATT&CK Enterprise Tactics
  • Priority Definition
  • Target Selection
  • Information Gathering
  • Weakness Identification
  • Adversary OpSec
  • Establish & Maintain Infrastructure
  • Persona Development
  • Build Capabilities
  • Test Capabilities
  • Stage Capabilities
  • Initial Access
  • Execution
  • Persistence
  • Privilege Escalation
  • Defense Evasion
  • Credential Access
  • Discovery
  • Lateral Movement
  • Collection
  • Exfiltration
  • Command and Control

MITRE and other third-party developers use ATT&CK to help the Red and Blue Teams implement their pentesting and defensive efforts:

  • Caldera is MITRE’s automated attach technique emulation tool
  • Cascade is MITRE’s Blue Team automation toolset
  • Attack Navigator is a web application you can use to make notes and track your ATT&CK status
  • Oilrig is Palo Alto’s Adversary Playbook built on the ATT&CK model.
  • MITRE’s Cyber Analytics Repository is a separate project from ATT&CK that tracks detailed information about how to detect techniques.
  • Varonis detects several ATT&CK techniques and cyberattacks in your network – including Pass the HashPass the Ticket, and Brute Force.  Varonis threat models use the same language as ATT&CK so you can easily reference both resources when you need to research cyberattacks.

ATT&CK Enterprise Matrix


Topic Tags
1 Reply
Posts: 83
Topic starter
Joined: 9 months ago
What is Mitre ATT&CK?
It is a framework for describing the different ways that attackers have been able to both target and attack their victims. It is a living framework, as it is regularly updated and it is a compilation of real-world attacks.
You may notice there are pre-att&ck and att&ck matrices. Along with distinctions made for different OS platforms (e.g. Windows, MacOS, Linux) along with Cloud and Mobile options. The distinctions are necessary because not all attacks will be applicable to all OS platforms or technologies.
Pre-att&ck refers to the range of activities attackers may use before they actually attack. Activities are more than just reconnaissance (learning about the target), but also about acquiring and maintaining infrastructure.
You’ve Probably Heard of TTP’s, but what do they Mean?
Refer to tacticstechniques and procedures. Let’s dive deeper.
Tactics: are the reason for performing an action; the “why”. Gaining initial access, executing something, persisting, elevating privileges, discovering credentials, moving laterally, etc. Take note, an attacker may not necessarily use all tactics for an attack.
Example of a Tactic:
Each of the column headers in the ATT&CK Matrix is a tactic, there are 11:
Techniques: represent the “how”. How the attacker may leverage a tactic such as exfiltration to move data out of a system. There are hundreds of techniques. Take note, techniques fall under tactics, so be sure to read them vertically.
Example of Techniques:
Are the vertical boxes under each tactic. For example, “Exfiltration” has 8 techniques under the Windows Matrix.
Procedures: are the details of performing the technique. Or in a practical sense, how the attacker got in, or how they could get (assuming you’re planning for proactive measures).
Putting it all together (an example):
Tactic: Initial Access
Technique: Phishing (Spearphishing via Service)
Procedure Description: Spearphishing via service is a specific variant of phishing. It is different from other forms of spearphishing in that it employs the use of third party services (e.g. Twitter, LinkedIn, etc) rather than directly via enterprise email channels.
Procedure Example: One of your employees gets targeted via Facebook at work to visit a malicious URL. 
Mitigations: Anti-malware, user training, restrict services
Detections: SSL/TLS inspection, endpoint protections