The MITRE ATT&CK Framework
MITRE developed ATT&CK as a model for documenting and tracking the techniques attackers use across the stages of a cyberattack, from the first foothold in your network through to the exfiltration of data.
ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge. The framework is a matrix of attack techniques organized by tactic, where a tactic is the adversary's goal (for example, gaining credentials) and a technique is a way of achieving it. MITRE publishes several matrices:
- PRE-ATT&CK covers what an adversary does before gaining access: reconnaissance, target identification, and attack planning.
- Windows covers techniques used against all versions of Windows.
- Linux covers techniques used against Linux distributions.
- macOS covers techniques used against macOS.
- Mobile ATT&CK covers techniques used against Android and iOS devices.
The Enterprise ATT&CK matrix is the union of the Windows, macOS, and Linux matrices; a technique that applies to more than one platform appears once, tagged with each platform it affects. At the time of this writing there are 245 techniques in the Enterprise model. MITRE updates ATT&CK regularly as incident responders and security researchers document new techniques observed in the wild.
Enterprise ATT&CK groups its techniques under the following tactics, each covered in its own post in this series:
- The MITRE ATT&CK Framework: Initial Access
- The MITRE ATT&CK Framework: Execution
- The MITRE ATT&CK Framework: Persistence
- The MITRE ATT&CK Framework: Privilege Escalation
- The MITRE ATT&CK Framework: Defense Evasion
- The MITRE ATT&CK Framework: Credential Access
- The MITRE ATT&CK Framework: Discovery
- The MITRE ATT&CK Framework: Lateral Movement
- The MITRE ATT&CK Framework: Collection
- The MITRE ATT&CK Framework: Exfiltration
- The MITRE ATT&CK Framework: Command and Control
The Differences Between PRE-ATT&CK and ATT&CK Enterprise
Together, PRE-ATT&CK and ATT&CK Enterprise cover the full list of tactics, and that list aligns roughly with the Lockheed Martin Cyber Kill Chain. PRE-ATT&CK maps to the first three phases of the kill chain: reconnaissance, weaponization, and delivery. ATT&CK Enterprise maps to the remaining four: exploitation, installation, command and control, and actions on objectives. (MITRE has since folded PRE-ATT&CK into Enterprise ATT&CK, in ATT&CK v8 in October 2020, as the Reconnaissance and Resource Development tactics, so current Enterprise versions span the whole kill chain on their own.)
[Table: PRE-ATT&CK Tactics | ATT&CK Enterprise Tactics]
MITRE and third parties have built tooling on ATT&CK that red and blue teams use to plan adversary emulation and measure defensive coverage:
- CALDERA is MITRE's automated adversary emulation platform, which executes ATT&CK techniques against your own environment.
- CASCADE is MITRE's blue-team automation toolset for investigating hosts.
- ATT&CK Navigator is a web application for annotating the matrix and tracking which techniques you cover; it stores your annotations as a JSON "layer".
- OilRig is a threat group; Palo Alto Networks' Adversary Playbook for it maps the group's observed techniques onto the ATT&CK model.
- MITRE's Cyber Analytics Repository (CAR) is a separate project from ATT&CK that catalogs analytics for detecting specific ATT&CK techniques.
- Varonis detects several ATT&CK techniques and attacks in your network, including Pass the Hash, Pass the Ticket, and Brute Force. Varonis threat models use the same vocabulary as ATT&CK, so you can cross-reference the two when researching an attack.
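The per-platform matrices described earlier and the Navigator and Varonis items in this list all rest on one data model: MITRE publishes ATT&CK as a STIX 2 JSON bundle in which each tactic is an x-mitre-tactic object and each technique an attack-pattern whose kill_chain_phases name the tactics it serves. The following is an added example, not code from this page, Varonis, or MITRE, that loads such a bundle into a tactic-by-technique matrix, filters it per platform the way the Windows/Linux/macOS matrices relate to Enterprise, and writes a Navigator layer marking the techniques a detection product reports (here, Brute Force and Pass the Hash). The bundle in the block is a constructed sample using real ATT&CK names and current IDs (which post-date the 245-technique model this article describes); the layer version numbers and the set of detected techniques are assumptions.

```python
"""Added example (not Varonis's or MITRE's code): build a tactic/technique
matrix from an ATT&CK-style STIX 2 bundle and emit an ATT&CK Navigator layer.

SAMPLE_BUNDLE is a small constructed sample shaped like MITRE's
enterprise-attack.json: one "x-mitre-tactic" object per column and one
"attack-pattern" per technique, linked through kill_chain_phases. Names and
IDs are real ATT&CK entries, but the sample is hand-built and omits most
fields the real bundle carries.
"""
import json


def _tactic(name, shortname):
    return {"type": "x-mitre-tactic", "name": name, "x_mitre_shortname": shortname}


def _technique(tid, name, phases, platforms, **extra):
    obj = {
        "type": "attack-pattern",
        "name": name,
        "external_references": [{"source_name": "mitre-attack", "external_id": tid}],
        "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": p} for p in phases],
        "x_mitre_platforms": platforms,
    }
    obj.update(extra)
    return obj


SAMPLE_BUNDLE = {  # constructed sample; the bundle id is made up
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        _tactic("Initial Access", "initial-access"),
        _tactic("Defense Evasion", "defense-evasion"),
        _tactic("Credential Access", "credential-access"),
        _tactic("Lateral Movement", "lateral-movement"),
        _technique("T1566", "Phishing", ["initial-access"], ["Windows", "Linux", "macOS"]),
        _technique("T1110", "Brute Force", ["credential-access"], ["Windows", "Linux", "macOS"]),
        _technique("T1550", "Use Alternate Authentication Material",
                   ["defense-evasion", "lateral-movement"], ["Windows"]),
        _technique("T1550.002", "Pass the Hash", ["defense-evasion", "lateral-movement"],
                   ["Windows"], x_mitre_is_subtechnique=True),
        # Revoked entries stay in the bundle for history; a matrix must drop them.
        _technique("T1064", "Scripting", ["defense-evasion", "execution"],
                   ["Windows", "Linux", "macOS"], revoked=True),
    ],
}


def technique_id(obj):
    """The ATT&CK ID (T####[.###]) from an attack-pattern's external references."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref["external_id"]
    raise ValueError(f"no ATT&CK id on {obj.get('name')!r}")


def load_matrix(bundle, platform=None):
    """Return {tactic name: [technique IDs]} with columns in bundle order.

    Revoked and deprecated objects are skipped. With platform set (e.g. "Linux")
    only techniques tagged for that platform are kept: same columns, fewer cells,
    which is how the per-OS matrices relate to Enterprise. (The real bundle
    orders columns via its x-mitre-matrix object's tactic_refs; object order
    is used here for brevity.)
    """
    tactics = {}  # shortname -> display name; insertion order = column order
    for obj in bundle["objects"]:
        if obj.get("type") == "x-mitre-tactic":
            tactics[obj["x_mitre_shortname"]] = obj["name"]
    matrix = {name: [] for name in tactics.values()}
    for obj in bundle["objects"]:
        if obj.get("type") != "attack-pattern":
            continue
        if obj.get("revoked") or obj.get("x_mitre_deprecated"):
            continue
        if platform and platform not in obj.get("x_mitre_platforms", []):
            continue
        tid = technique_id(obj)
        for phase in obj.get("kill_chain_phases", []):
            # A multi-tactic technique appears in every column it serves.
            if phase.get("kill_chain_name") == "mitre-attack" and phase["phase_name"] in tactics:
                matrix[tactics[phase["phase_name"]]].append(tid)
    return matrix


def unknown_ids(matrix, covered):
    """IDs in `covered` absent from the matrix: typos, revoked IDs, wrong domain."""
    known = {tid for ids in matrix.values() for tid in ids}
    return sorted(set(covered) - known)


def coverage(matrix, covered):
    """Per-tactic (covered, total) counts: a quick view of where detection gaps sit."""
    return {tactic: (sum(tid in covered for tid in ids), len(ids)) for tactic, ids in matrix.items()}


def navigator_layer(name, matrix, covered, comment="detected"):
    """Navigator layer highlighting `covered`; rejects IDs the matrix lacks.

    The "versions" values are assumptions: set them to the ATT&CK and
    Navigator releases you actually run.
    """
    bad = unknown_ids(matrix, covered)
    if bad:
        raise ValueError(f"not in this matrix: {bad}")
    return {
        "name": name,
        "versions": {"attack": "14", "navigator": "4.9", "layer": "4.5"},
        "domain": "enterprise-attack",
        "techniques": [
            {"techniqueID": tid, "score": 1, "color": "#66b1ff", "comment": comment}
            for tid in sorted(covered)
        ],
    }


if __name__ == "__main__":
    matrix = load_matrix(SAMPLE_BUNDLE)
    detected = {"T1110", "T1550.002"}  # assumed: Brute Force and Pass the Hash alerts
    print(coverage(matrix, detected))
    print(json.dumps(navigator_layer("Detected techniques", matrix, detected), indent=2))
```

The same functions work unchanged on MITRE's full enterprise-attack.json, and the emitted JSON can be opened in ATT&CK Navigator as an existing layer. The unknown_ids check matters in practice: a detection mapped to a revoked or mistyped ID silently disappears from the matrix, which is the kind of coverage gap the layer is supposed to expose, not hide.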