Collaboration and Consensus: Using the MITRE ATT&CK Framework
by Jeremy West, CIAS-ISAO Senior Cybersecurity Project Lead
The MITRE ATT&CK framework is one of today’s most significant and publicly available cybersecurity knowledge bases. The MITRE ATT&CK framework, developed by the non-profit organization MITRE, is a knowledge base of observed adversary behaviors and is an acronym for Adversarial, Tactics, Techniques and Common Knowledge. MITRE oversees U.S. government-funded research for numerous government agencies, which include but are not limited to the Department of Defense, the Department of Homeland Security, the Federal Aviation Administration, the Department of Health and Human Services, and the National Institutes of Standards and Technology (R&D Centers, n.d.).
The MITRE ATT&CK framework is referred to as the “cyber Rosetta stone,” as it gives analysts a tool to reflect cybersecurity jargon into terms understood across the organization.
As of February 2023, MITRE ATT&CK Enterprise is on version 12, containing 14 tactics, 193 techniques and 401 sub-techniques (CISA, 2023). Adversaries use tactics, techniques and procedures when conducting cyber-attacks. More precisely:
- Tactics are the adversary’s goals or why they are acting against your organization.
- Techniques and sub-techniques represent how an adversary accomplishes their goal.
- Procedures are the instances of what the adversary did. For example, an adversary may aim to perform an initial reconnaissance (tactic) of your organization. To perform reconnaissance, the adversary may use various active scanning (techniques), including IP block and vulnerability scanning (sub-techniques). The procedure, in this case, could be an adversary scanning your network for systems with the log4shell vulnerability.
Why Use MITRE ATT&CK?
Organizations, cybersecurity analysts and practitioners should use MITRE ATT&CK because it fosters greater awareness of the security posture by gaps in defenses. The framework enables the comparison of tactics, techniques and procedures (TTPs) used by adversaries and threat groups. More importantly, the ATT&CK lists methods to mitigate or interrupt attacker attempts to perform the specific technique (Hubbard, 2020). Moreover, the framework is designed to be used at all levels of the organization, from analysts to leaders (Clancy, 2022). Practitioners can use the MITRE ATT&CK framework to identify, protect, detect, respond and recover from cybersecurity events and incidents.
The MITRE ATT&CK framework is referred to as the “cyber Rosetta stone,” as it gives analysts a tool to reflect cybersecurity jargon into terms understood across the organization (Alba, 2022). As a result, analysts can leverage the cybersecurity knowledge base to communicate to various audiences.
Table 1 (below) identifies each tactic and provides a brief description of the adversary’s objective.
MITRE ATT&CK Enterprise Tactics v12 (Tactics – Enterprise | MITRE ATT&CK®, n.d.)
|ID||NAME||Description – The adversary is trying to:|
|TA0043||Reconnaissance||gather information they can use to plan future operations.|
|TA0042||Resource Development||establish resources they can use to support operations.|
|TA0001||Initial Access||get into your network.|
|TA0002||Execution||run malicious code.|
|TA0003||Persistence||maintain their foothold.|
|TA0004||Privilege Escalation||gain higher-level permissions.|
|TA0005||Defense Evasion||avoid being detected.|
|TA0006||Credential Access||steal account names and passwords.|
|TA0007||Discovery||figure out your environment.|
|TA0008||Lateral Movement||move through your environment.|
|TA0009||Collection||gather data of interest to their goal.|
|TA0011||Command and Control||communicate with compromised systems to control them.|
|TA0040||Impact||manipulate, interrupt or destroy your systems and data.|
Suppose the analyst is providing an executive summary as a part of a report about an incident or investigation. In that case, they can use the tactics leveraged by the adversary to express the impact on the organization, business or mission. For instance, the analyst could describe the following situation using MITRE ATT&CK tactics for an executive summary:
“An adversary performed reconnaissance (TA0043) to gain initial access (TA0001) to our environment, then move laterally (TA0008) to collect information (TA0009) from one of our systems and exfiltrate (TA0010) or steal customer information using our website.”
Whereas if the analyst was going to describe the same scenario to a more technical audience, they could use the techniques, sub-techniques or procedures to describe the same situation. The following description could be part of a technical summary:
“A spearphishing attachment (T1566.001) was used against one of our administrators (T1078.002) to gain initial access to our environment. The adversary used a local account (T1078.003) to perform privilege escalation and SMB remote services (T1021.002) to move laterally to a web server where they could extract files from local system sources (T1005). They could later exfiltrate the data using alternative symmetric and asymmetric encryption protocols (T1048).”
The two examples above demonstrate the power of the MITRE ATT&CK framework to describe the same incident to different target audiences. Leaders can use the executive summary of the incident to prioritize resources and make informed decisions about appropriate responses. In addition, the technical audience can use tactics, techniques, procedures (TTPs) and indicators of compromise (IOC) to thwart similar attacks in the future. Moreover, the TTPs and IOCs can be shared with other entities, such as information sharing and analysis organizations (ISAOs), law enforcement and other pertinent parties, to prevent the same adversary from successfully compromising other victims.
How to Access
MITRE ATT&CK Navigator is a web-based tool that organizations and analysts can utilize to visually map adversary tactics and techniques using colors and/or scores (Hubbard, 2020). The tool can be accessed and used directly via a webpage, or a version can be downloaded into your environment (ATT&CK Navigator – GitHub Repository, 2018/2023; ATT&CK Navigator – Tool, n.d.). Furthermore, the tool allows analysts to create layers to map different adversary groups targeting their organization. One of the most significant advantages of the Navigator is that it has direct links to definitions and descriptions of tactics, techniques, procedures, and mitigation and detection methods.
Perhaps an unrecognized use case is to use layers in MITRE ATT&CK Navigator to execute the Delphi technique. The Delphi method or technique is a mechanism for eliciting and refining analysis from experts or cybersecurity analysts (Davidson & Hasledalen, 2014). Each analyst can be assigned a separate layer to assess adversary activities. Once the layers are combined, the process can continue until a consensus is reached.
There are numerous uses and benefits to using the MITRE ATT&CK framework. These span from providing a common language that practitioners can use to express cyber events and incidents to preventing the incidents from occurring in the first place. Organizations and cybersecurity practitioners should use the MITRE ATT&CK framework to enrich their capabilities, protect their own organization and collaborate better with others.
Alba, M. (2022). Leveraging MITRE ATT&CK: How Your Team Can Adopt This Essential Framework. CIO. https://www.cio.com/article/309861/leveraging-mitre-attck-how-your-team-can-adopt-this-essential-framework.html
ATT&CK Navigator—GitHub Repository. (2023). [TypeScript]. MITRE ATT&CK. https://github.com/mitre-attack/attack-navigator (Original work published 2018)
ATT&CK Navigator—Tool. (n.d.). Retrieved February 15, 2023, from https://mitre-attack.github.io/attack-navigator/
CISA. (2023, January). Best Practices for MITRE ATT&CK Mapping. https://www.cisa.gov/uscert/sites/default/files/publications/Best%20Practices%20for%20MITRE%20ATTCK%20Mapping.pdf
Clancy, R. (2022, December 22). MITRE ATT&CK: Meaning, Uses, and Benefits. Cybersecurity Exchange. https://www.eccouncil.org/cybersecurity-exchange/ethical-hacking/mitre-attack-uses-benefits/
Davidson, P., & Hasledalen, K. (2014). Cyber Threats to Online Education: A Delphi Study. International Conference on Management, Leadership & Governance, 68–77. https://www.proquest.com/docview/1781570386/abstract/3062EFD2C29F4A3BPQ/1