What is the MITRE ATT&CK Framework and Why Should You Care
Security teams often struggle keeping pace with cyber attackers. For every new technology that enables business operations, adversaries work to find a weakness that they can use to gain access to sensitive systems, networks, and data. When defending themselves against threat actors, most organizations put up a series of walls. By making it difficult for attackers to achieve their objectives, organizations mitigate risks because financially motivated malicious actors find it cost-prohibitive to continue on their path.
To successfully defend against attackers, security teams can leverage the MITRE ATT&CK Framework to understand why threat actors perform actions, how they achieve goals, and the steps they take to achieve their objectives.
What is the MITRE ATT&CK Framework?
The MITRE ATT&CK Framework is a comprehensive resource creating a common cybersecurity taxonomy and vocabulary with detailed information about the tactics and techniques that adversaries use in cyber attacks. The Framework outlines:
- Stages of the attack life cycle
- Common adversary behaviors
- Tactics specific to various operating systems and enterprise networks
Security teams typically use MITRE ATT&CK for threat modeling, gaining insights into how well their technical controls and processes mitigate risk by mapping out common tactics and individual techniques. The MITRE ATT&CK Framework enables security teams to:
- Understand attacker tactics, like initial access, credential access, and actions on objectives
- Proactively hunt for threats within their systems
- Identify control gaps
- Detect and respond to attacks more effectively
Tactics
MITRE, the nonprofit responsible for the Framework, defines tactics as the underlying reason that attackers perform actions. The Framework starts by identifying critical tactics for enterprise systems and also drills down into Mobile and Industrial Control Systems (ICS). While some primary tactics follow across all three environments, some are unique to Mobile or ICS.
The MITRE ATT&CK Framework identifies the following fourteen tactics that adversaries use in enterprise systems when trying to achieve their objectives:
- Reconnaissance: Gathering information to use in future operations
- Resource Development: Identifying the resources that they can use to support operations
- Initial Access: Gaining unauthorized access to a network
- Execution: Running malicious code
- Persistence: Remaining in systems
- Privilege Escalation: Giving themselves additional access permissions
- Defense Evasion: Avoiding detection by security tools and teams
- Credential Access: Stealing account names and passwords
- Discovery: Learning about the environment, including network infrastructure, systems, and user accounts
- Lateral Movement: Using stolen or escalated access to move through the environment
- Collection: Gathering data that helps achieve the objective
- Command and Control: Communicating with compromised systems to control them
- Exfiltration: Stealing data
- Impact: Manipulating, interrupting, or destroying systems and data
For mobile devices, MITRE ATT&CK identifies twelve of the original tactics and an additional two that are unique to these devices and environments:
- Network Effects: Intercepting or manipulating network traffic to or from a device
- Remote Service Effects: Controlling or monitoring the device using remote services
Finally, for ICS, MITRE ATT&CK identifies ten of the original tactics and an additional two that are unique to these environments:
- Inhibit Response Function: Preventing safety, protection, quality assurance, and operator intervention functions from responding to a failure, hazard, or unsafe state
- Impair Process Control: Manipulating, disabling, or damaging physical control processes
Techniques
Techniques are the technical “how” that adversaries use to achieve a goal. Mapped to the tactics, the techniques and their sub-techniques provide information like:
- Examples of attacks and threat groups using the technique
- Mitigations that organizations can implement
- Data components that help detect the technique
- Resources security teams can use to learn more about the technique, mitigations, and detections
For example, the Initial Access tactic encompasses nine techniques, including:
- Drive-by compromise
- Exploit public-facing application
- External remote services
- Hardware additions
- Phishing
- Replication through removable media
- Supply chain compromise
- Trusted relationship
- Valid accounts
As the Framework drills down further, some techniques include sub-techniques. For example, the Supply Chain Compromise technique includes the following sub-techniques:
- Compromise software dependencies and development tools
- Compromise software supply chain
- Compromise hardware supply chain
Procedures
While tactics, techniques, and sub-techniques all focus on behaviors, procedures are real-world examples of attackers using them. While procedures appear specific to the victim organization, they give security teams practical insights into the steps threat actors take to implement techniques to achieve their objectives.
For example, the technique “Exploit Public-Facing Application” lists more than thirty procedure examples, including:
- Threat actor APT29 exploiting CVE-2019-19781, CVE-2019-11510, CVE-2018,13379, and CVE-2019-9670
- Threat actor APT41 exploiting CVE-2020-10189 an CVE-2019-19781
- Unidentified threat actors using Log4Shell vulnerabilities, including CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, and CVE-2021-44832
What is MITRE ATT&CK used for?
Since MITRE ATT&CK takes an adversary’s perspective on an attack, security teams often use it to understand how threat actors think and the steps they take to undermine defensive controls.
Identify Threat Mitigation Activities
Within the Procedures, MITRE ATT&CK outlines mitigations that can reduce the impact of an adversary using a Technique. For example, within the “Exploit Public-Facing Application” Procedure, the Framework identifies the following mitigations:
- Application isolation and sandboxing
- Exploit protection
- Network segmentation
- Privileged account management
- Update software
- Vulnerability scanning
Since these threat mitigation activities are mapped to real-world attacks, security teams can identify the attack types targeting their industry and adopt appropriate controls to make an adversary’s job more difficult.
Evaluate Current Defenses
Many organizations use the Framework as a roadmap for penetration testing and red teaming. By building tabletop exercises that simulate real-world attacks, security teams can determine whether their cybersecurity tools adequately detect an incident. This process enables them to fine-tune their tools and identify areas of improvement.
Prioritize Detections
Since MITRE ATT&CK provides attack blueprints, security teams can look at the detection suggestions listed within a Procedure as a guideline. For example, the “Exploit Public-Facing Application” Procedure identifies two detections that teams can leverage:
- Application log content
- Network traffic content
The earlier in the attack life cycle that security teams can detect incidents, the less damage attackers can do.
How organizations can operationalize MITRE ATT&CK
Adversaries increasingly target IoT devices, but the MITRE ATT&CK Framework has only started addressing threats beyond the enterprise IT environment. Many organizations struggle to leverage MITRE ATT&CK to manage the unique risks associated with IoT, Industrial IoT (IIoT), and Internet of Medical Things (IoMT) devices. Further, this becomes even more challenging for organizations like manufacturers and healthcare delivery organizations (HDOs) whose technology investments include devices running end-of-life (EoL)/end-of-service (EoS) operating systems.
Identify Threat Actors
Some threat actors target specific industries because they feel that the return on investment makes it worthwhile. For example, HDOs manage high volumes of personally identifiable information (PII), making them attractive data theft targets. Meanwhile, if they believe that a ransomware attack will compromise patient health by taking a medical device offline, they are more likely to pay the ransom.
Security teams can use MITRE ATT&CK to test their defensive capabilities against attackers targeting their industry. By running simulations based on known attack methodologies, they can improve their preventive and detective controls purposefully.
Identify All Devices
Attackers focus their attacks on devices, software, and applications containing known vulnerabilities. By identifying the devices connected to the network, organizations can implement the appropriate threat mitigation activities. For organizations managing IoT, Industrial IoT, and IoMT this can be particularly challenging as typical scanning technologies can lead to service interruption.
Organizations should look for passive scanners that help them build accurate device inventories containing the following information:
- Operating system
- IP address
- MAC address
- Port numbers
- Hostname
- Version number
- Applications on devices
- Operating systems and versions
- Software versions
Identify Exploitable Vulnerabilities on Devices Connected to Public-Facing Networks
When organizations have an accurate asset inventory, they can use the same passive scanning technology to identify vulnerabilities on these at-risk devices. For example, a passive scanning solution that identifies software applications running on the network by inspecting packets rather than initializing traffic enables safe, real-time:
- Device behavior analysis
- Risk assessment
- Threat detection
- Remediation
Integrating this technology with the IT team’s active scanning tool enables the organization to create a comprehensive, layered approach to endpoint security that addresses the risks posed by IoT devices.
Prioritize Remediation Activities
Using MITRE ATT&CK, security teams can collaborate with vulnerability and patch management teams to prioritize remediation activities based on how attackers use vulnerabilities to compromise systems successfully. Depending on how the organization deployed its devices, attackers may not be able to exploit a vulnerability, even though a device appears at risk by containing it. For example, an organization that places a vulnerable device on a network that never connects to the public internet may not need to take additional steps.
To fully operationalize the MITRE ATT&CK Framework, organizations need solutions that enable them to prioritize vulnerabilities by aggregating and analyzing:
- Security data that the manufacturer supplies
- Open-source software components that developers used
- Vulnerability criticality
- Attacker tactics, techniques, and procedures (TTPs) that can use the vulnerability
Asimily: Using the MITRE ATT&CK Framework to Prioritize Vulnerability Management
Asimily provides holistic context into an organization’s environment when calculating Likelihood-based risk scoring for devices. Our vulnerability scoring considers the compensating controls so you can more appropriately prioritize remediation activities.
Organizations efficiently identify high-risk vulnerabilities with our proprietary, patented algorithm that cross-references vast amounts of data from resources like EPSS (Exploit Prediction Scoring System), Manufacturer Disclosure Statements for Medical Device Security (MDS2s), Software Bills of Material (SBOMs), Common Vulnerability and Exposure (CVE) lists, the MITRE ATT&CK Framework, and NIST Guidelines. It understands your unique environment, so our deep contextual recommendation engine can provide real-time, actionable remediation steps to reduce risk and save time.
Asimily customers are 10x more efficient because the engine can pinpoint and prioritize the top 2% of problem devices that are High-Risk (High Likelihood of exploitation and High Impact if compromised). Asimily’s recommendations can easily be applied in several ways, including through seamless integration with NACs, firewalls, or other network enforcement solutions.
To learn more about Asimily, download our Total Cost of Ownership Analysis on Connected Device Cybersecurity Risk whitepaper or contact us today.
Reduce Vulnerabilities 10x Faster with Half the Resources
Find out how our innovative risk remediation platform can help keep your organization’s resources safe, users protected, and IoT and IoMT assets secure.