MITRE ATT&CK Framework Overview
MITRE ATT&CK (Adversarial Tactics, Techniques & Common Knowledge) is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. It serves as a foundation for developing threat models and methodologies in the private sector, government, and the cybersecurity product and service community. ATT&CK organizes techniques under tactics, each representing an adversary's objective at a stage of an intrusion. The tactics are as follows:
1. Reconnaissance
Reconnaissance involves adversaries gathering information that can support targeting efforts. This information may include details about the victim organization, infrastructure, or personnel. Reconnaissance helps adversaries plan Initial Access or prioritize post-compromise objectives. It may be active or passive and serves as a precursor to further attacks.
2. Resource Development
Adversaries create, purchase, or steal resources to support their operations. These resources include infrastructure (domains, servers), accounts, or capabilities (malware, tools). They may leverage these resources for other phases, such as using purchased domains for Command and Control or stolen certificates for Defense Evasion.
3. Initial Access
Initial Access techniques allow adversaries to gain an initial foothold in a network. This can be achieved through spearphishing, exploiting public-facing servers, or using compromised accounts. A foothold gained through valid accounts or external remote services often provides continued access that can be used in later phases of the intrusion.
4. Execution
Execution refers to techniques that result in adversary-controlled code running on a local or remote system. These techniques are typically paired with techniques from other tactics to achieve broader goals, such as network exploration or data theft. For example, an adversary might use a remote access tool to run a PowerShell script that performs system discovery.
5. Persistence
Persistence techniques allow adversaries to keep their foothold on systems across restarts, credential changes, and other interruptions that could otherwise cut off their access. This can involve replacing or hijacking legitimate code, or adding startup entries so that access is regained automatically.
6. Privilege Escalation
Privilege Escalation involves gaining higher-level permissions on a system or network. Adversaries often enter a network with unprivileged access and must obtain elevated permissions to pursue their objectives. Elevated access may mean SYSTEM/root level, local administrator access, or a user account with access to a specific system or function. These techniques frequently overlap with Persistence methods, since both often rely on the same mechanisms.
7. Defense Evasion
Defense Evasion techniques help adversaries avoid detection throughout an intrusion. They include disabling security tools, obfuscating data or code, and abusing trusted processes to hide malware. Techniques from other tactics are cross-listed under Defense Evasion when they also subvert defenses.
8. Credential Access
Credential Access techniques are used to steal account names and passwords. Methods include keylogging and credential dumping, which provide adversaries with legitimate credentials. Using legitimate credentials gives adversaries access to systems, makes their activity harder to detect, and lets them create additional accounts for ongoing access.
9. Discovery
Discovery techniques enable adversaries to gather information about the system or network. By understanding the environment, adversaries can determine what is accessible and how best to achieve their goals. Native OS tools are commonly used to gather this post-compromise intelligence.
10. Lateral Movement
Lateral Movement involves moving between systems within a network to reach the adversary's objective. Adversaries may install their own remote access tools or use legitimate credentials with native network and operating system tools to control additional systems. Reaching the target often requires pivoting through multiple accounts and systems.
11. Collection
Collection refers to gathering data relevant to the adversary’s objectives. Target sources may include local drives, browsers, or communication tools (email, audio, video). Techniques like keylogging or screenshot capture help adversaries gather sensitive information.
12. Exfiltration
Exfiltration techniques involve removing stolen data from the victim's network. Data is typically transferred over the command and control channel or an alternate channel, and is often compressed or encrypted before transfer to avoid detection or to stay within size limits.
13. Impact
Impact techniques are used to disrupt availability or compromise the integrity of systems by manipulating business and operational processes. Adversaries may destroy or tamper with data, or alter systems in a way that serves their goals. Impact techniques can also be used to cover other actions, such as a breach of confidentiality.