What is MITRE ATT&CK?

MITRE ATT&CK meaning

The MITRE ATT&CK framework is defined as MITRE Adversarial Tactics, Techniques, and Common Knowledge. The ATT&CK framework acts as a library of guidance and public resource that organizations use to better understand how the most effective and prolific attack groups infiltrate networks with malware, zero-day exploits, and other malicious cyberthreats.

Within the framework, the MITRE ATT&CK matrices house actionable cyber threat intelligence (CTI) data that covers specifics on adversary group activity, such as tactics, techniques, procedures (TTPs) and sub techniques used to breach modern day organizations. The matrices provide a common language for IT experts and end users across the private sector, government, and cybersecurity verticals who discuss the prevention, analysis, and mitigation of cybercrime involving real-world attacker behavior.

What are MITRE ATT&CK tactics and techniques?

MITRE ATT&CK Tactics are interpreted as the “why” or motive behind adversary techniques and sub-techniques. Tactics are an important classification to describe the threat actor's intent as they move through your security defense layers to accomplish smaller objectives, such as infecting from account to account through Lateral Movement, Privilege Escalation, masquerading malware as legitimate software, and capturing user credentials.

MITRE ATT&CK Techniques provide deep context to describe “how” a threat actor achieves their tactical objective within an organization’s cybersecurity infrastructure. Techniques are critically important because they provide the technical detail illustrating ways attackers carryout tactics. Understanding and identifying MITRE ATT&CK Techniques helps organizations map proactive prevention and remediation plans to arm their security teams (as well as SOC and SIEM) with actionable threat intelligence that relates to their company’s environment. Distinguishing the attacker techniques that repeatedly target a business’s defense layers adds improved visibility which allows teams to focus on bolstering detection quality and better respond to attacks of similar nature.

ATT&CK Tactics and Techniques can be used to address the gaps in your organization’s security posture. Through observing known adversary tactics and techniques, teams can enhance their cybersecurity protection against specific adversary groups they face within their own landscapes and improve areas in their threat hunting, detection, and response.

MITRE ATT&CK and Cyber Kill Chain

What is the Cyber Kill Chain?

The Lockheed Martin Cyber Kill Chain is a similar tool used to understand the behavior of adversarial preparation, initiation, and execution of a campaign. As a trusted cybersecurity model, the Cyber Kill Chain outlines stages in a cyberattack through sequences of events. The model originated from a military framework. The Cyber Kill Chain was developed to analyze cyberattacks, dissecting an attack into seven steps to help educate teams on the structure of how attack campaigns work.

The Cyber Kill Chain 7 steps include vectors triggered in an attack:

1. 1. Reconnaissance – The bad actor gathers information through email address harvesting, conference information, intruding firewalls and authentication mechanisms, etc
   2. Weaponization – The threat actor acts on the gathered information to find and target points of weakness, coupling exploit with backdoor into deliverable payload
   3. Delivery – The threat actor is attempting intrusion and tries to gain access into layers of the security perimeter through spear phishing, supply chain breaching, etc
   4. Exploitation – The adversary seeks vulnerabilities to exploit through dynamic data exchange, PowerSHell, .Net, C# scripts, etc
   5. Installation – The attacker achieves privilege escalation and tries to gain further privilege to steal sensitive data and valuable assets through shared webroot, internal spear phishing, access token manipulation, etc
   6. Command and control – The attacker leverages control over assets and the systems they infect to create a demand control channel, operating his attack remotely
   7. Actions on objectives – The bad actor achieves the major objective by bringing all the malicious activities together to help accomplish the goal over a length of time

Which is better? The Cyber Kill Chain vs MITRE ATT&CK 

The main difference between the Cyber Kill Chain and MITRE ATT&CK is that the Cyber Kill Chain is sequential and provides foundational knowhow on adversary attack structure, while the MITRE ATT&CK Framework is a public library that is regularly updated with greater in-depth details on the attacker’s behavioral techniques and tactics as they move through the attack chain. The MITRE ATT&CK framework provides actionable threat intelligence data which means security analysts can use this information as a direct guide for handling cyberattacks based on real-life breaches.

MITRE ATT&CK Evaluation for Endpoint Detection and Response (EDR)

The MITRE ATT&CK Evaluation is the industry standard for testing and assessing EDR tools in cybersecurity. Centered on the MITRE ATT&CK framework, it measures the levels of visibility, protection, and analytic coverage of EDR vendors. There is no score or ranking in the MITRE ATT&CK Evaluation, but the terminology and structure of ATT&CK demonstrate how EDR providers handle threat detection on a granular level. The MITRE Evaluation's greatest advantage is its scope to assess for high-quality alerts and help businesses select an endpoint detection and response solution tailored to their environment and security needs.

How does MITRE Engenuity ATT&CK Evaluation work?

The MITRE ATT&CK Evaluation simulates the most dangerous and prolific cyber-attack groups by emulating the specific tactics and techniques these threat actors use to permeate networks in real-world attacks. The Evaluation focuses on the assessment of two main aspects in endpoint detection and response (EDR), detection and protection.

Detection Coverage

MITRE ATT&CK Engenuity Evaluation creates detection scenarios to determine EDR product efficacy that consist of a number of steps and sub-steps specific to the adversary groups that are being imitated. For each sub-step of an attack, the MITRE team reports the level of visibility for the participating EDR vendor solutions. The detection of techniques of a simulated attack are considered most valuable in assessing EDR tool visibility and analytic coverage of alerts.

Visibility explained

Visibility depicts alerts indicating the sub-steps in the environment were detected. Although rudimentary and lacking detail, these broad alerts are the first signs of detection that initiate the analytic investigation process to figure out where the threats occur, pinpoint what needs to be addressed, and prioritize which vulnerabilities to patch first.

Analytic coverage explained

Analytic coverage evaluates the EDR product’s ability to convert raw telemetry data into actionable threat detections. Analytic coverage is used to measure the detection quality of alerts that provide a level of detail to understand what is going on, where the threat is, and what your team needs to do to take the right action.

Detection quality is measured in the following categories:

• None - No detection was made or missed detection
• Telemetry - Raw detection data that is minimally processed and lacks context. Telemetry detection is difficult for IT personnel to interpret that may require further sleuthing to prioritize and plan a response
• General Detection - Broad, non-specific detection alerts that lack detail but indicate malicious activity was detected
• Tactic Detection – Broad alerts that describe tactic examples, such as credential access, lateral movement, communication with control server, but lack critical detail on the threat actor’s activity
• Technique Detection – The highest level of analytic capability and the highest precision alerts that provide the most valuable insight into how the threat actor is achieving goals. Technique detection coverage delivers actionable alert information

Technique detections empower security specialists to respond quickly and remediate threats with precision. High-quality alerts allow security analysts to confidently take action and accurately assess enriched events.

Protection Efficacy

While all EDR systems should be able to detect sophisticated attacks, not all EDR products can prevent them. It is important to note, the 2022 MITRE ATT&CK Protection Evaluation was optional this year.

The MITRE Protection evaluation measures what techniques vendor EDR tools were able to block and their efficacy when responding to simulated attacks. It gauges not only whether an EDR tool blocked an attack, but the tool’s prevention of adversary activity from continuing.

Advanced attack tactic prevention and real-time blocking is a delicate balance that requires effective real-time protection, while minimizing conflicts and the need for highly specialized configurations. The findings of detection coverage and protection efficacy reveal when and how each block happened in relation to ATT&CK techniques.