MITRE ATT&CK stands for MITRE Adversarial Tactics, Techniques, and Common Knowledge. The ATT&CK framework is a public knowledge base and library of guidance that organizations use to better understand how the most effective and prolific attack groups infiltrate networks with malware, zero-day exploits, and other malicious cyberthreats.
Within the framework, the MITRE ATT&CK matrices hold actionable cyber threat intelligence (CTI) data covering the specifics of adversary group activity, such as the tactics, techniques, and procedures (TTPs), along with sub-techniques, used to breach modern-day organizations. The matrices provide a common language for IT experts and end users across the private sector, government, and cybersecurity verticals when discussing the prevention, analysis, and mitigation of cybercrime involving real-world attacker behavior.
MITRE ATT&CK Tactics represent the “why”, or motive, behind adversary techniques and sub-techniques. Tactics are an important classification for describing a threat actor's intent as they move through your security defense layers to accomplish smaller objectives, such as moving from account to account through Lateral Movement, Privilege Escalation, masquerading malware as legitimate software, and capturing user credentials.
MITRE ATT&CK Techniques provide deep context describing “how” a threat actor achieves their tactical objective within an organization’s cybersecurity infrastructure. Techniques are critically important because they supply the technical detail illustrating the ways attackers carry out tactics. Understanding and identifying MITRE ATT&CK Techniques helps organizations map proactive prevention and remediation plans that arm their security teams (as well as the SOC and SIEM) with actionable threat intelligence relevant to their company’s environment. Identifying the attacker techniques that repeatedly target a business’s defense layers improves visibility, which allows teams to focus on bolstering detection quality and responding better to attacks of a similar nature.
ATT&CK Tactics and Techniques can be used to address gaps in your organization’s security posture. By observing known adversary tactics and techniques, teams can strengthen their cybersecurity protection against the specific adversary groups they face in their own environments and improve their threat hunting, detection, and response.
The Lockheed Martin Cyber Kill Chain is a similar tool used to understand how adversaries prepare, initiate, and execute a campaign. As a trusted cybersecurity model, the Cyber Kill Chain outlines the stages of a cyberattack as a sequence of events. The model originated from a military framework and was developed to analyze cyberattacks, dissecting an attack into seven steps to help educate teams on how attack campaigns are structured.
The seven steps of the Cyber Kill Chain cover the stages triggered in an attack:
The main difference between the Cyber Kill Chain and MITRE ATT&CK is that the Cyber Kill Chain is sequential and provides foundational know-how on the structure of an adversary's attack, while the MITRE ATT&CK framework is a public library that is regularly updated with greater in-depth detail on the attacker’s behavioral techniques and tactics as they move through the attack chain. The MITRE ATT&CK framework provides actionable threat intelligence data, which means security analysts can use this information as a direct guide for handling cyberattacks based on real-life breaches.
The MITRE ATT&CK Evaluation is the industry standard for testing and assessing EDR tools in cybersecurity. Centered on the MITRE ATT&CK framework, it measures the levels of visibility, protection, and analytic coverage of EDR vendors. There is no score or ranking in the MITRE ATT&CK Evaluation, but the terminology and structure of ATT&CK show how EDR providers handle threat detection at a granular level. The MITRE Evaluation's greatest advantage is its ability to assess alert quality and help businesses select an endpoint detection and response solution tailored to their environment and security needs.
The MITRE ATT&CK Evaluation simulates the most dangerous and prolific cyber-attack groups by emulating the specific tactics and techniques these threat actors use to penetrate networks in real-world attacks. The Evaluation focuses on assessing two main aspects of endpoint detection and response (EDR): detection and protection.
The MITRE Engenuity ATT&CK Evaluation creates detection scenarios to determine EDR product efficacy; each scenario consists of a number of steps and sub-steps specific to the adversary groups being imitated. For each sub-step of an attack, the MITRE team reports the level of visibility for each participating EDR vendor solution. Technique-level detections of the simulated attack are considered the most valuable measure of an EDR tool's visibility and analytic coverage of alerts.
Visibility reflects alerts indicating that the sub-steps were detected in the environment. Although rudimentary and lacking detail, these broad alerts are the first signs of detection that initiate the analytic investigation process to figure out where the threats occurred, pinpoint what needs to be addressed, and prioritize which vulnerabilities to patch first.
Analytic coverage evaluates the EDR product’s ability to convert raw telemetry data into actionable threat detections. It measures the detection quality of alerts that provide enough detail to understand what is going on, where the threat is, and what your team needs to do to take the right action.
Detection quality is measured in the following categories:
Technique detections empower security specialists to respond quickly and remediate threats with precision. High-quality alerts allow security analysts to confidently take action and accurately assess enriched events.
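To make the distinction between visibility, analytic coverage, and technique-level detection concrete, here is an added example (not code from Malwarebytes or MITRE Engenuity) that ranks each emulated sub-step by the best detection the EDR produced for it and then rolls the result up per ATT&CK tactic. The four detection levels, the technique-to-tactic map, and the sample sub-steps are all constructed for this illustration; the technique IDs are real ATT&CK identifiers, but real techniques can belong to several tactics, which the toy map ignores.

```python
"""Rank emulated sub-steps by detection quality and compute ATT&CK coverage per tactic.

Added illustration only; not Malwarebytes or MITRE Engenuity code, and the
detection levels below are an assumed simplification, not the official category list.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional

# Ordered detection-quality levels, lowest to highest (assumed for this example).
LEVELS = ("none", "telemetry", "general", "technique")
RANK = {level: i for i, level in enumerate(LEVELS)}

# Constructed subset mapping a technique ID to one ATT&CK tactic.
TECHNIQUE_TACTIC = {
    "T1059": "Execution",             # Command and Scripting Interpreter
    "T1021": "Lateral Movement",      # Remote Services
    "T1548": "Privilege Escalation",  # Abuse Elevation Control Mechanism
    "T1036": "Defense Evasion",       # Masquerading
    "T1003": "Credential Access",     # OS Credential Dumping
}


@dataclass
class SubStep:
    """One emulated attacker action and what the EDR reported for it."""
    step_id: str
    expected_technique: str            # ground truth from the emulation plan
    telemetry_seen: bool               # a raw event (process, file, registry ...) was logged
    alert_technique: Optional[str]     # technique the product's analytic attributed, if any
    alert_note: str = ""               # free-text alert reason, empty if no analytic fired


def classify(sub: SubStep) -> str:
    """Return the best detection level for a sub-step on the LEVELS scale."""
    if sub.alert_technique == sub.expected_technique:
        return "technique"   # correct technique attribution: directly actionable
    if sub.alert_note:
        return "general"     # an analytic fired (even if misattributed) but without the right technique context
    if sub.telemetry_seen:
        return "telemetry"   # visible in raw data only; the analyst must dig
    return "none"


def coverage_by_tactic(sub_steps: List[SubStep]) -> dict:
    """Return {tactic: {"steps", "visible", "analytic", "technique"}} counts."""
    out = defaultdict(lambda: {"steps": 0, "visible": 0, "analytic": 0, "technique": 0})
    for sub in sub_steps:
        row = out[TECHNIQUE_TACTIC[sub.expected_technique]]
        level = RANK[classify(sub)]
        row["steps"] += 1
        row["visible"] += int(level >= RANK["telemetry"])   # visibility: anything above "none"
        row["analytic"] += int(level >= RANK["general"])    # analytic coverage: an alert with context
        row["technique"] += int(level >= RANK["technique"])  # highest-quality detection
    return dict(out)


def gaps(sub_steps: List[SubStep], minimum: str = "general") -> List[SubStep]:
    """List sub-steps whose best detection falls below `minimum`, worst first."""
    below = [s for s in sub_steps if RANK[classify(s)] < RANK[minimum]]
    return sorted(below, key=lambda s: RANK[classify(s)])


# Constructed sample of one emulated chain; not data from any real evaluation round.
SAMPLE = [
    SubStep("1.A.1", "T1059", True, "T1059", "encoded PowerShell command"),
    SubStep("2.A.1", "T1548", True, None, "suspicious elevation pattern"),
    SubStep("3.A.1", "T1036", True, None, ""),            # telemetry only
    SubStep("4.A.1", "T1003", False, None, ""),           # missed entirely
    SubStep("5.A.1", "T1021", True, "T1021", "remote service use from workstation"),
    SubStep("5.A.2", "T1021", True, "T1059", "script execution"),  # misattributed technique
]

if __name__ == "__main__":
    for tactic, row in coverage_by_tactic(SAMPLE).items():
        print(f"{tactic:20} {row}")
    for s in gaps(SAMPLE):
        print("gap:", s.step_id, s.expected_technique, classify(s))
```

The per-tactic table is the view a team would use to decide where to invest: a tactic with high "visible" but low "analytic" counts means the data is there but nobody is turning it into alerts, while a low "visible" count means a telemetry gap that no analytic can fix.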
While all EDR systems should be able to detect sophisticated attacks, not all EDR products can prevent them. Note that participation in the 2022 MITRE ATT&CK Protection Evaluation was optional.
The MITRE Protection Evaluation measures which techniques vendor EDR tools were able to block and how effectively they responded to simulated attacks. It gauges not only whether an EDR tool blocked an attack, but also whether the tool prevented the adversary activity from continuing.
Preventing advanced attack tactics through real-time blocking is a delicate balance: it requires effective real-time protection while minimizing conflicts and the need for highly specialized configurations. The findings on detection coverage and protection efficacy reveal when and how each block happened in relation to ATT&CK techniques.
The Malwarebytes 2022 MITRE ATT&CK Evaluation results for the Wizard Spider and Sandworm adversary emulations have been officially announced. We are proud to share Malwarebytes EDR's MITRE Engenuity test results, which are a direct result of a dedicated core EDR team.
MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a resource that provides insight into adversarial attacker behavior. Teams use the ATT&CK framework to address the techniques and tactics of the prolific threats they face within their company's environment.
MITRE techniques give context to an adversary's attack by describing a threat actor's activities in technical detail as they complete tactical objectives while moving through a network. MITRE ATT&CK Techniques help organizations map proactive prevention and remediation plans that arm their security teams (as well as the SOC and SIEM) with actionable threat intelligence relevant to their company’s environment.
MITRE PRE-ATT&CK focuses on an adversary’s preparatory actions. PRE-ATT&CK arms organizations with the knowledge to identify indicators of attack (IOAs) so that companies can develop methods to stop adversarial preparation activities before an attack is launched.