The MITRE ATT&CK framework is a publicly available knowledge base of observed adversary behaviors categorized into specific tactics and techniques across an adversary’s attack lifecycle. MITRE ATT&CK provides a taxonomy or vocabulary when discussing cybersecurity incidents or threats. Most importantly, it is an evolving knowledge base that gathers the latest intelligence from the community and updates its models over time.
MITRE ATT&CK (MITRE Adversarial Tactics, Techniques and Common Knowledge)
The MITRE ATT&CK framework was released by the MITRE Corporation in 2015, born of insights from an internal research project (notably Blake Strom’s red team) known as the Fort Meade eXperiment (FMX).
The MITRE Corporation was founded in 1958, an off-shoot of the MIT Lincoln Laboratory. MITRE is a non-profit and oversees federally funded research and development centers (FFRDCs, such as Fermilab) on behalf of various US Government agencies, including DoD and Homeland Security.
The MITRE ATT&CK framework consists of Tactics and Techniques across the lifecycle of an attack.
Tactics: The different tactics used by an adversary during an attack can be thought of as a sequence of events, almost like a movie. Each tactic represents a goal that the adversary is trying to achieve, and leads to the next goal in the sequence.
Techniques: Techniques refer to the specific tools, processes and steps that the adversary takes to achieve a specific tactic.
The “Persistence” tactic pertains to the adversary’s objective to maintain system access during restarts, changed credentials and other interruptions. MITRE ATT&CK identifies 19 different techniques used to accomplish this purpose — from Account Manipulation (such as modifying account credentials or permission groups, performing iterative password updates to bypass password duration policies, etc.) to Shortcut Modification (create or edit shortcuts during system boot or user login to reference other programs that will be opened or executed). These are techniques that maintain connectivity in the system.
MITRE ATT&CK Tactics
There are 14 Tactics in the Enterprise framework:
- Reconnaissance: Attempt to gather information for an attack.
- Resource Development: Attempt to create, steal, purchase or otherwise access resources such as infrastructure, accounts, capabilities, etc. that can be used during the attack.
- Initial Access: Gain a foothold in the network through various means such as spearphishing, exploiting public-facing applications, etc.
- Execution: Running adversary-controlled code or modifications to operations.
- Persistence: The ability to maintain a foothold in the environment through various changes, reboots, etc.
- Privilege Escalation: Gaining higher levels of permission through vulnerabilities, misconfigurations, etc.
- Evasion: Avoid defenses through disabling security software, masquerading malware as approved operations, etc.
- Credential Access: Stealing account names and passwords through credential dumping or keylogging, etc.
- Discovery: Gaining knowledge of the system that the adversary intends to compromise.
- Lateral Movement: Move through a remote network once having gained access through legitimate credentials or remote access tools (RATs), etc.
- Collection: Gather information from the systems that is either sensitive in itself or provides further information about the defender’s environment.
- Command & Control: The ability to communicate with devices on the network to control their operation.
- Exfiltration: Stealing the data that has been collected by packaging it and transferring it to adversary-controlled networks or devices.
- Impact: Disrupt availability or compromise integrity of the network and systems themselves such as tampering or destroying data.
MITRE ATT&CK Techniques
In each of these 14 tactics, MITRE describes the various techniques that adversaries can use to achieve the tactical objective. In total, ATT&CK for Enterprise contains 188 different techniques, which are not all unique to one tactic. Within each of these techniques, MITRE also provides a robust set of detailed information. For instance, for the technique External Remote Services found within the Initial Access tactic, MITRE provides a drill-down option to learn more about:
- Variety of threats
- Groups known to exhibit specific behaviors
- Detection hints
- References to other information sources
- Related mitigations
As you can see from the list of tactics, there is a logical sequence to these tactics. However, these do not necessarily happen in order, nor does each attack have to use each of these techniques.
How to use the MITRE ATT&CK® Framework in Industrial Organizations
The MITRE ATT&CK® framework has rightfully gained widespread awareness and attention within cybersecurity teams around the world. Its structuring of adversary behaviors into different steps based on real-world observations is a significant step forward for defenders of the world’s systems.
However, organizations are also familiar with or leveraging other frameworks such as those from NIST (CSF, 800, etc.), the Cyber Kill Chain introduced by Lockheed Martin or, in industrial organizations, IEC/ISA 62443.
Questions often arise about what exactly MITRE ATT&CK is, how to best use it, what is the difference between the “MITRE ATT&CK Enterprise” framework and the “MITRE ATT&CK ICS” framework and how it relates to other frameworks an organization is using.
Cyber kill chain vs MITRE ATT&CK
One question that often arises when an organization looks at MITRE ATT&CK is how it compares to the “Cyber Kill Chain” introduced by Lockheed Martin. The “Kill Chain” is taken from the military environment that described the structure of an attack including the identification of the target, moving assets to the target, beginning the attack and completion or destruction of the target. Lockheed adapted this concept to the cyber world, introducing the “cyber” kill chain.
As you can see, the two frameworks have similarities in that they both have steps in an attack and even use some of the same terms such as reconnaissance.
But there are two differences between MITRE ATT&CK and the Cyber Kill Chain. First, the latter is designed to help defenders “break” the chain. If the chain is broken, the attack is defended at that point. So it is a true sequence, whereas MITRE ATT&CK is a series of tactics that may or may not occur in order, and an attack may stop at any point yet still achieve its objective. Second, MITRE ATT&CK is at a much more detailed level of granularity provided by the techniques. As MITRE says in its FAQ:
“ATT&CK and the Cyber Kill Chain are complementary. ATT&CK sits at a lower level of definition to describe adversary behavior than the Cyber Kill Chain. ATT&CK Tactics are unordered and may not all occur in a single intrusion because adversary tactical goals change throughout an operation, whereas the Cyber Kill Chain uses ordered phases to describe high-level adversary objectives.”
What are the use cases for the MITRE ATT&CK framework?
The MITRE ATT&CK framework is quite exhaustive and will be most useful to those knowledgeable and well-versed in cybersecurity.
Although many look at ATT&CK as a detection tool, in fact, it has a much broader set of use cases, and most are not about real-time monitoring and detection. There are eight broad use cases:
1. Adversary emulation scenario development
The framework, since it is based on real-world observations, allows an organization to develop potential scenarios of how attackers might attempt to compromise and impact their systems.
2. Gap assessment of current controls
By studying the scenarios, an organization can model how its current defenses would hold up against the techniques described in the adversary scenarios developed. Importantly, this is about much more than simply detection. It includes backup and restore, vulnerability and patch management, updated anti-malware tools, etc.
3. Red-team or table-top planning
The scenarios can assist red teams and teams creating table-top exercises to build real-world attack patterns for the defenders to evaluate against. This can also include evaluating the maturity of the organization’s SOC, that is, whether it can identify the techniques as they are used.
4. Threat detection and monitoring
Threat hunting and monitoring teams can use the framework to ensure that their telemetry and analysis can identify the various techniques and how they link together.
5. Incident response
By providing the real-world examples and data about tactics and techniques, MITRE enables incident response teams to logically work through potential techniques once an incident is reported. While adversaries may use new and unseen techniques, the baseline of those described in the framework can accelerate response and remediation.
6. Current security tool integrations
Defending against the range of techniques in the ATT&CK framework requires a range of tooling and telemetry. The key to effective defense, however, is integrating this defense information into a common database so that the organization can determine its protections across the range of tactics the adversary may pursue.
7. Threat intelligence enrichment
The depth of information provided by MITRE as part of the framework content can significantly aid threat intelligence teams by providing depth and context of how that intel may display in the real-world environment.
8. Improve communication
The framework provides a common taxonomy to defenders across an organization as well as a way to describe threats to other stakeholders. This common taxonomy is enabled by the widespread awareness of the framework.
MITRE ATT&CK for Industrial Control Systems (ICS)
MITRE ATT&CK now has three different iterations:
1. Enterprise
Discusses the elements that are present in traditional information technology (IT) attacks and scenarios. It is also broken down by operating system (e.g., Windows) and has a subsection devoted to cloud.
2. Industrial Control Systems (ICSs)
Discusses the elements that are present in Operational Technology (OT) attacks and scenarios. Unfortunately, it is separate from Enterprise’s ATT&CK framework, but because of the convergent nature of IT & OT, elements can and will overlap.
3. Mobile
Discusses the unique adversarial behavior found when attacking iOS, Android, etc.
What is the MITRE ATT&CK ICS framework? It is a knowledge base that describes the actions an adversary may use while operating in an industrial control system (ICS) environment. It focuses on post-compromise behaviors, specifically in environments where systems have an impact on the physical world and can risk health, safety, environmental impact, etc. It provides an overview of the tactics and techniques that are more likely to be present in OT/ICS environments and attempts to tailor cybersecurity to communities with very different priorities than the audience intended for the Enterprise ATT&CK matrix.
Why do we need another ICS framework?
Although ICS systems leverage many technologies common to the Enterprise such as Windows and Linux servers and workstations, they also include many unique devices not found at the Enterprise level. In addition, these systems control physical processes and therefore the impact an adversary may aspire to can have very different consequences than those envisioned in the ATT&CK for Enterprise framework.
Therefore, MITRE undertook to develop a specific framework for these environments. It is heavily focused on what is referred to as “Level 0-2 of the Purdue Model”. For those readers unfamiliar with the Purdue model, it basically describes system levels within ICS or “Operational Technology” environments. Levels 0-2 are those closest to the physical operating sensors, valves, etc. These devices often operate with proprietary, embedded firmware and conduct physical operations to open and close connections or increase temperature or pressure. As a result, the traditional Enterprise techniques did not encompass the type of adversary behavior for these environments.
MITRE ATT&CK ICS is intended to focus on the following types of systems:
- Basic Process Control Systems
- Process Control
- Operator Interface & Monitoring
- Real-Time & Historical Data
- Safety Instrumented System(s) and Protection Systems
- Engineering and Maintenance Systems
What a close reader will notice is that the tactics are very similar to those found in Enterprise, which is a good thing as industrial organizations will need to use both frameworks to cover their entire environment. In ICS, MITRE excludes the two “Pre-ATT&CK” elements of Reconnaissance and Resource Development as they are covered in Pre-ATT&CK. In addition, the framework for ICS excludes two tactics from Enterprise and adds two additional ones:
- Removes the Credential Access and the Exfiltration tactics
- Adds Inhibit Response Function and Impair Process Control tactics
The result is 11 Tactics in MITRE ATT&CK for ICS.
Although MITRE ATT&CK for ICS appears relatively similar at the tactic level, the difference in the techniques is significant. The techniques, even for those tactics that also appear in the Enterprise framework, focus specifically on how an adversary would seek to impact an operating environment. Certainly adding the impairment and inhibiting of process control tactics is an important addition, but the shift in the techniques is where the “action” is. For instance, in the Execution tactic, the ICS framework includes items such as:
- Change operating mode which refers to controllers where the adversary can change it from “run” mode to “program” mode, for instance, which can allow the adversary to make unauthorized changes to the settings, programs, etc.
- Modify controller tasking which refers to changing the settings and commands on a controller intended to adjust the physical process in some way.
And while adding items like the above, the framework for ICS excludes Execution techniques found in Enterprise, such as:
- Windows Management Instrumentation in which an adversary can use the WMI to execute malicious commands.
- Software deployment tools in which an adversary may use tools already in the environment to take advantage of them to make changes in the environment.
But many techniques remain with slight adjustments, such as the Scripting technique found in the Execution tactic, where the scripts in focus in ICS may be different from the Apple scripts, etc. found in the Enterprise.
There are several other differences in the ICS framework from the Enterprise:
- The database used to develop the techniques is beyond publicly available incidents because there is just not the same richness of data for ICS attacks, so MITRE also uses academic research and potential attack vectors from the community.
- In the detailed information, it provides the levels within the Purdue model as organizational units, as well as types of assets, to help users understand which techniques are applicable to which asset types.
The use cases intended by MITRE include all the ones listed above for the Enterprise framework. In addition, however, there are two additional use cases as described in MITRE’s Philosophy Paper on the ICS framework:
- Development of Failure Scenarios. It can be used to help organizations supplement limited incident data with scenarios based on non-adversary-induced incidents. In other words, use operational disruption scenarios that are not caused by a cyber attacker as a way to model what an adversary might do to replicate those scenarios.
- Educational resources to help bridge the knowledge gap between cybersecurity teams and OT/ICS engineers providing a common language and framework for discussing potential scenarios.
MITRE ATT&CK as a way to understand defensive posture
One of the most compelling use cases for MITRE ATT&CK is using it to evaluate an organization’s current defenses against real-world adversaries. We have worked with industrial organizations to develop robust scenarios of attacks on their systems to evaluate how their current defenses would react in such a scenario. MITRE recognizes the advantages of a suite of defenses to stop an attack. The tactics and techniques highlight the adversary perspective that allows the defender to determine which layer of defenses will be most effective. It also recognizes there is no “one way” that a tactic can be achieved. So effective security requires a defense in depth or similar mindset.
By evaluating current tools, procedures and policies against scenarios, organizations quickly see how critical it is to have comprehensive visibility of those defenses in one place. Perhaps the biggest challenge to today’s cybersecurity is the range of tools and organizational silos or “towers” that stand in the way of comprehensive security. The ATT&CK framework and the scenarios it enables highlight the gaps where defenses can fall between the cracks of these tools and groups if there isn’t a common view in a single database.
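The gap assessment described under use case 2 and in this section can be sketched as a small coverage check. This is an added example, not MITRE's or the author's code: the scenario, the control inventory, and the "uncovered / single-layer / layered" rating are constructed assumptions, and the technique IDs are the public ATT&CK for Enterprise identifiers for the named techniques.

```python
from collections import defaultdict

# Constructed emulation scenario. Technique names follow the article where it
# names them; IDs are the public ATT&CK for Enterprise identifiers.
SCENARIO = [
    ("Initial Access", "T1133", "External Remote Services"),
    ("Execution", "T1047", "Windows Management Instrumentation"),
    ("Persistence", "T1098", "Account Manipulation"),
    ("Execution", "T1072", "Software Deployment Tools"),
    ("Impact", "T1485", "Data Destruction"),
]

# Constructed control inventory, merged from separate tool/team silos.
CONTROLS = [
    {"tool": "VPN MFA", "team": "network", "technique": "T1133", "function": "prevent"},
    {"tool": "SIEM login rules", "team": "SOC", "technique": "T1133", "function": "detect"},
    {"tool": "EDR", "team": "SOC", "technique": "T1047", "function": "detect"},
    {"tool": "Offline backups", "team": "IT ops", "technique": "T1485", "function": "recover"},
]

def assess(scenario, controls):
    """Rate each scenario step by how many kinds of defense cover it."""
    by_technique = defaultdict(lambda: defaultdict(list))
    for c in controls:
        by_technique[c["technique"]][c["function"]].append(c["tool"])
    report = []
    for tactic, tid, name in scenario:
        layers = {fn: sorted(tools) for fn, tools in by_technique[tid].items()}
        if not layers:
            status = "uncovered"       # no tool in any silo addresses this step
        elif len(layers) == 1:
            status = "single-layer"    # e.g. detection only, or recovery only
        else:
            status = "layered"         # defense in depth for this step
        report.append({"tactic": tactic, "id": tid, "name": name,
                       "layers": layers, "status": status})
    return report

def gaps_by_tactic(report):
    """Group steps lacking defense in depth under the tactic they serve."""
    gaps = defaultdict(list)
    for step in report:
        if step["status"] != "layered":
            gaps[step["tactic"]].append((step["id"], step["status"]))
    return dict(gaps)

if __name__ == "__main__":
    for tactic, steps in gaps_by_tactic(assess(SCENARIO, CONTROLS)).items():
        print(tactic, steps)
```

Counting prevent, detect and recover controls separately reflects the point that coverage is about more than detection: the Impact step here is covered only by backups, which the report flags as a single layer.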