What is MITRE ATT&CK?
MITRE ATT&CK® is a knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community. ATT&CK provides a common taxonomy for both offense and defense, and has become a useful conceptual tool across many cybersecurity disciplines to convey threat intelligence, perform testing through red teaming or adversary emulation, and improve network and system defenses against intrusions.
Why did MITRE develop ATT&CK?
MITRE started ATT&CK in 2013 to systematically categorize adversary behavior as part of conducting structured adversary emulation exercises within MITRE’s FMX research environment. The objective of FMX was to investigate the use of endpoint telemetry data and analytics to improve post-compromise detection of adversaries operating within enterprise networks. ATT&CK was used as the basis for testing the efficacy of the sensors and analytics under FMX and served as the common language both offense and defense could use to improve over time.
What are the different MITRE ATT&CK domains?
MITRE ATT&CK is organized into different technology domains that represent different operational environments:
– Enterprise: Covers adversary behavior against traditional IT environments: Windows, macOS and Linux hosts, cloud services and identity providers, network devices and containers.
– Mobile: Focuses on threats targeting Android and iOS devices.
– ICS: Describes adversary behavior against Industrial Control Systems.
– PRE-ATT&CK, which once covered pre-compromise activity such as reconnaissance and infrastructure staging, was retired in October 2020. That content now lives in the Enterprise domain as the Reconnaissance and Resource Development tactics, so MITRE currently maintains the three domains above.
How are tactics, techniques, and sub-techniques structured in ATT&CK?
– Tactics: Represent the adversary’s tactical goal (the “why”) behind an action, such as Initial Access, Persistence or Exfiltration. Tactics carry TA-prefixed IDs (Initial Access is TA0001) and form the columns of the matrix.
– Techniques: Describe the specific action (the “how”) an adversary takes to achieve a tactical objective, and carry T-prefixed IDs: Phishing (T1566) under Initial Access, for example. A technique can sit under more than one tactic; Valid Accounts (T1078) appears under Initial Access, Persistence, Privilege Escalation and Defense Evasion because the same behavior serves each of those goals.
– Sub-techniques: Provide a more granular breakdown of a technique, identified by a dotted suffix on the parent ID. Spearphishing Attachment is not a technique of its own but sub-technique T1566.001 of Phishing.
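MITRE publishes each domain as a STIX 2 JSON bundle (the mitre/cti repository on GitHub), in which tactics are `x-mitre-tactic` objects and techniques and sub-techniques are `attack-pattern` objects linked to tactics through `kill_chain_phases`. The script below is an added example, not code from MITRE or from this page; it rebuilds the tactic → technique → sub-technique hierarchy from a constructed excerpt of that bundle. The field names follow the published bundles and the technique IDs, names and tactic assignments shown are real (the Valid Accounts entry lists only two of its four tactics), but the bundle id is made up and the revoked PowerShell entry is included only to show that revoked and deprecated objects must be skipped.

```python
"""Build the tactic -> technique -> sub-technique hierarchy from ATT&CK STIX data.

Added example, not part of the original page. SAMPLE_BUNDLE is a constructed
excerpt in the shape of MITRE's enterprise-attack.json STIX bundle.
"""

# Constructed sample bundle: real IDs and names, made-up bundle id, a subset of tactics.
SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "x-mitre-tactic", "name": "Initial Access", "x_mitre_shortname": "initial-access",
         "external_references": [{"source_name": "mitre-attack", "external_id": "TA0001"}]},
        {"type": "x-mitre-tactic", "name": "Persistence", "x_mitre_shortname": "persistence",
         "external_references": [{"source_name": "mitre-attack", "external_id": "TA0003"}]},
        {"type": "attack-pattern", "name": "Phishing", "x_mitre_is_subtechnique": False,
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "initial-access"}],
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1566"}]},
        {"type": "attack-pattern", "name": "Spearphishing Attachment", "x_mitre_is_subtechnique": True,
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "initial-access"}],
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1566.001"}]},
        {"type": "attack-pattern", "name": "Valid Accounts", "x_mitre_is_subtechnique": False,
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "initial-access"},
                               {"kill_chain_name": "mitre-attack", "phase_name": "persistence"}],
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1078"}]},
        # Revoked object (PowerShell was folded into T1059.001); it must not appear in the tree.
        {"type": "attack-pattern", "name": "PowerShell", "revoked": True, "x_mitre_is_subtechnique": False,
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "execution"}],
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1086"}]},
    ],
}


def attack_id(obj):
    """Return the ATT&CK ID (TA0001, T1566, T1566.001) from the object's mitre-attack reference."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref["external_id"]
    return None


def is_active(obj):
    """Revoked and deprecated objects stay in the bundle for history; skip them."""
    return not obj.get("revoked", False) and not obj.get("x_mitre_deprecated", False)


def build_hierarchy(bundle, kill_chain_name="mitre-attack"):
    """Return {tactic_shortname: {"id", "name", "techniques": {tid: {"name", "subtechniques": {sid: name}}}}}.

    kill_chain_name is "mitre-attack" for Enterprise; the Mobile and ICS bundles use their own names.
    """
    tactics = {}
    for obj in bundle["objects"]:
        if obj["type"] == "x-mitre-tactic" and is_active(obj):
            tactics[obj["x_mitre_shortname"]] = {"id": attack_id(obj), "name": obj["name"], "techniques": {}}

    patterns = [o for o in bundle["objects"] if o["type"] == "attack-pattern" and is_active(o)]

    def phases(obj):
        return [p["phase_name"] for p in obj.get("kill_chain_phases", []) if p["kill_chain_name"] == kill_chain_name]

    # Parent techniques first, one entry per tactic they belong to.
    for obj in patterns:
        if obj.get("x_mitre_is_subtechnique"):
            continue
        tid = attack_id(obj)
        for phase in phases(obj):
            if phase not in tactics:
                raise ValueError(f"{tid} references unknown tactic {phase}")
            tactics[phase]["techniques"][tid] = {"name": obj["name"], "subtechniques": {}}

    # Sub-techniques hang off the parent named by the ID prefix (T1566.001 -> T1566).
    for obj in patterns:
        if not obj.get("x_mitre_is_subtechnique"):
            continue
        sid = attack_id(obj)
        parent_id = sid.split(".")[0]
        for phase in phases(obj):
            parent = tactics.get(phase, {"techniques": {}})["techniques"].get(parent_id)
            if parent is None:
                raise ValueError(f"{sid} has no parent {parent_id} under tactic {phase}")
            parent["subtechniques"][sid] = obj["name"]
    return tactics


def render(tree):
    """Indented text listing: one line per tactic, technique and sub-technique."""
    lines = []
    for tactic in tree.values():
        lines.append(f"{tactic['id']} {tactic['name']}")
        for tid, tech in sorted(tactic["techniques"].items()):
            lines.append(f"  {tid} {tech['name']}")
            for sid, sname in sorted(tech["subtechniques"].items()):
                lines.append(f"    {sid} {sname}")
    return lines


if __name__ == "__main__":
    print("\n".join(render(build_hierarchy(SAMPLE_BUNDLE))))
```

Running it against the full enterprise-attack.json instead of SAMPLE_BUNDLE (load it with `json.load` and pass the bundle) lists every tactic with its techniques; the same code works for the Mobile and ICS bundles once `kill_chain_name` is set to the value those bundles use.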
How can organizations use MITRE ATT&CK?
Organizations across various sectors use ATT&CK for:
– Threat modeling and analysis: Understanding potential threats and their tactics.
– Adversary emulation: Replicating real-world adversary behaviors to test defenses.
– Red teaming: Running objective-driven attack simulations against the live organization to test people, process and technology, with ATT&CK used to plan which techniques to exercise and to report what was and was not detected.
– Defensive gap assessment: Finding and prioritizing security control gaps.
– Security Operations Center (SOC) maturity assessment: Evaluating and improving SOC effectiveness.
– Cyber threat intelligence enrichment: Enhancing threat intelligence with context.
How does MITRE ATT&CK help with failure scenario development in ICS environments?
ATT&CK for ICS aids in failure scenario development by:
– Mapping adversary techniques to potential ICS impacts: Helping understand how cyberattacks could lead to physical process disruptions.
– Creating realistic attack scenarios: Using real-world adversary behaviors to create plausible attack simulations.
– Facilitating communication: Providing a common language for cybersecurity and ICS operations teams to collaborate on threat analysis.
What is the core philosophy behind MITRE ATT&CK’s development?
The framework is built on these key principles:
– Adversary-centric: It describes how attackers actually operate, so defenders can build detections and controls around observed behavior rather than around hypothetical weaknesses.
– Empirically driven: The framework relies on real-world adversary behaviors documented in publicly available threat reporting; techniques are added when there is evidence of use, not because they are possible in theory.
– Tool-agnostic: Although the knowledge base is organized by technology domain and platform, its techniques describe what the adversary does, not which malware or tool does it, so a detection written against the behavior keeps working when the tooling changes.
Why is it difficult to achieve 100% coverage of ATT&CK techniques?
Achieving full ATT&CK technique coverage is challenging because:
– Constantly evolving threat landscape: New adversary techniques and variations emerge regularly, making it difficult to maintain comprehensive coverage.
– Resource limitations: Implementing detections and mitigations for every technique can be resource-intensive.
– Operational constraints: Certain security controls may not be feasible in all environments.
Instead of aiming for 100% coverage, organizations should prioritize based on their unique threat model, risk tolerance, and operational context: start from the techniques reported for the adversary groups most relevant to the organization, check which of those have telemetry and a mapped detection, and close the highest-prevalence gaps first.
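The prioritization described above can be made concrete with a small script. The following is an added example, not code from the page or from MITRE: it takes a constructed threat model (placeholder group names with the techniques attributed to them; the technique IDs are real Enterprise IDs but the attributions are made up for illustration), a constructed inventory of detection rules mapped to techniques, and returns the uncovered techniques ranked by how many relevant groups use them, plus an ATT&CK Navigator layer for viewing the result on the matrix. Two assumptions are baked in and marked in comments: a rule mapped to a sub-technique also counts as coverage of its parent technique (not the reverse), and the layer fields follow the Navigator layer format version 4.5 as the author understands it; check the `versions` values against the Navigator release you use.

```python
"""Prioritise ATT&CK detection gaps against an organisation's own threat model.

Added example, not part of the original page. Group names, rule names and the
technique-to-group attributions are constructed; the technique IDs are real.
"""
import json
from collections import Counter

# Constructed threat model: placeholder groups -> techniques reported for them.
THREAT_MODEL = {
    "group-a": {"T1566.001", "T1059.001", "T1078", "T1003.001", "T1021.001", "T1486"},
    "group-b": {"T1566.001", "T1059.001", "T1053.005", "T1105", "T1003.001"},
    "group-c": {"T1078", "T1047", "T1567.002", "T1021.001", "T1059.001"},
}

# Constructed detection inventory: rule name -> ATT&CK technique IDs it is mapped to.
DETECTIONS = {
    "PowerShell encoded command": {"T1059.001"},
    "Phishing attachment with macro": {"T1566.001"},
    "New scheduled task from non-admin": {"T1053.005"},
    "Anomalous logon from new geography": {"T1078"},
}


def technique_prevalence(threat_model):
    """Number of relevant groups using each technique; this is the priority score."""
    counts = Counter()
    for techniques in threat_model.values():
        counts.update(techniques)
    return counts


def covered_techniques(detections):
    """Techniques with at least one mapped rule.

    Assumption: a rule mapped to a sub-technique (T1059.001) also counts for its
    parent (T1059). A rule mapped only to a parent is NOT assumed to cover every
    sub-technique, since parent-level rules are usually written for one variant.
    """
    covered = set()
    for techniques in detections.values():
        for tid in techniques:
            covered.add(tid)
            if "." in tid:
                covered.add(tid.split(".")[0])
    return covered


def prioritized_gaps(threat_model, detections):
    """[(technique_id, prevalence), ...] for uncovered techniques, highest prevalence first."""
    prevalence = technique_prevalence(threat_model)
    covered = covered_techniques(detections)
    gaps = [(tid, n) for tid, n in prevalence.items() if tid not in covered]
    return sorted(gaps, key=lambda item: (-item[1], item[0]))


def coverage_ratio(threat_model, detections):
    """Fraction (0.0 to 1.0) of threat-model techniques that have a mapped rule."""
    prevalence = technique_prevalence(threat_model)
    covered = covered_techniques(detections)
    return sum(1 for tid in prevalence if tid in covered) / len(prevalence)


def navigator_layer(threat_model, detections, name="Detection gaps vs threat model"):
    """ATT&CK Navigator layer: score = prevalence, red = gap, green = covered.

    Assumption: field names follow the Navigator layer format v4.5; adjust the
    "versions" block to match the ATT&CK and Navigator releases in use.
    """
    prevalence = technique_prevalence(threat_model)
    covered = covered_techniques(detections)
    entries = []
    for tid in sorted(prevalence):
        is_gap = tid not in covered
        entries.append({
            "techniqueID": tid,
            "score": prevalence[tid],
            "color": "#ff6666" if is_gap else "#8ec843",
            "comment": "no mapped detection" if is_gap else "covered",
            "enabled": True,
        })
    return {
        "name": name,
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": "Constructed example; score is the number of relevant groups using the technique.",
        "techniques": entries,
    }


if __name__ == "__main__":
    print(f"coverage of threat model: {coverage_ratio(THREAT_MODEL, DETECTIONS):.0%}")
    for tid, n in prioritized_gaps(THREAT_MODEL, DETECTIONS):
        print(f"GAP {tid}  used by {n} relevant group(s)")
    with open("gaps-layer.json", "w") as fh:
        json.dump(navigator_layer(THREAT_MODEL, DETECTIONS), fh, indent=2)
```

With the constructed data, four of the ten threat-model techniques are covered (40%), and the first gaps to close are the two techniques used by two groups each (T1003.001 and T1021.001), ahead of the six used by a single group; a technique that appears in ten detections but in no relevant group's reporting never enters the list, which is the point of scoring against the threat model rather than against the whole matrix. Replacing the constructed dictionaries with technique sets pulled from your CTI platform and rule mappings from your SIEM turns this into a repeatable gap report; the saved `gaps-layer.json` can be opened in ATT&CK Navigator.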
What industries, sectors, or domains does ATT&CK cover?
ATT&CK is organized into a series of “technology domains”—the ecosystem an adversary operates within that provides a set of constraints the adversary must circumvent or take advantage of to accomplish a set of objectives. To date, MITRE has defined three technology domains: Enterprise (representing traditional enterprise networks and cloud technologies), Mobile (for mobile communication devices), and ICS (for industrial control systems).
How is MITRE ATT&CK for ICS different than MITRE ATT&CK for Enterprise?
MITRE ATT&CK for ICS and MITRE ATT&CK for Enterprise are distinct but related knowledge bases that provide a common language for understanding and categorizing adversary behavior in different technology domains. While they share a common structure and methodology, they differ in their focus, scope, and the specific tactics and techniques they encompass.
Focus and Scope:
– MITRE ATT&CK for Enterprise primarily focuses on adversary behavior targeting traditional enterprise IT networks and cloud environments.
– MITRE ATT&CK for ICS specifically addresses adversary behavior in the ICS technology domain, which encompasses the systems and functions associated with industrial control systems. This domain is typically associated with levels 0-2 of the Purdue architecture, which defines a hierarchical model for industrial control systems.
Tactics and Techniques:
– Shared Tactics: Both knowledge bases share some common tactics, such as Collection, which generally refers to the adversary’s goal of gathering information. However, the specific context and objectives may differ between the domains. For example, Collection in the Enterprise knowledge base often implies data theft, while in ICS, it often pertains to gaining domain knowledge to disrupt or manipulate industrial processes.
– Unique Tactics: ATT&CK for ICS introduces two unique tactics not found in the Enterprise knowledge base:
– Inhibit Response Function: This tactic describes an adversary’s objective to prevent safety and protection mechanisms from mitigating or remediating incidents within ICS environments.
– Impair Process Control: This tactic refers to an adversary’s goal of disrupting or manipulating the control processes within ICS environments.
– Technique Abstraction: While Enterprise techniques often focus on general adversary actions applicable across various platforms, ICS techniques tend to be more specific to asset categories and functional levels within industrial control systems. This specificity stems from the diversity of vendor software and products in the ICS domain.
Impact on ICS:
– A key distinction of ATT&CK for ICS is its emphasis on the impact of adversary actions on industrial control systems. Techniques in this knowledge base describe actions that directly or indirectly affect the essential functions of ICS, including safety, availability, control, and automation.
In summary, while both MITRE ATT&CK for ICS and Enterprise provide valuable insights into adversary behavior, they address distinct technology domains. Understanding their differences is crucial for organizations to effectively leverage these resources for threat modeling, security assessments, and incident response.