What is the MITRE ATT&CK Framework?
Introduction to MITRE ATT&CK
The MITRE ATT&CK™ framework is a comprehensive matrix of tactics and techniques designed for threat hunters, defenders and red teams to help classify attacks, identify attack attribution and objective, and assess an organization's risk. Organizations can use the framework to identify security gaps and prioritize mitigations based on risk.
About the MITRE ATT&CK Evaluations
MITRE’s approach is focused on articulating how detections occur rather than assigning scores to vendor capabilities. MITRE categorizes each detection it captures, and detections are then organized by technique. A technique may have more than one detection when a capability detects it in different ways, and every detection MITRE observes is included in the results. While MITRE makes every effort to capture different detections, vendor capabilities may be able to detect procedures in ways that MITRE did not capture.
For a detection to be included for a given technique, it must apply to that technique specifically. For example, just because a detection applies to one technique in a step or sub-step, that does not mean it applies to all techniques of that step. For proof of detection in each category, MITRE requires that the proof be provided to them, but they may not include all detection details in public results, particularly when those details are sensitive.
To determine the appropriate category for a detection, MITRE reviews the screenshot(s) provided, notes taken during the evaluation, results of follow-up questions to the vendor, and vendor feedback on draft results.
They also independently test procedures in a separate lab environment as well as review open-source tool detections and forensic artifacts. This testing informs what is considered to be a detection for each technique. After performing detection categorizations, MITRE calibrates the categories across all vendors to look for discrepancies and ensure categories are applied consistently.
2022 MITRE Engenuity ATT&CK Evaluations
MITRE ATT&CK Update, October 2021
| Version | Start Date | End Date | Data |
| ATT&CK v10 | October 21, 2021 | This is the current version of ATT&CK | v10.0 on MITRE/CTI |
The October 2021 (v10) ATT&CK release updates Techniques, Groups, and Software for Enterprise, Mobile, and ICS. The biggest change is the addition of a new set of Data Source and Data Component objects in Enterprise ATT&CK, complementing the ATT&CK Data Source name changes released in ATT&CK v9. An accompanying blog post describes these changes as well as improvements across ATT&CK's various domains and platforms.
This version of ATT&CK for Enterprise contains 14 Tactics, 188 Techniques, 379 Sub-techniques, 129 Groups, and 638 Pieces of Software.
MITRE ATT&CK for Enterprise, 2020
What Is ATT&CK?
ATT&CK is a knowledge base of cyber adversary behavior and a taxonomy for adversarial actions across the adversary lifecycle. ATT&CK has two parts: ATT&CK for Enterprise, which covers behavior against enterprise IT networks and cloud, and ATT&CK for Mobile, which focuses on behavior against mobile devices. ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge.
Why Did MITRE Develop ATT&CK?
MITRE started ATT&CK in 2013 to document the TTPs that advanced persistent threats (APTs) use against enterprise networks. It was created out of a need to describe adversary TTPs that would be used by a MITRE research project called FMX. The objective of FMX was to investigate how endpoint telemetry data and analytics could help improve post-intrusion detection of attackers operating within enterprise networks. The ATT&CK framework was used as the basis for testing the efficacy of the sensors and analytics under FMX and served as the common language both offense and defense could use to improve over time.
MITRE ATT&CK now has three iterations:
- ATT&CK for Enterprise: Focuses on adversarial behavior in Windows, Mac, Linux, and Cloud environments.
- ATT&CK for Mobile: Focuses on adversarial behavior on iOS and Android operating systems.
- Pre-ATT&CK™: Focuses on "pre-exploit" adversarial behavior. Pre-ATT&CK is included as part of the ATT&CK for Enterprise matrix.
What Are MITRE Techniques and How Many Are There?
Techniques represent “how” an adversary achieves a tactical goal by performing an action. For example, an adversary may dump credentials to achieve credential access. The MITRE ATT&CK matrix contains a set of techniques used by adversaries to accomplish a specific objective. Those objectives are categorized as tactics in the ATT&CK Matrix. The Enterprise ATT&CK matrix is a superset of the Windows, macOS, and Linux matrices. In 2020, there are 245 techniques in the Enterprise model, and MITRE regularly updates it with techniques discovered in the wild by cybersecurity researchers and hackers alike.
What Are Sub-Techniques?
Sub-techniques are a more specific description of the adversarial behavior used to achieve a goal. They describe behavior at a lower level than a technique. For example, an adversary may dump credentials by accessing the Local Security Authority (LSA) Secrets.
What Are MITRE Tactics?
Tactics represent the “why” of an ATT&CK technique or sub-technique. Adversarial tactics represent the attacker's goal or the reason for performing an action. For example, an adversary may want to achieve credential access.
Tactics Include the Following:
| Tactic | The attacker is trying to: |
| Reconnaissance | Gather information they can use to plan future operations |
| Resource Development | Establish resources they can use to support operations |
| Initial Access | Get into your network |
| Execution | Run malicious code |
| Persistence | Maintain their foothold |
| Privilege Escalation | Gain higher-level permissions |
| Defense Evasion | Avoid being detected |
| Credential Access | Steal account names and passwords |
| Discovery | Figure out your environment |
| Lateral Movement | Move through your environment |
| Collection | Gather data of interest to their goal |
| Command and Control | Communicate with compromised systems to control them |
| Impact | Manipulate, interrupt, or destroy your systems and data |
What Are Procedures?
Procedures are the specific implementations an adversary uses for techniques or sub-techniques. For example, a procedure could be an adversary using PowerShell to inject into lsass.exe to dump credentials by scraping LSASS memory on a victim. In the ATT&CK framework, procedures are recorded as observed in-the-wild uses of techniques in the "Procedure Examples" section of technique pages.
What Are the Differences Between Sub-techniques and Procedures?
Sub-techniques and procedures describe different things in ATT&CK. Sub-techniques are used to categorize behavior and procedures are used to describe in-the-wild use of techniques. Furthermore, since procedures are specific implementations of techniques and sub-techniques, they may include several additional behaviors in how they are performed. For example, an adversary using PowerShell to inject into lsass.exe to dump credentials by scraping LSASS memory on a victim is a procedure implementation containing several (sub)techniques covering PowerShell, Credential Dumping and Process Injection used against LSASS.
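As an added example (not part of this page, and not MITRE's own tooling), the following Python models the tactic, technique and sub-technique hierarchy from a small bundle written in the shape of the STIX JSON that MITRE/CTI publishes, resolves sub-techniques to their parent techniques, and reports per-tactic coverage gaps against a detection inventory for the PowerShell-into-LSASS procedure described above. The field names follow the MITRE/CTI object layout; the bundle contents (eight objects) and the detection list are constructed samples, not the real v10 release.

```python
import json
from collections import defaultdict

def attack_pattern(ext_id, name, tactics, revoked=False):
    """One STIX attack-pattern in the MITRE/CTI layout (constructed sample, not real release data)."""
    return {"type": "attack-pattern", "name": name, "revoked": revoked,
            "x_mitre_is_subtechnique": "." in ext_id,
            "external_references": [{"source_name": "mitre-attack", "external_id": ext_id}],
            "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": t} for t in tactics]}

# Constructed eight-object bundle in the enterprise-attack.json shape; the real v10 file is far larger.
BUNDLE = json.dumps({"type": "bundle", "objects": [
    attack_pattern("T1003", "OS Credential Dumping", ["credential-access"]),
    attack_pattern("T1003.001", "LSASS Memory", ["credential-access"]),
    attack_pattern("T1003.004", "LSA Secrets", ["credential-access"]),
    attack_pattern("T1055", "Process Injection", ["defense-evasion", "privilege-escalation"]),
    attack_pattern("T1059", "Command and Scripting Interpreter", ["execution"]),
    attack_pattern("T1059.001", "PowerShell", ["execution"]),
    attack_pattern("T1021", "Remote Services", ["lateral-movement"]),
    attack_pattern("T1086", "PowerShell", ["execution"], revoked=True),  # old ID, superseded by T1059.001
]})

def load_techniques(bundle_json):
    """Index live (not revoked or deprecated) attack-patterns by ATT&CK ID -> {name, tactics, parent}."""
    techs = {}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "attack-pattern" or obj.get("revoked") or obj.get("x_mitre_deprecated"):
            continue
        ext_id = next(r["external_id"] for r in obj["external_references"] if r["source_name"] == "mitre-attack")
        techs[ext_id] = {
            "name": obj["name"],
            "tactics": [p["phase_name"] for p in obj["kill_chain_phases"] if p["kill_chain_name"] == "mitre-attack"],
            "parent": ext_id.split(".")[0] if obj.get("x_mitre_is_subtechnique") else None}
    return techs

def techniques_by_tactic(techs):
    """Tactic -> sorted top-level technique IDs; sub-techniques roll up to their parent technique."""
    by_tactic = defaultdict(set)
    for ext_id, t in techs.items():
        for tactic in t["tactics"]:
            by_tactic[tactic].add(t["parent"] or ext_id)
    return {k: sorted(v) for k, v in by_tactic.items()}

def coverage_gaps(techs, detected_ids):
    """Per tactic, the top-level techniques with no detection at technique or sub-technique level."""
    covered = {techs[d]["parent"] or d for d in detected_ids if d in techs}
    gaps = {tactic: [i for i in ids if i not in covered] for tactic, ids in techniques_by_tactic(techs).items()}
    return {tactic: ids for tactic, ids in gaps.items() if ids}

DETECTED = {"T1059.001", "T1055", "T1003.001"}  # constructed inventory: the page's PowerShell-into-LSASS procedure
```

Sub-technique IDs take the form `<parent>.<nnn>`, which is why the parent can be recovered from the ID alone; the real bundle also carries explicit `subtechnique-of` relationship objects that a fuller loader would use.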
What Technologies Does ATT&CK Apply To?
Enterprise IT systems covering Windows, macOS, Linux, Network infrastructure devices (Network), and Container technologies (Containers); cloud systems covering Infrastructure-as-a-Service (IaaS), Software-as-a-Service (SaaS), Office 365, Azure Active Directory (Azure AD), and Google Workspace; mobile devices covering Android and iOS.
How Can I Use ATT&CK?
ATT&CK can be used in several ways to help security operations, threat intelligence, and security architecture. See the getting started page for resources on how to start using ATT&CK. Also check out the Resources section of the website and the blog for related projects and other material.
These evaluations provide assessments for participating vendors to identify areas for improvement, including updating prevention, detection, and response rules that inform cybersecurity policies. While this exercise does not provide overall comparison scores or ranking, it provides a vendor-agnostic summary of the various methodologies employed by security practitioners for identifying and preventing sophisticated attack campaigns.
Learn More About the MITRE ATT&CK Framework and Evaluations with our Cortex XDR Resources:
| MITRE Evaluation | Product Evaluated | Resource |
| MITRE APT 3 | Cortex XDR | |
| MITRE APT 29 | Cortex XDR | |
| MITRE Carbanak FIN 7 | Cortex XDR | |
| MITRE Wizard Spider & Sandworm | Cortex XDR | |
More About MITRE
About MITRE Engenuity
MITRE Engenuity ATT&CK Evaluations are paid for by vendors and are intended to help vendors and end-users better understand a product’s capabilities in relation to MITRE’s publicly accessible ATT&CK® framework. MITRE developed and maintains the ATT&CK knowledge base, which is based on real world reporting of adversary tactics and techniques. ATT&CK is freely available and is widely used by defenders in industry and government to find gaps in visibility, defensive tools, and processes as they evaluate and select options to improve their network defense. MITRE Engenuity makes the methodology and resulting data publicly available so other organizations may benefit and conduct their own analysis and interpretation. The evaluations do not provide rankings or endorsements.
The MITRE ATT&CK Framework and Cortex XDR
Cortex XDR helps stop modern attacks by applying AI and behavioral analytics to endpoint, network, cloud and third-party data. It unifies prevention, detection, investigation, and response in one platform for unrivaled security and operational efficiency. Cortex XDR provides industry-leading coverage of MITRE ATT&CK techniques and consistently demonstrates stellar performance in independent industry testing, including the MITRE ATT&CK Evaluations.