Understanding the MITRE ATT&CK Matrix
15 July 2019
Richard Cassidy, Sr Director Security Strategy at Exabeam looks at the origins of the MITRE ATT&CK, what the goals of it are, and how organisations can use it to effectively protect themselves in the modern cyber security climate.
Recently, there’s been a lot of buzz about the MITRE ATT&CK Matrix and how it can help the cyber security industry galvanise itself against the growing number of threats out there. But what exactly is it, and why should cyber security professionals pay attention?
This article will look at the origins of MITRE ATT&CK, what the goals of it are, and how organisations can use it to effectively protect themselves in the modern cyber security climate.
What is MITRE?
Before addressing the Matrix itself, it’s important to understand who created it. MITRE is a US government-funded organisation that was spun out of the Massachusetts Institute of Technology (MIT) in 1958. Since then, it has been involved in a wide range of commercial and secret projects for numerous agencies. MITRE has a substantial cyber security practice, funded by the National Institute of Standards and Technology (NIST).
Interestingly, MITRE is not an acronym itself. Though many think it stands for the Massachusetts Institute of Technology Research and Engineering, it’s actually the creation of early board member James McCormack, who wanted something that sounded evocative but meant nothing.
A new approach to global cyber security
MITRE ATT&CK is an ever-evolving, globally-accessible knowledge base of cyber-criminal tactics and techniques, based on real-world observations over a number of recent years. These tactics and techniques are collated and displayed in a series of matrices, which are arranged by attack stages. The main ‘Enterprise’ matrix spans all three major desktop platforms (Linux, macOS and Windows) and there is also a separate matrix for mobile platforms.
ATT&CK is an acronym for Adversarial Tactics, Techniques, and Common Knowledge, which breaks down into two main parts:
- Adversarial Tactics and Techniques is a contemporary way of examining cyberattacks and represents a shift in effective threat detection away from an ever-growing volume of isolated alerts. Rather than looking at the end results of an attack, security analysts instead look at the tactics and techniques that suggest an attack is already in progress. Tactics are the ‘why’ of an attack, while techniques represent ‘how’: the specific actions that help a cyber-criminal achieve that objective.
- Common Knowledge is the known tactics and techniques used by modern adversaries. Essentially, common knowledge is the documentation of procedures. If we can understand adversarial procedures effectively, we can implement better security, compliance and governance controls, to protect our key users, assets and data.
The main objective of MITRE ATT&CK is to create a comprehensive, universally accessible list of all known tactics and techniques used by cyber criminals today. Open to government, education, and commercial organisations, the idea is to collect a wide, and hopefully exhaustive, range of attack stages and sequences. Doing so will create a standard taxonomy to make communications between organisations around the world both more informed and more specific.
How does it work?
The MITRE ATT&CK Matrix visually arranges all known tactics and techniques into an easily understandable format, with individual techniques listed down each column and attack tactics across the top.
This is a very different representation to the well-known ‘Cyber Kill Chain’ – which essentially represents a high-level view of the standard attack stages, without further detail on how each stage may be performed.
Within the MITRE ATT&CK framework an attack always involves at least one technique for each tactic it employs; a completed attack sequence is constructed by moving from the left of the matrix (Initial Access) to the right (Command and Control).
It’s important to note that an attacker doesn’t have to incorporate all eleven tactics across the top of the matrix. Rather, they will use the minimum number needed to achieve the desired objective. The fewer they use, the more efficient the attack and the smaller the footprint left behind, meaning a lower chance of discovery and detection.
For example, at the Initial Access phase, an adversary may use a spearphishing link or embedded attachment to try to compromise a user’s credentials. If successful, the attacker could then look for a remote system in the ‘Discovery’ stage to continue the attack and move laterally within the organisation. Let’s assume that the attacker is after sensitive company data stored on OneDrive, to which the compromised user already has legitimate access.
If the attacker managed to compromise that user’s credentials, there’s no need to escalate privileges and the final phase of the attack (Collection) is performed by downloading the target files from OneDrive to the attacker’s machine.
Practical applications of MITRE ATT&CK
In practice, there are numerous ways that organisations can use MITRE ATT&CK to understand, plan and prepare for attacks. Here are five common examples:
- Cyber Threat Intelligence Enrichment: understanding and profiling adversary groups from a behavioural perspective, independent of the tools they may use.
- SOC Maturity Assessment: determining how effective a Security Operations Centre is at detecting and responding to attacks.
- Adversary Emulation: creating scenarios for the purposes of testing and verifying defences against common adversary techniques.
- Behavioural Analytics Development: constructing and testing behavioural analytics to detect anomalous activity within an environment.
- Defensive Gap Assessment: assessing the tools, monitoring and mitigations of existing defences within an organisation’s enterprise.
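As an added illustration (editor’s code, not the article’s own and not MITRE’s data), the following Python model ties together the two passages above: the matrix as an ordered set of tactic columns, the spearphishing-to-OneDrive walk-through checked as a left-to-right sequence through those columns, and a defensive gap assessment that maps an inventory of detection rules onto the matrix to show which techniques, and which steps of that attack path, nothing would detect. The technique slice under each tactic and the rule names are illustrative assumptions chosen for the example; the real matrix has far more entries per column.

```python
"""Toy model of the ATT&CK Enterprise matrix as the article describes it.

Constructed example: tactic order follows the article (Initial Access on the
left, Command and Control on the right); the technique names under each tactic
are an illustrative slice, not the full matrix.
"""

# The eleven tactic columns, left to right.
TACTICS = [
    "Initial Access", "Execution", "Persistence", "Privilege Escalation",
    "Defense Evasion", "Credential Access", "Discovery", "Lateral Movement",
    "Collection", "Exfiltration", "Command and Control",
]

# Techniques listed down each column (constructed slice; a technique such as
# Valid Accounts can legitimately appear under more than one tactic).
MATRIX = {
    "Initial Access": ["Spearphishing Link", "Spearphishing Attachment", "Valid Accounts"],
    "Execution": ["User Execution", "PowerShell"],
    "Persistence": ["Scheduled Task", "Registry Run Keys"],
    "Privilege Escalation": ["Bypass User Account Control", "Valid Accounts"],
    "Defense Evasion": ["Obfuscated Files or Information"],
    "Credential Access": ["Credential Dumping", "Brute Force"],
    "Discovery": ["Remote System Discovery", "Account Discovery"],
    "Lateral Movement": ["Remote Desktop Protocol", "Remote File Copy"],
    "Collection": ["Data from Information Repositories", "Data Staged"],
    "Exfiltration": ["Exfiltration Over Command and Control Channel"],
    "Command and Control": ["Standard Application Layer Protocol"],
}

# The article's walk-through: phish the user, find the file store, collect.
ONEDRIVE_ATTACK = [
    ("Initial Access", "Spearphishing Link"),
    ("Discovery", "Remote System Discovery"),
    ("Collection", "Data from Information Repositories"),
]

# Constructed detection-rule inventory: rule name -> technique it detects.
SAMPLE_DETECTIONS = {
    "mail-url-sandbox": "Spearphishing Link",
    "attachment-detonation": "Spearphishing Attachment",
    "lsass-access": "Credential Dumping",
    "rdp-anomaly": "Remote Desktop Protocol",
}


def validate_sequence(steps):
    """Check an attack sequence of (tactic, technique) pairs: every technique
    must sit in its stated column and the sequence must move left to right
    across the matrix. Returns a list of problems (empty when the path is valid)."""
    problems = []
    last_idx = -1
    for tactic, technique in steps:
        if tactic not in MATRIX:
            problems.append(f"unknown tactic {tactic!r}")
            continue
        if technique not in MATRIX[tactic]:
            problems.append(f"{technique!r} is not listed under {tactic!r}")
        idx = TACTICS.index(tactic)
        if idx < last_idx:
            problems.append(
                f"{tactic!r} appears after {TACTICS[last_idx]!r}: sequence moves right-to-left")
        last_idx = max(last_idx, idx)
    return problems


def tactics_used(steps):
    """The tactic columns an attack path touches, in matrix order; the article's
    point is that this is usually far fewer than all eleven."""
    return sorted({tactic for tactic, _ in steps}, key=TACTICS.index)


def coverage_gaps(detections):
    """Defensive gap assessment: for each tactic, (covered, total, uncovered
    techniques) given the techniques the rule inventory claims to detect."""
    covered = set(detections.values())
    report = {}
    for tactic in TACTICS:
        techniques = MATRIX[tactic]
        missing = [t for t in techniques if t not in covered]
        report[tactic] = (len(techniques) - len(missing), len(techniques), missing)
    return report


def undetected_steps(steps, detections):
    """Steps of an attack path that no rule in the inventory would fire on."""
    covered = set(detections.values())
    return [(tactic, technique) for tactic, technique in steps if technique not in covered]


if __name__ == "__main__":
    print("path problems:", validate_sequence(ONEDRIVE_ATTACK) or "none")
    print("tactics used:", tactics_used(ONEDRIVE_ATTACK))
    for tactic, (got, total, missing) in coverage_gaps(SAMPLE_DETECTIONS).items():
        print(f"{tactic:22s} {got}/{total} covered; missing: {missing}")
    print("attack steps with no detection:", undetected_steps(ONEDRIVE_ATTACK, SAMPLE_DETECTIONS))
```

Running the script shows the walk-through as a valid three-tactic path and, against the constructed rule set, that only the Initial Access step would be detected: the Discovery and Collection columns have no coverage at all, which is exactly the kind of gap the assessment is meant to surface before an adversary does.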
With new adversarial tactics and techniques emerging all the time, the need to quickly and accurately share threat intelligence throughout the global cyber security community has never been higher.
The MITRE ATT&CK Matrix gives the community a central focal point for the first time, making collaboration and knowledge exchange easier than ever before and enabling numerous practical applications. Furthermore, its ability to evolve and change over time ensures it will remain relevant for many years to come, making it essential to security strategies everywhere.