How to Use MITRE ATT&CK to Understand Attacker Behavior

MITRE ATT&CK (“miter attack”) is an up-to-date and widely-used knowledge base that focuses on how attackers think and operate. It’s based on practical use cases, so companies can better evaluate security issues and get examples of common tactics and techniques used by threat actors.

ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) documents adversary behaviors to be used by red teams (e.g., for pentesting) but also by defenders who want to understand “the context surrounding events or artifacts generated by a technique in use.” MITRE believes offense is the best driver for defense, so it does not focus on tools and malware but on how attackers behave during an operation.

The ATT&CK framework organizes information in a consistent and structured way, allowing people with varying knowledge, from beginners to advanced security teams, to use its documents. It provides advanced ability to defeat common attacks.

Also see: Best User and Entity Behavior Analytics (UEBA) Tools

Using TTPs for Real-world Use Cases

MITRE started in 2013 with Windows networks only, but it now contains information for various platforms, including mobile. The knowledge base describes tactics, techniques, and procedures (TTPs), which provide deep insight into attacker behavior, with detailed examples of tools and methods used by specific groups.

According to MITRE, there are four primary use cases where the document base can be beneficial:

  • Threat intelligence
  • Detection and analytics
  • Adversary emulation and red teaming
  • Assessment and engineering

ATT&CK is a great resource, but it can’t cover every situation. For example, MITRE does not recommend ATT&CK for reporting such as API calls in static malware analysis.

Also read: Top 11 Breach and Attack Simulation (BAS) Vendors for 2022

14 Tactics to Attack Companies

MITRE defines 14 tactics (at the time of writing) adversaries use to target enterprise networks:

  • Reconnaissance: Collecting information for future adversary operations
  • Resource Development: Creating resources to support operations
  • Initial Access: Trying to gain unauthorized access to the network
  • Execution: Running malicious code
  • Persistence: Maintaining access to the compromised system despite classic security actions such as restarts, changed credentials, and other interruptions
  • Privilege Escalation: Trying to gain higher-level permissions on the system or the network
  • Defense Evasion: Trying to circumvent detection tools and monitoring
  • Credential Access: Trying to steal account names and passwords
  • Discovery: Attempting to figure out a corporate environment
  • Lateral Movement: Traversing a corporate environment
  • Collection: Collecting relevant data for the operation
  • Command and Control: Communicating with the compromised system
  • Exfiltration: Stealing the data
  • Impact: Manipulating, interrupting, or destroying the system and data

What are MITRE Matrices?

MITRE organizes data into matrices—large tables with links to detailed explanations—which can help an organization to identify and understand adversarial behavior. Because hackers can use various techniques to achieve the same goal, MITRE categorizes them with few tactics.

This categorization allows for visualizing the relationship between tactics and techniques. Tactics can be described as how attackers achieve their objectives, such as lateral movement, using specific techniques like RDP hijacking or tainting shared content. Based on the relationships between the different tactics and techniques, you can learn how attackers use a specific technique to achieve a particular tactic.

Also read: Best Incident Response Tools and Software for 2022

Getting Started with ATT&CK

MITRE defines three levels for a thread-informed defense:

  • Level 1: Teams just starting who may not have many resources
  • Level 2: Mid-level teams starting to mature
  • Level 3: Advanced cybersecurity teams

If you want to focus on one group (e.g., FIN7), you can get helpful information to start cyber threat intelligence (CTI) analysis.

More advanced teams can map intelligence to ATT&CK instead of using others’ information. You can use your incident reports and categorize threats with one of the tactics defined by MITRE.

If you don’t know how to start, you can run a simple search on a specific command and learn more about the techniques that use it on MITRE’s website. You can also search for malicious software, such as Cobalt Strike, to learn how to better prepare your business against the techniques and tactics hackers use.

If you need easier ways to discover and use ATT&CK, you can try the MITRE ATT&CK Navigator, a free, open-source project that provides basic annotation and navigation.

Going Further with Mitigations, Procedures, and Sub-techniques

Mitigations help fight against TTPs by providing “security concepts and classes of technologies that can be used to prevent a technique or sub-technique from being successfully executed.” Many security vendors use ATT&CK tactics and techniques to mitigate security threats and often map products like EDR tools to them.

These techniques may include sub-techniques. For example, Password Spraying is a sub-technique of the Brute Force technique and can be used to achieve credential access.

Sub-techniques are the deepest level of detail and abstraction. MITRE uses sub-techniques to avoid overloading its model with too many techniques describing very similar things while maintaining granularity levels. You can see sub-techniques as variations in adversary actions. In other words, they are very specific techniques.

Procedures are particular implementations of techniques and sub-techniques. MITRE defines them as the “in-the-wild use of techniques.” You’ll find practical examples of procedures for each technique and sub-techniques:

MITRE ATT&CK
MITRE ATT&CK procedures example

Towards Threat Modeling and Risk Management

Threat modeling consists of identifying, measuring, and addressing security risks. It’s a significant part of cybersecurity.

ATT&CK allows for a proactive defense. Indeed, it gives a good overview of the most threatening attacks and typical scenarios where they could be successful. You can also integrate it into your risk management solution. Risk quantification is not possible without understanding threats, which ATT&CK can help estimate and measure.

By utilizing the MITRE ATT&CK framework, you can choose the best strategy against specific threats.

Further reading: Best Risk Management Software for 2022

Julien Maury
Julien Maury is a backend developer, a mentor and a technical writer. He loves sharing his knowledge and learning new concepts.

Top Products

Top Cybersecurity Companies

Related articles