Introduction to MITRE ATT&CK – Featuring Version 12 (2023)

Have you ever wondered how to create a prioritized list of threat actors? Or identify what malicious tactics and techniques are most relevant? Or what security controls should be improved first? The MITRE ATT&CK Framework can help. Version 12 has just been released and this blog will help you understand what the Framework is and what’s new.

What is MITRE?

MITRE is a US-based not-for-profit organization that supports the US federal government in advancing national security by providing a range of technical, cyber, and engineering services to the government. In 2013, MITRE launched a research project to track cyber threat actors’ behavior, developing a framework named Adversarial Tactics, Techniques, and Common Knowledge, or in short form: ATT&CK.

What is the MITRE ATT&CK Framework?

The MITRE ATT&CK Framework contains a taxonomy of threat actor behavior during an attack lifecycle, broken down into 14 tactics that each contain a subset of more specific techniques and sub-techniques (covering the TT in TTPs). The Framework is split into three separate matrices, Enterprise (attacks against enterprise IT networks and cloud), Mobile (attacks targeting mobile devices), and industrial control systems (attacks targeting ICS).

The Framework contains a wealth of knowledge based on real-world observations. To give you an indication of scope, the October 2022 iteration of ATT&CK for Enterprise contains 193 techniques, 401 sub-techniques, 135 threat actor groups, 14 campaigns, and 718 pieces of software/malware.

Screenshot of the MITRE ATT&CK Framework for Enterprise with some but not all techniques.

Each technique can be explored to reveal sub-techniques and there is an entire MITRE knowledge base that feeds the matrices. This database contains a colossal amount of information on threat actor groups, malware, campaigns, descriptions of techniques and sub-techniques, mitigations, detection strategies, references for external resources, an ID system for tracking, and more.

MITRE’s definitions of tactics, techniques, and procedures

Here are the 14 tactics contained in the Enterprise matrix:

MITRE ATT&CK Enterprise Tactics

How can you use MITRE ATT&CK?

How you use the MITRE ATT&CK Framework largely depends on which team you sit on and your workflows. Security teams who often rely on ATT&CK include blue teams, investigators, incident responders, cyber threat intelligence analysts, red teams, penetration testers, purple teams, and tooling assessors/engineers, each with their own use cases. Let’s explore some of these use cases.

Use Case #1: Research threats and attack lifecycles

The MITRE ATT&CK Framework is a phenomenal research tool. At a glance, it clarifies the stages of an attack lifecycle by splitting adversary behavior into 14 tactics. The ability to zoom in on sub-techniques and uncover a treasure trove of descriptions and examples makes understanding cyberattacks accessible to anyone.

This benefits everyone, from the novice seeking to learn about TTPs, to battle-hardened veterans who want to refresh their attack scenario knowledge (memorizing 401 sub-techniques would require a super-human memory).

If your email gateway has quarantined multiple malicious emails containing unfamiliar malware, check the MITRE ATT&CK Framework and if the malware is there, you’ll discover which techniques it is associated with it, with reference to real-world examples. This can help you determine what the threat actor is likely trying to achieve.

With a click of a button, you can visualize that data by exporting it to MITRE ATT&CK Navigator, an interactive version of the MITRE ATT&CK Framework we highly recommend you explore (it’s also free).

Use Case #2: Threat actor tracking and controls assessment

The MITRE ATT&CK Framework can map the most common tactics and techniques used by your top priority threat actors. You can scan ATT&CK’s “Groups” section for a list of common threat actors relevant to your organization or sector. You can then export that information into the MITRE ATT&CK Navigator.

In Navigator, you can import multiple tabs, each containing a group, and overlay them, exposing the most common techniques your top priority threat actors are using (Navigator has scoring and color code features). This enables you to zero in on the most dangerous techniques facing your organization, helping you assess your detection coverage against the most prevalent threats. Armed with this knowledge, you now have data to reinforce the business case for acquiring new security controls or tools to enhance your defenses.

Use Case #3: Mapping and responding to a novel attack

Being targeted by an attacker you have never dealt with before? MITRE lets you build a custom layer of the ATT&CK Framework in Navigator based on the malicious activity you’ve observed in your network. Here’s an example of how that can look:

  1. You detect suspicious activity on the network. Indicator of compromise (IoC) alarms are triggered, malware and C2 beaconing are detected.
  2. You investigate historical activity and discover evidence of initial access. Your organization received phishing emails, employees downloaded malware, and there are IoCs of lateral movement across the network.
  3. You create a custom layer in MITRE Navigator for clearer visualization of this activity.
  4. This flags the risk of data exfiltration as a potential next step for the attacker.
  5. You check and implement detection methods and mitigations by combining information from MITRE and your internal controls.

These examples just scratch the surface of what’s possible with ATT&CK. If you want to learn more, check out MITRE’s Getting Started page.

What’s new with ATT&CK Version 12?

Now we have a strong foundation in the MITRE ATT&CK Framework, let’s find out what’s new in the latest version (12), released on October 25, 2022.

Like most previous versions, v12 contains new attack techniques (e.g., Compromise Accounts: Cloud Accounts), as well as updates on existing techniques, groups, and software across all matrices based on observed adversary activity. Unlike other versions, v12 added detections to the ICS matrix (mirroring the Enterprise matrix) and introduced campaigns.

MITRE defines campaigns “as a grouping of intrusion activity conducted over a specific period of time with common targets and objectives.” Campaigns are useful for detecting an evolution in TTPs, identifying trends in changing tactics, and monitoring the introduction of new techniques and the sustained use of others.

Each campaign features a description of intrusion activity (e.g., known targeted countries and sectors), specific commands/steps taken by the actors (which helps to identify detection and mitigation opportunities), and are offered in STIX file format.

There’s more to learn about this exciting feature, which you can do using this link.

MITRE ATT&CK Campaigns

How does Feedly integrate with MITRE ATT&CK?

In case you’re wondering why we at Feedly are writing about the MITRE ATT&CK Framework, it’s because we recognize the importance of ATT&CK, and have been working with our customers to develop integrations in Feedly.

We’ve used machine learning models to map content in articles to the MITRE ATT&CK tactics and techniques to spread the common language they’ve created.

You can specifically search for MITRE TTPs in Feedly and, with a single click of a button, any article you find containing TTPs can be opened in ATT&CK Navigator (or downloaded as a JSON file).

Curious to see this in action, check out this video:

Refference : – Josh Darby MacLellan, Sr CTI Customer Success Manager