MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations of cyberattacks. The tactics and techniques are displayed in matrices arranged by attack stage, from initial system access to data theft or machine control.

What does ATT&CK stand for?

ATT&CK stands for adversarial tactics, techniques, and common knowledge.

Rather than looking at the results of an attack, aka an indicator of compromise (IoC), security analysts should look at the tactics and techniques that indicate an attack is in progress. Tactics are the why of an attack technique. Techniques represent how an adversary achieves a tactical objective by performing an action.

Common knowledge is the documented use of tactics and techniques by adversaries. Essentially, common knowledge is the known procedures. Those familiar with cybersecurity may be familiar with the term “tactics, techniques, and procedures,” or TTP.

Tactics

Basically, MITRE says there are 11 tactics used in attacks, and each tactic has several methods by which it is performed. (Note: there are matrices for many types of attacks, so if, for example, your concern is industrial controls, there is a specific matrix for that.) Not all 11 are required for a successful attack. For example, Initial Access can be accomplished, and most usually is accomplished, by web browser drive-bys, public-facing applications, phishing, and a few others. The idea is to know these and defend against these specific things, which may be only 5 or 6 things, rather than chasing the thousands of vulnerabilities and getting way into the weeds of the vast amount of data we see on networks daily.

So, if I as a defender know that there are 11 categories of things that are possibly involved in every attack, then I can filter out a ton of false positives and try to be alerted on, and intercede on, those few things. (Note: attacks do not require all 11 categories to be successful, so most people look for the 5 or so that must be part of an attack: Access, Discovery, Lateral Movement, Command and Control, Exfiltration.)
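The filtering idea above, sketched as an added example (not code from MITRE or from any product mentioned on this page): alerts already tagged with a tactic are reduced to the five focus tactics, grouped per host, and hosts showing several distinct focus tactics are ranked first. The alert fields, host names, rule names and the `min_tactics` threshold are assumptions made for illustration.

```python
from collections import defaultdict

# The five tactics the text singles out, in attack-stage order
# ("Access" is written with its ATT&CK name, Initial Access).
FOCUS_TACTICS = ["Initial Access", "Discovery", "Lateral Movement",
                 "Command and Control", "Exfiltration"]

# Constructed sample alerts; hosts, rule names and tactic tags are illustrative.
SAMPLE_ALERTS = [
    {"host": "ws-014", "rule": "Office child process spawned", "tactic": "Initial Access"},
    {"host": "ws-014", "rule": "Burst of directory queries", "tactic": "Discovery"},
    {"host": "ws-014", "rule": "Periodic beacon to rare domain", "tactic": "Command and Control"},
    {"host": "ws-022", "rule": "Port sweep of local subnet", "tactic": "Discovery"},
    {"host": "ws-022", "rule": "Scheduled task created", "tactic": "Persistence"},
    {"host": "srv-03", "rule": "Expired certificate", "tactic": None},
    {"host": "srv-03", "rule": "Large upload to unknown host", "tactic": "Exfiltration"},
]

def group_focus_alerts(alerts):
    """Drop alerts outside the focus tactics and group the rest by host."""
    by_host = defaultdict(lambda: defaultdict(list))
    for alert in alerts:
        if alert["tactic"] in FOCUS_TACTICS:
            by_host[alert["host"]][alert["tactic"]].append(alert["rule"])
    return by_host

def prioritize(alerts, min_tactics=2):
    """Return (host, tactics_seen) pairs, hosts covering most focus tactics first.

    min_tactics is an assumed threshold: a host with a single focus tactic
    stays in the grouped view but is not escalated.
    """
    ranked = []
    for host, tactics in group_focus_alerts(alerts).items():
        seen = [t for t in FOCUS_TACTICS if t in tactics]  # keep stage order
        if len(seen) >= min_tactics:
            ranked.append((host, seen))
    ranked.sort(key=lambda item: (-len(item[1]), item[0]))
    return ranked

if __name__ == "__main__":
    for host, seen in prioritize(SAMPLE_ALERTS):
        print(f"{host}: {' -> '.join(seen)}")
```

Calling `prioritize(alerts, min_tactics=1)` lists every host with at least one focus-tactic alert, which is the plain filter without the multi-stage ranking.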

MITRE ATT&CK Matrix

Implications

The implications are almost obvious: if you are defending, narrow your focus; if you are developing a strategy to defend, know where to look. Foresite’s ProVision incorporates elements of the MITRE ATT&CK framework into our rules engine to weed out false positives and stay ahead of the adversary.