What is MITRE ATT&CK and How Can it Be Used Effectively?
According to Cybercrime Magazine, by the end of 2025, cybercrime will cost the world $10.5 trillion annually. There is therefore a dire need for preparedness, and as a step towards it, in 2015 MITRE, a U.S. government-funded, non-profit organization, made ATT&CK (which stands for Adversarial Tactics, Techniques, and Common Knowledge) available to the public as an open-source knowledge base. MITRE is also associated with many top-secret and commercial projects for numerous agencies. So, what is MITRE ATT&CK and how does it impact us? Let’s dive in.
What Does MITRE ATT&CK Mean?
MITRE, the non-profit public-interest company that came up with ATT&CK, wanted to make the virtual world safer. To that end, ATT&CK is a knowledge base used as the starting point for creating threat models and defensive approaches in many sectors.
What is MITRE ATT&CK, and How is it Useful?
MITRE ATT&CK is a knowledge-based framework of adversary tactics and techniques built from real-world observations. ATT&CK is a structured list of cyber attackers’ behaviors and patterns, presented as matrices of tactics and techniques. Organizations use it both offensively (to emulate adversaries) and defensively (to find and close gaps in detection and protection) in order to address weaknesses in their systems.
MITRE has divided ATT&CK into three different matrices:
- Enterprise Matrix for Windows, Linux, and macOS
- Mobile Matrix for Android and iOS
- Industrial Control Systems (ICS) Matrix for industrial systems
To better understand how it works, we need to look at what MITRE ATT&CK tactics and techniques are.
What are MITRE ATT&CK Techniques and Tactics?
A tactic here refers to what the attackers are trying to achieve, and a technique is how they achieve that goal. A technique may be a single step or a combination of several steps that together complete the attacker’s mission. Each tactic lists the various techniques an attacker may use to achieve it, and which one is chosen depends on numerous variable factors.
For example, the Enterprise Matrix catalogs a total of 14 tactics:
- Reconnaissance refers to techniques in which adversaries actively or passively collect information
- Resource development refers to techniques in which attackers create, purchase, or compromise/steal resources that can later be used to support targeting
- Initial access consists of various techniques to gain initial entry into the targeted company’s network
- Execution means the adversary is running malicious code on your systems, locally or remotely
- Persistence is for maintaining a foothold in your systems and not letting go of access
- Privilege escalation means the attackers use techniques to gain higher-level access by leveraging your vulnerabilities
- Defense evasion is where adversaries avoid getting detected throughout their compromise
- Credential access is when an attacker steals credentials for their benefit
- Discovery is when the adversary tries to figure out the workings of your internal network
- Lateral movement refers to techniques used by attackers to access and control remote systems on a network
- Collection refers to the techniques adversaries may employ to gather information useful to their aims, and the sources from which that data is gathered
- Command and control refers to techniques in which communication with compromised systems is used to control them
- Exfiltration refers to the stealing of data from the compromised system
- Impact is where the manipulation, interruption, or destruction of your systems and data is carried out
Similarly, the Mobile Matrix has 13 tactics, and the ICS Matrix has 12.
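The tactic/technique structure just described is what makes ATT&CK usable defensively: once each detection rule is tagged with the technique IDs it covers, the tactic that each technique belongs to tells you which stages of an attack you can see and which you are blind to. The following script is an added example written for this article, not code from MITRE or from the author. It embeds a hand-picked subset of real Enterprise technique-to-tactic mappings (including T1078 Valid Accounts, which belongs to four tactics at once) and a constructed inventory of detection rules; in practice the full catalog would be loaded from MITRE’s published STIX data rather than typed in, and the rule names here are invented for illustration.

```python
"""Map a detection-rule inventory onto ATT&CK tactics and list coverage gaps.

Added example for this article; the technique catalog below is a small,
hand-picked subset of the real Enterprise Matrix and the detection rules
are constructed for illustration.
"""

# Enterprise tactics in the order the article lists them.
ENTERPRISE_TACTICS = [
    "Reconnaissance", "Resource Development", "Initial Access", "Execution",
    "Persistence", "Privilege Escalation", "Defense Evasion",
    "Credential Access", "Discovery", "Lateral Movement", "Collection",
    "Command and Control", "Exfiltration", "Impact",
]

# Subset of the catalog: technique ID -> (name, tactics it belongs to).
# A technique can appear under several tactics; T1078 is the classic case.
TECHNIQUES = {
    "T1595": ("Active Scanning", ["Reconnaissance"]),
    "T1583": ("Acquire Infrastructure", ["Resource Development"]),
    "T1566": ("Phishing", ["Initial Access"]),
    "T1078": ("Valid Accounts", ["Initial Access", "Persistence",
                                 "Privilege Escalation", "Defense Evasion"]),
    "T1059": ("Command and Scripting Interpreter", ["Execution"]),
    "T1003": ("OS Credential Dumping", ["Credential Access"]),
    "T1082": ("System Information Discovery", ["Discovery"]),
    "T1021": ("Remote Services", ["Lateral Movement"]),
    "T1005": ("Data from Local System", ["Collection"]),
    "T1071": ("Application Layer Protocol", ["Command and Control"]),
    "T1041": ("Exfiltration Over C2 Channel", ["Exfiltration"]),
    "T1486": ("Data Encrypted for Impact", ["Impact"]),
}

# Constructed detection inventory: rule name -> technique IDs it is tagged with.
DETECTION_RULES = {
    "suspicious_powershell_encoded_command": ["T1059"],
    "lsass_memory_access": ["T1003"],
    "logon_from_unseen_country": ["T1078"],
    "smb_admin_share_lateral_login": ["T1021"],
    "ransom_note_file_creation": ["T1486"],
}


def validate_tags(rules, techniques):
    """Return technique IDs used by rules that are not in the catalog.

    A mistyped tag silently inflates coverage, so this check runs first.
    """
    return sorted({tid for tids in rules.values() for tid in tids
                   if tid not in techniques})


def coverage_by_tactic(rules, techniques, tactics):
    """Return {tactic: {"covered": [ids], "uncovered": [ids]}} in tactic order.

    A technique counts as covered if at least one rule is tagged with it;
    a multi-tactic technique then counts towards every tactic it belongs to.
    """
    detected = {tid for tids in rules.values() for tid in tids}
    report = {t: {"covered": [], "uncovered": []} for t in tactics}
    for tid, (_name, tactic_list) in sorted(techniques.items()):
        for tactic in tactic_list:
            bucket = "covered" if tid in detected else "uncovered"
            report.setdefault(tactic, {"covered": [], "uncovered": []})
            report[tactic][bucket].append(tid)
    return report


def tactics_without_coverage(report):
    """Tactics (attack stages) for which no technique is detected at all."""
    return [t for t, c in report.items() if not c["covered"]]


def format_report(report, techniques):
    """Render the per-tactic summary with the uncovered techniques listed."""
    lines = []
    for tactic, c in report.items():
        total = len(c["covered"]) + len(c["uncovered"])
        lines.append(f"{tactic}: {len(c['covered'])}/{total} techniques covered")
        for tid in c["uncovered"]:
            lines.append(f"    gap: {tid} {techniques[tid][0]}")
    return "\n".join(lines)


if __name__ == "__main__":
    bad = validate_tags(DETECTION_RULES, TECHNIQUES)
    if bad:
        raise SystemExit(f"unknown technique IDs in rule tags: {bad}")
    report = coverage_by_tactic(DETECTION_RULES, TECHNIQUES, ENTERPRISE_TACTICS)
    print(format_report(report, TECHNIQUES))
    print("no visibility at all for:", ", ".join(tactics_without_coverage(report)))
```

With the constructed inventory, the single Valid Accounts rule lights up four tactics at once, while six tactics (Reconnaissance, Resource Development, Discovery, Collection, Command and Control, Exfiltration) have no detection at all; that list of blind stages, rather than a raw rule count, is the output a security team acts on.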
What Does MITRE Stand for?
Contrary to common misconception, MITRE is not an acronym. It has, for example, been assumed to stand for the Massachusetts Institute of Technology Research and Engineering. However, James McCormack (an early board member of MITRE) clarified that he wanted the name to mean nothing and merely sound evocative.
Now that you have a basic understanding of what MITRE ATT&CK is worth for a safer virtual world, you may want to learn more about cybersecurity. For that, you can explore Emeritus’ rich repository of online cybersecurity courses and become part of the effort to keep the virtual world safer.
By Siddhesh Shinde
Write to us at content@emeritus.org