The MITRE ATT&CK Framework is an extensive, globally accessible knowledge base that categorizes and organizes adversarial tactics, techniques, and procedures (TTPs) based on real-world observations. It helps organizations understand adversary behaviors across different platforms, from enterprise networks to cloud and mobile environments, enabling them to develop more effective threat detection and mitigation strategies.
The ATT&CK Framework is organized into several key components:
Tactics: High-level categories representing adversary objectives, such as Initial Access, Execution, and Exfiltration.
Techniques: Specific methods that adversaries use to accomplish each tactic, such as Phishing or Process Injection.
Sub-techniques: Variants or detailed implementations of primary techniques, providing more granular insights into adversary behaviors.
Mitigations: Best practices to prevent or minimize the impact of specific techniques.
Detections: Suggested methods for detecting adversary activities, helping security teams identify early indicators of compromise.
The MITRE ATT&CK Framework is widely used by cybersecurity professionals for several purposes:
Threat Intelligence: ATT&CK allows organizations to map observed adversary behaviors to specific tactics and techniques, providing insights into the likely objectives and capabilities of the adversary.
Detection and Response: By aligning detections with ATT&CK techniques, security teams can ensure that their monitoring efforts cover a wide range of attack vectors and identify early indicators of adversarial activity.
Red Teaming: ATT&CK helps red teams design realistic attack scenarios based on real-world adversary techniques, allowing organizations to test and improve their defenses.
Gap Analysis: By mapping current detections and mitigations to ATT&CK techniques, organizations can identify potential gaps in their defenses and prioritize improvements.
The Initial Access tactic covers techniques that adversaries use to gain initial entry into a target environment. This step is critical for establishing a foothold and often involves social engineering or exploiting vulnerabilities in public-facing applications.
Phishing: Attackers deliver deceptive messages, typically via email, to lure users into revealing credentials or executing malicious code.
Detection: Use email filtering tools to scan for known phishing indicators. Monitor login attempts from unusual locations or devices.
Mitigation: Educate employees on phishing awareness, enforce multi-factor authentication (MFA), and sandbox email attachments for security checks.
Exploit Public-Facing Application: Adversaries exploit unpatched vulnerabilities in internet-facing applications.
Detection: Continuously monitor logs for unauthorized access attempts and anomalies in application behavior.
Mitigation: Regularly apply patches, use Web Application Firewalls (WAFs) for added protection, and limit access to critical applications.
Valid Accounts: Attackers use compromised credentials to log in as legitimate users, bypassing perimeter defenses.
Detection: Monitor for suspicious login patterns, such as logins from new geolocations or unusual devices.
Mitigation: Enforce strong password policies, require MFA, and regularly review access to privileged accounts.
Execution tactics involve techniques that adversaries use to run malicious code on a target system, giving them control over the system or setting up additional payloads for further actions.
Command and Scripting Interpreter: Attackers use scripting languages (e.g., PowerShell) or command-line tools to execute code.
Detection: Monitor for unusual script or command-line executions, especially from non-standard paths.
Mitigation: Restrict script execution through application whitelisting and monitor user activity on command interpreters.
Scheduled Task/Job: Adversaries use scheduled tasks to run code at specific times or intervals.
Detection: Track new scheduled task creation and monitor for any unauthorized modifications.
Mitigation: Limit access for creating scheduled tasks to administrative users only.
Exploitation for Client Execution: Attackers exploit client application vulnerabilities to execute code.
Detection: Monitor endpoint logs for abnormal application behavior.
Mitigation: Regularly update software and use endpoint protection to block exploit attempts.
Persistence tactics allow adversaries to maintain access within an environment, even after restarts or updates, helping them retain control over compromised systems.
Account Manipulation: Adversaries modify existing accounts or create new ones to maintain access.
Detection: Monitor for unexpected changes in user account properties and access rights.
Mitigation: Enforce account management policies, especially for privileged users.
Boot or Logon Autostart Execution: Attackers configure code to execute automatically on boot or user logon.
Detection: Monitor changes to registry keys or files that control autostart behavior.
Mitigation: Restrict access to autostart entries and use endpoint protection software.
Scheduled Task/Job: Persistent tasks set by adversaries to automatically execute malicious code.
Detection: Review scheduled task creation events in logs for unusual or unauthorized entries.
Mitigation: Limit task scheduling permissions and enforce strict user access control.
Privilege Escalation tactics involve techniques that attackers use to gain higher-level permissions, allowing them to access sensitive information and resources.
Exploitation for Privilege Escalation: Attackers exploit software vulnerabilities to gain elevated privileges.
Detection: Use endpoint detection to monitor for signs of privilege escalation exploits.
Mitigation: Keep systems updated and deploy anti-exploit tools.
Process Injection: Injecting code into legitimate processes to evade detection and escalate privileges.
Detection: Track memory injection activities and unexpected behavior in legitimate processes.
Mitigation: Use security software that detects process injection and restrict unauthorized memory access.
Abuse Elevation Control Mechanism: Exploiting mechanisms like “Run as Administrator” to gain elevated access.
Detection: Monitor log events for unusual privilege elevation attempts.
Mitigation: Limit elevated access and enforce strict privilege management policies.
Defense Evasion tactics involve techniques used by adversaries to avoid detection and minimize the visibility of their activities, allowing them to operate undetected within a compromised environment.
Obfuscated Files or Information: Adversaries hide data to evade detection mechanisms.
Detection: Identify and flag compressed or encrypted files with unusual patterns.
Mitigation: Block access to common obfuscation tools and monitor file attributes.
Masquerading: Renaming files or processes to mimic legitimate software.
Detection: Monitor for unexpected filenames or executable paths.
Mitigation: Enforce strict process whitelisting policies.
Disabling Security Tools: Attackers may disable or tamper with security software.
Detection: Monitor for events where security tools are modified or deactivated.
Mitigation: Restrict access to security settings and enforce alerts for configuration changes.
Credential Access tactics include techniques that adversaries use to steal usernames, passwords, and other authentication data, often allowing them to move laterally within a network.
Brute Force: Repeated attempts to guess valid username-password combinations.
Detection: Monitor for repeated failed login attempts or unusual login patterns.
Mitigation: Use account lockouts and MFA to prevent unauthorized access.
Credential Dumping: Attackers attempt to extract credentials from local storage or memory.
Detection: Track the use of credential-dumping tools like Mimikatz.
Mitigation: Limit access to sensitive areas and apply encryption on sensitive data.
Unsecured Credentials: Adversaries exploit weak or exposed credentials in configuration files.
Detection: Regularly scan systems for plaintext passwords and configuration issues.
Mitigation: Enforce credential management practices and secure storage policies.
Discovery tactics involve techniques that adversaries use to gain knowledge about the system, network, and resources within an environment. This information-gathering phase helps attackers map out the environment and locate sensitive resources for further exploitation.
System Information Discovery: Adversaries gather information about the operating system and hardware.
Detection: Monitor for system commands that retrieve OS and hardware details, such as `systeminfo` and `uname`.
Mitigation: Limit user access to system commands and ensure logging of system information queries.
Network Service Scanning: Adversaries scan for open ports and services on the network.
Detection: Use IDS/IPS to detect unusual scanning activities and network traffic spikes.
Mitigation: Use network segmentation and firewall rules to restrict access to internal services.
Process Discovery: Attackers enumerate running processes to identify security tools and valuable targets.
Detection: Monitor process enumeration commands, such as `ps` and `tasklist`.
Mitigation: Restrict unnecessary permissions for process information access.
Lateral Movement tactics include techniques that allow adversaries to move across multiple systems within a network, expanding their access and control over valuable resources.
Remote Services: Attackers use remote desktop protocols (RDP), SSH, or other services to access systems remotely.
Detection: Monitor for unusual use of remote protocols or unauthorized remote sessions.
Mitigation: Enforce MFA for remote access and restrict remote protocol usage on sensitive systems.
Pass the Hash: Attackers use stolen hashed credentials to authenticate without requiring plaintext passwords.
Detection: Track unusual credential usage across systems.
Mitigation: Enforce Kerberos authentication and limit NTLM usage.
Remote File Copy: Attackers transfer malicious files or tools to remote systems.
Detection: Monitor for unexpected file transfers over network channels.
Mitigation: Restrict file-sharing capabilities and enforce access control on file transfer tools.
Collection tactics involve techniques that allow adversaries to gather sensitive data from compromised systems, such as files, screenshots, and keystrokes, which may later be used or exfiltrated.
Screen Capture: Captures screenshots to gather visual information from systems.
Detection: Monitor for unusual screen capture activity and software.
Mitigation: Restrict screen capture capabilities to trusted applications.
Keylogging: Logs keystrokes to capture sensitive data, including credentials.
Detection: Track software installations and scan for keylogging tools.
Mitigation: Use endpoint protection to block unauthorized keyloggers.
Clipboard Data: Attackers monitor clipboard content to capture sensitive data.
Detection: Monitor for unexpected clipboard access or data extraction tools.
Mitigation: Restrict clipboard access to authorized applications.
Exfiltration tactics involve techniques that adversaries use to transfer data from a compromised network or system to an external location under their control. Exfiltrated data can include confidential information, intellectual property, and other valuable resources.
Exfiltration Over C2 Channel: Data is sent over command and control channels to evade detection.
Detection: Monitor for unusual data transfers over known C2 channels.
Mitigation: Use network traffic analysis and data loss prevention (DLP) tools.
Automated Exfiltration: Attackers use scripts or automated tools to exfiltrate data in bulk.
Detection: Track large data transfers and abnormal traffic patterns.
Mitigation: Restrict access to critical data and monitor bulk transfer attempts.
Exfiltration Over Alternative Protocol: Data is exfiltrated over protocols less likely to be blocked (e.g., DNS, HTTPS).
Detection: Monitor for data transfers over non-standard protocols.
Mitigation: Block unauthorized protocols and use DNS filtering.
Impact tactics include techniques that adversaries use to disrupt, destroy, or otherwise impair an organization’s systems, data, and operations. These techniques are often used as a final stage to maximize damage and achieve the adversary’s objectives.
Data Destruction: Attackers delete or alter data to disrupt operations or cause irreparable damage.
Detection: Monitor for abnormal data deletion events and sudden spikes in delete commands.
Mitigation: Enforce regular backups and restrict delete permissions to authorized personnel only.
Service Stop: Attackers stop critical services, reducing availability and impacting business operations.
Detection: Track changes to service statuses and monitor for unauthorized stoppages.
Mitigation: Restrict permissions for stopping services and enforce regular audits of service activity.
Defacement: Adversaries alter website or application content, impacting brand reputation.
Detection: Monitor for unauthorized changes to public-facing content.
Mitigation: Enforce strict access controls on content management systems and maintain content backups.