MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a framework developed by MITRE Corporation, a not-for-profit organization dedicated to solving problems for a safer world. ATT&CK is a knowledge base that categorizes the tactics, techniques, and procedures (TTPs) used by adversaries or attackers during cyber intrusions.
The framework provides a comprehensive understanding of how cyber adversaries operate by organizing their behaviors into a matrix. This matrix consists of various tactics that represent high-level objectives an attacker may have (such as initial access, execution, persistence, privilege escalation, etc.) and techniques that represent specific methods or actions used to achieve those objectives.
Each technique is associated with real-world examples of how attackers have historically carried out cyber-attacks. The goal of ATT&CK is to assist organizations in improving their cyber defenses, threat detection, and response capabilities by mapping their security measures to the known tactics and techniques used by adversaries.
It’s widely used in cybersecurity for several purposes, including threat intelligence, red teaming, blue teaming, security assessments, and improving security posture by identifying and mitigating potential attack vectors based on known adversary behaviors. The framework is continuously updated and expanded to reflect the evolving landscape of cyber threats and attack methodologies.
Here are some examples of techniques related to Initial Access in the MITRE ATT&CK framework:
Spearphishing Attachment (T1566.001):
Attackers send tailored emails with malicious attachments to trick users into opening them, leading to the execution of malicious code.
Spearphishing Link (T1566.002):
Attackers send tailored emails containing links to malicious websites or resources to trick users into clicking, leading to exploitation or malware installation.
Valid Accounts (T1078):
Attackers use previously obtained credentials, such as stolen or purchased credentials, to gain unauthorized access.
External Remote Services (T1133):
Attackers exploit externally accessible services, such as VPNs or web services, to gain initial access to a network.
Exploit Public-Facing Application (T1190):
Attackers exploit vulnerabilities in public-facing applications, such as web servers, to gain access to the targeted network.
Drive-by Compromise (T1189):
Attackers compromise a legitimate website to host and deliver malicious content to visitors’ systems.
Phishing (T1566):
Attackers send deceptive communications (email, SMS, etc.) to trick individuals into divulging sensitive information or performing actions that compromise security.
Supply Chain Compromise (T1195):
Attackers target suppliers or vendors to gain access to their networks, which in turn could provide access to the targeted network.
These are just a few examples; the MITRE ATT&CK framework covers a wide array of tactics and techniques used by adversaries during different stages of a cyberattack. Each technique may have various sub-techniques and mitigations associated with it, providing a comprehensive understanding of potential threats and appropriate defenses.
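As an added illustration, not part of the original article, of what "mapping security measures to the known tactics and techniques" looks like in practice, the Python below builds a small detection-coverage report for the Initial Access techniques listed above. It takes a handful of constructed detection rules tagged with the ATT&CK IDs they address (the Sigma-style "attack.tNNNN" tag convention and the rule titles are assumptions), resolves sub-technique IDs such as T1566.001 to their parent technique, and reports which techniques in the catalog have no detection at all.

```python
import re
from collections import defaultdict

# Initial Access techniques exactly as listed in the article above.
INITIAL_ACCESS = {
    "T1566": "Phishing",
    "T1566.001": "Spearphishing Attachment",
    "T1566.002": "Spearphishing Link",
    "T1078": "Valid Accounts",
    "T1133": "External Remote Services",
    "T1190": "Exploit Public-Facing Application",
    "T1189": "Drive-by Compromise",
    "T1195": "Supply Chain Compromise",
}

# ATT&CK technique IDs are T + four digits, sub-techniques add .NNN.
TECHNIQUE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")
# Assumed tag convention modelled on Sigma rules: "attack.t1566.001".
ATTACK_TAG = re.compile(r"^attack\.(t\d{4}(?:\.\d{3})?)$", re.IGNORECASE)


def parent_technique(tid):
    """Return the parent of a sub-technique (T1566.001 -> T1566).
    A top-level technique is its own parent."""
    if not TECHNIQUE_ID.match(tid):
        raise ValueError(f"not an ATT&CK technique ID: {tid!r}")
    return tid.split(".")[0]


def techniques_from_tags(tags):
    """Extract technique IDs from rule tags, normalising to upper case and
    ignoring tactic tags such as 'attack.initial_access'."""
    found = set()
    for tag in tags:
        m = ATTACK_TAG.match(tag)
        if m:
            found.add(m.group(1).upper())
    return found


def coverage(catalog, rules):
    """Map every technique in the catalog to the titles of rules covering it.

    A rule tagged with a sub-technique also counts toward the parent
    technique, but a rule tagged only with the parent does not count for
    each sub-technique: the parent tag says nothing about which variant
    the rule actually detects."""
    covered = defaultdict(set)
    for rule in rules:
        for tid in techniques_from_tags(rule["tags"]):
            covered[tid].add(rule["title"])
            parent = parent_technique(tid)
            if parent != tid:
                covered[parent].add(rule["title"])
    return {tid: sorted(covered.get(tid, ())) for tid in catalog}


def coverage_gaps(catalog, rules):
    """Technique IDs in the catalog that no rule addresses."""
    return sorted(tid for tid, hits in coverage(catalog, rules).items() if not hits)


# Constructed sample detection rules; titles and tags are illustrative only.
SAMPLE_RULES = [
    {"title": "Office app spawning script host",
     "tags": ["attack.initial_access", "attack.t1566.001"]},
    {"title": "Successful login from a new country", "tags": ["attack.t1078"]},
    {"title": "VPN login outside business hours", "tags": ["attack.t1133"]},
    {"title": "Web shell written by IIS worker process", "tags": ["attack.t1190"]},
]


if __name__ == "__main__":
    report = coverage(INITIAL_ACCESS, SAMPLE_RULES)
    for tid, name in INITIAL_ACCESS.items():
        status = ", ".join(report[tid]) or "NO DETECTION"
        print(f"{tid:<10} {name:<35} {status}")
    print("gaps:", coverage_gaps(INITIAL_ACCESS, SAMPLE_RULES))
```

Running the script prints one line per technique and then the gap list; with the constructed rules, Drive-by Compromise, Supply Chain Compromise and Spearphishing Link have no detection, while Phishing (T1566) is counted as covered only because its attachment sub-technique is. Treating parent-level coverage as inherited from sub-techniques, but not the other way round, is the choice that keeps the report honest when a team argues about whether "we cover phishing" is true.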