Professional Documents
Culture Documents
MITRE
ATT&CK ™
MARK DUFRESNE
Protections Team Lead, Elastic Security
This question should give a security team pause. Where do ATT&CK began more than six years ago as an internal project
they begin to explain the complexities and nuances of the at MITRE that has since expanded into a large open project
risks posed by cyber threats? What does “good” mean to an with hundreds of detailed entries on discrete attacker
analyst, SOC manager, or CISO? The executive often only techniques. It is based on real research and observations of
wants a yes or no. She may not have the time to pick apart intrusion activity and helps provide a common language to
anything more complicated. describe the techniques adversaries use. ATT&CK is routinely
updated as our collective understanding of the threat
The same question hovers around proof of concept
landscape evolves.
evaluations for new cybersecurity solutions. As independent
antivirus vendor testing often reports results with mere There are only so many ways in which an adversary can
tenths of a percent separating the top solutions by only achieve a particular objective on a system. ATT&CK is the
testing a fraction of the possible attack surface (exploits, language we can use to describe these methods. Unlike
malware, and not much more), finding a material difference previous attempts at frameworks like this, ATT&CK does
to justify a purchase decision becomes a challenge. Will the not deal in generalizations. Every framework needs to be
new solution bring a “yes” to the question: “Are we good?” simplified on some level, but when reduced too much it
Teams cannot afford to wait for a real-world deployment to provides no actionable information.
get the answer.
ATT&CK is detailed enough for cyber defenders to turn a
Many are turning to MITRE ATT&CK™ to better understand high-level goal such as: “I should find post-compromise
threats in their unique environments to know how “good” activity on my network,” into an itemized system of
their existing security infrastructure may be. achievable checkpoints. For example, an analyst’s goal
M IT RE AT T& C K™ M AT RIX
Command and
Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Exfiltration Impact
Control
Drive-by .bash_profile and Access Token Access Token Account Commonly Used Automated Account Access
AppleScript Account Discovery AppleScript Audio Capture
Compromise .bashrc Manipulation Manipulation Manipulation Port Exfiltration Removal
Communication
Exploit Public-Facing Accessibility Accessibility Application Access Application Window Application Access Automated
CMSTP Bash History Through Removable Data Compressed Data Destruction
Application Features Features Token Discovery Token Collection
Media
Application
External Remote Command-Line Account Browser Bookmark Data Encrypted for
AppCert DLLs Binary Padding Brute Force Deployment Clipboard Data Connection Proxy Data Encrypted
Services Interface Manipulation Discovery Impact
Software
Component Custom Command
Hardware Compiled HTML Cloud Instance Cloud Service Data from Cloud Data Transfer Size
AppCert DLLs AppInit DLLs BITS Jobs Object Model and and Control Defacement
Additions File Metadata API Dashboard Storage Object Limits
Distributed COM Protocol
Component Data from Custom Exfiltration
Replication Through Application Bypass User Credential Cloud Service Exploitation of
Object Model and AppInit DLLs Information Cryptographic Over Alternative Disk Content Wipe
Removable Media Shimming Account Control Dumping Discovery Remote Services
Distributed COM Repositories Protocol Protocol
Exfiltration Over
Spearphishing Control Panel Application Bypass User Clear Command Credentials from Domain Trust Internal Data from Local
Data Encoding Command and Disk Structure Wipe
Attachment Items Shimming Account Control History Web Browsers Discovery Spearphishing System
Control Channel
Exfiltration Over
Spearphishing Dynamic Data Authentication DLL Search Order Credentials in File and Directory Data from Network Endpoint Denial of
CMSTP Logon Scripts Data Obfuscation Other Network
Link Exchange Package Hijacking Files Discovery Shared Drive Service
Medium
Spearphishing via Execution through Credentials in Network Service Data from Exfiltration Over Firmware
BITS Jobs Dylib Hijacking Code Signing Pass the Hash Domain Fronting
Service API Registry Scanning Removable Media Physical Medium Corruption
Supply Chain Execution through Elevated Execution Compile After Exploitation for Network Share Domain Generation Scheduled Inhibit System
Bootkit Pass the Ticket Data Staged
Compromise Module Load with Prompt Delivery Credential Access Discovery Algorithms Transfer Recovery
Trusted Exploitation for Browser Compiled HTML Forced Remote Desktop Transfer Data to Network Denial of
Emond Network Sniffing Email Collection Fallback Channels
Relationship Client Execution Extensions File Authentication Protocol Cloud Account Service
Exploitation
Graphical User Change Default File Component Password Policy Multi-hop Proxy
Valid Accounts for Privilege Hooking Remote File Copy Input Capture Resource Hijacking
Interface Association Firmware Discovery
Escalation
ATT&CK matrices exist for the following security domains: thereof — can help provide teams with a list of items to
consider when seeking to improve detections.
Organizations that hope to use ATT&CK to improve their ◾ Are we regularly applying patches to our
security postures must be aware of, and prepared to
systems?
address, items that fall outside those limits.
◾ Can we see and stop common malware?
The first thing to consider is that ATT&CK is an ever-
◾ Do we have sufficient data sources to succeed
expanding database that is by no means complete. While it
with ATT&CK?
is the most comprehensive taxonomy of hacker techniques
currently available, it will not cover everything — in part
because of the boundless nature of cybersecurity. Hackers, Only once a strong foundation for security is in place does
whether white or black hat, are developing new techniques it make sense to reference ATT&CK, as sophistication is
and strategies so quickly that it is impossible for something necessary in taking actions based on its matrices. As we’ve
like ATT&CK to keep up in real time. Even with MITRE’s clear mentioned a couple times, ATT&CK is largely intended as
top positioning as the go-to framework and its collaborative a knowledge base of adversarial techniques, and must be
approach to gathering and incorporating techniques treated as such. The resources required to extend low false
observed by the security community, it takes time for MITRE positive rate coverage across every cell are enormous, and
to add new cells or update existing ones in response to the efforts to do so will come with diminishing returns.
discovery of new techniques.
In reality, if a security team were to be alerted every time a
ATT&CK also does not provide a comprehensive account of technique in ATT&CK was detected on an endpoint or on the
every possible variation of a given technique. For example, network, they would be flooded with alerts every time a user
there are several different ways adversaries can achieve compressed a file or every time an admin ran Powershell on
a technique like process injection. Adding visibility and an endpoint. After all, there is significant overlap between
monitoring for a single process injection technique does attacker techniques, operating system functionality, and
not mean you can answer “Are we good?” with a firm “Yes.” normal IT operations. Extensive tuning and detection
MITRE is in the process of addressing this well-known engineering is needed to get to high confidence, low
drawback through the introduction of sub-techniques to noise detections. Many techniques should rarely, if
its matrices. This makes things more granular in some ever, alert. They should instead be used as contextual
respects, but practitioners will still be behind the cutting indicators towards higher confidence alerts. Teams need to
edge of adversary tradecraft; adding further details to understand what is right for alerting in their environment.
existing techniques could lead to an overwhelming and They should understand which ATT&CK matrix cells are
counterproductive ATT&CK matrix. MITRE has a difficult more about visibility into techniques to ensure the ability
balance to strike between completeness and usability. to hunt proactively and further enrich other security alerts.
◾ Can I associate this with a legitimate business And finally, ATT&CK can help guide security teams to