What is the MITRE ATT&CK Framework?

2024 MITRE ATT&CK Evaluation: Trend Vision One™ leaves attackers with nowhere to hide

MITRE ATT&CK Framework

MITRE ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge. It is a public knowledge base of adversarial tactics and techniques that can be used as a foundation for developing specific cyber threat models and methodologies. 

This knowledge base has been developed based on the following three concepts: 

  • It maintains the adversary's perspective 

  • It is grounded in real-world activity, using empirically observed examples 

  • Its level of abstraction is appropriate for bridging offensive actions with possible defensive countermeasures 

MITRE ATT&CK helps the industry define and standardize how to describe an attacker’s approach. It collects and categorizes common attack tactics, techniques, and procedures (TTPs), then organizes this information into a framework. 

The third concept, an abstraction level suited to bridging the method of attack and the countermeasures that can be implemented on the defense side, is particularly important for understanding the structure of ATT&CK. Information is organized at a high level of abstraction rather than as individual, specific indicators such as IP addresses, URLs, and malware signatures. 

The underlying concept is to analyze attacks in terms of Tactics, Techniques, and Procedures (TTPs). Knowledge is mainly gathered and organized at the Technique level. 

  •  Tactic: A short-term goal of an attacker 

  •  Technique: The means for an attacker to achieve a goal 

  •  Procedure: A specific way an attacker carries out a technique 

This framework can be used to help explain how adversaries behave, what they are trying to do, and how they are trying to do it. 

Having a common language and framework is important in the ability to communicate, understand, and respond to threats as efficiently and effectively as possible. 

MITRE ATT&CK has become a critical knowledge base for cyber defenders, ultimately improving security efficiency and response time. The annual MITRE Evaluation compares industry-wide innovation to deliver the solutions necessary to detect and respond to the evolving threat landscape. 

The original resource can be found here


This type of framework is extremely useful to information security professionals helping to keep them updated on new attack techniques and to prevent attacks from happening in the first place. 

Organizations use ATT&CK to standardize community conversations, defense testing, and product/service evaluations.

MITRE ATT&CK Evaluations

The MITRE ATT&CK Evaluation offers customers transparency and real-world attack scenarios. This ensures that customers can actively evaluate security products to protect themselves from the latest advances by attackers, based on their areas of greatest need. The evaluation uses adversary emulation, with techniques, tools, methods, and goals inspired by those of real attackers, to ensure customers can address today's threats.  

The simulations are executed in a controlled lab environment to ensure fair and accurate testing. Attacker techniques are then executed in a logical, step-by-step sequence to explore the breadth of ATT&CK coverage.  

The evaluations are not a competitive analysis. There are no scores, rankings, or ratings. Instead, they show how each vendor approaches threat detection in the context of the ATT&CK knowledge base. 

The evaluation offers cybersecurity solution buyers and customers an unbiased way to evaluate security products and arm themselves against the latest advances by attackers, based on their areas of greatest need. 

For example, in 2022 the evaluation emulated the operational flows of Wizard Spider and Sandworm tradecraft to simulate attacks similar to the behavior these groups use in the wild. After the simulation was run, the results were processed and publicly released, including the methodology. 

MITRE ATT&CK matrices

The MITRE ATT&CK framework is structured into multiple matrices, each tailored to specific environments where cyber threats operate. These matrices categorize tactics, techniques, and procedures (TTPs) used by attackers, helping security teams enhance their defense strategies.

Enterprise Matrix

The most comprehensive matrix, covering threats across Windows, macOS, Linux, and cloud environments. It includes techniques like privilege escalation, lateral movement, and data exfiltration.

Mobile Matrix

Focused on threats targeting iOS and Android devices. This matrix details attack techniques such as credential theft, network exploitation, and mobile malware persistence.

ICS (Industrial Control Systems) Matrix

Addresses cyber threats specific to industrial environments, such as SCADA systems. It highlights techniques used to disrupt critical infrastructure, including unauthorized command execution and firmware manipulation.

MITRE ATT&CK Tactics

The building blocks of ATT&CK are Techniques, each representing an action an attacker takes to achieve a goal. Those goals are classified as Tactics. 

The Tactic represents the "why" of a Technique: the reason an attacker executes an action. A Technique is the "means" by which an attacker achieves a goal by executing an action; it also represents "what" the attacker acquires. 

Taking the Enterprise domain as an example, the Tactics are as follows: 

  • Initial Access: Methods attackers use to infiltrate a network, such as phishing, supply chain compromise, and exploiting public-facing applications. 

  • Execution: Techniques that run malicious code on a system, including command-line execution, scripting, and exploitation for client execution. 

  • Persistence: Methods attackers use to maintain access after initial compromise, like creating new user accounts, registry modifications, and scheduled tasks. 

  • Privilege Escalation: Ways adversaries gain higher-level permissions, such as exploiting vulnerabilities, credential dumping, and access token manipulation. 

  • Defense Evasion: Techniques to bypass security measures, including disabling security tools, obfuscating files, and process injection. 

  • Credential Access: Methods to steal credentials, such as keylogging, brute force attacks, and credential dumping. 

  • Discovery: Techniques used to gather information about a system or network, like network scanning and account enumeration. 

  • Lateral Movement: Techniques to move across systems, such as remote desktop protocol (RDP) and pass-the-hash attacks. 

  • Collection: Methods for gathering sensitive data, including screen capture, keylogging, and data from local databases. 

  • Exfiltration: Ways to transfer stolen data out of a network, such as encrypted exfiltration and cloud storage abuse. 

  • Impact: Techniques aimed at disrupting operations, including ransomware deployment, data destruction, and service denial attacks.

MITRE ATT&CK Techniques

The MITRE ATT&CK framework categorizes adversary techniques used across cyberattacks. Key techniques include: 

  • Initial Access – Methods like phishing and exploiting public applications to gain entry. 

  • Execution – Running malicious code via command-line or scripting. 

  • Persistence – Maintaining access through registry changes or scheduled tasks. 

  • Privilege Escalation – Gaining higher privileges using exploits or credential dumping. 

  • Defense Evasion – Bypassing security with obfuscation or disabling tools. 

  • Lateral Movement – Spreading through networks via RDP or pass-the-hash. 

  • Exfiltration – Stealing data using cloud abuse or encrypted transfers. 

Understanding these techniques helps organizations strengthen security defenses.

Anatomy of MITRE ATT&CK Framework

Tactics are the description of what attackers are trying to achieve. 

Tactics are similar to the chapters of a book. A CISO can outline the story they want to tell with the high-level tactics used in an attack, and then refer to the techniques, which provide the extra detail, to tell the story of how the attack was accomplished.

https://www.trendmicro.com/explore/knowledge-hub/knowledgehub-xdr/01436-v1-en-rpt

Example Story: Building an attack story in a common language

The goal of the attacker was to gain initial access to the network. Using a drive-by compromise, a spear-phishing link, and a trusted relationship, the attacker gained initial access through these techniques.  

Note: The framework lists all the known ways an attacker can gain initial access.

How does a Cybersecurity Solution help?

The solution maps its products' detections to the ATT&CK Framework, showing the tactic and technique for each detection, which demonstrates how we can help you address the challenges of detecting and responding to threats.

What about prevention?

Preventative controls are an important part of a threat mitigation strategy, adding resilience when under attack. Preventative controls were tested in the latest round, with the ability to deflect risk early on allowing organizations to spend more time on harder security problems.

MITRE ATT&CK vs Cyber Kill Chain

MITRE ATT&CK is designed to provide a deeper level of granularity in describing what can occur during an attack, which is a step forward from the Cyber Kill Chain. 

The steps of the Cyber Kill Chain are: 

  • Reconnaissance 

  • Intrusion 

  • Exploitation 

  • Privilege Escalation 

  • Lateral Movement 

  • Obfuscation / Anti-Forensics 

  • Denial of Service 

  • Exfiltration

MITRE ATT&CK Use cases

MITRE ATT&CK lets you organize techniques from the attacker's viewpoint and cross-reference them with countermeasures on the defense side, which enables the following use cases.

Adversary Emulation

Emulate a specific attacker: from the Groups in the knowledge base, extract the Techniques and attack scenarios that group uses, run that sequence of attacks, and verify whether defensive measures detect and counter them.

Red Teaming

Create attack scenarios for cyber exercises. The red team plays the role of the attacker, the blue team plays the role of defense, and the white team plays the role of control and judgment.

Behavioral Analytics Development

Rather than relying on IoCs and known threat information, use the ATT&CK knowledge base to analyze techniques and behavior patterns not yet covered by known indicators, and develop new countermeasures from them.

Defensive Gap Assessment

Identify what is deficient in the existing countermeasures of an organization. Determine priorities for investment.

SOC Maturity Assessment

Determine how effective the detection, analysis, and response by SOC are.

Cyber Threat Intelligence Enrichment

The analyst can deeply understand the actions of an attacker group and report on them. By retrieving data from the knowledge base, it is possible to clearly identify which tools a specific group has used, and which techniques and procedures the group has used when carrying out attacks. 

The MITRE ATT&CK website also provides an application called ATT&CK Navigator, which lets you annotate and visualize the matrix for the purposes described above.
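As an added example (not code from the original page or from Trend Micro), the Defensive Gap Assessment and ATT&CK Navigator use cases above in code: a constructed list of adversary techniques, seeded from the Initial Access story earlier on this page, is compared against the technique tags on constructed detection rules, and the result is emitted as a minimal Navigator-style layer. The technique IDs are real ATT&CK Enterprise IDs; the rule names are constructed, and the layer key names are an assumption to check against the current Navigator layer format before importing.

```python
import json

# Constructed sample, seeded from the Initial Access story on this page (drive-by
# compromise, spear-phishing link, trusted relationship) plus follow-on techniques.
# The IDs are real ATT&CK Enterprise technique IDs; the grouping is constructed.
ADVERSARY_TECHNIQUES = {
    "T1189": ("initial-access", "Drive-by Compromise"),
    "T1566.002": ("initial-access", "Spearphishing Link"),
    "T1199": ("initial-access", "Trusted Relationship"),
    "T1059.001": ("execution", "PowerShell"),
    "T1053.005": ("persistence", "Scheduled Task"),
    "T1003.001": ("credential-access", "LSASS Memory"),
    "T1550.002": ("lateral-movement", "Pass the Hash"),
}
# Constructed sample: our detection rules, tagged with the technique(s) each covers.
DETECTION_RULES = {
    "rule-powershell-encoded-command": ["T1059.001"],
    "rule-schtasks-create": ["T1053.005"],
    "rule-phishing-link-click": ["T1566.002"],
}

def covered_techniques(rules):
    """Set of technique IDs that at least one detection rule is tagged with."""
    return {tid for tids in rules.values() for tid in tids}

def gap_assessment(adversary, rules):
    """Split the adversary's techniques into (covered, gaps) using our detection tags."""
    covered = covered_techniques(rules)
    return ({t: m for t, m in adversary.items() if t in covered},
            {t: m for t, m in adversary.items() if t not in covered})

def gaps_by_tactic(gaps):
    """Group uncovered techniques by tactic so the largest blind spot stands out."""
    out = {}
    for tid, (tactic, name) in gaps.items():
        out.setdefault(tactic, []).append(f"{tid} {name}")
    return out

def navigator_layer(adversary, rules, name="detection gap assessment"):
    """Minimal Navigator-style layer (assumed key names): score 1 = detected, 0 = gap."""
    covered = covered_techniques(rules)
    return {
        "name": name,
        "domain": "enterprise-attack",
        "techniques": [
            {"techniqueID": tid, "tactic": tactic, "score": int(tid in covered),
             "comment": "detected" if tid in covered else "GAP: no detection rule"}
            for tid, (tactic, _) in adversary.items()
        ],
    }
```

Calling gap_assessment(ADVERSARY_TECHNIQUES, DETECTION_RULES) returns the three detected techniques and the four gaps (all three Initial Access techniques except the spear-phishing link, plus LSASS dumping and pass-the-hash), and json.dumps(navigator_layer(...), indent=2) gives a layer you can load into Navigator to see them on the matrix.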

MITRE ATT&CK 2024 Results for Enterprise Security


In 2024, MITRE Engenuity upped the game, simulating the most real-world modern attack techniques to date. To say Trend Micro crushed the assignment is an understatement. 

Our incredible 2024 performance in the MITRE Engenuity ATT&CK Evaluations is our fifth in a row and includes some of the highest scores ever recorded for any vendor. 

With over 161 billion threats blocked in 2023 - a 10% increase from 2022 - greater risk visibility is crucial to proactively stop even the most advanced attacks. 

This year’s evaluations focused on the tactics, techniques, and procedures (TTPs) of DPRK, CL0P, and LockBit, three of the most sophisticated and dangerous ransomware threats out there.
