MITRE ATT&CK® is an invaluable resource for IT security teams, who can leverage the framework to enhance their cyber threat intelligence, improve threat detection capabilities, plan penetration testing scenarios, and assess cyber threat defenses for gaps in coverage.
In this week’s blog post, we’ll explain more about MITRE ATT&CK and how organizations can use the framework to support their security log analytics initiatives, enhance threat defenses and protect their infrastructure and data from cyber adversaries.
The MITRE ATT&CK framework derives its name from the MITRE Corporation that maintains it and the acronym ATT&CK, which stands for Adversarial Tactics, Techniques, and Common Knowledge. The framework is publicly accessible and serves as a knowledge base of techniques used by cyber adversaries to target enterprise IT systems.
Techniques are the building blocks of the MITRE ATT&CK Matrix. All ATT&CK techniques described in the framework have been used by cyber attackers and criminal organizations in the real world to infiltrate the networks of targeted organizations and steal their data. At the time of writing, the framework contains information on 235 different techniques. In 2024, MITRE introduced ATT&CK v.15, addressing both well-known and emerging behaviors used by threat actors, such as using generative AI to support malicious activities.
For each ATT&CK technique, the framework includes:
Image Source: MITRE ATT&CK Framework - Active Scanning
The adversarial technique Active Scanning is described in the MITRE ATT&CK framework as probing the victim’s infrastructure via network traffic. The listed sub-techniques describe two ways adversaries can do this: by scanning IP blocks, or by scanning the target host for vulnerabilities to a known exploit. Active Scanning is categorized as a reconnaissance technique, meaning that it’s used to collect information from the target organization before escalating adversarial activities.
Techniques in the MITRE ATT&CK framework are categorized under 14 tactics that span the entire cyber kill chain - from initial information-gathering, through to data exfiltration and additional impacts of the attack.
The MITRE ATTACK framework provides cyber resiliency tactics, techniques, and procedures for defending your systems against threat actors throughout the cyber attack lifecycle, otherwise known as the cyber kill chain.
When cyber criminals target organizational IT, we know their ultimate goal is going to be data exfiltration.
We can predict what the adversary behavior will be:
The 14 tactics described in the MITRE ATT&CK framework are an extension of this general pattern of action. They cover all of the short-term goals and objectives that cyber adversaries try to accomplish on their way to successfully stealing your data. Techniques are the specific methods used to accomplish these tactical objectives - that’s why each technique is listed according to the tactic it serves.
The 14 tactics can be summarized as follows:
The MITRE ATT&CK framework also contains information about known cyber threat groups around the world.
For each known threat group, the framework describes what kinds of organizations they target, the techniques they’ve used in past attacks, and software programs they’ve used to attack target networks.
Finally, the framework includes a database of software programs that were used in malicious cyber attacks.
MITRE ATT&CK Framework image depicts the MITRE ATT&CK Matrix, with 14 tactics detailed, along with techniques and sub-techniques threat actors use to exfiltrate data.
If cyber security was an exam, the MITRE ATT&CK framework is like a cheat sheet for detection and response.
The framework can tell your organization which cyber threat groups to watch out for, which specific techniques or software programs might be used to target your business, and how to detect and mitigate against the adversarial techniques described in the framework.
With high-quality information on adversary groups, the techniques they’re likely to use, and how they will behave once they access the target network, IT security teams can make targeted improvements to threat detection systems that increase the likelihood of containing and eradicating a threat before a data breach occurs.
To use the MITRE ATT&CK framework effectively, organizations can map detected adversary behaviors to the techniques in the framework. This helps in identifying gaps in defenses and prioritizing security measures. Security teams can utilize the framework for threat hunting in a security lake, red teaming, and improving incident response strategies. By understanding the specific techniques used by adversaries, organizations can create more robust and targeted defenses. The framework also supports sharing of threat intelligence, allowing for a collaborative approach to cybersecurity across different sectors.
By using the MITRE ATT&CK framework for threat hunting, security teams can proactively search for signs of malicious activity within their networks. This approach shifts the focus from reactive to proactive defense, enabling teams to detect and mitigate threats before they cause significant damage. For instance, by identifying patterns of lateral movement or unusual data collection, security professionals can intervene early, stopping adversaries from progressing through their attack lifecycle. Red teaming exercises, which simulate real-world attacks, can also benefit from the ATT&CK framework by using it to design realistic attack scenarios that test the organization’s defenses against known techniques. We’ll explore more of these MITRE ATTACK Framework use cases in the next section.
Finally, the MITRE ATT&CK framework can significantly enhance incident response strategies. When an incident occurs, having a detailed understanding of the adversary’s techniques allows responders to quickly pinpoint the methods used and predict possible next steps. This insight speeds up the containment and eradication phases of incident response, minimizing the impact on the organization. Plus, documenting incidents in the context of the ATT&CK framework facilitates better post-incident review and lessons learned. This continuous improvement cycle strengthens the organization’s overall security posture, making it more resilient against future attacks.
Cyber threat intelligence is all about understanding the cyber threat groups that matter to your organization, including their motives, typical targets, behaviors, and preferred software/techniques. IT security teams can use the MITRE ATT&CK framework to access specific information on the behaviors of known threat groups, then identify strategies to detect and mitigate their preferred techniques.
IT analysts can leverage the framework to categorize and better understand network security events. When suspicious activity is detected on the network, analysts can investigate the behavior to determine:
From there, security analysts can start correlating the suspicious activity to known threat groups or software programs and identifying ways to shut down the attack.
Ultimately, cyber threat intelligence should allow the organization to prioritize which techniques and tactics to defend against based on the perceived threat level from malicious groups.
Each technique in the MITRE ATT&CK framework includes a metadata field called “Data Sources”. This field lists specific types of data that organizations should collect to gain the visibility needed to detect that technique.
Common data sources include user authentication logs, file and registry monitoring, packet capture, process monitoring, Windows registry, Windows event logs, and process command-line parameters.
Image Source: MITRE ATT&CK Framework - Active Scanning
The framework tells us that IT security teams can enhance their ability to detect Active Scanning by capturing, storing, and analyzing packets and network device logs.
To enable threat detection and threat hunting using log analytics, organizations must be able to capture log and event data from these sources and store the data in a centralized repository, such as a security data lake. From there, the data must be cleaned and indexed before it can be queried by the organization’s log analytics/SIEM tool.
Many organizations are using the ELK stack (Logstash + Elasticsearch + Kibana) to support their threat detection efforts, but there’s now an even better way: ChaosSearch streamlines the threat detection process by empowering organizations to analyze log files and conduct SIEM analytics directly in Amazon S3 buckets with no data movement and no ETL process.
Leveraging the Elastic API and an integrated Kibana dashboard, ChaosSearch allows IT security teams to index log files at scale for unlimited data retention, build queries and analytics to detect known cyber threat signatures, and utilize monitoring and alerts to notify IT personnel of suspicious behavior and streamline incident response. These techniques can help teams embrace proactive security engineering best-practices.
Organizations can visit the MITRE Cyber Analytics Repository to access threat-detection analytics written by the global cybersecurity community. Other cybersecurity resources, such as the OCSF Framework, can also be incredibly valuable for threat hunting.
A third use case for the MITRE ATT&CK framework is penetration testing and cyber threat emulation.
Once your security team writes an analytic or configures security monitoring to detect an adversarial technique, penetration testing or adversary emulation can be used to evaluate the effectiveness of the implemented threat detection measures.
As a starting point, IT security teams can access Atomic Red Team, a collection of scripts used to simulate adversarial behaviors so organizations can test their threat detection capabilities and verify that monitoring/alerts are working as planned.
Image Source: Atomic Red Team
Atomic Red Team builds security tests that are mapped to specific techniques in the MITRE ATT&CK framework, allowing IT security teams to quickly and easily test their defenses against known adversarial techniques.
The process here is simple:
Organizations with red team/blue team capabilities can construct more complex adversary emulation scenarios using the MITRE framework. Red teams can map their activities onto the framework or model adversarial behaviors in an emulation scenario on the preferred techniques of a known threat group.
Once the scenario is finalized, the red team will stage an attack on the network while the blue team works to detect, investigate, and contain threats. Following the exercise, red and blue teams can work together to evaluate the effectiveness of threat detection systems and identify opportunities for improvement.
A final use case for the MITRE ATT&CK framework is threat coverage gap assessment.
IT security teams can map existing threat detection capabilities onto the MITRE ATT&CK framework to identify gaps in their defenses. They can identify the cyber threat groups which are most likely to target them and compare their threat coverage to the preferred techniques used by those organizations.
This process can help reveal the highest-priority areas where security teams should focus on implementing threat detection or mitigation solutions.
The MITRE ATT&CK framework provides techniques, procedures, and tips rooted in real-world observations, on how threat actors infiltrate targeted networks and steal data. Most importantly, the framework tells IT security teams how to detect each technique and which types of log data they’ll need to succeed.
Armed with this information, IT security teams can use log analytics software to collect log and event data from the necessary sources, build custom analytics and alerts to detect threats, and strengthen the organization’s overall security posture against cyber threat groups. When combined with a security data lake like Amazon Security Lake, log analytics tools can be powerful parts of a proactive threat hunting strategy.