MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a globally accessible knowledge base that provides detailed insights into the tactics, techniques, and procedures (TTPs) used by cyber adversaries. It breaks down the actions taken by attackers in a systematic way, allowing organizations to anticipate, detect, and respond to potential intrusions.
Key Components of MITRE ATT&CK:
- Tactics: The “why” behind an attack, representing the adversary’s tactical objectives. Examples include Initial Access, Persistence, Privilege Escalation, and Exfiltration.
- Techniques: The “how” — specific methods used by attackers to achieve each tactic, such as Spear Phishing for Initial Access or Credential Dumping for Credential Access.
- Sub-techniques: More granular explanations of how techniques are implemented, allowing for deeper insights into specific attack methods.
- Procedures: Real-world examples of techniques as used by specific threat actors. These are often specific details of how a particular group executes attacks, providing valuable context for defense planning.
Practical Use of MITRE ATT&CK in an Organization:
- Threat Intelligence Integration: Many organizations use MITRE ATT&CK as a reference to map observed threats, helping them understand how adversaries might target their systems.
- Incident Detection and Response: MITRE ATT&CK is invaluable for creating rules and alerts in SIEM (Security Information and Event Management) systems. For instance, if you detect lateral movement, you can use ATT&CK to identify specific techniques and adjust defenses accordingly.
- Red and Blue Team Exercises: For cybersecurity teams, ATT&CK provides a common language and structure for planning and executing red and blue team operations, from creating specific scenarios for red teams to formulating blue team defense strategies.
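The Incident Detection and Response use above, as an added illustration that is not part of the original page: detection rules tagged with ATT&CK technique IDs are resolved through the technique and sub-technique hierarchy to their tactics, giving a coverage view of which tactics have detections and which do not. The tactic and technique IDs are taken from the public ATT&CK knowledge base; the detection rules and the `coverage_report` helper are constructed for this example.

```python
"""Roll constructed SIEM detection rules up to ATT&CK tactics and report coverage gaps.
Added example, not from the original page. IDs come from the public ATT&CK knowledge
base; the rules below are constructed."""
import re
from collections import defaultdict

# Minimal slice of ATT&CK: tactic ID -> name, technique ID -> (name, tactic IDs).
TACTICS = {"TA0001": "Initial Access", "TA0006": "Credential Access", "TA0008": "Lateral Movement"}
TECHNIQUES = {
    "T1566": ("Phishing", ["TA0001"]),
    "T1566.001": ("Spearphishing Attachment", ["TA0001"]),
    "T1003": ("OS Credential Dumping", ["TA0006"]),
    "T1021": ("Remote Services", ["TA0008"]),
}
TECH_ID = re.compile(r"^T\d{4}(\.\d{3})?$")  # Txxxx or Txxxx.yyy (sub-technique)

def parent_technique(tech_id):
    """T1566.001 -> T1566; a top-level technique is its own parent."""
    return tech_id.split(".")[0]

def tactics_for(tech_id):
    """Resolve a technique or sub-technique ID to tactic names.
    A sub-technique missing from our slice inherits its parent's tactics;
    malformed or unknown IDs raise so typos in rule metadata are caught."""
    if not TECH_ID.match(tech_id):
        raise ValueError(f"malformed ATT&CK technique ID: {tech_id}")
    entry = TECHNIQUES.get(tech_id) or TECHNIQUES.get(parent_technique(tech_id))
    if entry is None:
        raise ValueError(f"unknown ATT&CK technique ID: {tech_id}")
    return [TACTICS[t] for t in entry[1]]

def coverage_report(rules):
    """rules: list of {'name': str, 'attack': [technique IDs]} (constructed SIEM rule metadata).
    Returns (tactic name -> sorted rule names covering it, tactics with no detection)."""
    covered = defaultdict(set)
    for rule in rules:
        for tech in rule["attack"]:
            for tactic in tactics_for(tech):
                covered[tactic].add(rule["name"])
    gaps = sorted(name for name in TACTICS.values() if name not in covered)
    return {t: sorted(r) for t, r in covered.items()}, gaps

# Constructed detection rules, each tagged with the technique it is meant to catch.
RULES = [
    {"name": "Office child process spawns script host", "attack": ["T1566.001"]},
    {"name": "Suspicious access to LSASS process memory", "attack": ["T1003"]},
]

if __name__ == "__main__":
    report, gaps = coverage_report(RULES)
    for tactic, rule_names in report.items():
        print(f"{tactic}: {rule_names}")
    print("no detections for:", gaps)
```

With the two constructed rules, Initial Access and Credential Access each show one covering rule, while Lateral Movement is reported as a gap the team still needs to address.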