MITRE ATT&CK is a knowledge base of attacker tactics and techniques based on real-world cyber attacks.
The ATT&CK knowledge base is used by the private sector, government agencies, and the cybersecurity products and services community as a foundation for developing threat models and defenses. ATT&CK is a community effort to develop more effective cybersecurity solutions, and it helps MITRE fulfill its mission of “solving problems for a safer world.”
ATT&CK is free, open to the public, and can be used by anyone.
Here, we hope that MITRE ATT&CK will help you understand how a real cyber-attack unfolds step by step, and give you an opportunity to review whether your cyber-attack countermeasures are effective.
The countermeasures we have in place now may turn out to be ineffective against a real attack.
ATT&CK has become an indispensable tool for both planning tests to simulate adversaries and for incident detection teams to track progress.
In addition, ATT&CK continues to expand to incorporate techniques used against macOS and Linux, techniques used against mobile devices, and strategies used by attackers to plan and execute pre-attack operations.
What is ATT&CK?
ATT&CK is primarily a knowledge base of attack methods, with a breakdown and classification of known attack methods against specific platforms such as Windows.
It is not a catalog of the tools and malware used by attackers; rather, it focuses on how attackers act against a system during an attack.
Each technique contains relevant information to help red teams and penetration testers understand the nature of the attack technique, and to help defenders understand what is involved in the events, logs, and other artifacts that are generated when the technique is used.
Tactics of ATT&CK
ATT&CK’s Tactics represent the “why” behind an ATT&CK technique.
Tactics are the adversary’s tactical objectives for performing an action, and they serve as categories for individual techniques; they cover the kinds of actions an attacker performs during an attack, such as maintaining access, discovering information, moving laterally, executing files, and exfiltrating data.
For the tactics (stages) seen in actual cyber attacks, please refer to the list of Tactics below.
About ATT&CK’s Techniques
Techniques in ATT&CK represent the “how”: the ways in which an attacker achieves tactical objectives by performing certain actions.
For example, an attacker can dump credentials from a host on the network and then use the obtained credentials to move laterally. Techniques can also represent the “what”: what an adversary gains by performing an action.
This can reveal what kind of information the attacker is trying to obtain through a particular action.
Since many methods (Techniques) can be used to achieve a tactical goal, there are usually multiple Techniques in each Tactics category.
Please see the list of Techniques below for techniques seen in actual cyber attacks.
The relationship between Tactics and Techniques can be visualized in the ATT&CK matrix.
For example, under the tactic “Persistence”, whose goal is to remain in the target environment, there is a series of techniques such as “AppInit DLL”, “New Service”, and “Scheduled Task”.
Each of these is one technique that an attacker might use to achieve the goal of Persistence.
The ATT&CK matrix is the most widely recognized part of ATT&CK; an excerpt is shown in the table below.
The matrix is often used to show the defense coverage of an environment, the detection capabilities of security products, and the results of incidents and Red Team activities, which is why it is the best-known part of ATT&CK.
ATT&CK’s list of Tactics
There are two lists of tactics in ATT&CK, Enterprise and Mobile; most of the items in the two overlap, but some tactics exist only in Mobile.
The basic attack process unfolds from the first tactic at the top to the final goal at the bottom, so let’s focus on what kind of attack process takes place.
ATT&CK’s list of Techniques
The techniques listed in ATT&CK, like the Tactics, come in Enterprise and Mobile versions.
Check what kinds of attack methods are used:
| ID | Technique |
|---|---|
| T1548 | Abuse Elevation Control Mechanism |
| T1134 | Access Token Manipulation |
| T1531 | Account Access Removal |
| T1071 | Application Layer Protocol |
| T1010 | Application Window Discovery |
| T1560 | Archive Collected Data |
| T1547 | Boot or Logon Autostart Execution |
| T1037 | Boot or Logon Initialization Scripts |
| T1217 | Browser Bookmark Discovery |
| T1612 | Build Image on Host |
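The matrix described above is simply a column per tactic with the techniques that serve it, and its most common defensive use is the coverage view mentioned earlier: which techniques in each column your detections actually address. The following is an added example (not MITRE’s code and not part of the original page) that builds that column view from the ten technique IDs and names in the table above, with the tactic assignments each carries in the ATT&CK Enterprise matrix, and then scores a detection-rule inventory against it. The rule names in `DETECTION_RULES` are constructed for illustration; the tactic order lists only the tactics present in this subset.

```python
from collections import defaultdict

# Constructed sample knowledge base: the ten Enterprise technique IDs and names
# from the page's technique list, each mapped to the ATT&CK tactic(s) it serves
# (tactic assignments as in the ATT&CK Enterprise matrix).
TECHNIQUES = {
    "T1548": ("Abuse Elevation Control Mechanism", ("Privilege Escalation", "Defense Evasion")),
    "T1134": ("Access Token Manipulation", ("Privilege Escalation", "Defense Evasion")),
    "T1531": ("Account Access Removal", ("Impact",)),
    "T1071": ("Application Layer Protocol", ("Command and Control",)),
    "T1010": ("Application Window Discovery", ("Discovery",)),
    "T1560": ("Archive Collected Data", ("Collection",)),
    "T1547": ("Boot or Logon Autostart Execution", ("Persistence", "Privilege Escalation")),
    "T1037": ("Boot or Logon Initialization Scripts", ("Persistence", "Privilege Escalation")),
    "T1217": ("Browser Bookmark Discovery", ("Discovery",)),
    "T1612": ("Build Image on Host", ("Defense Evasion",)),
}

# Column order for the tactics present in this subset, left to right as in the
# Enterprise matrix (the attack-process order the page describes).
TACTIC_ORDER = ["Persistence", "Privilege Escalation", "Defense Evasion",
                "Discovery", "Collection", "Command and Control", "Impact"]

# Constructed detection inventory: hypothetical rule names mapped to the
# technique IDs each rule claims to detect.
DETECTION_RULES = {
    "registry-run-key-autostart": ["T1547"],
    "logon-script-modification": ["T1037"],
    "browser-bookmark-file-enumeration": ["T1217"],
    "window-title-enumeration": ["T1010"],
}


def build_matrix(techniques):
    """Invert technique -> tactics into the matrix's column view
    {tactic: [technique_id, ...]}. A technique serving several tactics appears
    in every one of those columns, exactly as the ATT&CK matrix repeats it."""
    columns = defaultdict(list)
    for tid, (_, tactics) in techniques.items():
        for tactic in tactics:
            columns[tactic].append(tid)
    return {tactic: sorted(ids) for tactic, ids in columns.items()}


def detected_techniques(rules):
    """Flatten a rule inventory into the set of technique IDs it covers."""
    return {tid for tids in rules.values() for tid in tids}


def coverage(matrix, detected):
    """Per-tactic coverage as (covered, total) for each column."""
    return {tactic: (sum(1 for tid in ids if tid in detected), len(ids))
            for tactic, ids in matrix.items()}


def uncovered(matrix, detected):
    """Techniques in each column that no rule claims to detect: the gaps."""
    return {tactic: [tid for tid in ids if tid not in detected]
            for tactic, ids in matrix.items()}


def render(techniques, detected, order=TACTIC_ORDER):
    """Text rendering of the matrix, one tactic per block, with a coverage
    mark per technique cell. Returns the rendered string."""
    matrix = build_matrix(techniques)
    cov = coverage(matrix, detected)
    lines = []
    for tactic in order:
        if tactic not in matrix:
            continue  # tactic has no techniques in this subset
        covered, total = cov[tactic]
        lines.append(f"{tactic} ({covered}/{total})")
        for tid in matrix[tactic]:
            mark = "[x]" if tid in detected else "[ ]"
            lines.append(f"  {mark} {tid} {techniques[tid][0]}")
    return "\n".join(lines)


if __name__ == "__main__":
    detected = detected_techniques(DETECTION_RULES)
    print(render(TECHNIQUES, detected))
    print("\nGaps:", uncovered(build_matrix(TECHNIQUES), detected))
```

Two things the output makes visible that the prose alone does not: a technique such as T1547 counts toward both Persistence and Privilege Escalation, so a single rule can raise coverage in two columns, and a column with no rules at all (Defense Evasion, Collection, Command and Control, Impact in this sample) is a blind spot for a whole stage of the attack process. To run this against the full knowledge base rather than this ten-technique subset, `TECHNIQUES` would be populated from MITRE’s published STIX data instead of the hand-written dictionary.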