Let’s understand the attack process of cyber attacks with MITRE ATT&CK. How can we protect ourselves from cyber attacks?

MITRE ATT&CK is a knowledge base on attacker tactics and techniques based on real cyber attacks.


The ATT&CK knowledge base is used by the private sector, government agencies, and the cybersecurity product and service community as a foundation for developing threat models and defenses. ATT&CK is a community effort to develop more effective cybersecurity solutions in support of MITRE's mission of "solving problems for a safer world."

ATT&CK is free, open to the public, and can be used by anyone.

Here, we hope MITRE ATT&CK will help you understand how a real cyber attack is carried out, step by step, and give you an opportunity to review whether your countermeasures are effective.

The countermeasures you have in place today may turn out to be of little use against the way a real attack actually proceeds.

ATT&CK has become an indispensable tool both for planning adversary emulation tests and for detection and incident response teams tracking which attacker behaviours they can and cannot see.

In addition, ATT&CK continues to expand: beyond Windows it covers techniques used against macOS and Linux, techniques used against mobile devices, and the activity attackers carry out before the first intrusion (the former PRE-ATT&CK matrix, now folded into Enterprise as the Reconnaissance and Resource Development tactics).

What is ATT&CK?

ATT&CK is primarily a knowledge base of attack methods: a breakdown and classification of known attack techniques against specific platforms such as Windows.

Its core is not a catalogue of the tools and malware attackers use (those are tracked as supporting "Software" and "Group" entries); it focuses on how attackers behave while they are attacking a system.

Each technique carries information that helps red teams and penetration testers understand the nature of the technique, and helps defenders understand what is involved in the events, logs, and other artifacts generated when the technique is used.

Tactics of ATT&CK

ATT&CK's Tactics represent the "why" behind a technique.

A tactic is the tactical objective an adversary is pursuing when performing an action. It serves as a category for individual techniques and covers the kinds of things an attacker does during an attack, such as gaining persistence, discovering information, moving laterally, executing code, and exfiltrating data.

For the tactics (the stages of a real cyber attack), see the list further down.

About ATT&CK’s Techniques

Techniques in ATT&CK represent the "how": the ways an attacker achieves a tactical objective by performing certain actions.

For example, an attacker can dump credentials from memory or from the system's credential stores, then use the obtained credentials for lateral movement. Techniques can also represent the "what" an adversary gains by performing an action.

This reveals what kind of information the attacker is trying to obtain through a particular action.

Since there are many ways to achieve a tactical goal, each Tactic category usually contains multiple Techniques.

Please see below for techniques in actual cyber attacks.

ATT&CK matrix

The relationship between Tactics and Techniques is visualized in the ATT&CK matrix: one column per tactic, with the techniques that serve that tactic listed beneath it.

For example, under the tactic "Persistence", which is about remaining in the target environment, earlier versions of the matrix listed techniques such as "AppInit DLL", "New Service", and "Scheduled Task" (in current versions these appear as the sub-technique "Event Triggered Execution: AppInit DLLs", the sub-technique "Create or Modify System Process: Windows Service", and "Scheduled Task/Job").

Each of these is one technique an attacker might use to achieve the goal of Persistence. A technique that serves more than one tactic appears in more than one column.

The ATT&CK matrix is the most widely recognized part of ATT&CK and is shown in the table below. It is often used to show the defensive coverage of an environment, the detection capabilities of security products, and the results of incidents and Red Team engagements, which is why it is the part of ATT&CK most people know.
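The coverage use of the matrix described above, as an added example that is not code from the original page or from MITRE: a small Python script builds the tactic-by-technique matrix from a slice of the Enterprise matrix, marks which techniques a set of detections covers, reports coverage per tactic and the uncovered techniques, and emits a dict shaped like an ATT&CK Navigator layer. The technique IDs, names and tactic assignments are real ATT&CK data; the subset chosen, the detection rules, and the exact Navigator layer field names and layer version are constructed assumptions.

```python
"""Tactic x technique coverage over a slice of the ATT&CK Enterprise matrix.

Added example, not code from the original page or from MITRE. Technique IDs,
names and tactic assignments are real; the subset, the detection rules and the
Navigator layer field names are constructed for illustration.
"""
import json
from collections import defaultdict

# technique ID -> (name, tactics it appears under). A technique can sit under
# several tactics, which is why the same technique shows up in several columns.
TECHNIQUES = {
    "T1548": ("Abuse Elevation Control Mechanism", ["privilege-escalation", "defense-evasion"]),
    "T1134": ("Access Token Manipulation", ["privilege-escalation", "defense-evasion"]),
    "T1087": ("Account Discovery", ["discovery"]),
    "T1110": ("Brute Force", ["credential-access"]),
    "T1053": ("Scheduled Task/Job", ["execution", "persistence", "privilege-escalation"]),
    "T1003": ("OS Credential Dumping", ["credential-access"]),
    "T1020": ("Automated Exfiltration", ["exfiltration"]),
}

# Hypothetical detection rules (constructed): rule name -> technique IDs it covers.
DETECTIONS = {
    "lsass-handle-access": ["T1003"],
    "schtasks-create-from-user-session": ["T1053"],
    "failed-logon-burst": ["T1110"],
}


def build_matrix(techniques):
    """Return tactic -> sorted technique IDs, i.e. the columns of the matrix."""
    matrix = defaultdict(list)
    for tid, (_name, tactics) in techniques.items():
        for tactic in tactics:
            matrix[tactic].append(tid)
    return {tactic: sorted(ids) for tactic, ids in matrix.items()}


def covered_ids(techniques, detections):
    """Technique IDs with at least one detection rule mapped to them.

    An unknown ID is an error rather than being ignored: a typo in a rule's
    mapping would otherwise silently inflate the coverage figure."""
    covered = set()
    for rule, ids in detections.items():
        for tid in ids:
            if tid not in techniques:
                raise ValueError(f"detection {rule!r} maps to unknown technique {tid}")
            covered.add(tid)
    return covered


def coverage(techniques, detections):
    """tactic -> (covered, total) technique counts for that column."""
    covered = covered_ids(techniques, detections)
    return {
        tactic: (sum(1 for tid in ids if tid in covered), len(ids))
        for tactic, ids in build_matrix(techniques).items()
    }


def uncovered(techniques, detections):
    """Technique IDs with no detection at all: the gaps to plan red-team work against."""
    covered = covered_ids(techniques, detections)
    return sorted(tid for tid in techniques if tid not in covered)


def navigator_layer(techniques, detections, name="detection coverage"):
    """Dict in the shape of an ATT&CK Navigator layer. Field names and the layer
    version are assumed; check them against the Navigator version you use."""
    covered = covered_ids(techniques, detections)
    cells = []
    for tactic, ids in build_matrix(techniques).items():
        for tid in ids:  # one cell per (technique, tactic) pair, as in the matrix
            cells.append({
                "techniqueID": tid,
                "tactic": tactic,
                "score": 1 if tid in covered else 0,
                "comment": "covered" if tid in covered else "no detection",
            })
    return {
        "name": name,
        "domain": "enterprise-attack",
        "versions": {"layer": "4.4"},  # assumed layer schema version
        "techniques": cells,
    }


if __name__ == "__main__":
    for tactic, (hit, total) in sorted(coverage(TECHNIQUES, DETECTIONS).items()):
        print(f"{tactic:22s} {hit}/{total}")
    print("uncovered:", ", ".join(uncovered(TECHNIQUES, DETECTIONS)))
    print(json.dumps(navigator_layer(TECHNIQUES, DETECTIONS), indent=2))
```

With the constructed rules, Credential Access shows 2/2 while Defense Evasion shows 0/2 even though T1548 and T1134 are "known": a detection mapped to one tactic does not buy coverage under the other tactics the same technique serves, so read coverage per column, not per technique ID.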

ATT&CK’s list of Tactics

ATT&CK lists tactics for two domains, Enterprise and Mobile. Most of the tactics overlap between the two, but some exist only in Mobile.

The tactics are listed roughly in the order in which an attack unfolds, so reading them from top to bottom gives you the overall attack process. Let's focus on what that process looks like.

ATT&CK’s list of Techniques

Like the tactics, the techniques in ATT&CK are split into Enterprise and Mobile.

Use the list to check what kinds of attack methods are used.

Enterprise Techniques

T1548 Abuse Elevation Control Mechanism
T1134 Access Token Manipulation
T1531 Account Access Removal
T1087 Account Discovery
T1098 Account Manipulation
T1583 Acquire Infrastructure
T1595 Active Scanning
T1071 Application Layer Protocol
T1010 Application Window Discovery
T1560 Archive Collected Data
T1123 Audio Capture
T1119 Automated Collection
T1020 Automated Exfiltration
T1197 BITS Jobs
T1547 Boot or Logon Autostart Execution
T1037 Boot or Logon Initialization Scripts
T1217 Browser Bookmark Discovery
T1176 Browser Extensions
T1110 Brute Force
T1612 Build Image on Host
T1115 Clipboard Data