What is MITRE ATT&CK?

MITRE ATT&CK is a continuously updated cybersecurity database of threat actor behaviour. ATT&CK details attacker tactics, techniques, and procedures (TTPs) across the entire cyber-attack life cycle—hence the name.

The MITRE ATT&CK framework provides the cybersecurity community with information on more than 100 threat actor groups and the platforms they target.

The data within the framework comes from publicly available cyber threat intelligence reports and from contributions by security teams and threat researchers. ATT&CK is available for free to anyone who wants to use it.

Rather than just a repository of information, the framework is also used by private and public sector organisations to improve their security posture, produce threat models and methodologies, and speed up detections. 

Detection, investigation, and response platforms like SenseOn that map detection signals to the ATT&CK framework can help analysts better and more quickly identify adversary behaviour and mitigation steps. This can significantly improve threat detection and response times. 

History of the MITRE ATT&CK Framework

The ATT&CK (short for Adversarial Tactics, Techniques, and Common Knowledge) framework was created by the MITRE Corporation, a non-profit organisation that provides research and development, systems engineering, and information support to the federal government. 

Developed in 2013 for an internal research project, FMX, the framework, which takes an attacker’s point of view, was made available to the public in 2015. The knowledge base has undergone several changes since then. For instance, in the April 2021 release, 13 new techniques and 20 new sub-techniques were added to the Enterprise matrix.

Benefits of the MITRE ATT&CK Framework for Organisations

There are many advantages to using the MITRE ATT&CK framework. Here are some of the more popular use cases: 

ATT&CK Matrices

Because attackers tailor their tactics and techniques to their target’s environment, ATT&CK is broken down into three different matrices or “technology domains.” 

Enterprise 

The Enterprise matrix focuses on threat actors’ behaviour in Windows, macOS, Linux, SaaS, IaaS, Azure AD, PRE, Google Workspace, Office 365, Network, and Containers.

Mobile 

The Mobile matrix focuses on threat actors’ behaviour on mobile devices (Android and iOS). 

Industrial Control Systems (ICS)

The ICS matrix focuses on threat actors’ behaviour within an ICS network.

The MITRE ATT&CK Matrix

Siloed security tools and out-of-context alerts are significant problems for most modern security operations centres (SOCs). A security team working at an organisation with 1,000+ employees is likely to see at least 1,000 alerts per day, many of them false positives. Unsurprisingly, many security professionals report experiencing “alert fatigue.”

Each false-positive alert takes 32 minutes to resolve. Most organisations never address all alerts on the day they are issued and rarely get to the root cause of threats. As a result, both productivity and security suffer.  

When security professionals are stuck chasing false positives, they have less time to spend on critical tasks like endpoint hardening, proactive security, or threat investigation. Overwhelmed security professionals have also admitted to ignoring alerts when an alert queue is full. Predictably, the time it takes to identify and contain a breach is increasing. It now takes an organisation an average of 326 days to identify and stop a ransomware breach. In contrast, it only takes cybercriminals around two days to penetrate a business’s internal network.

Each ATT&CK matrix visually lays out tactics and techniques used by adversaries.

Attack tactics are displayed at the top, with individual techniques listed underneath. Each technique also has additional information, including mitigation and detection tips.  

Here, we look at the MITRE ATT&CK enterprise matrix specifically.

1. Tactics

The top-level category of ATT&CK, tactics describe threat actors’ objectives, i.e., the “what” they are attempting to achieve. 

Currently, the enterprise matrix outlines 14 tactics:

It’s important to note that a threat actor won’t necessarily always move through the different tactics linearly (i.e., from left to right). For instance, after Initial Access, a cybercriminal may move on straight to Exfiltration and only then carry out techniques that let them maintain a foothold on systems (Persistence). 

Adversaries also don’t need to use all the ATT&CK tactics to accomplish their goals. If threat actors can achieve their objective in fewer steps, they will do so: fewer steps improves their efficiency and reduces the likelihood of discovery by the target.

2. Techniques

Techniques refer to the methods cybercriminals use to achieve their objectives.

Each tactic has a number of techniques. Different threat actors will use different techniques to reach their goals. Their chosen technique can depend on several factors, including the target’s environment and the attacker’s skill level.

For example, to steal credentials (i.e., Credential Access), cybercriminals might use techniques like Brute Force, Network Sniffing, etc.

Adversaries can use one technique to accomplish several objectives. As such, a single technique can be classed under several tactics. For example, Abuse Elevation Control Mechanism appears under both Privilege Escalation and Defence Evasion.

At the moment, there are 191 identified techniques. Each technique includes:

2.1 Sub-techniques

Sub-techniques are more specific versions of a technique. Whereas a technique shows the general action an adversary might take, sub-techniques describe a particular way of carrying it out.

For example, there are four sub-techniques under the Brute Force technique: Password Guessing, Password Cracking, Password Spraying, and Credential Stuffing.  

Adversaries can use several techniques for one tactic. In a phishing campaign, cybercriminals may use both a Spearphishing Attachment and a Spearphishing Link to increase their chance of success. 

2.2 Metadata

The metadata part of each technique/sub-technique includes things like:

2.3 Description

The description part of each technique/sub-technique describes how the technique is commonly used by threat actors.

For example, under Phishing, we are told that cybercriminals use phishing to access victims’ systems and that they may use targeted (spearphishing) and non-targeted phishing. It also warns that phishing can be conducted through third-party services like social media platforms.

2.4 Procedure examples

Procedures describe how a particular technique or sub-technique has been used in the wild. 

For example, under Password Guessing, you can see that the malware variant Emotet has been noted to brute force user accounts by using a hardcoded list of passwords. On the other hand, the malware family Xbash brute forces user accounts with a list of weak credentials from a C2 server.

2.5 Mitigations

Mitigations outline how to defend against threat actors’ tactics and techniques. A single mitigation can address multiple tactics and techniques. 

For example, creating a Data Backup addresses data encryption, data destruction, etc. 

2.6 Detections

For every technique, MITRE provides several detection methods.

For example, under Brute Force, MITRE suggests that organisations monitor for the following to detect an in-progress brute force attack:

3. Groups

Groups are attacker groups, activity groups, threat actors, intrusion sets, and campaigns. 

Each group entry contains information on the group, associated group descriptions, and the techniques and software used. 

For example, Wizard Spider, the Russia-based threat group, is linked to 37 enterprise techniques and 16 types of software, including Ryuk and Emotet. The group is also known as UNC1878, TEMP.MixMaster, and Grim Spider.

The ATT&CK Navigator visualises how a group uses various techniques based on its tactics. 

4. Software

Software refers to open-source software, commercial and custom code, operating system utilities, and other tools used to carry out behaviours described by the framework. ATT&CK divides software into two groups:

5. Data sources

Data sources refer to the raw logs or events generated by systems like endpoints and network devices.

In each technique, under “Detection,” organisations can see the types of data they need to collect to detect that specific technique. 
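As an added example (not the page’s or SenseOn’s code), here is a small Python detector that reads constructed SSH authentication failures, the kind of data source the Brute Force detection guidance points to, and labels each noisy source with the Password Guessing or Password Spraying sub-technique from section 2.1. The log format, the thresholds and the ATT&CK sub-technique IDs are assumptions of this example rather than values taken from the page.

```python
import re
from collections import defaultdict

# Public ATT&CK IDs for two Brute Force (T1110) sub-techniques; the page
# names the sub-techniques but not their IDs (assumed here).
SUBTECHNIQUES = {
    "guessing": "T1110.001 Password Guessing",
    "spraying": "T1110.003 Password Spraying",
}

# Constructed sample log (not real data): one source hammers a single
# account, another tries many accounts once each, a third is benign.
SAMPLE_LOG = """\
2024-05-01T10:00:01 sshd: Failed password for alice from 203.0.113.7
2024-05-01T10:00:02 sshd: Failed password for alice from 203.0.113.7
2024-05-01T10:00:03 sshd: Failed password for alice from 203.0.113.7
2024-05-01T10:00:04 sshd: Failed password for alice from 203.0.113.7
2024-05-01T10:00:05 sshd: Failed password for alice from 203.0.113.7
2024-05-01T10:01:00 sshd: Failed password for bob from 198.51.100.9
2024-05-01T10:01:01 sshd: Failed password for carol from 198.51.100.9
2024-05-01T10:01:02 sshd: Failed password for dave from 198.51.100.9
2024-05-01T10:01:03 sshd: Failed password for erin from 198.51.100.9
2024-05-01T10:01:04 sshd: Failed password for frank from 198.51.100.9
2024-05-01T10:02:00 sshd: Failed password for alice from 192.0.2.5
2024-05-01T10:02:30 sshd: Accepted password for alice from 192.0.2.5
"""

LINE_RE = re.compile(r"^(\S+) sshd: Failed password for (\S+) from (\S+)$")

def parse_failures(log_text):
    """Return (source, user) pairs for failed-logon lines; ignore the rest."""
    pairs = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            pairs.append((m.group(3), m.group(2)))
    return pairs

def classify(log_text, guess_threshold=5, spray_threshold=5):
    """Map each noisy source IP to the sub-technique its failure pattern fits."""
    per_source = defaultdict(lambda: defaultdict(int))  # src -> user -> count
    for src, user in parse_failures(log_text):
        per_source[src][user] += 1
    findings = {}
    for src, users in per_source.items():
        if max(users.values()) >= guess_threshold:   # many tries, one account
            findings[src] = SUBTECHNIQUES["guessing"]
        elif len(users) >= spray_threshold:          # few tries, many accounts
            findings[src] = SUBTECHNIQUES["spraying"]
    return findings
```

A single failure followed by a success (192.0.2.5) stays below both thresholds and is not flagged, which is the baseline-versus-anomaly distinction the page describes.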

How Does the MITRE ATT&CK Compare to the Cyber Kill Chain?

Both the MITRE ATT&CK and the Cyber Kill Chain are cybersecurity frameworks used by organisations to assist in threat hunting and detection. 

The Cyber Kill Chain was developed by the global security and aerospace company Lockheed Martin. Based on the US military’s cyber kill chain, it is a popular framework that describes the sequence of events in an attack on an organisation’s environment.  

The Cyber Kill Chain consists of the following steps:

Whereas the ATT&CK is a “mid-level adversary model” (i.e., it looks at each attack stage in great detail through its techniques and sub-techniques), the Cyber Kill Chain is a high-level model (i.e., it notes attacker goals but doesn’t describe how they’re achieved in detail).

Also, while the Cyber Kill Chain is sequential (i.e., it begins with reconnaissance and ends with actions and objectives), the ATT&CK framework is not chronological. It expects threat actors to change their tactics and techniques during an attack. 

MITRE ATT&CK in Detection and Response

Effective threat detection and response requires a deep understanding of adversary techniques and mitigation actions.

By providing context, the MITRE ATT&CK framework allows analysts to figure out quickly:

Increasing the speed with which analysts can triage and investigate incidents means that organisations can get through more alerts more quickly. 

Because a high percentage of all alerts are false positives, this is an important capability. Recent research shows SOCs waste about 10,000 hours and $500,000 (around £406,000) every year to verify unreliable and incorrect alerts.

Unfortunately, analysts frequently suffer from “alert fatigue,” a phenomenon where an overwhelming number of alerts numb analysts tasked with responding to them and can lead to missed attacks.

Challenges with MITRE ATT&CK

The MITRE ATT&CK framework is not without its challenges. Some of the more important drawbacks of ATT&CK include:

The MITRE ATT&CK Framework and SenseOn

To help organisations detect and understand threats as early as possible, SenseOn has integrated the MITRE ATT&CK framework directly into its automated threat detection, investigation, and response solution. 

SenseOn maps every security observation it makes to the MITRE ATT&CK framework in real time.

Only behaviours that are actually malicious are flagged. To do this, SenseOn models behaviour on individuals, groups of users, and entire organisations to build a baseline of normal activity. When a behaviour different from the baseline is noted, SenseOn logs it as an “Observation.” However, it doesn’t immediately flag it (although analysts can view these Observations at any point via the SenseOn dashboard).

Instead, SenseOn uses a new technology, known as a “Universal Sensor,” to collect and correlate data across the various layers of an organisation’s IT infrastructure (endpoint devices, cloud infrastructure, the network, and investigator microservices). When other behaviour related to the Observation is discovered, SenseOn creates a threat “Case.”

Cases are mapped visually. The sequence of events is laid out in chronological order, the relationship between affected devices is displayed clearly, and each observed behaviour is mapped to a technique in the ATT&CK framework. We also include a link to the corresponding ATT&CK technique on the MITRE ATT&CK framework website for analysts’ convenience.

Analysts can, therefore, immediately know what type of attack is in progress, who is likely targeting them, and what they should do to stop the attack. 

Through automation of threat detection, investigation, and response, SenseOn helps defenders prevent, detect, and respond to attacks quickly and before substantial damage is done.

Try a demo of SenseOn today.
