At a high level, ATT&CK is a behavioral model that consists of the following core components.
- Tactics, denoting short-term, tactical adversary goals during an attack.
- Techniques, describing the means by which adversaries achieve tactical goals.
- Sub-techniques, describing more specific means by which adversaries achieve tactical goals at a lower level than techniques.
- Documented adversary usage of techniques, their procedures, and other metadata.
ATT&CK is organized in a series of technology domains, the ecosystem an adversary operates within. Currently, there are three technology domains:
- ATT&CK for Enterprise: This iteration focuses on adversarial behavior in Windows, Mac, Linux, and Cloud environments.
- ATT&CK for Mobile: This iteration focuses on adversarial behavior on iOS and Android operating systems.
- ATT&CK for ICS: This iteration focuses on describing the actions an adversary may take while operating within an ICS network.
Within each domain are platforms, which may be an operating system or application, for example, Microsoft Windows. Techniques and sub-techniques can apply to multiple platforms.
IMPORTANT: Both MITRE ATT&CK® and ATT&CK® are registered trademarks of the MITRE Corporation. © 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
The ATT&CK Model
The basis of ATT&CK is the set of techniques and sub-techniques that represent actions that adversaries can perform to accomplish objectives. Those objectives are represented by the tactic categories the techniques and sub-techniques fall under. This relatively simple representation strikes a useful balance between sufficient technical detail at the technique level and the context around why actions occur at the tactic level.
The relationship between tactics, techniques, and sub-techniques can be visualized in the ATT&CK Matrix. For example, under the Persistence tactic (the adversary's goal here is to persist in the target environment), there are a series of techniques including Hijack Execution Flow, Pre-OS Boot, and Scheduled Task/Job. Each of these is a single technique that adversaries may use to achieve the goal of persistence. Furthermore, some techniques can be broken down into sub-techniques that describe in more detail how those behaviors can be performed. For example, Pre-OS Boot has three sub-techniques, Bootkit, Component Firmware, and System Firmware, which describe how persistence is achieved before an operating system boots. Figure 2 depicts the Persistence tactic with its techniques, and four techniques expanded to show their sub-techniques: Account Manipulation, Pre-OS Boot, Scheduled Task/Job, and Server Software Component.
About Adversaries and Techniques
A cyber adversary is a person, group, organization, or government that conducts or has the intent to perform malicious actions against other cyber resources.
Techniques are the ways in which adversaries perform actions to achieve a tactical goal.
For example: An adversary uses the Access Token Manipulation technique to modify access tokens so as to operate under a different user or system security context, perform actions, and bypass access controls.
For more information on Techniques, see https://attack.mitre.org/techniques/enterprise/.
There are 3 categories in Techniques:
- Enterprise: This Techniques category displays a total of 201 Techniques. For more information, see https://attack.mitre.org/techniques/enterprise/.
- Mobile: This Techniques category displays a total of 72 Techniques. For more information, see https://attack.mitre.org/techniques/mobile/.
- ICS: This Techniques category displays a total of 81 Techniques. For more information, see https://attack.mitre.org/techniques/ics/.
Tactics
Tactics represent the tactical goal of the adversary. They provide information about the reason for performing an action.
For example: If the Tactic name is Reconnaissance, it represents that the adversary may want to achieve credential access.
For more information on Tactics, see https://attack.mitre.org/tactics/enterprise/.
There are 3 categories in Tactics:
- Enterprise: This Tactics category displays a total of 14 Tactics. For more information, see https://attack.mitre.org/tactics/enterprise/.
- Mobile: This Tactics category displays a total of 14 Tactics. For more information, see https://attack.mitre.org/tactics/mobile/.
- ICS: This Tactics category displays a total of 12 Tactics. For more information, see https://attack.mitre.org/tactics/ics/.
Sub-Techniques
Sub-techniques are the multiple ways in which an adversary can execute the main Technique. Specifically, a Sub-technique describes a particular implementation of a technique in more detail; Sub-techniques are therefore more detailed adversary actions.
For example: A technique such as Phishing has 4 sub-techniques, which provide more detail about how adversaries send phishing messages to gain access to systems.
There are 424 Sub-techniques listed under the Enterprise Techniques list. For more information, see https://attack.mitre.org/techniques/enterprise/.
There are 42 Sub-techniques listed under the Mobile Techniques list. For more information, see https://attack.mitre.org/techniques/mobile/.
There are no Sub-techniques listed under the ICS Techniques list.
Mitigations
Mitigations represent security concepts and classes of technologies that can be used to prevent a technique or sub-technique from being successfully executed.
For example: The Mitigation Audit represents performing audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.
There are 43 Mitigations listed under the Enterprise Mitigations list. For more information, see https://attack.mitre.org/mitigations/enterprise/.
There are 12 Mitigations listed under the Mobile Mitigations list. For more information, see https://attack.mitre.org/mitigations/mobile/.
There are 52 Mitigations listed under the ICS Mitigations list. For more information, see https://attack.mitre.org/mitigations/ics/.
Procedure Examples
A procedure is the specific details of how an adversary carries out a technique to achieve a tactic.
For example: MITRE ATT&CK lists how the adversary APT19 (G0073) used a watering hole attack to perform a Drive-by Compromise (Technique T1189) and gain Initial Access (Tactic TA0001) via forbes.com in 2014.
For more information on Procedure Examples, see https://attack.mitre.org/resources/faq/#faq-0-2-header and https://attack.mitre.org/groups/G0032/.
Note: NetWitness Platform uses ATT&CK for Enterprise.
MITRE ATT&CK Integration with NetWitness Platform
MITRE ATT&CK is integrated with NetWitness Platform to help analysts look into the various techniques and tactics associated with Incidents, alerts, and events. The new ATT&CK© Explorer Panel, introduced in the Respond and Investigate views, lets you view detailed information on the Tactics, Techniques, Sub-Techniques, Mitigations, and Procedure Examples associated with those Incidents, alerts, and events.
NetWitness Live is integrated with the MITRE ATT&CK framework so that analysts can view the MITRE ATT&CK Tactics and MITRE ATT&CK Techniques associated with Application Rules and Event Stream Analysis Rules.
The Service Details Right panel ((Configure) > Policies > Content > Content Library > Application Rule or Event Stream Analysis Rule > click a row > Service Details Right panel) is enhanced to provide information about the MITRE ATT&CK Tactics and MITRE ATT&CK Techniques. You can tag MITRE ATT&CK Tactics and MITRE ATT&CK Techniques while creating a custom Application Rule or Event Stream Analysis Rule.
For more information on MITRE ATT&CK integration in the Investigate view, see NetWitness Investigate User Guide for 12.4.
For more information on MITRE ATT&CK integration in CCM, see Policy-based Centralized Content Management Guide for 12.4.
Incident List View Enhancement
In 12.4, the Incident List view is enhanced with a MITRE ATT&CK Tactics column that displays the Tactic associated with each Incident. The new ATT&CK© Explorer Panel populates when you click any Tactic in the MITRE ATT&CK Tactics column.
Incident Overview Panel Enhancement
In 12.4, the Incident Overview Panel is enhanced with MITRE ATT&CK Tactics and MITRE ATT&CK Techniques fields. Refer to the following figure.
The new ATT&CK© Explorer Panel populates when you click the Tactic or Technique in the Incident Overview Panel.
Incident Filters Panel Enhancement
In 12.4, the Incident Filters panel is enhanced with the new filters MITRE ATT&CK TACTICS and MITRE ATT&CK TECHNIQUES. You can filter Incidents on the basis of the MITRE ATT&CK Tactics and Techniques associated with them. Refer to the following figure.
Alerts List View Enhancement
In 12.4, the Alerts List view is enhanced with a MITRE ATT&CK Tactics column that displays the Tactic associated with each alert. The new ATT&CK© Explorer Panel populates when you click any Tactic in the MITRE ATT&CK Tactics column.
Alerts Details View Enhancement
In 12.4, the Overview panel in the Alerts Details view is enhanced with MITRE ATT&CK Tactics and MITRE ATT&CK Techniques fields.
The new ATT&CK© Explorer Panel populates when you click any Tactic or Technique in the Overview panel in Alerts Details view.
Alerts Filters Panel Enhancement
In 12.4, the Alerts Filters panel is enhanced with the new filters MITRE ATT&CK TACTICS and MITRE ATT&CK TECHNIQUES. You can filter alerts on the basis of the MITRE ATT&CK Tactics and Techniques associated with them. Refer to the following figure.
Alert Overview Panel Enhancement
In 12.4, the Alert Overview Panel is enhanced with MITRE ATT&CK Tactics and MITRE ATT&CK Techniques fields. Refer to the following figure.
The new ATT&CK© Explorer Panel populates when you click the Tactic or Technique in the Alert Overview Panel.
ATT&CK© Explorer Panel
ATT&CK© Explorer Panel provides information about the adversary tactics and techniques associated with the Incidents and alerts in the Respond view. The following table describes the various fields in the ATT&CK© Explorer Panel.
Fields | Description |
---|---|
MITRE ATT&CK Tactics | Displays the type of tactic associated with the Incident. For example: Credential Access. The Credential Access tactic covers attempts to steal account names and passwords. For more information, see https://attack.mitre.org/tactics/enterprise/. |
ATT&CK ID | Displays the Tactics ID associated with the Tactic. For example: TA0006. The Tactics ID TA0006 is associated with the Tactic Credential Access. |
Description | Displays the detailed information about the Tactic associated with the particular incident. |
Techniques | Displays the ID, Name, and Description of the various Techniques and Sub-Techniques associated with the Tactics. Note: Techniques are the ways in which an adversary tries to achieve a tactical goal by performing an action. Sub-Techniques describe adversarial behavior at a lower level than a technique. For more information, see https://attack.mitre.org/resources/faq/#faq-0-0-header and https://attack.mitre.org/techniques/enterprise/. |
Sub-Techniques | Displays the ID, Name, and Description of the various Sub-Techniques associated with the Techniques. Note: Sub-Techniques describe adversarial behavior at a lower level than a technique. |
Mitigations | Displays the ID, Name, and the Description of the Mitigations used to prevent a technique or sub-technique from being successfully executed. For example: The Mitigation name Account Use Policies associated with the ID M1036 helps configure features related to account use like login attempt lockouts and specific login times. For more information, see https://attack.mitre.org/mitigations/enterprise/. |
Procedure Examples | Displays the ID, Name, and Description of the procedures that the adversary uses for techniques or sub-techniques. For example: Lazarus Group, with the ID G0032, is a North Korean state-sponsored cyber threat group that was responsible for the November 2014 destructive wiper attack against Sony Pictures Entertainment as part of a campaign named Operation Blockbuster by Novetta. For more information, see https://attack.mitre.org/resources/faq/#faq-0-2-header and https://attack.mitre.org/groups/G0032/. |
The following table explains the various sections highlighted in the above figures.
Sl.no | Description |
---|---|
1 | This section displays the type of Tactic associated with the Incident. |
2 | This section displays the Tactics ID associated with the Tactic. |
3 | This section displays the ID, Name, and the Description of the various Techniques associated with the Tactics. |
4 | This section displays the list of the various Sub-Techniques associated with the main Technique. |
5 | This section displays the ID, Name, and the Description of the Mitigations used to prevent a technique or sub-technique from being successfully executed. |
6 | This section displays the ID, Name, and the Description of the procedures that the adversary uses for techniques or sub-techniques. |
View MITRE ATT&CK Information for UEBA (On-premises)
From NetWitness Platform 12.5 or later, analysts can view the details of the tactics and techniques used by advanced attackers or advanced persistent threats (APTs) for UEBA alerts, indicators, and incidents. You do not have to search the MITRE pages to understand techniques or tactics and learn about their implications. When clicking on any tactic or technique for the UEBA alert, incident, or indicator, the ATT&CK Explorer panel will display all the details.
The following figure represents the UEBA Alert with MITRE ATT&CK Tactics column in the Alerts view.
The following figure represents the UEBA Alert with MITRE ATT&CK Tactics and Techniques in the Overview panel of the Alert Details view.
The following figure represents the UEBA Incident with MITRE ATT&CK Tactics column in the Incidents view.
The following figure represents the Indicators Panel of the Incident Details view with MITRE ATT&CK Tactics.
MITRE ATT&CK© Lookup in Respond Event Reconstruction view
In version 12.4, the ATTACK.TACTIC, ATTACK.ALL, and ATTACK.TECHNIQUE meta keys in the Event Metadata panel or Event Reconstruction view are enhanced with the MITRE ATT&CK© Lookup option to help analysts get more information on the MITRE Tactic and Technique associated with a particular event or incident.
The new ATT&CK© Explorer Panel is displayed when you click the MITRE ATT&CK© Lookup option.
To access the MITRE ATT&CK© Lookup option
- Go to the Respond view.
- Select an Incident ID in the Incident List view. The Incident Details view is displayed.
- Select an event in the Indicators panel. The Event Metadata panel is displayed.
- Click the icon next to the ATTACK.TACTIC or ATTACK.TECHNIQUE meta value.
- Select the MITRE ATT&CK© Lookup option. The ATT&CK© Explorer Panel is displayed.
Use Case Example
The following use case provides an example of an administrator using NetWitness Platform to configure MITRE details for ESA Rules. It also shows how an analyst can use the configured MITRE data to perform threat analysis and prevent the technique from being successfully executed.
Use Case: Configuring MITRE details for Custom ESA Rules
After logging in to NetWitness Platform, David, an administrator, navigates to (Configure) > Policies > Content > Content Library > More > Event Stream Analysis Rule. The administrator selects the custom ESA rule Privilege Escalation Detected in Unix by Task Execution and configures the MITRE ATT&CK Tactic and MITRE ATT&CK Technique for the rule, giving analysts better insight into the threat associated with any alert or incident generated by this content.
In this case, the content identifies a threat associated with the MITRE Tactic Privilege Escalation and the Technique Scheduled Task/Job. Therefore, the administrator configures the Privilege Escalation tactic and the Scheduled Task/Job technique for the content.
When an alert is generated by the deployed ESA content with the MITRE tactic and technique configured, John, an analyst, finds this information in the Respond Alerts and Incidents views.
This additional MITRE context helps John make an informed decision on responding to the incident.
John also gets an overview of the attack tactic and technique by clicking the MITRE tactic or technique. From there he navigates to the technique, any sub-techniques, and their mitigation information.
This speeds up incident and alert triage and lets analysts take remediation steps quickly.
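The following Python script is an added example, not NetWitness or MITRE code. It models the ATT&CK hierarchy described in "The ATT&CK Model" (tactic, technique, sub-technique, mitigation, procedure example) as a small in-memory catalog, assembles the same record the ATT&CK Explorer Panel shows for a tactic, resolves any ATT&CK ID the way the MITRE ATT&CK Lookup option does, and checks that the tactic/technique pair an administrator tags on a custom ESA rule (as in the use case above) is consistent, since a technique such as Scheduled Task/Job sits under several tactics and a rule tagged with a tactic the technique does not belong to would mislead the analyst. The catalog is a hand-constructed excerpt: the IDs are real ATT&CK identifiers, but only the entries the page mentions (plus Brute Force, T1110, as a Credential Access example) are included and only names are stored.

```python
"""In-memory model of the ATT&CK hierarchy: tactics -> techniques ->
sub-techniques, with mitigations and procedure examples attached.

Added example, not NetWitness or MITRE code. The catalog below is a
constructed excerpt: IDs are real ATT&CK identifiers, but the set of
entries is limited to what the documentation text mentions."""
import re
from dataclasses import dataclass, field


@dataclass
class Technique:
    id: str
    name: str
    tactics: list                                    # a technique may fall under several tactics
    subs: dict = field(default_factory=dict)         # sub-technique ID -> name
    mitigations: list = field(default_factory=list)  # mitigation IDs (M....)
    procedures: list = field(default_factory=list)   # group IDs (G....) with a procedure example


TACTICS = {"TA0001": "Initial Access", "TA0003": "Persistence",
           "TA0004": "Privilege Escalation", "TA0006": "Credential Access"}
MITIGATIONS = {"M1036": "Account Use Policies", "M1047": "Audit"}
GROUPS = {"G0032": "Lazarus Group", "G0073": "APT19"}
TECHNIQUES = {t.id: t for t in [
    Technique("T1189", "Drive-by Compromise", ["TA0001"], procedures=["G0073"]),
    Technique("T1542", "Pre-OS Boot", ["TA0003"],
              subs={"T1542.001": "System Firmware", "T1542.002": "Component Firmware",
                    "T1542.003": "Bootkit"}),
    Technique("T1053", "Scheduled Task/Job", ["TA0003", "TA0004"], mitigations=["M1047"]),
    Technique("T1110", "Brute Force", ["TA0006"], mitigations=["M1036"]),
]}

SUB_ID = re.compile(r"^(T\d{4})\.(\d{3})$")   # sub-technique IDs are "<parent>.<nnn>"
TECH_ID = re.compile(r"^T\d{4}$")


def parent_technique_id(attack_id):
    """'T1542.003' -> 'T1542'; a plain technique ID is its own parent."""
    m = SUB_ID.match(attack_id)
    if m:
        return m.group(1)
    if TECH_ID.match(attack_id):
        return attack_id
    raise ValueError(f"not a technique or sub-technique ID: {attack_id}")


def techniques_for_tactic(tactic_id):
    """IDs of every technique listed under the given tactic, sorted."""
    return sorted(t.id for t in TECHNIQUES.values() if tactic_id in t.tactics)


def explorer_record(tactic_id):
    """Assemble the fields the Explorer Panel shows for one tactic."""
    if tactic_id not in TACTICS:
        raise KeyError(f"unknown tactic ID: {tactic_id}")
    techs = []
    for tid in techniques_for_tactic(tactic_id):
        t = TECHNIQUES[tid]
        techs.append({"id": t.id, "name": t.name,
                      "sub_techniques": dict(t.subs),
                      "mitigations": {m: MITIGATIONS[m] for m in t.mitigations},
                      "procedure_examples": {g: GROUPS[g] for g in t.procedures}})
    return {"tactic": TACTICS[tactic_id], "attack_id": tactic_id, "techniques": techs}


def describe(attack_id):
    """Resolve any ATT&CK ID to (kind, name), as a lookup option would."""
    if attack_id in TACTICS:
        return ("tactic", TACTICS[attack_id])
    if attack_id in MITIGATIONS:
        return ("mitigation", MITIGATIONS[attack_id])
    if attack_id in GROUPS:
        return ("group", GROUPS[attack_id])
    parent = parent_technique_id(attack_id)          # raises ValueError on malformed IDs
    tech = TECHNIQUES[parent]                        # KeyError if not in the catalog
    if attack_id == parent:
        return ("technique", tech.name)
    return ("sub-technique", f"{tech.name}: {tech.subs[attack_id]}")


def validate_rule_tags(tactic_name, technique_name):
    """Check a (tactic, technique) pair tagged on a custom rule: the technique
    must actually be listed under that tactic. Returns the pair of IDs."""
    tactic_id = next((i for i, n in TACTICS.items() if n == tactic_name), None)
    tech = next((t for t in TECHNIQUES.values() if t.name == technique_name), None)
    if tactic_id is None or tech is None:
        raise ValueError("unknown tactic or technique name")
    if tactic_id not in tech.tactics:
        raise ValueError(f"{tech.id} ({tech.name}) is not listed under {tactic_id}")
    return (tactic_id, tech.id)


if __name__ == "__main__":
    import json
    print(json.dumps(explorer_record("TA0003"), indent=2))
    print(describe("T1542.003"))
    # the pair from the use case above: Privilege Escalation + Scheduled Task/Job
    print(validate_rule_tags("Privilege Escalation", "Scheduled Task/Job"))
```

Run the script directly to print the Persistence record (both techniques the page names under it, with Pre-OS Boot's three sub-techniques), the resolution of a sub-technique ID, and the validated use-case tagging. A real deployment would load the catalog from MITRE's published STIX data rather than a hand-typed dictionary, but the lookups and the tagging check stay the same.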