What you should know about MITRE ATT&CK



Cyber attacks are complex. Threat actors don't just push a single button to totally compromise a targeted network; every cyber attack involves many steps.

Lockheed Martin and many other organizations have conceptualized cyber attack chains, borrowing the concept of attack chains from kinetic warfare. MITRE is perhaps best known in the cybersecurity community for its CVE database of known vulnerabilities in a plethora of technological products and services, but it also maintains other databases that are very useful for understanding cyber risks and threats.

As far as the cyber attack chain is concerned, it’s worth referencing MITRE ATT&CK to understand both cyber attacks in the news and cyber attacks that impact your enterprise’s networks and applications. Like CVE and their other databases, MITRE ATT&CK is freely accessible on the web for anyone who needs to reference it.

Let’s get into the basics of MITRE ATT&CK.

MITRE ATT&CK categorizes hundreds of different exploitation techniques and activities into 14 groups, which ATT&CK calls tactics. From beginning to end, they represent the start to finish of a full cyber attack chain:

  1. Reconnaissance
  2. Resource Development
  3. Initial Access
  4. Execution
  5. Persistence
  6. Privilege Escalation
  7. Defense Evasion
  8. Credential Access
  9. Discovery
  10. Lateral Movement
  11. Collection
  12. Command and Control
  13. Exfiltration
  14. Impact

Reconnaissance is when cyber threat actors research their potential targets to decide which ones to attack and how they're going to do it. Techniques in this category include, but aren't limited to, Active Scanning, Phishing for Information, Search Open Websites/Domains.

Resource Development is when attackers make their preparations to begin an attack. Techniques in this category include, but aren't limited to, Compromise Accounts, Develop Accounts, Acquire Access, Compromise Infrastructure.

Initial Access is the first point where an attacker starts to penetrate their targeted network or application. Techniques in this category include, but aren’t limited to, Content Injection, Phishing, Supply Chain Compromise, Hardware Additions, Exploit Public-Facing Application.

Execution is when the attacker's malicious code or commands begin to run on the targeted systems. Techniques in this category include, but aren't limited to, Serverless Execution, User Execution, Cloud Administration Command, Windows Management Instrumentation.

Persistence is the work done by cyber attackers to make sure they maintain control of their targeted system, even if their target reboots computers or closes applications. Techniques in this category include, but aren’t limited to, Browser Extensions, Hijack Execution Flow, Account Manipulation.

Privilege Escalation is when an attacker compromises one or multiple user or machine accounts, and then uses those accounts to acquire new privileges or to compromise accounts with administrative rights. Techniques in this category include, but aren’t limited to, Boot or Logon Initialization Scripts, Escape to Host, Event Triggered Execution.

Defense Evasion is how cyber threat actors work to avoid being detected or stopped by security monitoring tools and various security controls. Techniques in this category include, but aren’t limited to, Build Image on Host, Deploy Container, File and Directory Permissions Modification.

Credential Access is how attackers acquire credentials maliciously so they can further the progress of their attacks. Techniques in this category include, but aren’t limited to, Adversary-in-the-Middle, Forge Web Credentials, Network Sniffing.

Discovery is how attackers learn more about their targeted network from the inside, so they can further the progress of their attacks. Techniques in this category include, but aren’t limited to, Cloud Infrastructure Discovery, Debugger Evasion, File and Directory Discovery.

Lateral Movement is the stage where attackers take the new credentials they’ve acquired and the new network and application components they discovered in the previous two stages to expand their attack to different parts of the network or application. Techniques in this category include, but aren’t limited to, Exploitation of Remote Services, Software Deployment Tools, Taint Shared Content.

Collection is when attackers focus on getting the data or digital assets that they want. Techniques in this category include, but aren’t limited to, Audio Capture, Clipboard Data, Data from Removable Media, Input Capture.

Command and Control is when attackers maintain their remote connection to their targeted network or application and execute further malicious commands. Techniques in this category include, but aren't limited to, Ingress Tool Transfer, Protocol Tunneling, Proxy, Remote Access Software.

Exfiltration is when attackers transfer the data and assets they want into their own possession. Techniques in this category include, but aren't limited to, Exfiltration Over C2 Channel, Transfer Data to Cloud Account, Exfiltration Over Web Service.

Impact is when attackers are able to achieve the ends of their cyber attacks. Techniques in this category include, but aren’t limited to, Account Access Removal, Firmware Corruption, Financial Theft, Disk Wipe.
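As an added illustration (not part of the original article), here is how a defender can put that tactic ordering to work: a small Python table of the 14 tactics with a few of the technique names listed above, used to sort alerts into attack-chain order and to flag tactics that no detection rule covers. The host names and alert tags are constructed, and the table is only a subset of the ATT&CK matrix.

```python
from collections import defaultdict

# The 14 ATT&CK tactics in chain order, each with a few technique names from
# the article (a subset of ATT&CK, not the full matrix).
TACTICS = [
    ("Reconnaissance", ["Active Scanning", "Phishing for Information"]),
    ("Resource Development", ["Compromise Accounts", "Compromise Infrastructure"]),
    ("Initial Access", ["Phishing", "Exploit Public-Facing Application"]),
    ("Execution", ["User Execution", "Windows Management Instrumentation"]),
    ("Persistence", ["Account Manipulation", "Hijack Execution Flow"]),
    ("Privilege Escalation", ["Escape to Host", "Event Triggered Execution"]),
    ("Defense Evasion", ["Deploy Container", "Build Image on Host"]),
    ("Credential Access", ["Network Sniffing", "Forge Web Credentials"]),
    ("Discovery", ["File and Directory Discovery", "Cloud Infrastructure Discovery"]),
    ("Lateral Movement", ["Exploitation of Remote Services", "Taint Shared Content"]),
    ("Collection", ["Input Capture", "Clipboard Data"]),
    ("Command and Control", ["Ingress Tool Transfer", "Proxy"]),
    ("Exfiltration", ["Exfiltration Over C2 Channel", "Exfiltration Over Web Service"]),
    ("Impact", ["Disk Wipe", "Account Access Removal"]),
]
TACTIC_INDEX = {name: i for i, (name, _) in enumerate(TACTICS)}
TECHNIQUE_TO_TACTIC = {t: name for name, techs in TACTICS for t in techs}

def tactic_of(technique):
    """Tactic a technique name belongs to, or None if it is not in the table."""
    return TECHNIQUE_TO_TACTIC.get(technique)

def chain_progress(alerts):
    """Group (host, technique) alerts by tactic in attack-chain order, so an
    analyst sees how far an intrusion has progressed; unknown tags go last."""
    groups = defaultdict(list)
    for host, technique in alerts:
        groups[tactic_of(technique) or "Unmapped"].append(host)
    order = list(TACTIC_INDEX) + ["Unmapped"]
    return [(n, groups[n]) for n in order if n in groups]

def coverage_gaps(rule_techniques):
    """Tactics that none of the deployed detection rules maps to: a quick
    check that the rule set spans the whole chain, not only late stages."""
    covered = {tactic_of(t) for t in rule_techniques}
    return [n for n, _ in TACTICS if n not in covered]

# Constructed sample alerts (not real telemetry), deliberately out of order.
SAMPLE_ALERTS = [
    ("ws-17", "Ingress Tool Transfer"),
    ("srv-db", "Exploitation of Remote Services"),
    ("ws-17", "Phishing"),
    ("ws-17", "Network Sniffing"),
    ("ws-17", "Suspicious Thing"),  # a tag the table does not know
]
```

Running `chain_progress(SAMPLE_ALERTS)` places the Phishing alert first and the Ingress Tool Transfer alert last, which is the chain order rather than the order the alerts arrived in.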

Take some time and explore MITRE ATT&CK for yourself. It will help both your defensive security specialists and pentesters better conceptualize all the stages involved in cyber attacks of all kinds. And understanding cyber attacks is key to defending against them and preventing them.
