
What is MITRE ATT&CK®?

MITRE ATT&CK® is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for developing specific threat models and methodologies in the private sector, government, and cybersecurity product and service community.

The ATT&CK methodology distinguishes between tactics and techniques. A tactic is the adversary's tactical goal, the "why" behind an action, and the sequence of tactics also shows how far into the target environment the adversary has reached. Each tactic contains several dozen techniques, and many techniques are now further broken down into sub-techniques. A technique describes a specific action the adversary performs to achieve the tactic's objective, and each technique in turn has different procedures, the concrete implementations observed in the wild. Drilling down through TTPs (Tactics, Techniques, and Procedures) therefore lets security teams (SOCs) and analysts look for patterns of adversary behavior rather than relying only on Indicators of Compromise, as was the norm with the Cyber Kill Chain-based approaches previously used in our industry.

The MITRE methodology provides a more detailed description of adversary behavior across the attack lifecycle, and new matrices (knowledge bases) addressing specific environments are emerging each year. The original ATT&CK matrix, which covers IT infrastructure, is now called Enterprise. The ATT&CK Enterprise knowledge base also profiles more than a hundred threat actors and groups, with the techniques and software each has been observed using. Alongside it, dedicated matrices for ICS/OT infrastructure and mobile infrastructure have appeared. These collections are very useful for network administrators and security analysts, as they associate threat actors with the tactics and techniques they are known to have used in previous attacks.

For more information about MITRE ATT&CK®, visit the official site.

The MITRE Engage™ platform is used to plan and discuss adversary engagement operations during an attack. In this model, adversary engagement is the use of denial and deception in the context of strategic planning and analysis to raise the cost of the next attack while reducing the value of the adversary's actions. We presented the MITRE Engage™ methodology (and its predecessor Shield) in our article: From “nice to have” to “must have”: the role of Cyber Deception in active defense.

Moreover, MITRE specialists see a mutual synergy between the two methodologies:

“ATT&CK helps you detect what an adversary will do and offer ways to stop them. Whereas, with MITRE Engage (Shield in past), we’re saying sometimes you don’t want to stop them but watch them. You may want to employ a decoy technique—but to do that, you need ATT&CK’s detections. So, they really work together very well.” – said Bill Hill, CISO at MITRE. [1]

Use of MITRE ATT&CK® in Labyrinth Deception Platform alerts

Starting with the upcoming version of the Labyrinth Deception Platform, each alert is supplemented with a description of the attacker's actions in terms of the tactics and techniques of the MITRE ATT&CK® matrix.

Techniques and tactics that appear in the alert description are links to the official MITRE website, where you can read a detailed description of a particular tactic or technique.

If SIEM integration is enabled and configured, the tactic and technique information is also added to the CEF message sent to the SIEM.

For example:

A remote code execution (RCE) attempt, an attack in which the attacker runs code of their choosing on an organization's hosts or network, has been detected on the Universal Web Point decoy. In MITRE ATT&CK® this activity maps to the Lateral Movement tactic (TA0008), which covers an adversary's attempts to move through the organization's environment, and to the Exploitation of Remote Services technique (T1210), in which an adversary exploits a vulnerability in a network-exposed service to gain unauthorized access to internal systems on the corporate network.
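To show what a SIEM-side consumer of such an alert has to do, here is an added example of parsing a CEF message that carries ATT&CK tactic and technique IDs and turning those IDs into links to the official ATT&CK pages. This is illustration code written for this article, not the Labyrinth Deception Platform's own code: the sample message is constructed, and the choice of the cs1/cs1Label and cs2/cs2Label extension keys for the tactic and technique lists is an assumption, not the product's documented field layout. The URL patterns (/tactics/TA0008/, /techniques/T1210/, /techniques/T1021/001/ for a sub-technique) are the ones used on attack.mitre.org.

```python
"""Parse a CEF alert that carries MITRE ATT&CK tactic and technique IDs
and turn those IDs into links to the official ATT&CK pages."""
import re

# Constructed sample message, shaped like a deception alert forwarded to a
# SIEM. The extension keys (cs1/cs1Label for the tactic, cs2/cs2Label for
# the techniques) are an assumption made for this example; they are not
# the Labyrinth Deception Platform's documented field layout.
SAMPLE_CEF = (
    "CEF:0|Labyrinth|Deception Platform|1.0|100|RCE attempt on decoy|8|"
    "src=10.0.5.23 dst=10.0.7.40 dpt=8080 "
    "cs1Label=ATT&CK Tactic cs1=TA0008 "
    "cs2Label=ATT&CK Techniques cs2=T1210,T1190"
)

TACTIC_RE = re.compile(r"^TA\d{4}$")
TECHNIQUE_RE = re.compile(r"^T(\d{4})(?:\.(\d{3}))?$")
_KEY_RE = re.compile(r"(?:^|\s)(\w+)=")  # 'key=' at start or after a space


def _unescape(s: str) -> str:
    # CEF escapes '\' as '\\', '|' (header) as '\|' and '=' (extension) as '\='.
    return re.sub(r"\\(.)", r"\1", s)


def parse_cef(message: str) -> tuple[list[str], dict[str, str]]:
    """Return the seven CEF header fields and the extension key/value map."""
    if not message.startswith("CEF:"):
        raise ValueError("not a CEF message")
    body = message[4:]
    header, cur, i = [], "", 0
    # Header fields end at the first seven unescaped '|' characters.
    while i < len(body) and len(header) < 7:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):  # keep escape pair for now
            cur += body[i:i + 2]
            i += 2
            continue
        if ch == "|":
            header.append(_unescape(cur))
            cur = ""
        else:
            cur += ch
        i += 1
    if len(header) != 7:
        raise ValueError("CEF header must have exactly 7 fields")
    extension = body[i:]
    # Extension values may contain spaces, so split on 'key=' boundaries
    # rather than on whitespace.
    keys = list(_KEY_RE.finditer(extension))
    ext = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(extension)
        ext[m.group(1)] = _unescape(extension[m.end():end].strip())
    return header, ext


def attack_links(ext: dict[str, str], tactic_key: str = "cs1",
                 technique_key: str = "cs2") -> dict[str, str]:
    """Map each well-formed ATT&CK ID in the extension to its official URL.

    IDs that do not match the ATT&CK ID format are dropped rather than
    turned into a link, so a malformed or tampered field never reaches an
    analyst as a clickable URL.
    """
    links = {}
    for raw in ext.get(tactic_key, "").split(","):
        tid = raw.strip()
        if TACTIC_RE.match(tid):
            links[tid] = f"https://attack.mitre.org/tactics/{tid}/"
    for raw in ext.get(technique_key, "").split(","):
        tid = raw.strip()
        m = TECHNIQUE_RE.match(tid)
        if m:
            parent, sub = m.groups()
            # Sub-techniques live under their parent: /techniques/T1021/001/
            path = f"T{parent}/{sub}/" if sub else f"T{parent}/"
            links[tid] = f"https://attack.mitre.org/techniques/{path}"
    return links


def describe_alert(message: str) -> dict:
    """Summarise a CEF alert as an analyst-facing record with ATT&CK links."""
    header, ext = parse_cef(message)
    return {
        "vendor": header[1], "product": header[2], "signature": header[4],
        "name": header[5], "severity": int(header[6]),
        "attack": attack_links(ext),
    }


if __name__ == "__main__":
    for key, value in describe_alert(SAMPLE_CEF).items():
        print(f"{key}: {value}")
```

The parser honours CEF's escaping rules (a backslash-escaped pipe in the header, a backslash-escaped equals sign in an extension value), which matters because a decoy's alert name or request payload can easily contain both characters; a naive split on "|" or on whitespace would misalign every later field, including the ATT&CK ones.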

Many security vendors integrate MITRE ATT&CK® into their solutions, from SOAR and SIEM platforms to EDR, XDR, and NDR systems, as well as sandboxes and active defense products such as deception technology.

In addition, MITRE ATT&CK® can be used to improve threat detection by adding a higher level of abstraction to behavioral analysis. ATT&CK is also a valuable common language for communication and team collaboration in threat detection, investigations, and incident response.

[1] https://www.mitre.org/news-insights/impact-story/active-defense-using-deception-and-trickery-defeat-cyber-adversaries
