The MITRE ATT&CK framework covers a wide range of technologies and environments, providing security teams with a comprehensive understanding of real-world attackers' tactics and behavior.
The MITRE ATT&CK framework has different matrices for various technological areas, helping security teams deal with the threats specific to each. These include:
Each matrix in the framework customizes the tactics, techniques, and procedures (TTPs) to the unique characteristics and challenges of the corresponding technology. This customization enables security teams to identify potential attack vectors and strengthen their defenses against threats targeting various technological domains.
The MITRE ATT&CK framework helps security teams communicate better by providing a complete taxonomy of cyberattackers' complex and adaptable strategies and methods. This knowledge base improves detection, analysis, and mitigation strategies by documenting how threat actors attack businesses and giving defenders the know-how to protect them. Mapping observed adversary behavior to the framework's TTPs is crucial for understanding and responding to cyberthreats.
Each classification contains a variety of techniques explaining how attackers accomplish their malicious goals. This comprehensive knowledge base is constantly evolving and categorizes the actions and behaviors of cyberattackers into three main areas:
MITRE ATT&CK tactics describe the goals that threat actors aim to achieve during a cyberattack. These strategic objectives provide valuable insight into the approaches potential adversaries might take, including gaining access to credentials, evading defensive measures, executing malicious code, getting initial access to a system, moving laterally across systems, and escalating their privileges.
MITRE ATT&CK techniques are the specific methods attackers use to accomplish their objectives. For example, under the Execution tactic, the Command and Scripting Interpreter technique describes how an attacker uses command-line interfaces or scripting languages to run malicious commands.
Sub-techniques describe adversarial behaviors used to achieve a specific goal in more detail. They sit at a lower level of description than techniques, allowing a more precise understanding of how adversaries carry out a technique. Sub-techniques break techniques down into more specific actions. For instance, an adversary may access the Local Security Authority (LSA) Secrets to dump credentials.
MITRE ATT&CK procedures are the specific implementations an adversary uses to carry out a particular technique or sub-technique. These procedures can take various forms, such as using PowerShell to inject malicious code into lsass.exe and extract the victim's credentials by scraping LSASS memory. Procedures are cataloged in ATT&CK as examples of techniques observed in the wild and can be found in the "Procedure Examples" section of the technique pages.
Sub-techniques and procedures are two distinct elements of the ATT&CK framework. Sub-techniques categorize behavior, whereas procedures describe specific, in-the-wild implementations of techniques and sub-techniques.
Since procedures are specific implementations of techniques and sub-techniques, they may include several additional behaviors in how they are performed. For example, an adversary using PowerShell to inject into lsass.exe to dump credentials by scraping LSASS memory on a victim is a procedure implementation containing several (sub)techniques covering the PowerShell, Process Injection, and Credential Dumping against LSASS behaviors.
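The tactic, technique, sub-technique and procedure hierarchy described above, and the mapping of a procedure onto several (sub)techniques, is easiest to see in code. The following is an added example, not code from the original article or from MITRE. It loads a hand-built JSON bundle that follows the shape of ATT&CK's published STIX 2.1 data (`x-mitre-tactic` and `attack-pattern` objects carrying `external_references`, `kill_chain_phases` and `x_mitre_is_subtechnique`); the technique IDs and names are the real ATT&CK ones, but the bundle itself is constructed for this example and covers only the handful of objects needed. One simplification, stated as an assumption: the real dataset links sub-techniques to parents through `subtechnique-of` relationship objects, while this example derives the parent from the `Txxxx.yyy` ID format.

```python
"""Model the ATT&CK tactic -> technique -> sub-technique hierarchy and map a
procedure (the behaviors it exhibits) onto it. Added example; the bundle below
is constructed to mirror the shape of ATT&CK's STIX 2.1 data, not pulled from it."""
import json
from collections import defaultdict


def _attack_pattern(name, ext_id, phases, sub=False):
    """Build one attack-pattern object in the ATT&CK STIX shape (constructed helper)."""
    return {
        "type": "attack-pattern",
        "name": name,
        "x_mitre_is_subtechnique": sub,
        "external_references": [{"source_name": "mitre-attack", "external_id": ext_id}],
        "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": p} for p in phases],
    }


# Constructed mini-bundle: real ATT&CK IDs/names, hand-written objects.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "objects": [
        {"type": "x-mitre-tactic", "name": "Execution", "x_mitre_shortname": "execution"},
        {"type": "x-mitre-tactic", "name": "Defense Evasion", "x_mitre_shortname": "defense-evasion"},
        {"type": "x-mitre-tactic", "name": "Privilege Escalation", "x_mitre_shortname": "privilege-escalation"},
        {"type": "x-mitre-tactic", "name": "Credential Access", "x_mitre_shortname": "credential-access"},
        _attack_pattern("Command and Scripting Interpreter", "T1059", ["execution"]),
        _attack_pattern("PowerShell", "T1059.001", ["execution"], sub=True),
        _attack_pattern("Process Injection", "T1055", ["defense-evasion", "privilege-escalation"]),
        _attack_pattern("OS Credential Dumping", "T1003", ["credential-access"]),
        _attack_pattern("LSASS Memory", "T1003.001", ["credential-access"], sub=True),
        _attack_pattern("LSA Secrets", "T1003.004", ["credential-access"], sub=True),
    ],
})

# The procedure from the text: PowerShell injecting into lsass.exe to scrape LSASS
# memory, expressed as the (sub)techniques an analyst would tag it with.
LSASS_PROCEDURE = ["T1059.001", "T1055", "T1003.001"]


def attack_id(obj):
    """Return the ATT&CK ID (e.g. T1003.001) from an object's external references."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref["external_id"]
    return None


def load_catalog(bundle_json):
    """Parse a bundle into (tactics, techniques).

    tactics:    shortname -> display name
    techniques: ATT&CK ID -> {name, tactics, parent, children}
    """
    bundle = json.loads(bundle_json)
    tactics, techniques = {}, {}
    for obj in bundle["objects"]:
        if obj["type"] == "x-mitre-tactic":
            tactics[obj["x_mitre_shortname"]] = obj["name"]
        elif obj["type"] == "attack-pattern":
            tid = attack_id(obj)
            if tid is None:  # skip objects without an ATT&CK ID
                continue
            techniques[tid] = {
                "name": obj["name"],
                "tactics": [p["phase_name"] for p in obj.get("kill_chain_phases", [])
                            if p.get("kill_chain_name") == "mitre-attack"],
                # Assumption: parent derived from the Txxxx.yyy ID form.
                "parent": tid.split(".")[0] if obj.get("x_mitre_is_subtechnique") else None,
                "children": [],
            }
    # Link each sub-technique to its parent technique.
    for tid, tech in techniques.items():
        if tech["parent"] in techniques:
            techniques[tech["parent"]]["children"].append(tid)
    return tactics, techniques


def map_procedure(observed_ids, tactics, techniques):
    """Map a procedure's (sub)technique IDs to the tactics they serve.

    Returns {tactic name: sorted list of "ID name" labels}. IDs not in the
    catalog are reported under "UNMAPPED" instead of being silently dropped,
    so a stale or mistyped tag is visible to the analyst.
    """
    by_tactic = defaultdict(set)
    unknown = []
    for tid in observed_ids:
        tech = techniques.get(tid)
        if tech is None:
            unknown.append(tid)
            continue
        label = f"{tid} {tech['name']}"
        parent = techniques.get(tech["parent"]) if tech["parent"] else None
        if parent:
            label += f" (sub-technique of {parent['name']})"
        for short in tech["tactics"]:
            by_tactic[tactics.get(short, short)].add(label)
    result = {t: sorted(labels) for t, labels in by_tactic.items()}
    if unknown:
        result["UNMAPPED"] = sorted(unknown)
    return result


if __name__ == "__main__":
    tactics, techniques = load_catalog(SAMPLE_BUNDLE)
    for tactic, labels in map_procedure(LSASS_PROCEDURE, tactics, techniques).items():
        print(f"{tactic}: {'; '.join(labels)}")
```

Running the script shows the single procedure from the text landing in four tactics (Execution, Defense Evasion, Privilege Escalation, Credential Access), because Process Injection is listed under two tactics and the other two behaviors are sub-techniques of distinct parents. That is the practical reason detection engineering tags procedures at the (sub)technique level: one observed behavior usually gives coverage against several tactic columns at once.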
The MITRE ATT&CK framework's matrices specialize in different technology areas. Each matrix addresses specific cyberthreats relevant to distinct technological environments, ranging from cloud platforms to mobile devices. This approach allows cybersecurity teams to effectively focus on and counteract threats unique to each technological domain, utilizing the detailed tactics and techniques outlined in the respective matrices.
The MITRE ATT&CK Cloud Matrix is structured to identify and mitigate vulnerabilities specific to cloud platforms like AWS, Azure, and Google Cloud. This framework catalogs cloud-specific techniques adversaries use, such as exploiting misconfigurations, compromising cloud management consoles, or taking advantage of weak identity and access management controls.
The MITRE ATT&CK Containers Matrix describes attack strategies specifically designed to target containerized environments, such as those using Docker and Kubernetes. Common strategies include exploitation of configuration weaknesses, attacks on container orchestration tools, persistence tactics, deployment of malicious containers, and lateral movement techniques.
The MITRE ATT&CK framework offers a comprehensive view of cyberattackers' strategies and methods in enterprise network environments. It encompasses tactics like initial access, credential access, defense evasion, privilege escalation, and techniques for maintaining a foothold within a network.
The MITRE ATT&CK PRE-ATT&CK matrix focuses on the initial stages of a cyberattack, including gathering intelligence and preparing the attack through tactics like reconnaissance and weaponization.
The MITRE ATT&CK framework's matrix for mobile devices addresses security concerns specific to platforms like iOS and Android, outlining tactics and techniques for exploiting vulnerabilities and executing malicious code.
MITRE ATT&CK identifies techniques adversaries use to exploit standard application-layer protocols for malicious purposes, highlighting activities like command and control communications and data exfiltration.