Difference between revisions of "MITRE ATT&CK"

From Embedded Lab Vienna for IoT & Security
Revision as of 08:46, 3 January 2024

Introduction

Developed by MITRE, ATT&CK is a globally accessible knowledge base focused on adversary behaviour, also called cyber threat intelligence. Cyber adversaries are known for their intelligence, adaptability and persistence, learning from each attack, whether successful or unsuccessful. Their capabilities range from stealing personal information and data to disrupting infrastructure and/or damaging business operations. The MITRE ATT&CK knowledge base is freely available to everyone. It documents the common tactics, techniques and procedures used by cyber threat actors. The framework can be used as a resource for developing specific threat models and methodologies, as well as specific countermeasures. [1]

MITRE ATT&CK Groups

The groups are "activity clusters" that are often observed in the cyber security community under a specific name. It should be noted that groups in the cyber security sector are often loosely connected and may be known by several names. In addition, the same cluster may be tracked by different parties under different names. In the MITRE Groups documentation, the MITRE team endeavours to document these overlaps in the Associated Groups/Aliases section. Groups are in turn linked to the techniques they use, and each technique is assigned to its tactic. As a result, a separate ATT&CK matrix exists for many groups. [2]

MITRE ATT&CK Software

MITRE ATT&CK Techniques

Techniques in the context of the MITRE ATT&CK knowledge base describe how an attacker achieves a tactical objective, i.e. which actions the attacker performs to achieve it. For example, a threat actor may dump credentials in order to obtain the victim's credentials. As of January 2023, a total of 201 techniques are documented, with a total of 424 sub-techniques. [3]

MITRE ATT&CK Tactics

Tactics document the "why" of an ATT&CK technique or sub-technique; a tactic is therefore the attacker's actual objective. These objectives correspond to the process steps of the MITRE ATT&CK matrix, i.e. from reconnaissance to impact. For example, an attacker may pursue credential access or privilege escalation as a tactic. [4]

MITRE ATT&CK Matrix for Enterprise

The MITRE ATT&CK matrix is part of the knowledge base and lists the adversary techniques and procedures for each phase of an attack. The process begins with reconnaissance and ends with impact. Each process step (tactic) is assigned the techniques that serve it; each entry can be clicked on and leads to its documentation. [5]
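The relationships described in the Groups, Techniques, Tactics and Matrix sections above (techniques and sub-techniques hang off tactics; groups are linked to the techniques they use and may be known under several aliases) are what the public ATT&CK STIX data encodes. The following is an added example, not code from this wiki page or from MITRE: it walks a tiny STIX-style bundle constructed inline and rebuilds the enterprise matrix and a group-specific matrix from it. The technique and tactic IDs (T1566, T1566.001, T1003, T1003.001, TA0001, TA0006) are real ATT&CK identifiers; the group "EXAMPLE GROUP", its alias, its ID "GXXXX" and its technique usage are invented for the example. Field names such as `x_mitre_is_subtechnique`, `x_mitre_shortname`, `kill_chain_phases` and the `subtechnique-of` / `uses` relationship types mirror the public data layout.

```python
"""Derive the ATT&CK matrix (tactic -> techniques -> sub-techniques) and a
group-specific matrix from an ATT&CK-style STIX bundle.

Added example; the bundle below is constructed inline and is only a subset
of what attack.mitre.org ships. The group and its technique usage are made up.
"""


def _ref(external_id):
    return [{"source_name": "mitre-attack", "external_id": external_id}]


def _phase(shortname):
    return [{"kill_chain_name": "mitre-attack", "phase_name": shortname}]


# Constructed sample bundle (real technique/tactic IDs, invented group).
BUNDLE = {"type": "bundle", "objects": [
    {"type": "x-mitre-tactic", "id": "x-mitre-tactic--ia", "name": "Initial Access",
     "x_mitre_shortname": "initial-access", "external_references": _ref("TA0001")},
    {"type": "x-mitre-tactic", "id": "x-mitre-tactic--ca", "name": "Credential Access",
     "x_mitre_shortname": "credential-access", "external_references": _ref("TA0006")},
    {"type": "attack-pattern", "id": "attack-pattern--t1566", "name": "Phishing",
     "x_mitre_is_subtechnique": False, "kill_chain_phases": _phase("initial-access"),
     "external_references": _ref("T1566")},
    {"type": "attack-pattern", "id": "attack-pattern--t1566-001", "name": "Spearphishing Attachment",
     "x_mitre_is_subtechnique": True, "kill_chain_phases": _phase("initial-access"),
     "external_references": _ref("T1566.001")},
    {"type": "attack-pattern", "id": "attack-pattern--t1003", "name": "OS Credential Dumping",
     "x_mitre_is_subtechnique": False, "kill_chain_phases": _phase("credential-access"),
     "external_references": _ref("T1003")},
    {"type": "attack-pattern", "id": "attack-pattern--t1003-001", "name": "LSASS Memory",
     "x_mitre_is_subtechnique": True, "kill_chain_phases": _phase("credential-access"),
     "external_references": _ref("T1003.001")},
    # Invented group: name, alias, ID and technique usage are placeholders.
    {"type": "intrusion-set", "id": "intrusion-set--example", "name": "EXAMPLE GROUP",
     "aliases": ["EXAMPLE GROUP", "Placeholder Panda"], "external_references": _ref("GXXXX")},
    {"type": "relationship", "relationship_type": "subtechnique-of",
     "source_ref": "attack-pattern--t1566-001", "target_ref": "attack-pattern--t1566"},
    {"type": "relationship", "relationship_type": "subtechnique-of",
     "source_ref": "attack-pattern--t1003-001", "target_ref": "attack-pattern--t1003"},
    {"type": "relationship", "relationship_type": "uses",
     "source_ref": "intrusion-set--example", "target_ref": "attack-pattern--t1566-001"},
    {"type": "relationship", "relationship_type": "uses",
     "source_ref": "intrusion-set--example", "target_ref": "attack-pattern--t1003"},
]}


def attack_id(obj):
    """Return the ATT&CK ID (T1003, TA0006, ...) from the object's external references."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref["external_id"]
    return None


def count_techniques(bundle):
    """(techniques, sub-techniques), the two numbers the Techniques section quotes."""
    patterns = [o for o in bundle["objects"] if o["type"] == "attack-pattern"]
    subs = sum(1 for o in patterns if o.get("x_mitre_is_subtechnique"))
    return len(patterns) - subs, subs


def build_matrix(bundle, technique_filter=None):
    """tactic shortname -> {technique ID: sorted sub-technique IDs}.

    A sub-technique is placed in its parent's cell via the subtechnique-of
    relationship. technique_filter (set of STIX ids) restricts which
    attack-patterns are placed; it is used for group-specific matrices."""
    objs = {o["id"]: o for o in bundle["objects"] if "id" in o}
    parent_of = {r["source_ref"]: r["target_ref"] for r in bundle["objects"]
                 if r["type"] == "relationship" and r["relationship_type"] == "subtechnique-of"}
    matrix = {o["x_mitre_shortname"]: {} for o in bundle["objects"] if o["type"] == "x-mitre-tactic"}
    for o in bundle["objects"]:
        if o["type"] != "attack-pattern":
            continue
        if technique_filter is not None and o["id"] not in technique_filter:
            continue
        parent = objs[parent_of[o["id"]]] if o["id"] in parent_of else o
        for phase in o.get("kill_chain_phases", []):
            if phase["kill_chain_name"] != "mitre-attack":
                continue
            cell = matrix[phase["phase_name"]].setdefault(attack_id(parent), [])
            if o is not parent:
                cell.append(attack_id(o))
    return {short: {tid: sorted(subs) for tid, subs in sorted(col.items())}
            for short, col in matrix.items()}


def find_group(bundle, name):
    """Resolve a group by its primary name or any alias (case-insensitive)."""
    for o in bundle["objects"]:
        if o["type"] == "intrusion-set":
            names = {n.lower() for n in [o["name"], *o.get("aliases", [])]}
            if name.lower() in names:
                return o
    return None


def group_matrix(bundle, name):
    """The separate matrix for one group: only the techniques it is linked to via 'uses'."""
    group = find_group(bundle, name)
    if group is None:
        raise KeyError(f"unknown group or alias: {name}")
    used = {r["target_ref"] for r in bundle["objects"]
            if r["type"] == "relationship" and r["relationship_type"] == "uses"
            and r["source_ref"] == group["id"]}
    return build_matrix(bundle, technique_filter=used)


if __name__ == "__main__":
    print("techniques, sub-techniques:", count_techniques(BUNDLE))
    print("enterprise matrix:", build_matrix(BUNDLE))
    print("group matrix (by alias):", group_matrix(BUNDLE, "Placeholder Panda"))
```

Note that the group is linked to the parent technique T1003 without a sub-technique, so its cell stays empty in the group matrix, while the link to T1566.001 pulls its parent T1566 into the Initial Access column; this is the difference between "the group uses the technique" and "the group uses this specific sub-technique" that the full ATT&CK data also preserves.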


Reconnaissance

Reconnaissance involves adversaries actively or passively collecting information to support their targeting efforts and to reach their goal, a successful attack. The information gathered may include details about the victim organization, its infrastructure, the software or hardware it uses, or its personnel. Threat actors can utilize this information across different phases of the mentioned process (MITRE ATT&CK matrix), using it for tasks like planning and executing Initial Access, determining post-compromise objectives, or guiding subsequent Reconnaissance efforts. [6]

Resource Development

Resource development encompasses methods by which adversaries generate, acquire, or steal resources to support their targeting activities. These resources may include infrastructure, accounts or capabilities. The threat actors can use these resources at different stages of their lifecycle - for example by using purchased or stolen domains for command and control infrastructure, using email accounts for phishing during initial access or acquiring code signing certificates to facilitate defence evasion. [7]

Initial Access

Initial access consists of methods that attackers use to gain a foothold in the victim's infrastructure. These include spearphishing, content injection or exploiting a vulnerability. A distinction can be made between methods that grant continuous access and those that grant only temporary access, for example because passwords are changed. [8]

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

References

  1. "MITRE ATT&CK" - available under: https://www.mitre.org/focus-areas/cybersecurity/mitre-attack
  2. "Groups" - available under: https://attack.mitre.org/groups/
  3. "Enterprise Techniques" - available under: https://attack.mitre.org/techniques/enterprise/
  4. "Enterprise tactics" - available under: https://attack.mitre.org/tactics/enterprise/
  5. "ATT&CK Matrix" - available under: https://attack.mitre.org/#
  6. "Reconnaissance" - available under: https://attack.mitre.org/tactics/TA0043/
  7. "Resource Development" - available under: https://attack.mitre.org/tactics/TA0042/
  8. "Initial Access" - available under: https://attack.mitre.org/tactics/TA0001/