Ever wish you had a crystal ball for cyber threats? Meet MITRE ATT&CK and MITRE D3FEND, your digital fortune-tellers. In a fast-moving threat landscape, staying ahead of your adversaries is crucial. MITRE ATT&CK unveils adversary tactics, giving you the upper hand in fortifying your organization’s defenses. Meanwhile, MITRE D3FEND is all about defense strategies. Join us as we break down these frameworks, explore their real-world applications, and uncover how they can bolster your organization’s security strategy.
MITRE ATT&CK (Adversarial Tactics, Techniques, & Common Knowledge) is a framework developed by the MITRE Corporation for documenting common behaviors exhibited by cyber attackers, or adversaries, in real-world security incidents.
MITRE is a not-for-profit organization that supports American governments at the federal, state,
and local level and also works with academia and various industries. MITRE works in many domains, with a focus on technology.
The name MITRE looks like an acronym, but it actually isn’t. The name dates back to 1958, when, as the story goes, it was chosen by a board member because it had a nice feel, without having an existing meaning.
ATT&CK was created in 2013 as part of a MITRE research project about post-compromise detection in enterprise networks. The researchers found that they needed a framework for documenting adversary tactics, techniques, and procedures (TTPs) that:
ATT&CK was developed for MITRE’s internal use but proved so useful that the company decided to release it publicly in 2015. Since then, ATT&CK has expanded significantly, with regular updates to encompass a broader range of TTPs. It has gained widespread adoption across industries, becoming a standard reference for threat intelligence, detection, and incident response. The framework’s success led to the creation of the ATT&CK Evaluations program, which evaluates security products’ capabilities against real-world attack scenarios.
Recent years have also seen the introduction of the specialized matrices ATT&CK for Mobile and ATT&CK for ICS. Additionally, ATT&CK has expanded to include Detections, providing a practical guide for creating detection rules and enhancing security monitoring, as well as Software and Groups, which offer in-depth analysis of adversary tools and threat actor behavior, empowering organizations to better understand and counter cyber threats across a wide range of domains. In the spring of 2021, MITRE introduced D3FEND, a complementary framework that focused on defensive techniques.
The enterprise matrix is the original matrix, and is what people are generally referring to when they talk about MITRE ATT&CK. The enterprise matrix can be separated out into the PRE Matrix, which covers preparatory techniques, as well as matrices based on operating systems—e.g. Windows or Linux—or technologies—e.g. cloud or containers.
There are two matrices for mobile, one for iOS and one for Android. They provide a comprehensive framework for understanding and countering cyber threats directed specifically at mobile devices and operating systems. These matrices delve into techniques like app installation abuse and device discovery, which are unique to the mobile ecosystem.
The MITRE ATT&CK Matrix for Industrial Control Systems (ICS) focuses on cyberattack techniques uniquely relevant to critical infrastructure, such as manipulating process control systems, compromising industrial protocols, and exploiting hardware vulnerabilities. This specialized matrix assists in recognizing, analyzing, and thwarting threats targeting the operational technology layer, safeguarding vital industrial processes and systems from cyber risks.
The current ATT&CK Matrix for Enterprise has 14 tactics. These tactics represent what an adversary is trying to accomplish at that stage of an incident. The order of the 14 tactics reflects the path adversaries may follow in pursuit of their goals. This makes ATT&CK a variation on the “cyber kill chain” model. Lockheed Martin created the cyber kill chain model to define the sequence of a typical attack. Understanding the sequence gives security teams a better chance to anticipate an attacker’s next step and disrupt it, thereby breaking the “chain.”
The 14 tactics in MITRE ATT&CK are:
There are 193 techniques that represent the specific behaviors an adversary may use to try to achieve the goal of the associated tactic. Many techniques are associated with more than one tactic. For example, Access Token Manipulation may be used by an adversary to achieve either the tactic of Privilege Escalation or Defense Evasion.
In 2020, MITRE added sub-techniques for an additional layer of specificity. There are currently 401 sub-techniques.
MITRE ATT&CK includes a great deal of detail on technique pages, as well as separate information that is relevant to adversary behavior and methods for counteracting it.
Platforms are the operating systems and applications in which a specific technique could occur. The enterprise matrix can be broken down by platform, and platforms are listed on the detail page for each technique.
Mitigations are defenses organizations can adopt to counteract adversarial techniques, such as patching vulnerabilities or deploying detection systems. By integrating ATT&CK’s recommended mitigations, organizations bolster security, reduce attack surfaces, and mitigate cyber threats.
Detections are the ways that security teams can identify ATT&CK techniques in their environments, enabling rapid response. Detections include the data sources and data components needed to identify a technique. For example, one of the detections for T1189, Drive-by Compromise, requires the data source network traffic, with the components network connection creation and network traffic content.
More than 100 groups are classified by MITRE based on their techniques, targets, and motivations. Each group has a unique profile of tactics, techniques, and procedures, enabling organizations to anticipate and counter specific adversary behaviors.
Campaigns are groups of related activity attributed to a single threat actor or group with a single goal, for example, the Solarwinds Compromise of late 2020. MITRE has mapped the known techniques used in these campaigns to the ATT&CK Matrix, so security teams can visualize the controls they need in place to prevent similar attacks.
Software refers to the tools, malware, and utilities employed by threat actors to execute their tactics. ATT&CK outlines software usage to enhance understanding of adversary techniques and facilitate proactive defense measures.
The MITRE Engenuity Center for Threat Informed Defense, a non-profit research and development organization operated by MITRE, published a report in 2021 called Sightings Ecosystem: A Data-Driven Analysis of ATT&CK in the Wild. The report looked at more than six million sightings of techniques in the real world from 2019-2021.
15 techniques made up 90% of the observed techniques, providing an invaluable list of priorities for security teams with limited resources.Those techniques, in order, were:
MITRE D3FEND is an ongoing project by MITRE Corporation, the same organization responsible for MITRE ATT&CK. D3FEND is designed to complement ATT&CK by focusing on defensive techniques and strategies, whereas ATT&CK primarily focuses on describing offensive techniques used by adversaries. It includes guidance on how organizations can defend against known attack techniques described in MITRE ATT&CK.
According to MITRE, D3FEND stands for Detection, Denial, and Disruption Framework Empowering Network Defense.
The D3FEND Matrix is laid out in six stages, or tactics:
The Model tactic includes techniques for applying analysis to an organization’s systems in order to build a complete understanding of the systems.
The Harden tactic comprises techniques for implementing defensive measures to strengthen a system’s security posture, reduce vulnerabilities, minimize the attack surface, and make the system more resistant to attacks.
The Detect tactic contains techniques aimed at identifying and promptly recognizing suspicious or malicious activities within an organization’s network or systems.
The Isolate tactic involves techniques for containing, segregating, or isolating compromised systems, devices, or network segments to prevent the spread of a cyberattack and limit potential damage.
The Deceive tactic involves applying techniques and technologies to mislead or confuse adversaries and deter them from conducting successful cyberattacks. This tactic creates a hostile and uncertain environment for attackers, making it more challenging for them to identify genuine assets, data, or vulnerabilities.
The Evict tactic includes techniques for forcefully removing unauthorized or malicious entities from a network, system, or environment once they have been detected.
Many organizations say they want to “implement MITRE ATT&CK”, but what does that mean exactly? It can be overwhelming to put this invaluable knowledgebase to work in your security operations. Here are some use-cases to start with.
One of the first things you can do to put ATT&CK into action is assess which ATT&CK techniques your current security tools and processes cover. Mapping your coverage across the entire ATT&CK matrix all at once is going to be out of scope for most organizations, so begin by assessing your coverage of one technique at a time, starting with the most important.
The ATT&CK website lists data sources and detection information for each technique, which you can use to assess coverage. Take the technique you’ve decided to start with, and check the listed data sources. If the sources are in place, move on to detection. Compare what’s listed in ATT&CK to the analytics you have, such as active rules in your security information and event management (SIEM) or endpoint detection and response (EDR) tool.
For example, sophisticated adversaries who are “living off the land” within a compromised environment may use the Windows Task Scheduler or utilities like schtasks to run malicious programs to maintain persistence. An organization that wanted to know if it was properly monitoring for such behavior could look up the Scheduled Task technique (classified as technique T1053 in the ATT&CK matrix). ATT&CK’s list of data sources needed to detect this technique includes Windows event logs, file monitoring, process monitoring, and process command-line parameter monitoring. With some luck, you’re already monitoring these data
sources and have detections in place, even if you weren’t classifying the behavior as an ATT&CK technique. If you haven’t been monitoring the data sources, you now know this gap should be closed. If you have the data sources, but not the detections, create a new analytic or leverage an existing open-source analytic.
By assessing more techniques, you can begin to build a map of coverage. To broaden your understanding of your coverage, start by taking an inventory of your data sources. Some data sources, such as File Monitoring, Process Monitoring, and Process Command Line, are especially valuable because they’re involved in the detection of many different techniques. As you progress with your assessments, you can track the results of your assessments in the ATT&CK Navigator, a web app from MITRE, available for free on GitHub. You can manipulate the ATT&CK matrix to create heat maps, add notes, and more. Find ATT&CK Navigator at https://mitre-attack.github.io/attack-navigator/enterprise.
ATT&CK is also a useful framework for evaluating new tools. If a tool doesn’t help you close gaps and cover relevant techniques, it isn’t worth your money. For example, imagine a company in the oil and gas industry that’s weighing investments in various security tools. Say the company has facilities and operations in the Middle East. A review of the ATT&CK framework identifies groups like MuddyWater (classified as group G0069 in ATT&CK) as well as the Iranian APT 33 (G0064) groups as active in that region with a history of targeting oil and gas companies.
The techniques used by those groups includes phishing emails with malicious Microsoft Word documents or HTML applications (T1204); the use of PowerShell for execution of malicious payloads (T1086); and the harvesting of credentials from web browser caches and files using tools like LaZagne and MimiKatz (T1003). However, neither group is associated with dedicated denial of service (DDoS) attacks.
Based on this analysis, DDoS protection isn’t the highest priority. Web application firewall capabilities could address some attack vectors but aren’t suited to groups that favor malicious email payloads. The most relevant tools are UBA technology to detect malicious activity on compromised endpoints or threat intelligence services that alert you to the activities of known advanced persistent threat (APT) groups.
On the ATT&CK website, APT groups are cataloged with the industries they’re known to have targeted. You can look up the major threats to your industry and see which techniques those APT groups use most frequently. For example, a quick search in ATT&CK for the APT group known as “Carbanak” or “Anunak” reveals that it relies heavily on Remote Access Tools (T1219) like AmmyAdmin and Team Viewer to conduct remote command and control of infected systems.
By using Navigator, you then map the techniques onto the ATT&CK Matrix. If you’ve already done analysis of what techniques you have coverage for, map your coverage as a layer to compare against the threats posed by APT groups. This action immediately highlights high-risk gaps and vulnerabilities in your detection and response capabilities.
The ATT&CK Navigator is a freely available tool developed by MITRE that serves as an interactive and customizable interface for the MITRE ATT&CK framework. Security teams can use Navigator for:
The end goal of leveraging MITRE ATT&CK is to improve your organization’s defenses against known adversary techniques. Here are a few ways that organizations can use ATT&CK information to improve their coverage of TTPs.
Analytics, in this context, are search queries that can be run from a tool (generally a SIEM) across collected log and event data to detect the behaviors associated with an ATT&CK technique. If, like most security teams, you don’t have the detailed understanding of ATT&CK techniques required to write detection analytics from scratch, you can leverage existing ATT&CK analytics, including those created by MITRE. These open-source analytics provide pseudocode that can be run in a SIEM as a search query. If the code doesn’t match the SIEM your organization uses, tools, such as Sigma, can translate the query for different platforms. After you’re running analytics and receiving results in your SIEM, analyze the results for false positives and make changes to filter them out. When an analytic works properly, you can use it to trigger an alert in your SIEM or SOAR platform.
Just as every technique in the matrix contains data source and detection information, it also has mitigations, which may be policies, tools, or security controls, such as Multi-Factor Authentication (classified as mitigation M1032 in ATT&CK), Network Segmentation (M1030), and SSL/TLS Inspection (M1020). To check where you have this level of coverage, look up mitigations on the ATT&CK page for each technique, or start by looking up a mitigation you know you have in place and see all the techniques it can be used against.
Test your defenses with adversary emulation, an exercise where a red team replicates the behaviors of a known adversary. One simple way to start, even if you don’t have a red team, is to use a collection of existing open-source scripts, such as Atomic Red Team, that replicate ATT&CK techniques. This approach may look like this:
A lot of security vendors are working the ATT&CK framework into their products. For example, some EDR tools will tag events with ATT&CK techniques when they match MITRE’s criteria. Some of these tools provide a map of the techniques that they can capture, saving you from having to assess your coverage of those techniques manually.
Because D3FEND is much newer than ATT&CK, most security teams have still yet to meaningfully operationalize it. Here are a few ways to get started.
The D3FEND matrix makes it possible to visualize your current ability to execute defensive measures. This will reveal the gaps in your security, for example, an overemphasis on the later stages at the expense of the Model and Harden tactics. Visualizing coverage can also be a useful way to evaluate the impact of new tools. If a tool won’t help you cover more techniques, it might not be the right investment.
Every security team wants to improve their posture over time and D3FEND gives them a way to quantify improvements and set benchmarks. This is also a valuable way for MSSPs to demonstrate improvements to their clients.
MITRE’s recommendations can be used as the basis for effective detection and response playbooks in tools like SOAR and XDR. By focusing on the most common ATT&CK techniques, you can ensure that you are properly defending against likely threats.
For example, here’s how a D3FEND-based playbook looks in D3’s Smart SOAR platform. This playbook is for ATT&CK Technique T1053, Scheduled Task/Job, which was the most frequently observed technique in a 2021 study by MITRE Engenuity: Implementing MITRE D3FEND for ATT&CK Technique T1053: Scheduled Task/Job.
ATT&CK and D3FEND are complementary frameworks that can be thought of as two sides of the same coin: what adversaries do and what security teams do. D3FEND techniques are tied to ATT&CK techniques, so for example, you can look up an ATT&CK technique from within the D3FEND matrix to see what defensive measures can be applied to it.
As previously covered, you can use ATT&CK to determine the most important TTPs to your organization. This can be achieved by using MITRE’s modeling of relevant APT groups, MITRE Engenuity’s study of TTP frequency, or, if you have the ability, by creating trend reports based on TTPs detected in your environment. Based on that information, you can create defensive plans and incident response playbooks for those techniques, following D3FEND best practices.
Security orchestration, automation, and response (SOAR) platforms provide an ideal way to turn MITRE’s knowledge into action. However, not all SOAR vendors incorporate MITRE ATT&CK and D3FEND equally. In this section, we will use examples from our Smart SOAR platform, which was the first SOAR platform to embed the MITRE ATT&CK matrix for analysis and incident response.
Many security tools, such as endpoint detection and response (EDR) tools, can tag alerts with suspected ATT&CK techniques. Because Smart SOAR integrates across the stack, it can validate those tags by gathering data from other tools. For example, checking SIEM logs or network traffic for more evidence of the suspected technique.
An important function of SOAR is to triage incoming alerts from other tools and analyze risk. Smart SOAR incorporates ATT&CK techniques into its analysis when performing triage, applying risk scores, and linking related alerts. SOAR users can build out the kill chain of an incident, based on the MITRE tactics that have been observed, and search for the links that are missing.
By tracking the ATT&CK techniques in your environment, you can target threat hunting playbooks in Smart SOAR to search for related techniques. MITRE’s recommended detections for each technique can be leveraged in playbooks.
Based on frequently observed techniques, which in Smart SOAR is visualized in the Monitor dashboard, SOAR users can hunt for signs of compromise related to those techniques and close security gaps. Evidence of related techniques can be hunted for in other integrated tools simultaneously, instead of hunting through each individual tool or data source.
Smart SOAR users can also put a high-risk technique under surveillance, so that any instance of it will be immediately flagged as an important incident.
Smart SOAR has playbooks based on D3FEND best practices for responding to techniques across the six stages. It also has playbooks for the most commonly detected ATT&CK techniques, such as Scheduled Task/Job and OS Credential Dumping. Other valuable data from MITRE can be worked into playbooks, such as detections, mitigations, and recommendations.