If you are a cybersecurity practitioner, you probably know what ATT&CK is all about. But just for those who aren’t aware, here’s a quick refresher on this revolutionary threat intelligence framework.
So what is the MITRE ATT&CK framework? ATT&CK, which stands for Adversarial Tactics, Techniques & Common Knowledge, is a knowledge base of cyber adversary behavior. ATT&CK is presented in the form of a matrix (a nested table) where the columns describe tactics, and the rows represent techniques and sub-techniques. Beyond the matrix, other key components are procedures, software, groups, detections, and mitigations. Let’s break down these core components of the ATT&CK framework:
- Tactics explain the “why” behind an attack and map to the adversary’s tactical goals.
- Techniques explain “how” an attacker achieves their tactical goal. It may also explain “what” an attacker stands to gain by performing an action.
- Sub-techniques describe specific techniques used by the attacker to achieve an objective. For example, Phishing, a technique listed under the Tactic Initial Access has three sub-techniques: Spearphishing Attachment, Spearphishing Link, and Spearphishing via Service.
- Procedures refer to specific implementations of a technique or sub-technique. For example, the technique Boot or Logon Autostart Execution has more than a hundred implementations from known adversary groups.
- Groups comprises the APT (advanced persistent threat) groups tracked by ATT&CK, the aliases they are referred by, and the techniques and software they use. ATT&CK currently tracks 129 threat groups.
- Software refers to the tools and malware used by adversaries. Examples include Cobalt Strike, Mimikatz, and Metasploit.
- Detections describes ways in which a technique or sub-technique can be identified.
- Mitigations describes processes, tools, and configurations that can be used to prevent the execution of a technique or sub-technique.
How MITRE ATT&CK Helps Security Operations
ATT&CK has grown in popularity over the past five years. The cybersecurity industry has embraced ATT&CK because it’s a free and open framework, constantly evolving, and based on real-world observations and contributions. It provides a standardized vocabulary for the infosec community to describe and predict the behavior of cyber adversaries operating inside an enterprise network post-exploit and infiltration. ATT&CK also has valuable use-cases in threat intelligence, detection and analytics, adversary emulation and red teaming, and assessments and engineering.
The evolution of the MITRE ATT&CK framework in one GIF.
— D3 Security (@D3Security) April 22, 2022
History and Evolution of MITRE ATT&CK
At first glance, the ATT&CK framework can seem unfathomably complex — the latest version has 14 Tactics, 188 Techniques, 379 Sub-techniques, 129 Groups, and 637 Pieces of Software. To get a better understanding of ATT&CK, let’s take a look at how the framework has evolved since its first public release.
May 2015: 9 tactics and 96 techniques
Launched as a wiki, the ATT&CK framework was community-driven from the outset. The first version had nine tactics — three of which were described first in Lockheed Martin’s Cyber Kill Chain: Privilege Escalation, Lateral Movement, and Exfiltration. From the outset, it included sections on detections and mitigations.
July 2016: 10 tactics, 121 techniques
This update added 25 new techniques, and one new tactic — Collection. It also renamed the Tactic known as Host Enumeration to Discovery. The update also gave Techniques an ID that can be referenced.
January 2017: 10 Tactics, 127 techniques
This was a minor update where five new techniques were added. Two under the Collection tactic — Audio and Video Capture — and two under the Defense Evasion tactic: Network Share Connection Removal, and Trusted Developer Utilities. This update also added API access to query for information.
April 2017: 10 Tactics 133 Techniques
This update saw the introduction of 6 new techniques: Netsh Helper DLL, Execution through Module Load — later renamed to Shared Modules — Authentication Package, Install Root Certificate, Data Encoding, and External Remote Services. The first three are Windows-specific, but the rest can apply to other platforms as well.
July 2017: 10 Tactics, 169 techniques
This was a significant update that saw the rollout of Linux and macOS versions of the ATT&CK Matrix. Eight new techniques were added and six were renamed. This period was notable for some activity outside of the ATT&CK Matrix. PRE-ATT&CK , which tracked pre-compromise adversary behaviors, debuted in 2017 with 17 tactic categories and 173 techniques. It would later be retired and integrated into the ATT&CK Matrix under the tactics of Reconnaissance and Resource Development.
January 2018: ATT&CK v1 — 10 Tactics, 188 techniques
ATT&CK adopted a versioning system in 2018, with the January 2018 version counted as v1. 19 new techniques were added in this update and three techniques were renamed. We can see what the ATT&CK Matrix looked like at this time on archive.org.
April 2018: ATT&CK v2 — 11 Tactics, 219 Techniques
A new tactic, Initial Access, was added from the PRE-ATT&CK matrix with ten techniques listed under it. 23 new techniques were added in total, making this the biggest ATT&CK update since its inception. Defense Evasion became the top tactic in terms of techniques listed, with a total of 59 techniques.
October 2018: ATT&CK v3 — 11 Tactics, 224 Techniques
This was a significant period for ATT&CK. MITRE announced that it would be retiring the wiki interface for the site around this period and debuted a new site in beta. The ID numbering scheme was extended to Tactics and Mobile Mitigations, and a versioning system was implemented. New techniques added included XSL Script Processing, Template Injection, File Permissions Modification, and Compiled HTML File.
April 2019: ATT&CK v4 — 12 Tactics, 245 Techniques
The tactic Impact was added to this version, representing the adversary’s end goal. It launched with 14 techniques covering scenarios like DDoS attacks, ransomware, and cryptojacking.
July 2019: ATT&CK v5 — 12 Tactics, 245 Techniques
This update did not see the addition of any new tactics or techniques. With this update, Mitigations were treated like objects similar to Groups and Software, with each mitigation category getting its own page under which applicable techniques were listed. There are currently 43 Mitigations listed in the enterprise ATT&CK matrix.
October 2019: ATT&CK v6 — 12 Tactics, 266 Techniques
ATT&CK for Cloud was added to the matrix in this update, covering adversary behavior against cloud-based Infrastructure as a Service (IaaS) platforms like AWS, Azure, and GCP. Simultaneously, cloud-based software platforms were added under Software as a service (SaaS), Azure Active Directory (Azure AD), and Office 365. 36 cloud-focused ATT&CK techniques were added to the matrix with this update.
July 2020: ATT&CK v7 — 12 Tactics, 156 Techniques, 272 sub-techniques
This version saw the addition of sub-techniques to the matrix, adding more depth and detail to the techniques used by adversaries. There was a lot of work behind this update, judging by the release notes, as many existing techniques became sub-techniques. 10 techniques were deprecated with this release. 2020 also saw the launch of ATT&CK for ICS, which is separate from ATT&CK for Enterprise and has its own site.
October 2020: ATT&CK v8 — 14 Tactics, 177 Techniques, and 348 Sub-techniques
PRE-ATT&CK was deprecated with this release, and two new Tactics — Reconnaissance, and Resource Development — were added to the ATT&CK matrix to replace it. This release also added Network as a platform, with 13 techniques and 15 sub-techniques mapping adversary behavior against network infrastructure devices.
April 2021: ATT&CK v9 — 14 Tactics, 185 Techniques, 367 sub-techniques
Containers and Google Workspace were added as platforms with this update, ballooning up the number of techniques and sub-techniques even further. IaaS (Infrastructure as a Service) platforms were consolidated under a single platform called IaaS.
October 2021: ATT&CK v10 — 14 Tactics, 188 Techniques, 379 Sub-techniques
This is the latest version of ATT&CK. The major change in this version is the addition of Data Sources and Data components, which represent the different types of telemetry that can be collected by sensors and logs.
D3 is the SOAR with MITRE ATT&CK
It might not be part of the official timeline of ATT&CK, but in 2019, D3 was the first SOAR platform to embed the MITRE ATT&CK matrix for correlation of adversary techniques. That means you can detect and mitigate APTs faster with D3’s next-generation SOAR platform, and use MITRE ATT&CK to disrupt the adversary’s kill chain. Book a one-on-one demo with our security experts to learn how we can transform your SecOps.