If you are a cybersecurity practitioner, you probably know what ATT&CK is all about. But just for those who aren’t aware, here’s a quick refresher on this revolutionary threat intelligence framework.
So what is the MITRE ATT&CK framework? ATT&CK, which stands for Adversarial Tactics, Techniques & Common Knowledge, is a knowledge base of cyber adversary behavior. ATT&CK is presented in the form of a matrix (a nested table) where the columns describe tactics, and the rows represent techniques and sub-techniques. Beyond the matrix, other key components are procedures, software, groups, detections, and mitigations. Let’s break down these core components of the ATT&CK framework:
ATT&CK has grown in popularity over the past five years. The cybersecurity industry has embraced ATT&CK because it’s a free and open framework, constantly evolving, and based on real-world observations and contributions. It provides a standardized vocabulary for the infosec community to describe and predict the behavior of cyber adversaries operating inside an enterprise network post-exploit and infiltration. ATT&CK also has valuable use-cases in threat intelligence, detection and analytics, adversary emulation and red teaming, and assessments and engineering.
The evolution of the MITRE ATT&CK framework in one GIF.
— D3 Security (@D3Security) April 22, 2022
At first glance, the ATT&CK framework can seem unfathomably complex — the latest version has 14 Tactics, 188 Techniques, 379 Sub-techniques, 129 Groups, and 637 Pieces of Software. To get a better understanding of ATT&CK, let’s take a look at how the framework has evolved since its first public release.
Launched as a wiki, the ATT&CK framework was community-driven from the outset. The first version had nine tactics — three of which were described first in Lockheed Martin’s Cyber Kill Chain: Privilege Escalation, Lateral Movement, and Exfiltration. From the outset, it included sections on detections and mitigations.
This update added 25 new techniques, and one new tactic — Collection. It also renamed the Tactic known as Host Enumeration to Discovery. The update also gave Techniques an ID that can be referenced.
This was a minor update where five new techniques were added. Two under the Collection tactic — Audio and Video Capture — and two under the Defense Evasion tactic: Network Share Connection Removal, and Trusted Developer Utilities. This update also added API access to query for information.
This update saw the introduction of 6 new techniques: Netsh Helper DLL, Execution through Module Load — later renamed to Shared Modules — Authentication Package, Install Root Certificate, Data Encoding, and External Remote Services. The first three are Windows-specific, but the rest can apply to other platforms as well.
This was a significant update that saw the rollout of Linux and macOS versions of the ATT&CK Matrix. Eight new techniques were added and six were renamed. This period was notable for some activity outside of the ATT&CK Matrix. PRE-ATT&CK , which tracked pre-compromise adversary behaviors, debuted in 2017 with 17 tactic categories and 173 techniques. It would later be retired and integrated into the ATT&CK Matrix under the tactics of Reconnaissance and Resource Development.
ATT&CK adopted a versioning system in 2018, with the January 2018 version counted as v1. 19 new techniques were added in this update and three techniques were renamed. We can see what the ATT&CK Matrix looked like at this time on archive.org.
A new tactic, Initial Access, was added from the PRE-ATT&CK matrix with ten techniques listed under it. 23 new techniques were added in total, making this the biggest ATT&CK update since its inception. Defense Evasion became the top tactic in terms of techniques listed, with a total of 59 techniques.
This was a significant period for ATT&CK. MITRE announced that it would be retiring the wiki interface for the site around this period and debuted a new site in beta. The ID numbering scheme was extended to Tactics and Mobile Mitigations, and a versioning system was implemented. New techniques added included XSL Script Processing, Template Injection, File Permissions Modification, and Compiled HTML File.
The tactic Impact was added to this version, representing the adversary’s end goal. It launched with 14 techniques covering scenarios like DDoS attacks, ransomware, and cryptojacking.
This update did not see the addition of any new tactics or techniques. With this update, Mitigations were treated like objects similar to Groups and Software, with each mitigation category getting its own page under which applicable techniques were listed. There are currently 43 Mitigations listed in the enterprise ATT&CK matrix.
ATT&CK for Cloud was added to the matrix in this update, covering adversary behavior against cloud-based Infrastructure as a Service (IaaS) platforms like AWS, Azure, and GCP. Simultaneously, cloud-based software platforms were added under Software as a service (SaaS),Microsoft Entra ID (Azure Active Directory), and Office 365. 36 cloud-focused ATT&CK techniques were added to the matrix with this update.
This version saw the addition of sub-techniques to the matrix, adding more depth and detail to the techniques used by adversaries. There was a lot of work behind this update, judging by the release notes, as many existing techniques became sub-techniques. 10 techniques were deprecated with this release. 2020 also saw the launch of ATT&CK for ICS, which is separate from ATT&CK for Enterprise and has its own site.
PRE-ATT&CK was deprecated with this release, and two new Tactics — Reconnaissance, and Resource Development — were added to the ATT&CK matrix to replace it. This release also added Network as a platform, with 13 techniques and 15 sub-techniques mapping adversary behavior against network infrastructure devices.
Containers and Google Workspace were added as platforms with this update, ballooning up the number of techniques and sub-techniques even further. IaaS (Infrastructure as a Service) platforms were consolidated under a single platform called IaaS.
The major change in this version is the addition of Data Sources and Data components, which represent the different types of telemetry that can be collected by sensors and logs.
This update brought major changes such as the restructuring of Detections, which are now tied to Data Source and Data Component objects in Enterprise ATT&CK. A beta release of ATT&CK for Mobile leveraging sub-techniques was also introduced.
Version 12 of ATT&CK brought updates to Techniques, Groups, and Software for Enterprise, Mobile, and ICS. The most significant changes in this release were the addition of detections to ATT&CK for ICS and the introduction of Campaigns. Campaigns are defined as a grouping of intrusion activity conducted over a specific period of time with common targets and objectives, and the activity may or may not be linked to a specific threat actor.
The April 2023 (v13) ATT&CK release updates Techniques, Groups, Campaigns and Software for Enterprise, Mobile, and ICS. The biggest changes in ATT&CK v13 were the addition of detailed detection guidance to some Techniques in ATT&CK for Enterprise, Mobile Data Sources,
It might not be part of the official timeline of ATT&CK, but in 2019, D3 was the first SOAR platform to embed the MITRE ATT&CK matrix for correlation of adversary techniques. That means you can detect and mitigate APTs faster with D3’s Smart SOAR platform, and use MITRE ATT&CK to disrupt the adversary’s kill chain. Book a one-on-one demo with our security experts to learn how we can transform your SecOps.