What is the MITRE ATT&CK Framework?

The MITRE ATT&CK Framework is a well-documented knowledge base of TTPs (tactics, techniques and procedures): the patterns of behaviour that real-world threat actors employ. An example of this would be the infamous report published by FireEye on the Mandiant APT1 espionage group. Within the report, FireEye documented behaviour patterns, techniques, tactics, software, indicators of compromise, exfiltrated data and the timeline of the attacks. The MITRE ATT&CK framework distils such findings into a list of APTs together with the techniques and tools that were observed in the wild.

This can be further visualised with the MITRE ATT&CK Navigator, where a red or blue teamer can identify and define an adversary’s TTPs. The framework is granular down to individual operating systems and cloud environments, since techniques are specific to the environment they target. MITRE ATT&CK also includes mitigation and detection guidance to help blue teamers better protect against and respond to these attacks.

As a supplement to the Cyber Kill Chain, the MITRE ATT&CK framework comprises a detailed list of tactics: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, and Command and Control. Each tactic comprises a number of techniques, and that number has grown over the years.

The purpose of a red team assessment is to replicate these attacks across a number of scenarios. A common misunderstanding is that a red team engagement is a one-off exercise. In fact, red teaming is an iterative and continuous process: organisations should undergo repeated assessments to improve their own detection and response capabilities.
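As an added illustration (not code from the article or from Horangi), the following Python turns the techniques observed during one assessment into a per-tactic coverage view across the eleven tactics listed above and into an ATT&CK Navigator layer, which is one way the repeated assessments described above can be tracked over time. The sample observations are constructed, and the Navigator layer field names are assumed from the published layer format.

```python
# Constructed sample: technique observations from a hypothetical assessment.
# Technique IDs are real ATT&CK enterprise IDs; the tactic each served and
# whether the blue team detected it are invented for illustration.
OBSERVED = [
    {"id": "T1566", "tactic": "initial-access", "detected": True},
    {"id": "T1059", "tactic": "execution", "detected": True},
    {"id": "T1547", "tactic": "persistence", "detected": False},
    {"id": "T1003", "tactic": "credential-access", "detected": False},
    {"id": "T1021", "tactic": "lateral-movement", "detected": True},
    {"id": "T1041", "tactic": "exfiltration", "detected": False},
]

# The eleven tactics named in the article, in kill-chain order, using the
# lower-case identifiers the Navigator layer format uses.
TACTICS = [
    "initial-access", "execution", "persistence", "privilege-escalation",
    "defense-evasion", "credential-access", "discovery", "lateral-movement",
    "collection", "exfiltration", "command-and-control",
]

def coverage_by_tactic(observed):
    """Return {tactic: (detected, total)} for every tactic, including those
    with no observations, so untested stages of the chain stay visible."""
    summary = {t: [0, 0] for t in TACTICS}
    for obs in observed:
        if obs["tactic"] not in summary:
            raise ValueError(f"unknown tactic: {obs['tactic']}")
        summary[obs["tactic"]][1] += 1
        summary[obs["tactic"]][0] += int(obs["detected"])
    return {t: tuple(v) for t, v in summary.items()}

def navigator_layer(observed, name="Assessment coverage"):
    """Build an ATT&CK Navigator layer dict (field names assumed from the
    published layer format). Score 1 = detected, 0 = missed, so the Navigator
    heat map highlights where detection engineering should focus next."""
    return {
        "name": name,
        "domain": "enterprise-attack",
        "versions": {"layer": "4.5"},
        "techniques": [
            {"techniqueID": o["id"], "tactic": o["tactic"],
             "score": int(o["detected"]),
             "comment": "detected" if o["detected"] else "missed"}
            for o in observed
        ],
    }
```

Serialising the returned dict with `json.dumps` gives a file that can be opened in the Navigator UI, so successive assessments can be compared layer by layer.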

Jimmy Ly

Jimmy Ly is a Horangi CyberOps Consultant specializing in red team operations and penetration testing. He also works on developing offensive tools and techniques using Python, Go, C, C++ and C#.