What is MITRE ATT&CK Framework?

MITRE ATT&CK stands for MITRE Adversarial Tactics, Techniques and Common Knowledge (ATT&CK). The MITRE ATT&CK Framework is a curated knowledge base and model used to study adversary behaviour of threat or malicious actors. It has a detailed explanation of the various phases of an attack and the platforms or systems that could be or are prone to attacks by threat actors. The framework was created back in 2013 by the MITRE Corporation. Since this framework or documentation was created based on real-world observations, it continues to evolve with the threat landscape and has become quite renowned in the industry to understand attacker models, methodologies and mitigation techniques.

MITRE ATT&CK Framework has three main components:

1. Tactics: These denote the goals that a threat actor or a malicious actor may want to achieve in order to attack a system or a network successfully.
2. Techniques: These describe the ways or the methods that the threat actor uses in order to achieve the respective tactical goals.
3. The framework also contains documented details about previous adversary usage of the techniques and some metadata related to those.

This framework has different iterations or ‘matrices’, its most famous iteration being the Enterprise Matrix. The Enterprise Matrix talks about the tactics and techniques employed by threat actors against enterprises or platforms such as Windows, macOS, Linux, Office 365 etc. The tactics mentioned under the Enterprise matrix are :

1. Reconnaissance: Covertly gathering information about a target or targets that could be useful while carrying out or planning an attack.

2. Resource Development: Deciding upon or gathering resources and tools to carry out an attack. 

3. Initial Access: Establishing an initial foothold over a system or network by gaining access to some usernames, passwords etc.

4. Execution: Deployment of the resources and tools to carry out the attack.

5. Persistence: Maintaining control or presence over a network even if mitigation techniques have been employed by the opposite party, but without getting detected.

6. Privilege Escalation: Getting much higher level controls such as administrator level or root level controls.

7. Defense Evasion: Trying to get past the security mechanisms applied on the network for protection, to avoid detection while compromising the system(s).

8. Credential Access: Gaining access to some important usernames and passwords.

9. Discovery: Trying to figure out the target environment.

10. Lateral Movement: It means to move deeper into the target network in order to get hold of some sensitive information or any kind of information that could be valuable to the party whose system or network is being compromised.

11. Collection: Collecting relevant data about the target that may help to achieve a goal.

12. Command & Control: Once all kinds of access has been gained by the attacker, and the systems have been compromised, he/she uses this tactic to finally establish control over the network or system and use it to his/her advantage.

13. Exfiltration: Stealing data from the compromised systems.

14. Impact: Manipulation, interruption or destruction of systems and the data inside.

In today’s world, data is very important. As the quantity of valuable data increases, So does the number of adversaries who want to gain access to it. This framework is one such tool for individuals, organizations and governments to avoid their systems and networks becoming targets for malicious actors in cyberspace.