MITRE ATT&CK Framework Flashcards
ATT&CK Framework
MITRE’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) is a knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary’s attack lifecycle and the platforms they are known to target. Since it was introduced in 2013, it has become one of the most respected and referenced resources for cyber security professionals. This model consists of tactics, techniques, and procedures and contains exhaustive information about types of attacks and their corresponding behavior. The primary use case of ATT&CK is for identifying the behavior of APTs and it explores the various ways that these APTs can compromise a computer and/or network.
As of writing, there are over 250 techniques that correspond with the tactics and would be too exhaustive to include here. Below is a screenshot of a small section of the Attack Navigator platform on Github.io. Take a look for yourself!
ATT&CK For Threat Intel
ATT&CK gives analysts a common language to structure, compare, and analyze threat intelligence.
Getting Started with ATT&CK: Threat Intelligence Blog Post: This blog post describes how you can get started using ATT&CK for threat intelligence at three different levels of sophistication
ATT&CKing Your Adversaries Presentation: This presentation covers how to use ATT&CK to take cyber threat intelligence and operationalize it into behaviors that can drive relevant detections.
Blog posts on threat intelligence: These blog posts explain the fundamentals of how to use ATT&CK for threat intelligence.
ATT&CKing the Status Quo Presentation: This middle part of this presentation provides an introduction to using ATT&CK for threat intelligence. Slides are also available.
ATT&CKing with Threat Intelligence Presentation: This presentation provides a perspective on how to use threat intelligence for ATT&CK-based adversary emulation. Slides are also available.
ATT&CK Navigator Use Case for Threat Intelligence: This demo provides an overview of the ATT&CK Navigator as well as a threat intelligence use case for how to compare group behaviors. A corresponding written tutorial on comparing Navigator layers is available here.
ATT&CK vs. Kill Chain
Similar to the Cyber Kill Chain by Lockheed Martin, ATT&CK is used to describe the phases of a cyber-attack. However, the primary difference between the two, is that the Cyber Kill Chain proposes a well-defined sequence of events, while an ATT&CK scenario defines the techniques used on a case-to-case basis. Using the ATT&CK framework helps identify specifically how an attack was performed and using their website, lets any security researcher explore both methods of attacks and APT groups that use them. The Cyber Kill Chain is an overall more generic method of identifying an attack and that is why many security professionals prefer the ATT&CK framework or a hybrid solution of both.
