ATT&CK


The Adversarial Tactics, Techniques, and Common Knowledge or MITRE ATT&CK is a guideline for classifying and describing cyberattacks and intrusions. It was created by the Mitre Corporation and released in 2013. [1]


Rather than looking at the results of an attack (indicators of compromise, IoCs), it identifies tactics that indicate an attack is in progress. Tactics are the "why" of an attack technique: the adversary's objective in using it.

The framework consists of 14 tactics categories consisting of "technical objectives" of an adversary. [2] Examples include privilege escalation and command and control. [3] These categories are then broken down further into specific techniques and sub-techniques. [3]

The framework is an alternative to the Cyber Kill Chain developed by Lockheed Martin. [3]

ATT&CK Matrix for Enterprise

The ATT&CK Matrix for Enterprise is a comprehensive framework that is presented as a kanban board-style diagram. [4] It defines 14 tactic categories for the tactics, techniques and procedures (TTPs) used by cybercriminals, each with its associated techniques and sub-techniques.

| Category             | Description                                                       | Techniques |
|----------------------|-------------------------------------------------------------------|-----------:|
| Reconnaissance       | Gathering information about a target.                             | 10 |
| Resource Development | Identifying and acquiring resources for the attack.               | 8  |
| Initial Access       | Gaining initial access to a system or network.                    | 10 |
| Execution            | Running malicious code on a system.                               | 14 |
| Persistence          | Maintaining access to a system or network.                        | 20 |
| Privilege Escalation | Obtaining elevated privileges within a system or network.         | 14 |
| Defense Evasion      | Disabling or evading security measures.                           | 43 |
| Credential Access    | Obtaining credentials to access systems or data.                  | 17 |
| Discovery            | Identifying additional systems or information within a network.   | 32 |
| Lateral Movement     | Moving laterally within a compromised network.                    | 9  |
| Collection           | Collecting data from compromised systems.                         | 10 |
| Command and Control  | Establishing communication with compromised systems.              | 17 |
| Exfiltration         | Transferring stolen data from a compromised system.               | 9  |
| Impact               | Taking actions to achieve the attacker's objectives.              | 14 |

Reconnaissance

Reconnaissance is the initial stage of information gathering for an eventual cyberattack. [5]

There are 10 techniques, including network scanning, social engineering and open-source intelligence (OSINT).

| MITRE ID | Technique | Summary |
|----------|-----------|---------|
| T1595 | Active Scanning | Active reconnaissance by scanning the target network using a port scanning tool such as Nmap, vulnerability scanning tools, and wordlist scanning for common file extensions and software used by the victim. |
| T1598 | Phishing for Information | Using social engineering techniques to elicit useful information from the target over a communication channel such as e-mail, including generic phishing and targeted spearphishing that has been specifically crafted for an individual victim. |
| T1592 | Gather Victim Host Information | Discovering the configuration of specific endpoints, such as their hardware, software and administrative configuration (for example Active Directory domain membership), and especially security protections such as antivirus and physical locks (biometric, smart card or even a Kensington K-Slot). |
| T1590 | Gather Victim Network Information | Discovering the target network's configuration, such as the network topology, security appliances (network firewall, VPN), IP address ranges (IPv4, IPv6 or both), fully qualified domain names (FQDN) and the Domain Name System (DNS) configuration. |
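As an added illustration (not part of the original article or of MITRE's own tooling), the following detection heuristic runs over constructed connection-log lines and tags its alerts with the Reconnaissance tactic and the T1595 Active Scanning technique from the table above. The log format, the port threshold and the time window are assumptions of this example.

```python
"""Flag possible ATT&CK T1595 (Active Scanning) behaviour in connection logs.

Heuristic: one source touching many distinct destination ports on one host
inside a short window looks like a port scan. The log format, threshold and
window are assumptions of this example, not part of ATT&CK itself.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Tactic and technique names/ID as listed in the tables above.
TACTIC = "Reconnaissance"
TECHNIQUE_ID = "T1595"
TECHNIQUE = "Active Scanning"

# Constructed sample log lines: "<ISO timestamp> <src_ip> <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
2024-03-01T10:00:00 10.0.0.5 192.0.2.10:22
2024-03-01T10:00:01 10.0.0.5 192.0.2.10:80
2024-03-01T10:00:01 10.0.0.5 192.0.2.10:443
2024-03-01T10:00:02 10.0.0.5 192.0.2.10:3389
2024-03-01T10:00:02 10.0.0.5 192.0.2.10:8080
2024-03-01T10:00:03 10.0.0.5 192.0.2.10:8443
2024-03-01T10:00:05 10.0.0.7 192.0.2.10:443
2024-03-01T10:01:00 10.0.0.7 192.0.2.11:443
"""

def parse_line(line):
    ts, src, dst = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst_ip, int(dst_port)

def detect_active_scanning(log_text, min_ports=5, window=timedelta(seconds=60)):
    """Return one alert per (src, dst) pair that reaches >= min_ports distinct
    destination ports within `window`; each alert is tagged with ATT&CK IDs."""
    events = defaultdict(list)  # (src, dst_ip) -> [(timestamp, port), ...]
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dst_ip, port = parse_line(line)
            events[(src, dst_ip)].append((ts, port))
    alerts = []
    for (src, dst_ip), hits in events.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):  # sliding window from each hit
            ports = {p for t, p in hits[i:] if t - start <= window}
            if len(ports) >= min_ports:
                alerts.append({"src": src, "dst": dst_ip, "distinct_ports": len(ports),
                               "tactic": TACTIC, "technique_id": TECHNIQUE_ID,
                               "technique": TECHNIQUE})
                break
    return alerts
```

On the sample data only 10.0.0.5 trips the threshold (six distinct ports in three seconds); tuning `min_ports` and `window` to the environment is what keeps such a rule from flagging legitimate monitoring systems.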


References

  1. "What is the MITRE ATT&CK Framework?". Rapid7. Retrieved 2022-04-18.
  2. "Tactics in the ATT&CK Framework". Exabeam. 2022-08-03.
  3. "What is the Mitre Attack Framework?". crowdstrike.com. Retrieved 2022-04-18.
  4. "MITRE ATT&CK". mitre.org. MITRE. Retrieved 2024-03-01.
  5. "Reconnaissance". attack.mitre.org. MITRE. Retrieved 2024-03-01.