Learn about the MITRE ATT&CK Framework for preventing cybersecurity threats, including techniques, procedures, and types of MITRE ATT&CK matrices, as well as careers where you can use this framework.
Cyberattacks pose a significant threat to businesses, government organizations, and even individuals as criminals attempt to access sensitive information such as finances or personal data. In 2023, the average cost of a data breach for organizations in the United States was $9.36 million [1]. MITRE ATT&CK was created in 2013 by MITRE—a non-profit organization that operates federally funded research and development centers—to help cybersecurity teams test defensive methods, develop incident response plans, and determine the overall ability to detect attacks. Two years later, MITRE ATT&CK was introduced to the public at no cost, and it continues to help cybersecurity teams keep systems secure.
Short for MITRE Adversarial Tactics, Techniques, and Common Knowledge, MITRE ATT&CK is a knowledge base detailing the different tactics and techniques that adversaries, or cyberattackers, use as well as the platforms they target, based on observations of real attacks that have occurred. Ultimately, MITRE ATT&CK improves communication throughout organizations, helping to better understand what the attacker is trying to accomplish and establishing defensive measures.
Having a free and widely available knowledge base, whether for individual or organizational use, is important since attackers' strategies and methods constantly evolve as new threats emerge. To keep up, new defensive techniques are also necessary to effectively safeguard infrastructure and data.
The MITRE ATT&CK framework contains several tactics, techniques, and procedures. Tactics describe the attacker's goal, while techniques describe how the attacker achieves that goal. Procedures illustrate how the attacker specifically implements the different techniques.
The attacker's goal varies depending on the stage of the attack, so MITRE ATT&CK defines several tactics, one per goal. For example, reconnaissance covers the stage where the attacker gathers information that they will then use to plan the attack. Another tactic is initial access; during this stage, the attacker's goal is to get into the network or system.
The techniques described in MITRE ATT&CK provide insight into how attackers can reach their goals. The information provided here includes an overview of different techniques, corresponding sub-techniques, the software attackers use to perform the attack technique, and intrusion detection and prevention methods.
Procedures provide insight into how attackers implement techniques and sub-techniques and the tools they can use. With this information, you can learn how to detect techniques and replicate the attack to gain an understanding of how attackers use techniques in real-life scenarios.
Anyone can use the MITRE ATT&CK framework, whether on behalf of an organization or for their own purposes. MITRE ATT&CK is especially important in developing cybersecurity methods for government and public sector use cases. As for careers where you can use the framework, familiarity with MITRE ATT&CK is a valuable skill in any role that contributes to developing secure applications and systems. Some examples include penetration testers, security analysts, and security platform engineers and developers.
The MITRE ATT&CK matrices can be classified as pre-ATT&CK, enterprise, mobile, and ICS matrices. These classifications sort the various techniques depending on the type of device or system they apply to.
Certain techniques help attackers prepare before an actual attack occurs, and many of these techniques are challenging to detect because they don't happen within the victim organization's infrastructure. Attackers instead rely on information gathered from the outside, and pre-ATT&CK matrices help you ensure that your information isn't easily accessible from the outside.
Enterprise matrices entail techniques used on cloud platforms and Mac, Windows, and Linux environments. Information provided within the enterprise matrix includes specific details relating to enterprise attacks, including how to identify and mitigate the threat of attacks during different stages, the tools and techniques used, and how attacks happen.
Mobile matrices cover information regarding mobile device attacks, including attacks on Android and iOS operating systems. These attacks can feature data exfiltration, privilege escalation, and network-based attacks, where the attacker can infiltrate a mobile device without physical access.
ICS matrices highlight the different attacks that adversaries can use to target industrial control systems, such as transportation systems or power grids. Operators of these critical services use ICS matrices to openly communicate defense strategies and to learn how these threats occur.
MITRE ATT&CK has four primary use cases: detections and analytics, threat intelligence, adversary emulation and red teaming, and assessment and engineering. You can use ATT&CK analytics to build detection tools that spot alarming behaviors and detect specific techniques. Threat intelligence gives teams a shared vocabulary so you can exchange threat intelligence information. Adversary emulation and red teaming allow for replicating threats and developing plans to defend against them. Lastly, one common way you can use MITRE ATT&CK is to assess your organization's tools and overall capabilities so you can make better engineering decisions.
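The following Python script is an added example, not code from the Coursera article or from MITRE. It ties together two passages above: the tactic → technique → procedure hierarchy, and the "detections and analytics" and "assessment and engineering" use cases. It models a small slice of the Enterprise matrix (the tactic and technique IDs are real ATT&CK identifiers; the procedure strings are illustrative), runs one detection analytic, tagged with the technique it covers, over constructed sshd-style log lines, and then reports which tactics in scope have at least one analytic. The log lines, the failure threshold, and the analytic catalog are all constructed for the example.

```python
"""Added example (not from the article or from MITRE): ATT&CK hierarchy model,
one technique-tagged detection analytic, and a tactic-coverage assessment."""
from collections import defaultdict
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Technique:
    id: str            # ATT&CK technique ID, e.g. T1110
    name: str
    tactic_id: str     # the tactic (goal) this technique serves
    procedures: tuple  # illustrative procedure descriptions (constructed text)


# A small slice of the Enterprise matrix. IDs are real ATT&CK identifiers.
TACTICS = {
    "TA0043": "Reconnaissance",
    "TA0001": "Initial Access",
    "TA0002": "Execution",
    "TA0006": "Credential Access",
}
TECHNIQUES = {
    "T1595": Technique("T1595", "Active Scanning", "TA0043", ("port scan of external hosts",)),
    "T1566": Technique("T1566", "Phishing", "TA0001", ("malicious attachment in e-mail",)),
    "T1059": Technique("T1059", "Command and Scripting Interpreter", "TA0002", ("PowerShell script",)),
    "T1110": Technique("T1110", "Brute Force", "TA0006", ("password guessing over SSH",)),
}

# Constructed sshd-style log lines: five failures then a success from one source,
# and one failure followed by a success from another (normal user typo).
SAMPLE_LOG = """\
Jan 10 09:00:01 host sshd[100]: Failed password for invalid user admin from 203.0.113.5 port 41000 ssh2
Jan 10 09:00:02 host sshd[101]: Failed password for invalid user admin from 203.0.113.5 port 41001 ssh2
Jan 10 09:00:03 host sshd[102]: Failed password for root from 203.0.113.5 port 41002 ssh2
Jan 10 09:00:04 host sshd[103]: Failed password for root from 203.0.113.5 port 41003 ssh2
Jan 10 09:00:05 host sshd[104]: Failed password for root from 203.0.113.5 port 41004 ssh2
Jan 10 09:00:06 host sshd[105]: Accepted password for root from 203.0.113.5 port 41005 ssh2
Jan 10 09:05:00 host sshd[106]: Failed password for alice from 198.51.100.7 port 50000 ssh2
Jan 10 09:05:30 host sshd[107]: Accepted password for alice from 198.51.100.7 port 50001 ssh2
"""

LINE_RE = re.compile(r"sshd\[\d+\]: (Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+)")


def detect_brute_force(log_text, threshold=5):
    """Analytic mapped to T1110 (Brute Force, Credential Access): flag a source
    address that accumulates `threshold` failed logins and then succeeds.
    Each finding carries the technique and tactic IDs so an analyst can pivot
    straight to the knowledge base entry for mitigations and related procedures."""
    failures = defaultdict(int)
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        outcome, user, src = m.groups()
        if outcome == "Failed":
            failures[src] += 1
        elif failures[src] >= threshold:
            findings.append({
                "technique": "T1110",
                "tactic": "TA0006",
                "source": src,
                "user": user,
                "failures": failures[src],
            })
    return findings


# Catalog of analytics in place, keyed by function name, valued by the technique
# each one covers (constructed; a real catalog would list many more).
ANALYTICS = {"detect_brute_force": "T1110"}


def tactic_coverage(analytics=ANALYTICS):
    """Assessment use case: for each tactic in scope, does at least one analytic
    cover a technique under it? Gaps here drive engineering priorities."""
    covered = {TECHNIQUES[t].tactic_id for t in analytics.values()}
    return {tid: tid in covered for tid in TACTICS}


if __name__ == "__main__":
    for f in detect_brute_force(SAMPLE_LOG):
        t = TECHNIQUES[f["technique"]]
        print(f"{t.id} {t.name} ({TACTICS[t.tactic_id]}): {f['source']} -> {f['user']} after {f['failures']} failures")
    for tid, ok in tactic_coverage().items():
        print(f"{tid} {TACTICS[tid]}: {'covered' if ok else 'GAP'}")
```

Running the script yields one finding (the 203.0.113.5 source, which succeeded as root after five failures) and shows that only Credential Access is covered, while Reconnaissance, Initial Access, and Execution are gaps; that is exactly the kind of output that feeds the assessment and engineering use case.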
Implementing MITRE ATT&CK has several benefits, including reducing the risk of cyber threats, developing better security, and improving threat detection and attack resolution. It also ensures that you have the necessary information to defend against new techniques.
Some challenges exist with MITRE ATT&CK as well. For example, you need to have the right skills and knowledge in place for proper implementation. With so many techniques throughout MITRE ATT&CK, this can mean a significant time commitment. Additionally, the framework is sometimes biased toward new techniques because of how frequently they are reported, and some techniques are inherently difficult to detect.
When using MITRE ATT&CK, remember that not all techniques will apply to your unique situation. Focus on the most relevant ones rather than trying to understand each and every one. Also remember that a technique may be carried out in several ways: even if you have identified a threat and the way the attackers implemented it, alternative procedures may still exist, so be sure to explore all possibilities.
MITRE ATT&CK plays an important role in cybersecurity. With the knowledge it provides, you can help set your organization up for success by protecting valuable data and infrastructure, even against the latest emerging threats.
On Coursera, you can find highly rated courses on which to continue learning about MITRE ATT&CK and cybersecurity. Threat Analysis from Cisco covers information from the MITRE ATT&CK framework and the classic kill chain model for network security incident analysis.
To learn about cybersecurity fundamentals, Cybersecurity for Everyone from the University of Maryland looks at policy considerations, risk management, and important cybersecurity principles.
[1] Statista. "Average cost of a data breach in the United States from 2006 to 2024," https://www.statista.com/statistics/273575/us-average-cost-incurred-by-a-data-breach/#:~:text=As%20of%202024%2C%20the%20average,million%20U.S.%20dollars%20in%202024. Accessed December 9, 2024.
Editorial Team