Mastering MITRE's ATT&CK MatrixThis breakdown of Mitre's model for cyberattacks and defense can help organizations understand the stages of attack events and, ultimately, build better security.
1 of 12
When talk turns to rigorous analysis of attacks and threats, the conversation often includes the Mitre ATT&CK model. Originally developed to support Mitre's cyberdefense work, ATT&CK is both an enormous knowledge base of cyberattack technology and tactics and a model for understanding how those elements are used together to penetrate a target's defenses.
ATT&CK, which stands for Adversarial Tactics, Techniques, and Common Knowledge, continues to evolve as more data is added to the knowledge base and model. The model is presented as a matrix, with the stage of event across one axis and the mechanism for that stage across the other. By following the matrix, red team members can design an integrated campaign to probe any aspect of an organization's defense, and blue team members can analyze malicious behavior and technology to understand where it fits within an overall attack campaign.
Mitre has defined five matrices under the ATT&CK model. The enterprise matrix, which this article will explore, includes techniques that span a variety of platforms. Four specific platforms — Windows, Mac, Linux, and mobile — each have their own matrix.
The four individual platform matrices echo the horizontal axis of the enterprise matrix with the exception of the mobile matrix, which divides the first stage, initial access, into six separate possibilities because of the nature of mobile devices and networks.
While the Mitre ATT&CK matrix is useful and frequently referenced in the security industry, it is not the only attack model in use. Many organizations, for example, reference the Lockheed Martin "Cyber Kill Chain" in their security planning. Dark Reading will take a closer look at the Cyber Kill Chain in the future.
Do you or your organizations use the ATT&CK matrix or model in your security work? If so, tell us how you use it and whether you find it effective. If there's another model that you find even more useful, we'd like to hear about it, too. Let us know in the comments, below.
Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio
1 of 12