Threat Intelligence

8/6/2018
09:50 AM
100%
0%

Mastering MITRE's ATT&CK Matrix

This breakdown of Mitre's model for cyberattacks and defense can help organizations understand the stages of attack events and, ultimately, build better security.
Previous
1 of 12
Next

When talk turns to rigorous analysis of attacks and threats, the conversation often includes the Mitre ATT&CK model. Originally developed to support Mitre's cyberdefense work, ATT&CK is both an enormous knowledge base of cyberattack technology and tactics and a model for understanding how those elements are used together to penetrate a target's defenses.

ATT&CK, which stands for Adversarial Tactics, Techniques, and Common Knowledge, continues to evolve as more data is added to the knowledge base and model. The model is presented as a matrix, with the stage of event across one axis and the mechanism for that stage across the other. By following the matrix, red team members can design an integrated campaign to probe any aspect of an organization's defense, and blue team members can analyze malicious behavior and technology to understand where it fits within an overall attack campaign.

Mitre has defined five matrices under the ATT&CK model. The enterprise matrix, which this article will explore, includes techniques that span a variety of platforms. Four specific platforms — Windows, Mac, Linux, and mobile — each have their own matrix.

The four individual platform matrices echo the horizontal axis of the enterprise matrix with the exception of the mobile matrix, which divides the first stage, initial access, into six separate possibilities because of the nature of mobile devices and networks.

While the Mitre ATT&CK matrix is useful and frequently referenced in the security industry, it is not the only attack model in use. Many organizations, for example, reference the Lockheed Martin "Cyber Kill Chain" in their security planning. Dark Reading will take a closer look at the Cyber Kill Chain in the future.

Do you or your organizations use the ATT&CK matrix or model in your security work? If so, tell us how you use it and whether you find it effective. If there's another model that you find even more useful, we'd like to hear about it, too. Let us know in the comments, below.

(Image: EVorona)

 

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Previous
1 of 12
Next
Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
fredheen
50%
50%
fredheen,
User Rank: Apprentice
8/8/2018 | 5:57:47 AM
My opinion
In my opinion, it's quite interesting to read 
Sbdr204
100%
0%
Sbdr204,
User Rank: Apprentice
8/9/2018 | 10:46:11 AM
Red Team Integration
Great article! We've integrated the MITRE framework in our red team engagements to drive more value to our customers. Traditional red team penetration testing is dead, or it should be. Just going after privileged access like DA is a waste of time, as it's almost always easily accomplished through SE, MiTM, or trivial payload obfuscation. A much more valuable pentest involves evaluating the effectiveness of your controls against a number of probable attack vectors. That's where MITRE comes in. MITRE does a great job of identifying a wide range of attacks, and allows you to understand how effective your controls are in detecting and preventing it. Not to mention providing interpretable metrics that better establish what your organizations risk really is.
Kunchen
100%
0%
Kunchen,
User Rank: Apprentice
8/9/2018 | 2:20:02 PM
Good post
This is indeed a very good post.  I enjoyed reading and I see a sequel in the future? "What happens after C&C?" At least from a an IR, CIRT, or from a security team's perspective.  Lessons learned? Controls review? Mitigation of damages? Investigation? Handling with LEO? 
Crowdsourced vs. Traditional Pen Testing
Alex Haynes, Chief Information Security Officer, CDL,  3/19/2019
BEC Scammer Pleads Guilty
Dark Reading Staff 3/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
The State of Cyber Security Incident Response
The State of Cyber Security Incident Response
Organizations are responding to new threats with new processes for detecting and mitigating them. Here's a look at how the discipline of incident response is evolving.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-6461
PUBLISHED: 2019-03-21
Remote file inclusion allows an attacker to craft a specific URL referencing the Schneider Electric Modicon BMXNOC0401, BMXNOE0100, BMXNOE0110, BMXNOE0110H, BMXNOR0200H, BMXP342020, BMXP342020H, BMXP342030, BMXP3420302, BMXP3420302H, or BMXP342030H PLC web server, which, when launched, will result i...
CVE-2015-6462
PUBLISHED: 2019-03-21
Reflected Cross-Site Scripting (nonpersistent) allows an attacker to craft a specific URL, which contains Java script that will be executed on the Schneider Electric Modicon BMXNOC0401, BMXNOE0100, BMXNOE0110, BMXNOE0110H, BMXNOR0200H, BMXP342020, BMXP342020H, BMXP342030, BMXP3420302, BMXP3420302H, ...
CVE-2018-13798
PUBLISHED: 2019-03-21
A vulnerability has been identified in SICAM A8000 CP-8000 (All versions < V14), SICAM A8000 CP-802X (All versions < V14), SICAM A8000 CP-8050 (All versions < V2.00). Specially crafted network packets sent to port 80/TCP or 443/TCP could allow an unauthenticated remote attacker to cause a D...
CVE-2019-5490
PUBLISHED: 2019-03-21
Certain versions between 2.x to 5.x (refer to advisory) of the NetApp Service Processor firmware were shipped with a default account enabled that could allow unauthorized arbitrary command execution. Any platform listed in the advisory Impact section may be affected and should be upgraded to a fixed...
CVE-2019-8997
PUBLISHED: 2019-03-21
An XML External Entity Injection (XXE) vulnerability in the Management System (console) of BlackBerry AtHoc versions earlier than 7.6 HF-567 could allow an attacker to potentially read arbitrary local files from the application server or make requests on the network by entering maliciously crafted X...