The MITRE ATT&CK Framework is a collection of techniques used by attackers during a breach. The ATT&CK breaks down the techniques into the following tactics: 

Initial Access – Techniques that use various entry vectors to gain a foothold. Footholds gained through initial access may allow for continued access, like valid accounts and use of external remote services, or maybe limited use due to changing passwords.

Execution – Techniques that result in adversary-controlled code running on a local or remote system. Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals.

Persistence – Techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. 

Privilege Escalation – Techniques that adversaries use to gain higher-level permissions on a system or network. The techniques often overlap with Persistence techniques.

Defense Evasion – Techniques that adversaries use to avoid detection throughout their compromise.

Credential Access – Techniques for stealing credentials, like account names and passwords.

Discovery – Techniques an adversary use to gain knowledge about the system and internal network. Native operating system tools are often used toward this post-compromise information-gathering objective. 

Lateral Movement – Techniques that adversaries use to enter and control remote systems on a network.

Collection – Techniques adversaries use to gather information and the sources information is collected from that are relevant to following through on the adversary’s objectives.

Command and Control – Techniques that adversaries use to communicate with systems under their control within a victim network.

Exfiltration – Techniques that adversaries use to steal data from your network.

Impact – Techniques that adversaries use to disrupt availability or compromise integrity by manipulating business and operations processes.

Knowing and understanding the ATT&CK framework, tactics (the adversary’s goals), techniques (how those goals are achieved), and procedures (specific implementations of techniques) can be useful for cyber threat intelligence engineers, SOC analysts.

Leave a Comment

Your email address will not be published.