The MITRE ATT&CK Framework is a collection of techniques used by attackers during a breach. ATT&CK groups those techniques under the following tactics:
Initial Access – Techniques that use various entry vectors to gain a foothold in a network. A foothold gained through initial access may allow continued access (for example, valid accounts or external remote services), or it may be of limited use because passwords get changed.
Execution – Techniques that result in adversary-controlled code running on a local or remote system. Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals.
Persistence – Techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access.
Privilege Escalation – Techniques that adversaries use to gain higher-level permissions on a system or network. These techniques often overlap with Persistence techniques.
Defense Evasion – Techniques that adversaries use to avoid detection throughout their compromise.
Credential Access – Techniques for stealing credentials, like account names and passwords.
Discovery – Techniques an adversary uses to gain knowledge about the system and internal network. Native operating system tools are often used toward this post-compromise information-gathering objective.
Lateral Movement – Techniques that adversaries use to enter and control remote systems on a network.
Collection – Techniques adversaries use to gather information, and the sources that information is collected from, that are relevant to following through on the adversary’s objectives.
Command and Control – Techniques that adversaries use to communicate with systems under their control within a victim network.
Exfiltration – Techniques that adversaries use to steal data from your network.
Impact – Techniques that adversaries use to disrupt availability or compromise integrity by manipulating business and operations processes.
Knowing and understanding the ATT&CK framework, its tactics (the adversary’s goals), techniques (how those goals are achieved), and procedures (specific implementations of techniques) can be useful for cyber threat intelligence engineers and SOC analysts alike.
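As an added example (not code from the original article), the following Python rolls a handful of constructed detection alerts up to the tactics listed above and reports which tactics have no coverage. The technique IDs are real ATT&CK identifiers; the alert names and the partial technique-to-tactic map are assumptions constructed for illustration.

```python
"""Map constructed detection alerts to ATT&CK tactics and list coverage gaps."""
from collections import defaultdict

# The twelve tactics in the order the article lists them (kill-chain order).
TACTICS = [
    "Initial Access", "Execution", "Persistence", "Privilege Escalation",
    "Defense Evasion", "Credential Access", "Discovery", "Lateral Movement",
    "Collection", "Command and Control", "Exfiltration", "Impact",
]

# Small constructed subset of the technique -> tactic mapping (real IDs, not the
# full matrix). One technique can serve several tactics: Valid Accounts (T1078)
# appears under Initial Access, Persistence, Privilege Escalation and Defense
# Evasion, which is the overlap the article mentions.
TECHNIQUE_TACTICS = {
    "T1078": ("Valid Accounts", ["Initial Access", "Persistence",
                                 "Privilege Escalation", "Defense Evasion"]),
    "T1133": ("External Remote Services", ["Initial Access", "Persistence"]),
    "T1059": ("Command and Scripting Interpreter", ["Execution"]),
    "T1053": ("Scheduled Task/Job",
              ["Execution", "Persistence", "Privilege Escalation"]),
    "T1003": ("OS Credential Dumping", ["Credential Access"]),
    "T1082": ("System Information Discovery", ["Discovery"]),
    "T1021": ("Remote Services", ["Lateral Movement"]),
    "T1005": ("Data from Local System", ["Collection"]),
    "T1071": ("Application Layer Protocol", ["Command and Control"]),
    "T1041": ("Exfiltration Over C2 Channel", ["Exfiltration"]),
    "T1486": ("Data Encrypted for Impact", ["Impact"]),
}

# Constructed alerts from a hypothetical SIEM: (rule name, technique ID).
EVENTS = [
    ("vpn-login-from-new-country", "T1078"),
    ("powershell-encoded-command", "T1059"),
    ("lsass-memory-read", "T1003"),
    ("rdp-lateral-connection", "T1021"),
    ("large-upload-to-c2", "T1041"),
]

def coverage_by_tactic(events, mapping=TECHNIQUE_TACTICS):
    """Return {tactic: sorted technique IDs observed}, in kill-chain order."""
    seen = defaultdict(set)
    for _rule, tid in events:
        if tid not in mapping:
            raise ValueError(f"technique {tid} not in the mapping")
        for tactic in mapping[tid][1]:
            seen[tactic].add(tid)
    return {tactic: sorted(seen[tactic]) for tactic in TACTICS}

def coverage_gaps(events, mapping=TECHNIQUE_TACTICS):
    """Tactics with no observed technique: where rules or evidence are missing."""
    return [t for t, ids in coverage_by_tactic(events, mapping).items() if not ids]

if __name__ == "__main__":
    for tactic, ids in coverage_by_tactic(EVENTS).items():
        print(f"{tactic:22s} {', '.join(ids) or '-'}")
    print("gaps:", coverage_gaps(EVENTS))
```

With these alerts, Exfiltration Over C2 Channel fires while no Command and Control technique is detected, which is the kind of gap the rollup is meant to surface.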