MITRE introduced ATT&CK (Adversarial Tactics, Techniques & Common Knowledge) in 2013 as a way to describe and categorize adversarial behaviors based on real-world observations. ATT&CK is a structured list of known attacker behaviors that have been compiled into tactics and techniques and expressed in a handful of matrices as well as via STIX/TAXII. Since this list is a fairly comprehensive representation of behaviors attackers employ when compromising networks, it is useful for a variety of offensive and defensive measurements, representations, and other mechanisms.
ATT&CK can be useful to cyber threat intelligence as it allows for describing adversarial behaviors in a standard fashion. Actors can be tracked with associations to techniques and tactics in ATT&CK that they have been known to utilize. This gives a roadmap to defenders to apply against their operational controls to see where they have weaknesses against certain actors and where they have strengths. Creating MITRE ATT&CK Navigator entries for specific actors is a good way to visualize the environment’s strengths and weaknesses against those actors or groups. ATT&CK is also available as a STIX/TAXII 2.0 feed which makes it easy to ingest into existing tools that support those technologies.
MITRE has made a significant contribution to the security community by giving us ATT&CK and its related tools and resources. It couldn’t have come at a better time. As attackers are finding ways to be more stealthy and avoid detection by traditional security tools, defenders find themselves having to change how they approach detection and defense. ATT&CK shifts our perception from low-level indicators like IP addresses and domain names and causes us to see attackers and our defenses through the lens of behaviors. This new perception doesn’t mean results will come easy though. The easy days of block lists and simple filters are all but gone. The road of detecting and preventing behaviors is a much harder path than the fire-and-forget tools of the past. Additionally, attackers will certainly be adapting as defenders bring new capabilities to bear. ATT&CK provides a way to describe whatever new techniques they develop and hopefully keep defenders in step.
ATT&CK is valuable in a variety of everyday settings. Refer to our dedicated MITRE ATT&CK page to learn what MITRE ATT&CK is and how it is useful along with best practices and challenges.
About the Author
Travis Farral is the Director of Security Strategy for Anomali. With over 20 years of security industry experience, he has developed a strong background in threat intelligence, incident response, and Industrial Control Systems security. Previously Travis ran the Cybersecurity Intelligence & Strategic Services team at ExxonMobil and spent several years at companies such as Nokia and XTO Energy.