Introduction to the MITRE ATT&CK Framework
What is the MITRE ATT&CK Framework?
WhoAmI
Hey, I am Nour. I am a software engineering student, and here are some of the communities that I am part of:
- IBM Community leader and IBMZ Student Ambassador
- AWS Community Builder
- Microsoft Student Ambassador
I also love solving and creating OSINT CTFs at @Hacktoria. Connect with me on LinkedIn and Twitter.
In this series of articles, we will learn about the MITRE ATT&CK Framework:
What is it?
Why is it important?
How to use it?
How to simulate APT attacks using the MITRE ATT&CK Framework?
and a lot more …
Introduction
What is MITRE ATT&CK Framework?
According to their official website, MITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.
Huh?! I don’t understand anything
After a little bit of research, I found out that it is like documentation of all the attacks and techniques used by black hat hackers IRL.
Also, ATT&CK stands for Adversarial Tactics Techniques & Common Knowledge.
When was it created? and why?
According to Trellix, MITRE ATT&CK was created in 2013 as a result of MITRE's Fort Meade Experiment (FMX), where researchers emulated both adversary and defender behavior in an effort to improve post-compromise detection of threats through telemetry sensing and behavioral analysis.
MITRE ATT&CK Domains
MITRE ATT&CK is available for 3 main domains, which are Enterprise, Mobile, and ICS.
MITRE ATT&CK for Enterprise is focused on Windows, Linux, and the Cloud.
MITRE ATT&CK for Mobile is focused on Android and iOS.
MITRE ATT&CK for ICS is focused on ICS networks.
Now let's take a quick look at the framework itself.
MITRE ATT&CK Matrix
As we saw before, the framework lays out the steps that malicious hackers take to achieve an objective. Those objectives are called tactics, and inside each tactic there are different techniques (ways) to achieve that tactic (objective).
There are 14 main tactics in the MITRE ATT&CK Enterprise Framework, we will take a quick look at them now and discuss them in detail in future articles.
Tactics (Objectives)
Reconnaissance:
It is the process of gathering information (actively and passively) about the target.
Resource Development:
Getting everything that will be needed ready, like C&C (Command and Control) infrastructure.
Initial Access:
Getting a foothold in the network.
Execution:
The process of executing malicious code on a local or remote system.
Persistence:
Maintaining access to the network, so the attacker can get back in even after a reboot or a password change.
Privilege Escalation:
Gaining higher-level permissions on a system or network than the attacker started with.
Defense Evasion:
Trying not to get detected by the defensive measures.
Credential Access:
Trying to steal usernames and passwords.
Discovery:
Trying to get to know the environment.
Lateral Movement:
Trying to move from one machine to another in the environment.
Collection:
In this step, malicious hackers try to gather data related to their main goal.
Command and Control:
Communicating with the compromised system and controlling it.
Exfiltration:
Stealing the data out of the environment.
Impact:
In this step, the malicious hackers try to manipulate, interrupt, or destroy the system and data.
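To see how the tactic/technique structure above looks in practice, here is an added example (not code from the original post or from MITRE) that builds a small matrix from objects shaped like MITRE's ATT&CK STIX 2.1 bundle. In the real bundle, each tactic is an `x-mitre-tactic` object and each technique is an `attack-pattern` whose `kill_chain_phases` name the tactics it belongs to; the sample objects below are a constructed subset in that shape (the technique IDs are real ATT&CK IDs, while the `T9999` entry is a constructed placeholder used only to show how revoked entries are filtered). The functions `build_matrix` and `tactics_for` are my own helper names.

```python
"""Build a tactic -> technique matrix from ATT&CK-style STIX 2.1 objects."""
from collections import OrderedDict

# Constructed sample in the shape of MITRE's enterprise-attack STIX bundle.
SAMPLE_OBJECTS = [
    {"type": "x-mitre-tactic", "name": "Reconnaissance", "x_mitre_shortname": "reconnaissance"},
    {"type": "x-mitre-tactic", "name": "Initial Access", "x_mitre_shortname": "initial-access"},
    {"type": "x-mitre-tactic", "name": "Persistence", "x_mitre_shortname": "persistence"},
    {"type": "x-mitre-tactic", "name": "Privilege Escalation", "x_mitre_shortname": "privilege-escalation"},
    {"type": "attack-pattern", "name": "Active Scanning",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1595"}],
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "reconnaissance"}]},
    {"type": "attack-pattern", "name": "Phishing",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1566"}],
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "initial-access"}]},
    # One technique can live under several tactics; Valid Accounts is a real example.
    {"type": "attack-pattern", "name": "Valid Accounts",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1078"}],
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "initial-access"},
                           {"kill_chain_name": "mitre-attack", "phase_name": "persistence"},
                           {"kill_chain_name": "mitre-attack", "phase_name": "privilege-escalation"}]},
    # Constructed placeholder: revoked entries must not show up in the matrix.
    {"type": "attack-pattern", "name": "Retired Placeholder", "revoked": True,
     "external_references": [{"source_name": "mitre-attack", "external_id": "T9999"}],
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "persistence"}]},
]


def attack_id(obj):
    """Return the Txxxx ID from an object's mitre-attack external reference."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref["external_id"]
    return None


def is_active(obj):
    """Skip objects MITRE has revoked or deprecated (both flags exist in the real bundle)."""
    return not obj.get("revoked", False) and not obj.get("x_mitre_deprecated", False)


def build_matrix(objects):
    """Map each tactic shortname to its display name and sorted (id, name) techniques.

    Tactics keep the order in which their x-mitre-tactic objects appear,
    which is the left-to-right column order of the ATT&CK matrix.
    """
    matrix = OrderedDict()
    for obj in objects:
        if obj["type"] == "x-mitre-tactic" and is_active(obj):
            matrix[obj["x_mitre_shortname"]] = {"name": obj["name"], "techniques": []}
    for obj in objects:
        if obj["type"] != "attack-pattern" or not is_active(obj):
            continue
        for phase in obj.get("kill_chain_phases", []):
            if phase.get("kill_chain_name") != "mitre-attack":
                continue
            column = matrix.get(phase["phase_name"])
            if column is not None:  # ignore phases for tactics we do not know
                column["techniques"].append((attack_id(obj), obj["name"]))
    for column in matrix.values():
        column["techniques"].sort()
    return matrix


def tactics_for(objects, technique_id):
    """List the tactic shortnames a technique appears under."""
    for obj in objects:
        if obj["type"] == "attack-pattern" and attack_id(obj) == technique_id:
            return [p["phase_name"] for p in obj.get("kill_chain_phases", [])
                    if p.get("kill_chain_name") == "mitre-attack"]
    return []


if __name__ == "__main__":
    for shortname, column in build_matrix(SAMPLE_OBJECTS).items():
        print(f"{column['name']} ({shortname})")
        for tid, name in column["techniques"]:
            print(f"  {tid}  {name}")
```

The same functions work on the full `enterprise-attack.json` bundle that MITRE publishes, since they only read fields that bundle actually uses; the point to notice is that a technique is not tied to a single tactic, so a detection written for Valid Accounts covers three columns at once.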
You can view the MITRE ATT&CK matrices for Mobile and ICS from the provided links.
Let’s wrap it up
In this blog, we learned about the MITRE ATT&CK framework, when it was made, and why.
In the next blog, we will learn more about the first tactic (objective), which is recon. We will learn about the different techniques and take a look at real-world examples.
Newsletter
I will be sharing my learning journey, cyber security news, new CVEs and study resources, and more, feel free to subscribe 😊 and please don’t forget to drink water 🌊