Cyber Teams

10 min read

How to apply the MITRE ATT&CK framework to your cybersecurity strategy

The MITRE ATT&CK framework is a knowledge base of cyber attacks based on real-world attack scenarios. Learn how to apply this to your cybersecurity strategy in our guide.

Howard Poston avatar

Howard Poston,
Jul 17
2024

What is the MITRE ATT&CK framework?

The MITRE ATT&CK framework is a knowledge base of cyber attacks based on real-world attack scenarios. It breaks a cyber attack into high-level objectives, called Tactics, and identifies the various Techniques used to achieve them.

  • Tactics: The high-level goals that attackers want to achieve at different stages of an attack. Examples include Reconnaissance, Execution, and Defense Evasion. 

  • Techniques: Describe the "how" behind a tactic. For example, the Reconnaissance Tactic has concrete steps with techniques like Active Scanning, Vulnerability Scanning, Gather Victim Identity Information, etc.

MITRE Corporation designed the framework to provide insight into the stages of a cyber attack and create a common language for how an attacker can achieve their goals. 

The most commonly used MITRE ATT&CK framework is the Enterprise framework, but there are also ATT&CK matrices for mobile devices and industrial control systems (ICS) as well.

MITRE ATT&CK provides a wealth of information about the anatomy of a cyber attack. 

In addition to describing the various offensive techniques an attacker may use, it also outlines methods that organizations can use to detect, prevent, or mitigate these techniques. 

MITRE ATT&CK can be invaluable for developing defenses, planning penetration tests, and understanding the capabilities of a particular threat actor, attack campaign, or malware variant.

MITRE ATT&CK Tactics and Techniques 

The MITRE ATT&CK framework is organized around Tactics that describe an attacker’s key tasks or goals. These Tactics include:

mitre att&ckr
  • Reconnaissance: Exploring the target and identifying potential vulnerabilities.

  • Resource Development: Developing C2 infrastructure, malware, or other resources to support attacks.

  • Initial Access: Gaining an initial foothold on target systems.

  • Execution: Running malware on an infected system.

  • Persistence: Protecting the attacker’s foothold against restarts, etc.

  • Privilege Escalation: Gaining higher-level permissions on an infected machine.

  • Defense Evasion: Defending against antivirus and other security solutions.

  • Credential Access: Stealing passwords, API keys, SSH keys, etc.

  • Discovery: Exploring an infected network from the inside.

  • Lateral Movement: Moving from one system to another within a network.

  • Collection: Collecting sensitive and useful data from compromised systems.

  • Command and Control: Communicating between malware and its operator.

  • Exfiltration: Moving data out of the infected network.

  • Impact: Attacking system confidentiality, integrity, or availability.

Under each of these Tactics are a number of Techniques and Sub-Techniques used to achieve these goals. In total, MITRE has over 200 Techniques and over 450 Sub-Techniques.

Organizations have the need to develop threat models, evaluate security tool efficacy, develop detection strategies, and prioritize security investments. For this reason, we carefully mapped our courses and labs to the MITRE ATT&CK framework.

Managers using the HTB Enterprise Platform can easily search courses using MITRE terminology and assign them based on the techniques and tactics relevant to their teams.