MITRE’s always open to hearing feedback about the limitations of the ATT&CK framework and how to make ATT&CK more useful. Today, I want to look at the structure of ATT&CK content.
Part I: ATT&CK—A Taxonomy of Adversarial Behavior
The MITRE ATT&CK framework is often described as a taxonomy of adversarial behavior based on real-world observation of APT campaigns. The goal is to standardize our knowledge and understanding of cybersecurity from an adversary’s perspective. Specific behaviors or actions, called techniques, are classified under categories, called tactics, which reflect the phases of an adversarial attack lifecycle, much like Lockheed Martin’s Cyber Kill Chain but with an emphasis on the adversary’s perspective and on finer granularity.
For example, by using utilities such as the Windows Task Scheduler or by placing an entry in the Startup Folder, adversaries can maintain a presence on a system even through a reboot. These are two techniques classified under the common tactic Persistence, and persistence is an important tactical concept because adversaries often need to maintain access to a system, across interruptions such as reboots or credential changes, in order to carry out their objectives. Tactic categories include Discovery, Initial Access, Execution, Lateral Movement, and Exfiltration, among others. Some techniques are classified under multiple tactics, because a single action can serve more than one purpose. Bypassing User Account Control, for instance, is both a Privilege Escalation technique and a Defense Evasion technique, so it appears under both tactics.
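The tactic/technique structure above is not just a diagram: it is encoded in the STIX bundle MITRE publishes, where each technique is an attack-pattern object and its tactic membership is a list of kill_chain_phases. The script below is an added example (mine, not code from the original post or from MITRE) that builds a tactic-to-technique index from a constructed three-technique slice shaped like that bundle, and shows that a technique with several phases, such as Bypass UAC, lands under several tactics. The technique names and IDs in the sample are assumptions for illustration; check them against the live bundle before relying on them. It also includes the one caveat a practitioner usually learns the hard way: the bundle keeps revoked and deprecated objects, so an index that does not filter them double-counts techniques.

```python
"""Index a constructed slice of ATT&CK STIX data by tactic (added example)."""
import json
from collections import defaultdict

# Constructed sample in the shape of the ATT&CK STIX bundle. A technique that
# serves several tactics simply lists several kill_chain_phases. IDs/names are
# assumptions for illustration, not a copy of the published bundle.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "objects": [
        {"type": "attack-pattern", "name": "Scheduled Task/Job",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1053"}],
         "kill_chain_phases": [
             {"kill_chain_name": "mitre-attack", "phase_name": "execution"},
             {"kill_chain_name": "mitre-attack", "phase_name": "persistence"},
             {"kill_chain_name": "mitre-attack", "phase_name": "privilege-escalation"}]},
        {"type": "attack-pattern", "name": "Registry Run Keys / Startup Folder",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1547.001"}],
         "kill_chain_phases": [
             {"kill_chain_name": "mitre-attack", "phase_name": "persistence"},
             {"kill_chain_name": "mitre-attack", "phase_name": "privilege-escalation"}]},
        {"type": "attack-pattern", "name": "Bypass User Account Control",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1548.002"}],
         "kill_chain_phases": [
             {"kill_chain_name": "mitre-attack", "phase_name": "privilege-escalation"},
             {"kill_chain_name": "mitre-attack", "phase_name": "defense-evasion"}]},
        # Revoked entry (assumed old ID): superseded objects stay in the bundle,
        # so they must be filtered or the same behavior is counted twice.
        {"type": "attack-pattern", "name": "Bypass User Account Control (superseded)",
         "revoked": True,
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1088"}],
         "kill_chain_phases": [
             {"kill_chain_name": "mitre-attack", "phase_name": "privilege-escalation"},
             {"kill_chain_name": "mitre-attack", "phase_name": "defense-evasion"}]},
    ],
})


def load_techniques(bundle_json):
    """Return current techniques as {"id", "name", "tactics"} dicts.

    Skips non-technique objects and anything revoked or deprecated, and keeps
    only kill-chain phases from the "mitre-attack" chain.
    """
    bundle = json.loads(bundle_json)
    techniques = []
    for obj in bundle["objects"]:
        if obj.get("type") != "attack-pattern":
            continue
        if obj.get("revoked") or obj.get("x_mitre_deprecated"):
            continue
        attack_id = next(
            (r["external_id"] for r in obj.get("external_references", [])
             if r.get("source_name") == "mitre-attack"),
            None,
        )
        if attack_id is None:
            continue
        tactics = [
            p["phase_name"] for p in obj.get("kill_chain_phases", [])
            if p.get("kill_chain_name") == "mitre-attack"
        ]
        techniques.append({"id": attack_id, "name": obj["name"], "tactics": tactics})
    return techniques


def index_by_tactic(techniques):
    """Map each tactic to the sorted ATT&CK IDs of the techniques under it."""
    index = defaultdict(list)
    for t in techniques:
        for tactic in t["tactics"]:
            index[tactic].append(t["id"])
    return {tactic: sorted(ids) for tactic, ids in index.items()}


def multi_tactic_techniques(techniques):
    """Techniques that serve more than one tactic, e.g. Bypass UAC."""
    return {t["id"]: t["tactics"] for t in techniques if len(t["tactics"]) > 1}


if __name__ == "__main__":
    techs = load_techniques(SAMPLE_BUNDLE)
    for tactic, ids in sorted(index_by_tactic(techs).items()):
        print(f"{tactic:22s} {', '.join(ids)}")
    print("multi-tactic:", multi_tactic_techniques(techs))
```

Point the same loader at the real enterprise-attack.json and the only thing that changes is the size of the index; the revoked/deprecated filter is what keeps counts honest when you compare coverage across ATT&CK versions.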
People, including myself, love the philosophy of ATT&CK. A domain taxonomy is tremendously valuable because it gives us a classification of information to better communicate, collaborate, account for, and reason about the domain in a scientific manner. ATT&CK is particularly useful as a (Read more...)
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by David Lu. Read the original post at: https://www.tripwire.com/state-of-security/mitre-framework/attck-structure-taxonomy-adversarial-behavior/