MITRE ATT&CK Framework
The MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) Framework is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. It serves as a foundation for the development of specific threat models and methodologies in the private sector, government, and the cybersecurity product and service community.
Definition and purpose
The ATT&CK Framework aims to describe and categorize the actions adversaries may take after they have compromised and gained access to systems. It provides a detailed understanding of attacker actions, organized into matrices of tactics (objectives) and techniques (how those objectives are achieved). With this information, organizations can better understand the threat landscape, adjust their defenses accordingly, and carry out more effective incident response.
The MITRE Corporation, a not-for-profit organization that operates research and development centers sponsored by the U.S. government, is the governing body for the ATT&CK Framework.
The most recent update was released in April 2023.
The MITRE ATT&CK Framework is industry-agnostic and is applicable to any organization or entity interested in understanding cyber adversary behavior and improving its cybersecurity posture. This includes government agencies, private sector companies, academic institutions, and cybersecurity professionals across all industries.
Controls and requirements
The ATT&CK Framework is not a control framework in the traditional sense. Instead, it organizes information into matrices of tactics (columns) and techniques (rows). Some of the tactics include:
- Initial Access
- Privilege Escalation
- Defense Evasion
- Credential Access
- Lateral Movement
Under each tactic are multiple techniques that adversaries might employ to achieve that tactic's objective. Each technique further includes detailed information, examples of observed use, and mitigations.
Please refer to the official MITRE ATT&CK documentation for a detailed list of controls and requirements.
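How the tactic/technique/mitigation layout described above can be modelled and used to find detection gaps, as an added example that is not the page's or MITRE's own code. The tactic names are those listed above and the technique IDs are real ATT&CK IDs, but the subset chosen, its mitigation entries and the detection inventory are constructed for illustration.

```python
# Added example, not the page's or MITRE's own code: a small model of the
# ATT&CK layout (tactics -> techniques -> mitigations) and a coverage check
# that lists, per tactic, the techniques no existing detection covers.
# Tactic names are those on the page; technique IDs are real ATT&CK IDs, but
# this subset and the detection inventory are constructed for illustration.

# Constructed subset of the Enterprise matrix: id -> (name, tactics, mitigations).
# A technique can appear under more than one tactic (e.g. Valid Accounts).
TECHNIQUES = {
    "T1566": ("Phishing", ("Initial Access",), ("User Training",)),
    "T1190": ("Exploit Public-Facing Application", ("Initial Access",), ("Update Software",)),
    "T1078": ("Valid Accounts", ("Initial Access", "Privilege Escalation", "Defense Evasion"),
              ("Multi-factor Authentication",)),
    "T1548": ("Abuse Elevation Control Mechanism", ("Privilege Escalation", "Defense Evasion"),
              ("Privileged Account Management",)),
    "T1070": ("Indicator Removal", ("Defense Evasion",), ("Remote Data Storage",)),
    "T1003": ("OS Credential Dumping", ("Credential Access",), ("Credential Access Protection",)),
    "T1110": ("Brute Force", ("Credential Access",), ("Account Use Policies",)),
    "T1021": ("Remote Services", ("Lateral Movement",), ("Network Segmentation",)),
}

# Constructed detection inventory: technique IDs that existing analytics alert on.
DETECTED = {"T1566", "T1078", "T1110"}

def build_matrix(techniques):
    """Group technique IDs by tactic, i.e. rebuild the matrix columns from the flat list."""
    matrix = {}
    for tid, (_name, tactics, _mit) in techniques.items():
        for tactic in tactics:
            matrix.setdefault(tactic, []).append(tid)
    return matrix

def coverage_report(techniques, detected_ids):
    """Per tactic: count of techniques with a detection, the total, and the uncovered IDs."""
    report = {}
    for tactic, tids in build_matrix(techniques).items():
        gaps = sorted(t for t in tids if t not in detected_ids)
        report[tactic] = {"covered": len(tids) - len(gaps), "total": len(tids), "gaps": gaps}
    return report

def mitigations_for_gaps(techniques, detected_ids):
    """Mitigations ATT&CK records for uncovered techniques, deduplicated and sorted."""
    return sorted({m for tid, (_n, _t, mits) in techniques.items()
                   if tid not in detected_ids for m in mits})

if __name__ == "__main__":
    for tactic, row in coverage_report(TECHNIQUES, DETECTED).items():
        print(f"{tactic:21}{row['covered']}/{row['total']} covered; gaps {row['gaps']}")
    print("Mitigations to prioritise:", mitigations_for_gaps(TECHNIQUES, DETECTED))
```

Because a technique such as Valid Accounts sits under several tactics, one new detection can close gaps in more than one column, which is why the report is computed per tactic rather than per technique.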
Audit type, frequency, and duration
The MITRE ATT&CK Framework is primarily a descriptive model rather than a prescriptive set of requirements. As such, it's not used directly for audits. However, organizations can utilize it as a reference or basis for red team exercises, threat hunting, or other security assessments.
Since the framework itself isn't a standard for compliance, there's no set frequency for assessments or audits based on it. However, the frequency of related activities (like red teaming or threat hunting) will vary based on an organization's specific security program and risk tolerance.