MITRE ATT&CK™, What’s the Big Idea?

By Craig Schmugar on Jan 14, 2020

MITRE describes ATT&CK™ as “a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations.” While this is a fine definition, it helps to understand what the framework makes possible.

The tactics, techniques, and procedures (TTPs) represented in ATT&CK allow organizations to understand how adversaries operate.  Once you have this understanding, you can take measures to mitigate those risks.

So, in the end, ATT&CK is about risk management. 

[Figure: Cycle of Mitigation]

ATT&CK In Action

At the MITRE ATT&CKcon 2.0 conference, industry leaders from Nationwide presented on Using Threat Intelligence to Focus ATT&CK Activities. They described the process of taking the larger ATT&CK Matrix and reducing it to a more contextual and manageable set of items they could act on, in order to mitigate the most relevant vectors for their organization.

One great aspect of ATT&CK is that the data is available for all to see. Leveraging the collective base of reports, we can build a prevalence view of the matrix: for each technique, the share of the referenced actors and tools that are documented as using it. As of January 2020, there were some 266 techniques, referenced across 449 actors and tools.

[Figure: MITRE ATT&CK™ Enterprise Treemap (October 2019)]

Here we see that the Remote File Copy technique was used by 42% of the referenced actors and tools. Indeed, this is an important and heavily used technique present in attacks carried out by various actors including APT3 and APT38, as well as noteworthy malware attacks such as Shamoon and WannaCry, just to name a few.
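The prevalence view described above can be computed directly from MITRE's published STIX 2 bundle, in which techniques are `attack-pattern` objects, actors are `intrusion-set` objects, tools are `malware` or `tool` objects, and usage is a `relationship` of type `uses`. The following is an added example, not code from the post or from MITRE; the bundle it parses is a constructed miniature with the same layout, and `T9999` is a placeholder technique ID.

```python
import json

# Constructed mini-bundle that follows the layout of MITRE's enterprise-attack STIX 2 JSON.
# T9999 is a placeholder ID; T1105 was Remote File Copy's ID in the 2019-era matrix.
def _uses(src, dst):
    return {"type": "relationship", "relationship_type": "uses",
            "source_ref": src, "target_ref": dst}

SAMPLE_BUNDLE = json.dumps({"type": "bundle", "objects": [
    {"type": "attack-pattern", "id": "attack-pattern--rfc", "name": "Remote File Copy",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1105"}]},
    {"type": "attack-pattern", "id": "attack-pattern--x", "name": "Placeholder Technique",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T9999"}]},
    {"type": "intrusion-set", "id": "intrusion-set--apt3", "name": "APT3"},
    {"type": "intrusion-set", "id": "intrusion-set--apt38", "name": "APT38"},
    {"type": "malware", "id": "malware--wannacry", "name": "WannaCry"},
    {"type": "tool", "id": "tool--sample", "name": "Sample Tool"},
    _uses("intrusion-set--apt3", "attack-pattern--rfc"),
    _uses("intrusion-set--apt38", "attack-pattern--rfc"),
    _uses("malware--wannacry", "attack-pattern--rfc"),
    _uses("malware--wannacry", "attack-pattern--rfc"),  # duplicate: must not double count
    _uses("tool--sample", "attack-pattern--x"),
]})


def technique_prevalence(bundle_json):
    """Map each technique ID to (name, share of actors+tools that use it) and return
    that map together with the number of distinct actors and tools counted."""
    objs = json.loads(bundle_json)["objects"]
    techniques = {}  # STIX id -> (ATT&CK id, name); skip revoked/deprecated entries
    for o in objs:
        if o["type"] == "attack-pattern" and not o.get("revoked") and not o.get("x_mitre_deprecated"):
            attack_id = next(r["external_id"] for r in o["external_references"]
                             if r["source_name"] == "mitre-attack")
            techniques[o["id"]] = (attack_id, o["name"])
    users = {o["id"] for o in objs if o["type"] in ("intrusion-set", "malware", "tool")}
    used_by = {tid: set() for tid in techniques}  # sets dedupe repeated relationships
    for o in objs:
        if (o["type"] == "relationship" and o.get("relationship_type") == "uses"
                and o["source_ref"] in users and o["target_ref"] in used_by):
            used_by[o["target_ref"]].add(o["source_ref"])
    prevalence = {aid: (name, len(used_by[sid]) / (len(users) or 1))
                  for sid, (aid, name) in techniques.items()}
    return prevalence, len(users)


def ranked(prevalence):
    """Techniques sorted by prevalence, highest first: the order a treemap would size them."""
    return sorted(prevalence.items(), key=lambda kv: kv[1][1], reverse=True)
```

Pointing `technique_prevalence` at the real enterprise-attack bundle yields the percentages behind the treemap, with the same caveat as the post: the figure reflects what public reporting has documented, not every actor's full tradecraft.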

MITRE ATT&CK Evaluation

In 2019, MITRE began evaluating security vendors using these techniques to measure their ability to see the activities of an adversary. The first evaluation, or Round 1, was based on an APT3 style attack, and included many of the items on the treemap above. As you might expect, Remote File Copy was represented. During the evaluation, MITRE copied a DLL to a remote system (something that the Petya malware does). While several vendors were able to show telemetry for this action, thanks to MVISION EDR, McAfee was one of only two vendors that showed a Specific Behavior alert for this activity (see 7.B.1 on the technique comparison). This designation is reserved for the most descriptive of all detection categories (see Round 1 Detection Categories). For more information on McAfee’s Round 1 results, see: MITRE ATT&CK™ APT3 Assessment

Putting It All Together

Having the necessary visibility into the actions taken by an attacker is a key component in understanding the risks an organization faces.  Armed with this information, a response can be carried out and a mitigation plan created and rolled out to thwart future attacks.

MITRE ATT&CK is a great advancement in enabling organizations to characterize and subsequently manage risk.

About the Author

Craig Schmugar

Craig Schmugar is a Sr. Principal Engineer at McAfee. Since joining McAfee in 2000 he has worked in different areas of research, from Malware Operations to Innovation Research. More recently Craig has been focused on endpoint product efficacy; assessing detection effectiveness and seeking opportunities to make it stronger. He has over a dozen pending or ...

Categories: Endpoint Security