ATT&CK: a preliminary understanding
2022-07-28 22:30:00 【sec0nd_】
ATT&CK background
MITRE is a research institution funded by the U.S. government. It was spun off from MIT in 1958 and has taken part in many commercial and top-secret projects, including the development of the FAA air traffic control system and the AWACS airborne radar system. With the support of the National Institute of Standards and Technology (NIST), MITRE has carried out a large amount of cybersecurity practice. MITRE introduced the ATT&CK model in 2013.
What is ATT&CK?
MITRE ATT&CK is a curated knowledge base and model of cyber adversary behavior. It reflects the phases of an adversary's attack lifecycle and the platforms they are known to target. ATT&CK focuses on how external adversaries compromise and operate within computer information networks.
It originated from a project that documented and classified post-compromise adversary tactics, techniques and procedures (TTPs) against Microsoft Windows systems, in order to improve the detection of malicious behavior. It was later extended to Linux and macOS, and expanded to cover behaviors that lead to the compromise of an environment as well as key technology areas such as mobile devices, cloud-based systems and industrial control systems. At a high level, ATT&CK is a behavioral model consisting of the following core components:
• Tactics, representing short-term, tactical adversary goals during an attack;
• Techniques, describing the means by which an adversary achieves a tactical goal;
• Sub-techniques, describing more specific, lower-level means by which an adversary achieves a tactical goal;
• Documented adversary use of each technique, the procedures involved, and other metadata.
ATT&CK is not an exhaustive list of attack vectors against software.
For details see the official MITRE documentation (see "My resources").
ATT&CK matrix
The best-known part is the ATT&CK matrix; the image below is a screenshot from the official website. It lays out the steps of a red team attack in sequence.
If you cannot read it, use Google Translate.

ATT&CK is mainly used for four use cases: threat intelligence, detection and analytics, adversary emulation and red teaming, and assessment and engineering. Each use case has a different level of complexity.
The official website also provides tutorials for these four use cases: https://medium.com/mitre-attack/getting-started/home
ATT&CK Navigator: https://mitre-attack.github.io/attack-navigator/
It lets you select the features of each step of the process for analysis.
Use cases
(1) Adversary emulation
ATT&CK can be used to create adversary emulation scenarios to test and verify defenses against common adversary techniques.
(2) Red team / penetration testing activities
Red team, purple team and penetration test planning, execution and reporting can use ATT&CK so that defenders and report recipients share a common language, both between and within the groups.
(3) Developing behavioral analytics
ATT&CK can be used to build and test behavioral analytics that detect adversary behavior in an environment.
(4) Defensive gap assessment
ATT&CK can be used as a common, behavior-centered adversary model to evaluate the tools, monitoring and mitigations in an organization's existing defense plan. When studying MITRE ATT&CK, most security teams tend to try to develop some kind of detection or preventive control for each technique in the Enterprise matrix. This is not a bad idea, but a technique in the ATT&CK matrix can usually be carried out in many ways, so one method of preventing or detecting a technique does not necessarily cover every way of executing it. When some tool blocks one form of the technique and the organization marks the technique as handled, this can create a false sense of security: attackers can still carry out the technique in other ways for which the defender has no detection or preventive measure.
(5) SOC maturity assessment
ATT&CK can be used as a yardstick to determine how effective a SOC is at detecting, analyzing and responding to intrusions. The SOC team can refer to the ATT&CK techniques and tactics that are detected or not covered. This helps to understand where defensive strengths and weaknesses lie, to verify mitigation and detection controls, and to find misconfigurations and other operational problems.
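As an added example (not from the original post or from MITRE), the following Python sketch shows the defensive gap assessment in (4) and the coverage check in (5): detection rules are mapped to technique and sub-technique IDs, uncovered and single-rule techniques are reported per tactic, and the result is emitted as a simplified Navigator-style layer. The technique rows are a constructed handful of public IDs, the rule names are made up, and the layer shape is simplified.

```python
from collections import defaultdict
# Constructed sample: a few public enterprise technique IDs (tactic, name).
TECHNIQUES = {
    "T1566": ("initial-access", "Phishing"),
    "T1566.001": ("initial-access", "Spearphishing Attachment"),
    "T1059": ("execution", "Command and Scripting Interpreter"),
    "T1059.001": ("execution", "PowerShell"),
    "T1003": ("credential-access", "OS Credential Dumping"),
    "T1003.001": ("credential-access", "LSASS Memory"),
}

# Constructed sample: rules the SOC already has, each mapped to the technique
# or sub-technique it fires on (rule names are made up).
DETECTIONS = [
    {"rule": "ps-encoded-cmdline", "technique": "T1059.001"},
    {"rule": "ps-script-block-logging", "technique": "T1059.001"},
    {"rule": "office-spawns-shell", "technique": "T1566.001"},
]

def coverage(techniques, detections):
    """Return {technique_id: rule count}. A sub-technique rule is not credited
    to its parent, and a parent rule not to its sub-techniques."""
    counts = {tid: 0 for tid in techniques}
    for det in detections:
        if det["technique"] not in counts:
            raise ValueError("unknown technique id: " + det["technique"])
        counts[det["technique"]] += 1
    return counts

def gaps_by_tactic(techniques, detections):
    """Per tactic, list 'uncovered' (no rule) and 'partial' (one rule) IDs.
    'partial' flags the caveat that a single rule rarely covers every way a
    technique can be carried out."""
    counts = coverage(techniques, detections)
    report = defaultdict(lambda: {"uncovered": [], "partial": []})
    for tid, (tactic, _name) in techniques.items():
        if counts[tid] == 0:
            report[tactic]["uncovered"].append(tid)
        elif counts[tid] == 1:
            report[tactic]["partial"].append(tid)
    return dict(report)

def navigator_layer(techniques, detections, name="detection coverage"):
    """Simplified Navigator-style layer dict (score = rule count); field names
    follow the layer file shape, version metadata is omitted."""
    counts = coverage(techniques, detections)
    return {"name": name, "domain": "enterprise-attack", "techniques": [
        {"techniqueID": tid, "tactic": tac, "score": counts[tid]}
        for tid, (tac, _n) in techniques.items()]}
```

Techniques with a parent-level rule but no sub-technique rules (or the reverse) show up as gaps, which is the point: a mapping at one level says nothing about the other.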
(6) Cyber threat intelligence gathering