Sector 7G's Learning Center
Articles • Tips • Tutorials
Beyond The Kill Chain®: MITRE’s ATT&CK®
Intro
Kill Chain Primer introduced focusing cyber defense on actor behavior, namely attackers’ tactical steps. It also noted that derivations of the Kill Chain® have spawned since its debut. This post highlights a particularly-notable derivation: The MITRE Corporation’s ATT&CK® (“Adversarial Tactics, Techniques, and Common Knowledge”).
ATT&CK® is both a framework and knowledge base extending and refining the Kill Chain’s® domain, details techniques, exploits and mitigations and, critically, proposes and maintains a cyber terminology system-of-record.
Detailed coverage of ATT&CK’s® history and ATT&CK® matrices themselves are quite beyond this post’s scope, but should the reader wish to review:
- MITRE ATT&CK: Design and Philosophy
- ATT&CK Enterprise Matrix:
- ATT&CK Mobile Matrices
Background
The MITRE Corporation is a non-profit founded in the late 1950s and the ATT&CK model was “created out of a need to systematically categorize adversary behavior”, is intended to be authoritative, and debuted publicly in 2015.1
ATT&CK® is organized contextually and presented as matrices with tactics horizontally and associated techniques vertically. They’re interactive with the ability to choose, e.g., enterprise, mobile, operating system, containers2, technique and sub-technique drill-downs, potential mitigations, definitions, and other aspects.
In the interests of brevity and appealing to both technical and non-technical readers, and reiterating an introductory point, this post does not detail ATT&CK® (plus, as a living repository, its substance necessarily changes as attacks and mitigation evolve and knowledge accumulates). Again, while the reader is certainly free to review (and interact with) ATT&CK® matrices, this post’s remainder focuses on its value as a reference base rather than, e.g., tactical, technical, and other detail.
ATT&CK’s Reference Base Relevance
As delivery pressure increases for new and enhancing and patching existing products, organizations are faced with the proverbial “firehose” of cyber defense information, much of which replete with new terminology and generally following each headlining cyber incident. Teams (and even individuals/consumers) may understandably adopt and implement, but in so doing cyber defense complexity and uncertainty may increase. This effectively creates a feedback loop, may appear lacking a defined course, and can worsen defensive posture.
This assertion may be bold, but is based on empiricism and not contrived. For example, the following CrowdStrike excerpts from its Faster Response with CrowdStrike and MITRE ATT&CK® 3 parallel the sentiment:
- “The growing sophistication of alerts and the language disparity between the increasing number of cybersecurity solution providers clearly defines a need for more global consistency in cybersecurity terminology.”
- “Mature industries such as healthcare, finance and even sports have long realized that standardized nomenclature is essential for their success. Having one common term for a specific item accelerates understanding and reduces the risk of confusion and error.”
- “Since the ATT&CK framework was created to give security professionals a common language to exchange information, it facilitates collaboration between security teams or other third-party security entities. Its common language and structure allow for threat information to be shared, compared, and analyzed from various sources with more speed, precision and efficiency.”
Final Thoughts
Virtually nothing is incapable of course-correction. Although threats are increasing in both impact and frequency, the purpose of language is communication4, underscored by the CrowdStrike excerpts. Additionally, since threats’ first step is “reconnaissance” (at its core, information gathering), it follows that defensive strategy should initiate and proceed likewise but is impeded without a common language. In the vein of CrowdStrike’s analogies, cyber defense must not be a “play it by ear”5 exercise and one may confidently assume adversaries are not hampered by disparate terminology.