Model:
Summary:
The model above compares the Cyber Kill Chain with the MITRE ATT&CK framework stage by stage, mapping each Kill Chain phase to the ATT&CK tactic that covers the same ground. Here is a detailed summary:
- Cyber Kill Chain Overview: The Cyber Kill Chain is a framework developed by Lockheed Martin that outlines the stages of a cyberattack. It helps in understanding and defending against the different phases of cyber threats.
- MITRE ATT&CK Overview: The MITRE ATT&CK framework is a comprehensive matrix of tactics and techniques used by cyber adversaries. It provides a detailed understanding of the methods attackers use to infiltrate and compromise systems.
- Reconnaissance: Both frameworks start with reconnaissance, where attackers gather information about their targets. This stage involves identifying vulnerabilities and collecting intelligence to plan the attack.
- Weaponization vs. Resource Development: In the Cyber Kill Chain, weaponization involves creating malicious payloads. In MITRE ATT&CK, resource development includes obtaining resources such as malware, infrastructure, and tools necessary for the attack.
- Delivery vs. Initial Access: The delivery stage in the Cyber Kill Chain is about transmitting the weaponized payload to the target. In MITRE ATT&CK, initial access refers to techniques used to gain a foothold in the target network, such as phishing or exploiting vulnerabilities.
- Exploitation vs. Execution: Exploitation in the Cyber Kill Chain is the point where the malicious payload is triggered. Execution in MITRE ATT&CK covers running adversary-controlled code on the target system, a broader tactic that spans the many ways code can be made to run.
- Installation vs. Persistence: Installation in the Cyber Kill Chain is the step where malware is installed on the target system. MITRE ATT&CK’s persistence tactic focuses on techniques that allow adversaries to maintain their foothold, ensuring long-term access.
- Command and Control: Both frameworks include a command and control stage, where the attacker establishes a communication channel to remotely control the compromised system and send further commands.
- Actions on Objectives vs. Additional Tactics: In the Cyber Kill Chain, actions on objectives involve achieving the attacker’s goals, such as data exfiltration or system disruption. MITRE ATT&CK provides additional tactics like privilege escalation, defense evasion, credential access, discovery, lateral movement, collection, exfiltration, and impact to describe various methods used during an attack.
- Comparative Insight: While the Cyber Kill Chain offers a linear view of the stages of an attack, MITRE ATT&CK provides a more granular and detailed mapping of tactics and techniques, allowing for a deeper understanding of adversary behavior and enhancing defensive measures.
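The stage-by-stage mapping above, turned into a small detection-coverage check (an added example, not part of the original summary): given a constructed timeline of alerts tagged with ATT&CK tactics, it reports how far along the Kill Chain the intrusion got and which earlier phases produced no alert. Grouping the ATT&CK tactics that have no direct Kill Chain counterpart under Actions on Objectives is this example's assumption.

```python
from collections import defaultdict

# Cyber Kill Chain phases in order.
KILL_CHAIN = [
    "Reconnaissance", "Weaponization", "Delivery", "Exploitation",
    "Installation", "Command and Control", "Actions on Objectives",
]

# ATT&CK tactic -> Kill Chain phase, following the comparison above. Putting
# the tactics with no direct counterpart under Actions on Objectives is an
# assumption made for this example, not a statement of either framework.
TACTIC_TO_PHASE = {
    "reconnaissance": "Reconnaissance",
    "resource-development": "Weaponization",
    "initial-access": "Delivery",
    "execution": "Exploitation",
    "persistence": "Installation",
    "command-and-control": "Command and Control",
}
for _t in ("privilege-escalation", "defense-evasion", "credential-access",
           "discovery", "lateral-movement", "collection", "exfiltration",
           "impact"):
    TACTIC_TO_PHASE[_t] = "Actions on Objectives"


def phases_seen(alerts):
    """Group alert ids by Kill Chain phase; an unknown tactic raises KeyError
    so that mislabelled alerts are not silently dropped."""
    seen = defaultdict(list)
    for alert_id, tactic in alerts:
        seen[TACTIC_TO_PHASE[tactic]].append(alert_id)
    return dict(seen)


def furthest_phase(alerts):
    """Latest Kill Chain phase with at least one alert, or None."""
    reached = [p for p in KILL_CHAIN if p in phases_seen(alerts)]
    return reached[-1] if reached else None


def coverage_gaps(alerts):
    """Phases up to the furthest one reached that produced no alert: the
    earlier points at which the intrusion passed undetected."""
    last = furthest_phase(alerts)
    if last is None:
        return list(KILL_CHAIN)
    seen = phases_seen(alerts)
    return [p for p in KILL_CHAIN[:KILL_CHAIN.index(last) + 1] if p not in seen]


# Constructed sample timeline of (alert id, ATT&CK tactic) pairs.
SAMPLE_ALERTS = [("a1", "initial-access"), ("a2", "execution"),
                 ("a3", "command-and-control"), ("a4", "exfiltration")]
```

For the sample timeline the intrusion reaches Actions on Objectives while Reconnaissance, Weaponization and Installation never raised an alert, which is exactly the kind of gap the later section says the framework is meant to expose.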
MITRE ATT&CK FRAMEWORK
The MITRE ATT&CK framework takes its name from the MITRE Corporation, the not-for-profit organization that developed it and that operates federally funded research and development centers (FFRDCs). "ATT&CK" stands for Adversarial Tactics, Techniques, and Common Knowledge.
Here’s a breakdown of the name and its components:
- MITRE: This is the name of the organization that created the framework. MITRE is known for its work in systems engineering, information technology, and cybersecurity, among other fields.
- ATT&CK: This acronym stands for:
  - Adversarial: Relating to adversaries or attackers.
  - Tactics: The general objectives or goals that adversaries aim to achieve during an attack (e.g., initial access, persistence, privilege escalation).
  - Techniques: Specific methods or ways adversaries achieve their tactical goals (e.g., spear-phishing, credential dumping, lateral movement).
  - Common Knowledge: Information and observations about the tactics and techniques that adversaries use, gathered from real-world cyber incidents and shared within the cybersecurity community.
The MITRE ATT&CK framework is designed to provide a comprehensive and detailed model of the behaviors and methodologies used by cyber adversaries. It helps organizations understand how attacks are conducted, identify gaps in defenses, and improve their cybersecurity posture by mapping their defenses to known adversarial techniques.
Quotes:
"The key to understanding how cyberattacks work is to think like an attacker. The cyber kill chain provides a valuable perspective on the adversary’s tactics, techniques, and procedures." - Bruce Schneier