Databricks Data Lakehouse vs. a Data Warehouse: What’s the Difference? Read Our Latest Blog...
Databricks Data Lakehouse vs. a Data Warehouse: What’s the Difference? Read Our Latest Blog...
Start Free Trial

ChaosSearch Blog

16 MIN READ

How To Use the MITRE ATT&CK Framework

How to Use the MITRE ATT&CK Framework | ChaosSearch
16:00

MITRE ATT&CK® is an invaluable resource for IT security teams, who can leverage the framework to enhance their cyber threat intelligence, improve threat detection capabilities, plan penetration testing scenarios, and assess cyber threat defenses for gaps in coverage.

In this week’s blog post, we’ll explain more about MITRE ATT&CK and how organizations can use the framework to support their security log analytics initiatives, enhance threat defenses and protect their infrastructure and data from cyber adversaries.

 

Step-by-Step Guide for Deploying MITRE ATT&CK Framework

 

What is the MITRE ATTACK Framework?

The MITRE ATT&CK framework derives its name from the MITRE Corporation that maintains it and the acronym ATT&CK, which stands for Adversarial Tactics, Techniques, and Common Knowledge. The framework is publicly accessible and serves as a knowledge base of techniques used by cyber adversaries to target enterprise IT systems.

Techniques are the building blocks of the MITRE ATT&CK Matrix. All ATT&CK techniques described in the framework have been used by cyber attackers and criminal organizations in the real world to infiltrate the networks of targeted organizations and steal their data. At the time of writing, the framework contains information on 235 different techniques. In 2024, MITRE introduced ATT&CK v.15, addressing both well-known and emerging behaviors used by threat actors, such as using generative AI to support malicious activities.

For each ATT&CK technique, the framework includes:

  • A description of the technique.
  • A list of sub-techniques related to the technique.
  • A list of known mitigation methods for the technique.
  • A list of known detection methods for the technique.
  • Some metadata related to the technique.
  • References and additional resources related to the technique.

 

Active Scanning

Image Source: MITRE ATT&CK Framework - Active Scanning

The adversarial technique Active Scanning is described in the MITRE ATT&CK framework as probing the victim’s infrastructure via network traffic. The listed sub-techniques describe two ways adversaries can do this: by scanning IP blocks, or by scanning the target host for vulnerabilities to a known exploit. Active Scanning is categorized as a reconnaissance technique, meaning that it’s used to collect information from the target organization before escalating adversarial activities.

 

Techniques in the MITRE ATT&CK framework are categorized under 14 tactics that span the entire cyber kill chain - from initial information-gathering, through to data exfiltration and additional impacts of the attack.

 

MITRE ATTACK Framework Image

Image Source

The MITRE ATTACK framework provides cyber resiliency tactics, techniques, and procedures for defending your systems against threat actors throughout the cyber attack lifecycle, otherwise known as the cyber kill chain.

 

When cyber criminals target organizational IT, we know their ultimate goal is going to be data exfiltration.

 

How Cyber Criminals Take Data from Corporate Systems

We can predict what the adversary behavior will be:

  1. Get access to the network and avoid detection.
  2. Explore the network to discover valuable data assets.
  3. Secure the permissions needed to enable data exfiltration.
  4. Steal organizational data and damage network systems.

The 14 tactics described in the MITRE ATT&CK framework are an extension of this general pattern of action. They cover all of the short-term goals and objectives that cyber adversaries try to accomplish on their way to successfully stealing your data. Techniques are the specific methods used to accomplish these tactical objectives - that’s why each technique is listed according to the tactic it serves.

 

The Threat Hunter's Handbook: Using Log Analytics to Find & Neutralize Hidden Cyberthreats. Get you handbook.

 

MITRE ATT&CK Tactics: 14 Ways Cyber Attacks Can Happen

The 14 tactics can be summarized as follows:

  1. Reconnaissance - Collecting information from the target organization to prepare future adversarial activities.
  2. Resource Development - Acquiring infrastructure and resources to support adversarial activities against the target organization.
  3. Initial Access - Gaining initial access to the target network.
  4. Execution - Techniques for running malicious code on the network, usually to explore or steal data.
  5. Persistence - Maintaining access to the target network over time by circumventing measures like credential changes or restarts that could interrupt access.
  6. Privilege Escalation - Gaining administrator or other high-level permissions on the target network.
  7. Defense Evasion - Avoiding detection by security software and IT security teams.
  8. Credential Access - Stealing account names and passwords, allowing the adversary to circumvent security measures by accessing the network with legitimate credentials.
  9. Discovery - Exploring the network and collecting information, such as which applications and services are running, what accounts exist, what resources are available, etc.
  10. Lateral Movement - Accessing and controlling remote services on the target network.
  11. Collection - Aggregating data from a variety of sources on the target network.
  12. Command and Control - Techniques for communicating with systems under the adversary’s control within the target network.
  13. Exfiltration - Techniques for stealing data from the target network and transferring it to an external server controlled by the adversary.
  14. Impact - Techniques for destroying data or disrupting the availability of applications, services, or the target network itself.

 

The MITRE ATT&CK framework also contains information about known cyber threat groups around the world.

For each known threat group, the framework describes what kinds of organizations they target, the techniques they’ve used in past attacks, and software programs they’ve used to attack target networks.

Finally, the framework includes a database of software programs that were used in malicious cyber attacks.

 

MITRE ATTACK Matrix Tactics for Enterprise Data Security

MITRE ATT&CK Framework image depicts the MITRE ATT&CK Matrix, with 14 tactics detailed, along with techniques and sub-techniques threat actors use to exfiltrate data.

 

How to Use the MITRE ATTACK Framework

  1. Cyber Threat Intelligence
  2. Threat Intelligence & Analytics
  3. Penetration Testing & Adversary Emulation
  4. Threat Coverage Gap Assessment

 

If cyber security was an exam, the MITRE ATT&CK framework is like a cheat sheet for detection and response.

The framework can tell your organization which cyber threat groups to watch out for, which specific techniques or software programs might be used to target your business, and how to detect and mitigate against the adversarial techniques described in the framework.

With high-quality information on adversary groups, the techniques they’re likely to use, and how they will behave once they access the target network, IT security teams can make targeted improvements to threat detection systems that increase the likelihood of containing and eradicating a threat before a data breach occurs.

 

MITRE ATTACK Framework Tutorial

To use the MITRE ATT&CK framework effectively, organizations can map detected adversary behaviors to the techniques in the framework. This helps in identifying gaps in defenses and prioritizing security measures. Security teams can utilize the framework for threat hunting in a security lake, red teaming, and improving incident response strategies. By understanding the specific techniques used by adversaries, organizations can create more robust and targeted defenses. The framework also supports sharing of threat intelligence, allowing for a collaborative approach to cybersecurity across different sectors.

By using the MITRE ATT&CK framework for threat hunting, security teams can proactively search for signs of malicious activity within their networks. This approach shifts the focus from reactive to proactive defense, enabling teams to detect and mitigate threats before they cause significant damage. For instance, by identifying patterns of lateral movement or unusual data collection, security professionals can intervene early, stopping adversaries from progressing through their attack lifecycle. Red teaming exercises, which simulate real-world attacks, can also benefit from the ATT&CK framework by using it to design realistic attack scenarios that test the organization’s defenses against known techniques. We’ll explore more of these MITRE ATTACK Framework use cases in the next section.

Finally, the MITRE ATT&CK framework can significantly enhance incident response strategies. When an incident occurs, having a detailed understanding of the adversary’s techniques allows responders to quickly pinpoint the methods used and predict possible next steps. This insight speeds up the containment and eradication phases of incident response, minimizing the impact on the organization. Plus, documenting incidents in the context of the ATT&CK framework facilitates better post-incident review and lessons learned. This continuous improvement cycle strengthens the organization’s overall security posture, making it more resilient against future attacks.

 

Take the Fight to the Fraudsters... Build a Security Data Lake with ChaosSearch!

 

4 MITRE ATT&CK Framework Use Cases - Getting Started with MITRE ATTACK

Cyber Threat Intelligence

Cyber threat intelligence is all about understanding the cyber threat groups that matter to your organization, including their motives, typical targets, behaviors, and preferred software/techniques. IT security teams can use the MITRE ATT&CK framework to access specific information on the behaviors of known threat groups, then identify strategies to detect and mitigate their preferred techniques.

IT analysts can leverage the framework to categorize and better understand network security events. When suspicious activity is detected on the network, analysts can investigate the behavior to determine:

  1. What was the overall goal or objective (tactic) of the behavior?
  2. What method was used (technique) to try and achieve the goal?

From there, security analysts can start correlating the suspicious activity to known threat groups or software programs and identifying ways to shut down the attack.

Ultimately, cyber threat intelligence should allow the organization to prioritize which techniques and tactics to defend against based on the perceived threat level from malicious groups.

 

Threat Detection & Security Analytics

Each technique in the MITRE ATT&CK framework includes a metadata field called “Data Sources”. This field lists specific types of data that organizations should collect to gain the visibility needed to detect that technique.

Common data sources include user authentication logs, file and registry monitoring, packet capture, process monitoring, Windows registry, Windows event logs, and process command-line parameters.

 

How IT SecOps Detect Active Scanning

Image Source: MITRE ATT&CK Framework - Active Scanning

The framework tells us that IT security teams can enhance their ability to detect Active Scanning by capturing, storing, and analyzing packets and network device logs.

 

To enable threat detection and threat hunting using log analytics, organizations must be able to capture log and event data from these sources and store the data in a centralized repository, such as a security data lake. From there, the data must be cleaned and indexed before it can be queried by the organization’s log analytics/SIEM tool.

Many organizations are using the ELK stack (Logstash + Elasticsearch + Kibana) to support their threat detection efforts, but there’s now an even better way: ChaosSearch streamlines the threat detection process by empowering organizations to analyze log files and conduct SIEM analytics directly in Amazon S3 buckets with no data movement and no ETL process.

 

Can You Use an ELK Stack as a SIEM? Check out this blog for a fresh take!

 

Leveraging the Elastic API and an integrated Kibana dashboard, ChaosSearch allows IT security teams to index log files at scale for unlimited data retention, build queries and analytics to detect known cyber threat signatures, and utilize monitoring and alerts to notify IT personnel of suspicious behavior and streamline incident response. These techniques can help teams embrace proactive security engineering best-practices.

Organizations can visit the MITRE Cyber Analytics Repository to access threat-detection analytics written by the global cybersecurity community. Other cybersecurity resources, such as the OCSF Framework, can also be incredibly valuable for threat hunting.

 

Penetration Testing & Adversary Emulation

A third use case for the MITRE ATT&CK framework is penetration testing and cyber threat emulation.

Once your security team writes an analytic or configures security monitoring to detect an adversarial technique, penetration testing or adversary emulation can be used to evaluate the effectiveness of the implemented threat detection measures.

As a starting point, IT security teams can access Atomic Red Team, a collection of scripts used to simulate adversarial behaviors so organizations can test their threat detection capabilities and verify that monitoring/alerts are working as planned.

 

Atomic Test

Image Source: Atomic Red Team

Atomic Red Team builds security tests that are mapped to specific techniques in the MITRE ATT&CK framework, allowing IT security teams to quickly and easily test their defenses against known adversarial techniques.

 

The process here is simple:

  1. Choose a technique from the ATT&CK framework and build analytics to detect it on your network.
  2. Choose a test for that technique from Atomic Red Team.
  3. Run the test and check whether your analytics/monitoring/alerting system detected the threat.
  4. Improve and refine your threat defenses to increase the detection rate and eliminate false positives.

Organizations with red team/blue team capabilities can construct more complex adversary emulation scenarios using the MITRE framework. Red teams can map their activities onto the framework or model adversarial behaviors in an emulation scenario on the preferred techniques of a known threat group.

Once the scenario is finalized, the red team will stage an attack on the network while the blue team works to detect, investigate, and contain threats. Following the exercise, red and blue teams can work together to evaluate the effectiveness of threat detection systems and identify opportunities for improvement.

 

Threat Coverage Gap Assessment

A final use case for the MITRE ATT&CK framework is threat coverage gap assessment.

IT security teams can map existing threat detection capabilities onto the MITRE ATT&CK framework to identify gaps in their defenses. They can identify the cyber threat groups which are most likely to target them and compare their threat coverage to the preferred techniques used by those organizations.

This process can help reveal the highest-priority areas where security teams should focus on implementing threat detection or mitigation solutions.

 

Strengthen Your Security Posture with Log Analytics and the MITRE ATTACK Framework

The MITRE ATT&CK framework provides techniques, procedures, and tips rooted in real-world observations, on how threat actors infiltrate targeted networks and steal data. Most importantly, the framework tells IT security teams how to detect each technique and which types of log data they’ll need to succeed.

Armed with this information, IT security teams can use log analytics software to collect log and event data from the necessary sources, build custom analytics and alerts to detect threats, and strengthen the organization’s overall security posture against cyber threat groups. When combined with a security data lake like Amazon Security Lake, log analytics tools can be powerful parts of a proactive threat hunting strategy.

 

Amazon Security Lake and ChaosSearch. Delivering security analytics with industry-leading cost and unlimited retention. Learn how!

About the Author, Thomas Hazel

Thomas Hazel is Founder, CTO, and Chief Scientist of ChaosSearch. He is a serial entrepreneur at the forefront of communication, virtualization, and database technology and the inventor of ChaosSearch's patented IP. Thomas has also patented several other technologies in the areas of distributed algorithms, virtualization and database science. He holds a Bachelor of Science in Computer Science from University of New Hampshire, Hall of Fame Alumni Inductee, and founded both student & professional chapters of the Association for Computing Machinery (ACM). More posts by Thomas Hazel