MITRE ATT&CK: What is it and how does it work?

by Eduard Bardají on Jul 12, 2024 1:43:41 PM


The MITRE ATT&CK matrix, designed by the MITRE Corporation, is used to describe and catalog malicious behavior in cybersecurity. To do this, it documents the tactics and techniques commonly used by cybercriminals, so that organizations can defend themselves against such attacks.

Using specific tools and procedures of this kind is essential to understanding the threats a company faces and to designing a strategy for preventing cyberattacks, or the system failures that could open the door to a subsequent cyberattack.

ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge. It is a matrix that allows incidents detected in the industry to be tracked and analyzed, collecting a wide variety of the tactics, techniques, and procedures (TTPs) employed by adversaries.


How does MITRE ATT&CK work?

This matrix, presented in 2013, aims to establish a set of general parameters for classifying cybercriminal activity in terms of tactics, techniques, and procedures. Initially, the matrix was applied only to certain sectors, but it is now applicable to different areas, allowing cyberattacks to be detected and prevented in more business sectors.

The matrices are based on tactics and techniques:

  • Tactics refer to the specific methods employed to achieve a particular objective.

  • Techniques describe the way in which specific actions are carried out to achieve that objective.

The tactics used to develop the MITRE ATT&CK are as follows:

  • Reconnaissance. Collecting data to plan the adversary's future operations, i.e., information about the target organization.

  • Resource development. Allocating the necessary resources to carry out the attack operation.

  • Initial access. Entering the target organization or company's system.

  • Execution. Executing adversary-controlled malicious code on a local or remote system.

  • Persistence. Maintaining access to compromised systems across shutdowns, restarts, or reconfigurations.

  • Privilege escalation. Escalating privileges to reach an administrator level in the target system.

  • Defense evasion. Avoiding detection of the intrusion in the affected system.

  • Credential access. Stealing personal credentials such as usernames or passwords.

  • Discovery. Implementing techniques to better understand the compromised system and the internal network.

  • Lateral movement. Moving from the initially compromised system to other systems in the network to gain access to additional information or data.

  • Collection. Gathering information about the attack target to later encrypt or exfiltrate it.

  • Command and control. Establishing communication with compromised systems to control them, mimicking regular web traffic to interact with a victim network.

  • Exfiltration. Transferring the stolen data out of the organization, for example to a cloud account.

  • Impact. Disrupting the compromised organization, for example by encrypting its data with ransomware.
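The practical value of the tactic list above is that detections can be labelled with the tactic and technique they correspond to, so an analyst can read an intrusion back in matrix order and see which stages produced no alert. The following script is an added example, not code from the original article or from MITRE: the tactic and technique IDs are the real ATT&CK Enterprise identifiers, while the log format, the detection rules and the sample events are constructed for illustration.

```python
# Added example (not part of the original article): map constructed detection
# events to ATT&CK tactics and techniques and read the intrusion back in matrix
# order. Technique and tactic IDs are the real ATT&CK Enterprise identifiers;
# the log format and the detection rules are simplified and constructed here.
import re
from collections import OrderedDict

# ATT&CK Enterprise tactics in matrix order (the order used in the list above).
TACTICS = OrderedDict([
    ("TA0043", "Reconnaissance"),
    ("TA0042", "Resource Development"),
    ("TA0001", "Initial Access"),
    ("TA0002", "Execution"),
    ("TA0003", "Persistence"),
    ("TA0004", "Privilege Escalation"),
    ("TA0005", "Defense Evasion"),
    ("TA0006", "Credential Access"),
    ("TA0007", "Discovery"),
    ("TA0008", "Lateral Movement"),
    ("TA0009", "Collection"),
    ("TA0011", "Command and Control"),
    ("TA0010", "Exfiltration"),
    ("TA0040", "Impact"),
])

# Constructed detection rules: (regex over the event text, technique ID, tactic ID).
# Real detection content is far richer; these only illustrate the mapping step.
RULES = [
    (r"mail attachment .*\.docm opened", "T1566", "TA0001"),   # Phishing
    (r"powershell\.exe .*-EncodedCommand", "T1059", "TA0002"),  # Command and Scripting Interpreter
    (r"registry Run key added", "T1547", "TA0003"),            # Boot or Logon Autostart Execution
    (r"lsass\.exe memory read", "T1003", "TA0006"),            # OS Credential Dumping
    (r"net view|nltest /dclist", "T1018", "TA0007"),           # Remote System Discovery
    (r"smb admin\$ share connection", "T1021", "TA0008"),      # Remote Services
    (r"upload to .*(dropbox|mega)\.", "T1567", "TA0010"),      # Exfiltration Over Web Service
    (r"mass file rename \.locked", "T1486", "TA0040"),         # Data Encrypted for Impact
]

# Constructed sample events from one fictional intrusion (one benign line at the end).
SAMPLE_EVENTS = [
    "2024-07-12T09:01:02 host=ws01 mail attachment invoice.docm opened by user=alice",
    "2024-07-12T09:01:40 host=ws01 proc=powershell.exe args='-nop -w hidden -EncodedCommand AAAA'",
    "2024-07-12T09:02:10 host=ws01 registry Run key added value=Updater",
    "2024-07-12T09:15:33 host=ws01 lsass.exe memory read by proc=rundll32.exe",
    "2024-07-12T09:16:00 host=ws01 cmd 'net view /domain' executed",
    "2024-07-12T09:30:12 host=srv02 smb admin$ share connection from ws01",
    "2024-07-12T10:05:45 host=srv02 upload to api.dropbox.com size=2.1GB",
    "2024-07-12T10:40:00 host=srv02 mass file rename .locked count=14322",
    "2024-07-12T10:41:00 host=srv02 scheduled backup completed",
]


def classify(event):
    """Return (technique_id, tactic_id) for the first matching rule, or None."""
    for pattern, technique, tactic in RULES:
        if re.search(pattern, event, re.IGNORECASE):
            return technique, tactic
    return None


def tag_events(events):
    """Attach the ATT&CK technique and tactic to every event that matches a rule."""
    tagged = []
    for event in events:
        hit = classify(event)
        if hit is not None:
            technique, tactic = hit
            tagged.append({"event": event, "technique": technique,
                           "tactic": tactic, "tactic_name": TACTICS[tactic]})
    return tagged


def tactics_observed(tagged):
    """Tactic IDs seen in the tagged events, in matrix order: the shape of the intrusion."""
    seen = {t["tactic"] for t in tagged}
    return [tid for tid in TACTICS if tid in seen]


def tactics_not_observed(tagged):
    """Tactics with no tagged event: candidates for telemetry or rule blind spots."""
    seen = {t["tactic"] for t in tagged}
    return [tid for tid in TACTICS if tid not in seen]


if __name__ == "__main__":
    tagged = tag_events(SAMPLE_EVENTS)
    for t in tagged:
        print(f"{t['tactic']} {t['tactic_name']:<22} {t['technique']}  {t['event']}")
    print("observed:", [TACTICS[t] for t in tactics_observed(tagged)])
    print("no alert:", [TACTICS[t] for t in tactics_not_observed(tagged)])
```

Run as a script, it prints each matched event with its tactic and technique, then the tactics that were and were not observed. In the constructed intrusion, Privilege Escalation, Defense Evasion, Collection and Command and Control produced no alert even though the attacker clearly reached Impact, which is exactly the kind of gap the matrix ordering makes visible.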

What is MITRE ATT&CK used for?

This matrix is of great use to organizations in preparing for and preventing possible cyberattacks on their infrastructures. The goal of this methodology is to democratize the knowledge that exists about cybercriminal behaviors.

Additionally, MITRE ATT&CK includes tools such as ATT&CK Navigator, which simplifies the exploration and use of the ATT&CK matrix, offering an effective way to manage information about the tactics and techniques employed by attackers.

Detection and response

The matrix allows response teams to better understand the tactics and techniques used in an attack, facilitating faster and more accurate analysis. Based on the matrix, companies can develop more effective response plans tailored to the specific threats they face and to the security gaps that exist in their systems.

Security evaluation

The matrix helps companies identify potential vulnerabilities and gaps in their security systems by analyzing attack techniques that could be used by cybercriminals.

It also provides detailed guidance on how attackers operate, enabling companies to develop and strengthen their defenses against the tactics and techniques outlined in the matrix.
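A security evaluation of the kind described here usually ends in a per-technique verdict (did the control detect the test action or not), and the ATT&CK Navigator mentioned earlier can display those verdicts as colors on the matrix. The script below is an added example, not ESED's or MITRE's code: the technique IDs are real ATT&CK Enterprise identifiers, the test outcomes are constructed, and the layer keys follow the Navigator layer file format as I understand it, so treat the "versions" values as an assumption to be matched against the Navigator build you use.

```python
# Added example (not ESED's or MITRE's code): score the outcome of controlled test
# actions per ATT&CK technique and write the result as an ATT&CK Navigator layer so
# detection gaps show up on the matrix. Technique IDs are real ATT&CK Enterprise
# identifiers; the test outcomes are constructed, and the layer keys follow the
# Navigator layer file format as I understand it (the "versions" values are an
# assumption to adjust to the Navigator build in use).
import json

# Techniques exercised in the assessment, with the tactic column each sits in
# (tactic names in Navigator's lowercase, hyphenated form).
ASSESSED = [
    ("T1566", "initial-access"),
    ("T1059", "execution"),
    ("T1547", "persistence"),
    ("T1003", "credential-access"),
    ("T1021", "lateral-movement"),
    ("T1567", "exfiltration"),
    ("T1486", "impact"),
]

# Constructed outcome of each controlled test action:
#   alerted - the SOC received an alert
#   logged  - telemetry was recorded but no alert fired
#   missed  - nothing was recorded
TEST_RESULTS = {
    "T1566": "alerted",
    "T1059": "alerted",
    "T1547": "logged",
    "T1003": "missed",
    "T1021": "missed",
    "T1567": "logged",
    "T1486": "alerted",
}

SCORE = {"alerted": 2, "logged": 1, "missed": 0}
COLOR = {"alerted": "#2e8b57", "logged": "#ffd700", "missed": "#d62728"}


def outcome_counts(results):
    """How many techniques ended in each outcome."""
    counts = {"alerted": 0, "logged": 0, "missed": 0}
    for outcome in results.values():
        counts[outcome] += 1
    return counts


def coverage_gaps(results):
    """Techniques with no detection at all: the first candidates for new telemetry or rules."""
    return sorted(t for t, r in results.items() if r == "missed")


def build_layer(assessed, results, name="Detection coverage (constructed)"):
    """Build a Navigator layer dict; assessed techniques without a result count as missed."""
    techniques = []
    for technique_id, tactic in assessed:
        outcome = results.get(technique_id, "missed")
        techniques.append({
            "techniqueID": technique_id,
            "tactic": tactic,
            "score": SCORE[outcome],
            "color": COLOR[outcome],
            "comment": f"controlled test: {outcome}",
            "enabled": True,
        })
    return {
        "name": name,
        "versions": {"attack": "15", "navigator": "5.0.0", "layer": "4.5"},  # assumption
        "domain": "enterprise-attack",
        "description": "Per-technique outcome of controlled test actions; 2=alerted, 1=logged, 0=missed.",
        "techniques": techniques,
    }


if __name__ == "__main__":
    print("gaps:", coverage_gaps(TEST_RESULTS))
    print("counts:", outcome_counts(TEST_RESULTS))
    print(json.dumps(build_layer(ASSESSED, TEST_RESULTS), indent=2))
```

Redirect the script's output to a `.json` file and open it with Navigator's "Open Existing Layer" to see the missed techniques in red against the rest of the matrix; a technique that was exercised but never produced telemetry (here T1003 and T1021) is the gap to close first, before tuning alerts on techniques that are at least logged.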

Education and training

The matrix is useful for training and educating security teams on the techniques and tactics it outlines. To train teams, cyberattack simulations are conducted to improve how quickly and effectively systems respond to potential cyberattacks.

ESED Attack, ESED's solution based on MITRE ATT&CK

At ESED, we believe that to prevent and/or avoid any cyberattack, we must first understand what we are up against. To identify the threats to which a system is vulnerable, we have designed and developed our solution, ESED Attack.

With ESED Attack, we conduct controlled and harmless attacks against a computer system to assess its security level and detect vulnerabilities that could jeopardize any company's information. To launch and categorize these attacks, we rely on the MITRE ATT&CK cybersecurity framework.

We use the MITRE matrix to simulate attacker techniques with specific actions aimed at systems. These are real techniques, but without the use of malware or malicious code, used to detect security gaps.

For more information about ESED Attack, you can download the complete manual through the following link.