MITRE ATT@CK®: What it is and how it improves security

You might have heard or seen the term “MITRE ATT@CK” in the context of cybersecurity, and you may be wondering what exactly it refers to. The short answer is, it’s a powerful new framework for categorizing cyberattack tactics and techniques in order to improve risk assessment and mitigation and to standardize communications about threats.

First, though, let’s look at the basic terminology. MITRE is a not-for-profit research organization that was spun off from the Massachusetts Institute of Technology (MIT) in 1958. It includes a number of subsidiary organizations that receive government funding to conduct a wide range of research and development projects. Its name, curiously enough, is not an acronym for MIT Research and Engineering or anything else; one of its founders simply thought it was a catchy and memorable name.

ATT@CK, on the other hand, is an acronym, for “adversarial tactics, techniques, and common knowledge.” It consists of a publicly accessible knowledge base of, well, tactics and techniques used by cyberattackers. These are arranged in three matrices:

• Enterprise ATT@CK, listing the actions taken by attackers to penetrate and operate within corporate networks


• PRE-ATT@CK, which describes the actions taken by attackers in preparation for an attack, such as reconnaissance and selection of points of entry


• Mobile ATT@CK, a compilation of attack techniques and tactics used against mobile devices

So let’s get a little more detailed about the terminology. “Tactics” refers to high-level actions or objectives. Currently the Enterprise ATT@CK matrix includes 14 tactics:

1. Reconnaissance


2. Resource Development


3. Initial Access


4. Execution


5. Persistence


6. Privilege Escalation


7. Defense Evasion


8. Credential Access


9. Discovery


10. Lateral Movement


11. Command & Control


12. Collection


13. Exfiltration


14. Impact

Each of these tactics, in turn, is associated with a number of “techniques.” For example, in the Enterprise ATT@CK matrix, tactic 3, Initial Access, is currently associated with nine techniques, including Drive-by Compromise, Phishing, Supply Chain Compromise, etc. And several of these techniques include sub-techniques. For example, Phishing has three sub-techniques listed (Spearphishing Attachment, Spearphishing Link, and Spearphishing via Service). As of this writing, the Enterprise ATT@CK matrix lists 185 techniques and 367 sub-techniques, but MITRE adds more as they are discovered. And each technique and sub-technique has a unique numerical ID. Spearphishing Link, for example, is ID: T1566.002.

Purpose and benefits

Prior to the development of ATT@CK, cybersecurity strategies and technologies were organized around the goal of identifying Indicators of Compromise (IOC). That is, the aim was to categorize signals and events that indicated that a system or data store had been compromised.

A major drawback of that approach is that it is primarily reactive — once you spot an IOC, the attack is already well underway if not already completed. Furthermore, given the variety of systems and technologies vulnerable to compromise, and the vast number of potential indicators that a system has been compromised, maintaining a reliable catalog of IOCs is impractical. Of course, it is still important to be able to detect IOCs, but that is no longer the primary goal of a modern cybersecurity system.

The ATT@CK framework, by contrast, provides a much more manageable list of adversary actions. And by focusing on detecting techniques and tactics, it is more likely that security systems can identify an attack in progress before any damage has been done. This also creates a framework for assessing and addressing an organization’s vulnerabilities to specific techniques in advance of any attacks, in order to reduce risk.

How to use it

For IT security professionals, MITRE ATT@CK is a powerful tool with several practical uses. When conducting tabletop exercises, it serves as a guide for crafting specific simulated attacks and practicing responses. For security auditing and risk assessment, it is a framework that makes it simple to systematically assess your organization’s vulnerabilities to specific tactics and techniques.

Because it provides a common, clearly defined terminology, it can also eliminate ambiguity in communications about vulnerabilities and security capabilities, for example between security and DevOps teams, between teams participating in penetration testing, and between security solution buyers and vendors.

At Barracuda, MITRE ATT@CK is a key tool for planning and developing new technological capabilities and for tailoring effective solution packages to address specific customer needs. In addition it helps us work with customers to gain a shared understanding of how to think about and prioritize risks and vulnerabilities, and how to address them most effectively.

Video: Delving into the latest insights in security threats and trends