Blog

What is MITRE ATT&CK™?

Learn how MITRE ATT&CK is useful. MITRE has made a significant contribution to the security community by giving us ATT&CK and its related tools and resources.

Travis Farral
November 29, 2018
Table of contents
<p><a href="https://www.mitre.org/" target="_blank">MITRE</a> introduced <a href="https://attack.mitre.org/" target="_blank">ATT&amp;CK</a> (Adversarial Tactics, Techniques &amp; Common Knowledge) in 2013 as a way to describe and categorize adversarial behaviors based on real-world observations. ATT&amp;CK is a structured list of known attacker behaviors that have been compiled into tactics and techniques and expressed in a handful of matrices as well as via STIX/TAXII. Since this list is a fairly comprehensive representation of behaviors attackers employ when compromising networks, it is useful for a variety of offensive and defensive measurements, representations, and other mechanisms.</p><p>ATT&amp;CK can be useful to cyber threat intelligence as it allows for describing adversarial behaviors in a standard fashion. Actors can be tracked with associations to techniques and tactics in ATT&amp;CK that they have been known to utilize. This gives a roadmap to defenders to apply against their operational controls to see where they have weaknesses against certain actors and where they have strengths. Creating MITRE ATT&amp;CK Navigator entries for specific actors is a good way to visualize the environment’s strengths and weaknesses against those actors or groups. ATT&amp;CK is also available as a <a href="https://www.mitre.org/capabilities/cybersecurity/overview/cybersecurity-blog/attck%E2%84%A2-content-available-in-stix%E2%84%A2-20-via" target="_blank">STIX/</a><a href="https://www.mitre.org/capabilities/cybersecurity/overview/cybersecurity-blog/attck%E2%84%A2-content-available-in-stix%E2%84%A2-20-via" target="_blank">TAXII</a><a href="https://www.mitre.org/capabilities/cybersecurity/overview/cybersecurity-blog/attck%E2%84%A2-content-available-in-stix%E2%84%A2-20-via" target="_blank"> 2.0</a> feed which makes it easy to ingest into existing tools that support those technologies.</p><p>MITRE has made a significant contribution to the security community by giving us ATT&amp;CK and its related tools and resources. It couldn’t have come at a better time. As attackers are finding ways to be more stealthy and avoid detection by traditional security tools, defenders find themselves having to change how they approach detection and defense. ATT&amp;CK shifts our perception from low-level indicators like IP addresses and domain names and causes us to see attackers and our defenses through the lens of behaviors. This new perception doesn’t mean results will come easy though. The easy days of block lists and simple filters are all but gone. The road of detecting and preventing behaviors is a much harder path than the fire-and-forget tools of the past. Additionally, attackers will certainly be adapting as defenders bring new capabilities to bear. ATT&amp;CK provides a way to describe whatever new techniques they develop and hopefully keep defenders in step.</p><p>ATT&amp;CK is valuable in a variety of everyday settings. Refer to our <a href="https://www.anomali.com/resources/what-mitre-attck-is-and-how-it-is-useful" target="_blank">dedicated MITRE ATT&amp;CK page</a> to learn what MITRE ATT&amp;CK is and how it is useful along with best practices and challenges.</p><p style="text-align: center;"><a class="button button-xlarge button-rounded button-blue-grad" href="https://www.anomali.com/resources/what-mitre-attck-is-and-how-it-is-useful" target="_blank">MORE INFO</a></p>
Travis Farral

Travis Farral is the former Director of Security Strategy at Anomali. Travis is a seasoned IT security professional with extensive background in corporate security environments.

Propel your mission with amplified visibility, analytics, and AI.

Learn how Anomali can help you cost-effectively improve your security posture.

November 29, 2018
-
Travis Farral
,

What is MITRE ATT&CK™?

<p><a href="https://www.mitre.org/" target="_blank">MITRE</a> introduced <a href="https://attack.mitre.org/" target="_blank">ATT&amp;CK</a> (Adversarial Tactics, Techniques &amp; Common Knowledge) in 2013 as a way to describe and categorize adversarial behaviors based on real-world observations. ATT&amp;CK is a structured list of known attacker behaviors that have been compiled into tactics and techniques and expressed in a handful of matrices as well as via STIX/TAXII. Since this list is a fairly comprehensive representation of behaviors attackers employ when compromising networks, it is useful for a variety of offensive and defensive measurements, representations, and other mechanisms.</p><p>ATT&amp;CK can be useful to cyber threat intelligence as it allows for describing adversarial behaviors in a standard fashion. Actors can be tracked with associations to techniques and tactics in ATT&amp;CK that they have been known to utilize. This gives a roadmap to defenders to apply against their operational controls to see where they have weaknesses against certain actors and where they have strengths. Creating MITRE ATT&amp;CK Navigator entries for specific actors is a good way to visualize the environment’s strengths and weaknesses against those actors or groups. ATT&amp;CK is also available as a <a href="https://www.mitre.org/capabilities/cybersecurity/overview/cybersecurity-blog/attck%E2%84%A2-content-available-in-stix%E2%84%A2-20-via" target="_blank">STIX/</a><a href="https://www.mitre.org/capabilities/cybersecurity/overview/cybersecurity-blog/attck%E2%84%A2-content-available-in-stix%E2%84%A2-20-via" target="_blank">TAXII</a><a href="https://www.mitre.org/capabilities/cybersecurity/overview/cybersecurity-blog/attck%E2%84%A2-content-available-in-stix%E2%84%A2-20-via" target="_blank"> 2.0</a> feed which makes it easy to ingest into existing tools that support those technologies.</p><p>MITRE has made a significant contribution to the security community by giving us ATT&amp;CK and its related tools and resources. It couldn’t have come at a better time. As attackers are finding ways to be more stealthy and avoid detection by traditional security tools, defenders find themselves having to change how they approach detection and defense. ATT&amp;CK shifts our perception from low-level indicators like IP addresses and domain names and causes us to see attackers and our defenses through the lens of behaviors. This new perception doesn’t mean results will come easy though. The easy days of block lists and simple filters are all but gone. The road of detecting and preventing behaviors is a much harder path than the fire-and-forget tools of the past. Additionally, attackers will certainly be adapting as defenders bring new capabilities to bear. ATT&amp;CK provides a way to describe whatever new techniques they develop and hopefully keep defenders in step.</p><p>ATT&amp;CK is valuable in a variety of everyday settings. Refer to our <a href="https://www.anomali.com/resources/what-mitre-attck-is-and-how-it-is-useful" target="_blank">dedicated MITRE ATT&amp;CK page</a> to learn what MITRE ATT&amp;CK is and how it is useful along with best practices and challenges.</p><p style="text-align: center;"><a class="button button-xlarge button-rounded button-blue-grad" href="https://www.anomali.com/resources/what-mitre-attck-is-and-how-it-is-useful" target="_blank">MORE INFO</a></p>

Get the Latest Anomali Updates and Cybersecurity News – Straight To Your Inbox

Become a subscriber to the Anomali Newsletter
Receive a monthly summary of our latest threat intelligence content, research, news, events, and more.