In the cybersecurity community, there always seems to be a new acronym to learn. ATT&CK, however, has been a well-respected model that many professionals have stood behind for years.
Because this is such an important concept in the cybersecurity landscape, we wanted to explain exactly what the framework is, and educate you on how this security model can help to protect your business from costly cyber attacks.
What is ATT&CK?
Don’t you wish you could get into the mind of a hacker? What if you could trace the exact path an attacker takes from planning an intrusion to breaking into your systems? Unless you’re a cybersecurity expert, you may not realize that the cyber attack lifecycle is commonly described as seven separate stages, each with further steps inside it.
Many security safeguards focus almost exclusively on the first four phases of that lifecycle: recon, weaponize, deliver, and exploit. But there is an entire set of phases that happen after the attacker gets in, covering how the bad actor controls your devices and systems, how they execute further actions inside the network, and how they maintain their foothold. These are the last three phases:
- Control
- Execute
- Maintain
The ATT&CK model focuses on the behaviors and actions an attacker may take post-exploit. Cataloging those behaviors lets defenders recognize the tactics and techniques that indicate an attack is already in progress and catch it early, even when the initial intrusion itself was missed.
Why are these post-exploit stages so important? According to Mandiant’s M-Trends report, the median dwell time, the number of days an adversary sits inside a network before being detected, was an incredible 146 days. That’s a long time for a hacker to roam your internal systems, mapping the environment and gathering data behind the curtain. By focusing on the later stages of the cyber attack lifecycle, companies can detect an intruder who is already inside long before that quiet foothold turns into a costly breach.
The ATT&CK Framework
The ATT&CK acronym stands for Adversarial Tactics, Techniques, and Common Knowledge.
MITRE developed ATT&CK as a knowledge base of adversary tactics and techniques based on real-world observations of cyber attacks. MITRE compiled this massive database by digging through the data themselves and finding commonalities and patterns: they scoured a large set of publicly available threat reports and analyses, and used a red team to test and refine the model.
In the end, they identified 10 high-level tactics, spanning the three post-exploit phases (control, execute, and maintain), that adversaries try to achieve once they get into a network:
- Execution
- Persistence
- Privilege Escalation
- Defense Evasion
- Credential Access
- Discovery
- Lateral Movement
- Collection
- Exfiltration
- Command and Control
Because these tactics are backed by real-life analysis, they are crucial patterns to understand. A tactic is the adversary’s goal at a given stage of the intrusion, and the techniques catalogued under it are the concrete ways real attackers have been observed reaching that goal. Together they describe the most common paths and behaviors bad actors take to compromise a business, and that is why cybersecurity experts use this knowledge base to plan for likely attack patterns. (Later releases of ATT&CK have added further tactics, such as Initial Access and Impact, but the ten above remain the core of post-exploit behavior.)
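To make the tactic/technique distinction concrete, here is an added example (written for this post; it is not MITRE’s code or the original article’s) of the way defenders actually use the framework: a handful of detection rules, each labelled with the real ATT&CK technique and tactic IDs it corresponds to, are run over a constructed process-creation log, and the result is reported two ways. Per host, it lists which post-exploit tactics have been observed, which is the “attack in progress” signal described earlier. Per rule set, it lists which of the ten tactics have no detection at all, which is the coverage gap an ATT&CK-based review flags first. The log lines, the log format and the regexes are invented for this example; only the ATT&CK IDs and names are real.

```python
"""Tag endpoint events with ATT&CK tactic and technique IDs, then report
which of the ten post-exploit tactics a detection rule set covers."""
import re

# Enterprise ATT&CK tactic IDs for the ten tactics listed above (real IDs).
TACTICS = {
    "TA0002": "Execution",
    "TA0003": "Persistence",
    "TA0004": "Privilege Escalation",
    "TA0005": "Defense Evasion",
    "TA0006": "Credential Access",
    "TA0007": "Discovery",
    "TA0008": "Lateral Movement",
    "TA0009": "Collection",
    "TA0010": "Exfiltration",
    "TA0011": "Command and Control",
}

# Toy detection rules: (regex over a process command line, technique ID, technique name, tactic IDs).
# The technique IDs and names are real ATT&CK entries; the regexes are deliberately simple
# illustrations written for this example, not production detection logic.
RULES = [
    (r"\bpowershell(\.exe)?\b.*-(enc|encodedcommand)\b", "T1059.001", "PowerShell", ["TA0002"]),
    (r"\bschtasks(\.exe)?\b.*/create\b", "T1053.005", "Scheduled Task", ["TA0002", "TA0003", "TA0004"]),
    (r"\bmimikatz\b|sekurlsa::logonpasswords", "T1003.001", "LSASS Memory", ["TA0006"]),
    (r"\bnet(\.exe)? (user|group)\b.*/domain\b", "T1087.002", "Domain Account", ["TA0007"]),
    (r"\bpsexec(\.exe)?\b", "T1021.002", "SMB/Windows Admin Shares", ["TA0008"]),
]

# Constructed sample log (invented for this example, not from any real system):
# one process-creation event per line.
SAMPLE_LOG = r"""
2019-03-04T09:12:01Z host=ws01 user=alice cmd=powershell.exe -nop -w hidden -enc SQBFAFgA
2019-03-04T09:12:07Z host=ws01 user=alice cmd=net group "Domain Admins" /domain
2019-03-04T09:13:40Z host=ws01 user=alice cmd=schtasks.exe /create /sc daily /tn Updater /tr C:\Users\Public\u.exe
2019-03-04T09:15:02Z host=ws01 user=alice cmd=notepad.exe C:\Users\alice\notes.txt
2019-03-04T09:20:11Z host=srv02 user=svc_backup cmd=psexec.exe \\srv03 -s cmd.exe
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd=(?P<cmd>.*)$")


def parse_events(text):
    """Parse the simple key=value log format above; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def tag_events(events, rules=RULES):
    """Return one hit per (event, matching rule), labelled with technique ID and tactic names."""
    hits = []
    for ev in events:
        for pattern, tech_id, tech_name, tactic_ids in rules:
            if re.search(pattern, ev["cmd"], re.IGNORECASE):
                hits.append({**ev, "technique": tech_id, "technique_name": tech_name,
                             "tactics": [TACTICS[t] for t in tactic_ids]})
    return hits


def tactics_seen_per_host(hits):
    """Tactics observed on each host. Several distinct post-exploit tactics on one host
    in a short window is the 'attack in progress' signal the text describes."""
    seen = {}
    for h in hits:
        seen.setdefault(h["host"], set()).update(h["tactics"])
    return {host: sorted(tactics) for host, tactics in seen.items()}


def tactic_coverage(rules=RULES):
    """Map each tactic name to the technique IDs the rule set can detect."""
    cov = {name: [] for name in TACTICS.values()}
    for _, tech_id, _, tactic_ids in rules:
        for t in tactic_ids:
            cov[TACTICS[t]].append(tech_id)
    return cov


def uncovered_tactics(rules=RULES):
    """Tactics with no detection rule at all: the gaps an ATT&CK-based review flags first."""
    return [name for name, techs in tactic_coverage(rules).items() if not techs]


if __name__ == "__main__":
    hits = tag_events(parse_events(SAMPLE_LOG))
    for h in hits:
        print(f'{h["ts"]} {h["host"]:<6} {h["technique"]:<10} {h["technique_name"]:<25} {", ".join(h["tactics"])}')
    print("tactics seen per host:", tactics_seen_per_host(hits))
    print("tactics with no coverage:", uncovered_tactics())
```

Run as-is, the script tags four of the five events, shows that ws01 has already moved through Execution, Discovery, Persistence and Privilege Escalation while srv02 shows Lateral Movement, and reports that this rule set has nothing at all for Defense Evasion, Collection, Exfiltration or Command and Control. In practice the same bookkeeping is done by mapping every rule in a SIEM or EDR to ATT&CK technique IDs, so that coverage can be measured against the framework rather than guessed.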
The Advantages of Using ATT&CK
There are a number of ways the ATT&CK model could serve your business’s security posture, but here are some key advantages:
- ATT&CK helps you stay ahead of the curve. MITRE’s findings come from deep analysis and red-team testing of the common attack paths taken by real bad actors. Classifying attacks this way makes it easier for cybersecurity experts and internal IT teams alike to spot common patterns and to prevent or catch future system compromises.
- ATT&CK is constantly improving. The ATT&CK framework is not a stagnant model. MITRE keeps refining the tactics and techniques it describes, folding in fresh data to stay current with the latest ploys seen in the wild. At the time of writing the framework is on version four, and further updates are always on the horizon to keep your organization in the know and staying sharp.
- ATT&CK lets us truly understand our adversary and plan our defense. The tactics and techniques the ATT&CK model catalogs show the directions bad actors are likely to take, and each technique comes with mitigation and detection guidance. By knowing exactly how real hackers have acted in the past, we learn valuable real-life lessons that improve our defenses and keep us alert, even after an exploit has already occurred.
How Prepared are You for an Attack?
With today’s threat landscape constantly evolving, it’s important to understand the behaviors and attack paths of adversaries, and to stay up to date on new threat prevention tactics.
Do you know how well your team would handle social engineering attempts posed by a malicious hacker? Put your employees to the test with Social Engineering Strength Testing or Security Awareness Training from Kevin Mitnick and his Global Ghost Team.