The MITRE ATT&CK matrix is a knowledge base of adversary tactics, techniques and procedures (TTPs) observed in real-world attacks, in which adversaries exploit vulnerabilities in an enterprise network to steal valuable information. The focus of the MITRE ATT&CK framework is on how adversaries interact with enterprise systems to accomplish their objectives.
The MITRE ATT&CK framework represents the following phases of an attack:
| MITRE ATT&CK Tactic | Description |
|---|---|
| Reconnaissance | Gather data for future operations |
| Resource Development | Establish resources to support operations |
| Initial Access | Get into the network for the first time |
| Execution | Run malicious code |
| Persistence | Maintain and stabilize a foothold |
| Privilege Escalation | Gain higher-level permissions |
| Defense Evasion | Avoid detection |
| Credential Access | Steal login IDs and passwords |
| Discovery | Figure out your environment |
| Lateral Movement | Move through your environment |
| Collection | Gather data |
| Command and Control | Gain command and control over the required systems |
| Exfiltration | Steal data |
| Impact | Manipulate, interrupt, or destroy your systems and data |
MITRE Tactics, Techniques, and Sub-techniques
The MITRE ATT&CK matrix consists of 14 tactics, which are further classified into 188 techniques and sub-techniques.
Tactics represent the 'what' and 'why' of an attack technique or sub-technique: the adversary's tactical goal, the reason for performing an action, what they are trying to achieve. For example, an adversary trying to obtain credentials in order to access your data.
Techniques represent 'how' an adversary performs an action on a system to achieve a tactical goal. For example, an adversary may dump credentials to achieve credential access.
Sub-techniques describe the behavior used to achieve an adversary's goal in more detail. For example, the sub-techniques under the OS Credential Dumping technique describe the specific methods used to perform that technique. See the MITRE ATT&CK Matrix for a more detailed view.
How an Organization Benefits from the MITRE ATT&CK Framework
The methodology uses the information in the ATT&CK knowledge base and its underlying data model to create the context needed to select security controls and map them to a given technique or sub-technique.
A mapping between a security control and an ATT&CK technique or sub-technique means that the security control may prevent successful execution of that technique or sub-technique. The methodology does not define degrees of mapping or control effectiveness: a control is either mapped or not mapped to a given technique or sub-technique. In this way the mappings provide an easily understood foundational resource that is intended to inform risk management decisions.
ATT&CK's mitigations connect adversary behavior (tactics and techniques) to the security controls that mitigate those behaviors.
The process incrementally builds an understanding of ATT&CK techniques and sub-techniques in the context of their mitigations, in order to select the relevant security controls to map:
- ATT&CK Mitigation: analyze each mitigation.
- ATT&CK Technique: understand the adversary objectives and goals that a technique or sub-technique is designed to achieve.
- Security Control: examine security controls in the context of the mitigation and the specific techniques.
- Create a Mapping: identify and create security control mappings to ATT&CK techniques and sub-techniques.
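The four steps above, carried through on a tiny constructed data set, as an added example that is not part of the original page or of MITRE's own tooling. The technique, tactic and mitigation IDs are taken from ATT&CK and the control IDs from NIST SP 800-53, but the subset shown and the control-to-mitigation judgements are assumptions made for illustration. The mapping produced is binary, as the methodology requires, and the coverage report shows the kind of per-tactic gap list a risk owner would want.

```python
"""Mitigation-driven control mapping: mitigation -> technique -> control -> mapping."""
from collections import defaultdict

# Constructed sample data (a small subset; IDs follow ATT&CK / NIST SP 800-53).
TECHNIQUES = {
    "T1003":     {"name": "OS Credential Dumping", "tactic": "Credential Access", "parent": None},
    "T1003.001": {"name": "LSASS Memory",          "tactic": "Credential Access", "parent": "T1003"},
    "T1078":     {"name": "Valid Accounts",        "tactic": "Initial Access",    "parent": None},
    "T1059":     {"name": "Command and Scripting Interpreter", "tactic": "Execution", "parent": None},
}
# Steps 1 and 2: each ATT&CK mitigation lists the techniques it addresses.
MITIGATIONS = {
    "M1026": {"name": "Privileged Account Management", "techniques": ["T1003", "T1003.001", "T1078"]},
    "M1027": {"name": "Password Policies",             "techniques": ["T1078"]},
}
# Step 3: analyst judgement (assumed here) of which controls implement each mitigation.
CONTROL_TO_MITIGATION = {
    "AC-6": ["M1026"],   # Least Privilege
    "IA-5": ["M1027"],   # Authenticator Management
    "AU-6": [],          # Audit Record Review: examined, no mapping created
}

def build_mapping(control_to_mitigation=CONTROL_TO_MITIGATION, mitigations=MITIGATIONS):
    """Step 4: return {control: sorted list of technique IDs}.
    The result is binary: a technique is mapped or not, no effectiveness score."""
    mapping = {}
    for control, mits in control_to_mitigation.items():
        techs = set()
        for mit in mits:
            techs.update(mitigations[mit]["techniques"])
        mapping[control] = sorted(techs)
    return mapping

def coverage_by_tactic(mapping, techniques=TECHNIQUES):
    """Per tactic, list techniques with at least one mapped control and those with none,
    so that unmapped techniques stand out for risk management decisions."""
    mapped = {t for techs in mapping.values() for t in techs}
    report = defaultdict(lambda: {"covered": [], "uncovered": []})
    for tid, meta in techniques.items():
        report[meta["tactic"]]["covered" if tid in mapped else "uncovered"].append(tid)
    return dict(report)

if __name__ == "__main__":
    mapping = build_mapping()
    for tactic, status in coverage_by_tactic(mapping).items():
        print(f"{tactic}: covered={status['covered']} uncovered={status['uncovered']}")
```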