MITRE ATT&CK MATRIX

The MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) Matrix is a globally recognized framework for describing cyber threat actors' tactics and techniques, helping organizations bet

Uses?

The ATT&CK Matrix is a basic framework describing a cyber attack: the common steps an attacker may take and the techniques used in each step. It is a very linear path that highlights each main step, from pre-attack reconnaissance all the way to the exfiltration of (likely valuable) data.

Steps:

  1. Reconnaissance: Gathering information on the host device, network, etc. that is going to be exploited or attacked. This often includes IP addresses, open ports, running services, OS versions, etc.

  2. Resource Development: After the initial reconnaissance, the attacker can begin searching for and collecting information on popular exploits or other ways to attack the server. A very popular database of possible exploits is https://exploit-db.com.

  3. Initial Access: This is when the attacker attempts to gain access to the network. This could be done through social engineering, phishing, or a multitude of other ways. Read more about the social engineering toolkit here.

  4. Execution: Once the attacker has gotten into the network, they can begin executing the exploits. This is commonly where the attack is thought to begin.

  5. Persistence: After initial access, the attacker must remain in the system to continue the attack. Working to maintain that presence is called persistence. It can be done in many ways, such as altering configurations, uploading shells, etc.

  6. Privilege Escalation: After gaining initial access, the attacker will likely not be a root/admin user and will need to find ways to escalate permissions in order to continue exploiting the device. Gaining root access can be a struggle, but it grants much greater access to the systems being attacked and makes the attacker that much more powerful in their exploitation.

  7. Defense Evasion: In order to continue attacking, or to remain in the systems at all, the attacker must sidestep or avoid any security systems. If malware is going to be uploaded or used within the attack, the attacker must be sure it is uploaded in a way that doesn't set off any flags within the defense system.

  8. Credential Access: Another method of defense evasion is to look around for real credentials of users that already exist within the network. Credentials are some of the most useful pieces of data that can be found, as they not only allow guaranteed access to the system but also act as a cloak for the attacker to hide behind.

  9. Discovery: After valid credentials are gathered, the environment is explored in a step called discovery. This allows the attacker to find out what they have access to and what they can control. This step is similar to recon, but is done internally in order to see what else is accessible.

  10. Lateral Movement: This is done after more of the network or organization has been discovered. Hopping between devices within the environment and continuing the attack across multiple devices is known as lateral movement.

  11. Collection: Exactly what it sounds like: the gathering of valuable information that relates to the attacker's end goal. This varies from attack to attack, but often it is in the form of credentials, personal information such as card numbers, or confidential files relating to the organization.

  12. Command and Control: Using the compromised network, the attacker now focuses on commanding and controlling it in order to communicate with the victims or to cause delays in the work being done on the network.

  13. Exfiltration: Stealing the data and exporting it from the systems the attacker started on to the attacker's own device.

  14. Impact: Manipulating the system in order to create a direct impact on the workflow of the attacked organization. Deleting files, destroying systems, using ransomware, etc. are all examples of this step.
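As an added example that is not part of the original page: the script below uses the real ATT&CK Enterprise tactic IDs for the 14 steps above to order a constructed alert feed into the attack chain and to flag the stages in between that produced no alert, which is how a defender uses the matrix to spot detection gaps. The alert feed and rule names are constructed for the example.

```python
"""Added example: order ATT&CK-tagged alerts into the attack chain described
above and list the stages in between with no detections (likely detection gaps)."""
from collections import OrderedDict

# Real ATT&CK Enterprise tactic IDs, in the order the page lists the steps.
TACTICS = OrderedDict([
    ("TA0043", "Reconnaissance"), ("TA0042", "Resource Development"),
    ("TA0001", "Initial Access"), ("TA0002", "Execution"),
    ("TA0003", "Persistence"), ("TA0004", "Privilege Escalation"),
    ("TA0005", "Defense Evasion"), ("TA0006", "Credential Access"),
    ("TA0007", "Discovery"), ("TA0008", "Lateral Movement"),
    ("TA0009", "Collection"), ("TA0011", "Command and Control"),
    ("TA0010", "Exfiltration"), ("TA0040", "Impact"),
])
POSITION = {tid: i for i, tid in enumerate(TACTICS)}

# Constructed alert feed: (HH:MM, host, tactic id, detection rule that fired).
ALERTS = [
    ("11:50", "db02", "TA0010", "large outbound transfer"),
    ("10:02", "web01", "TA0001", "phishing attachment opened"),
    ("10:31", "web01", "TA0006", "lsass memory read"),
    ("10:05", "web01", "TA0002", "powershell with encoded command"),
    ("11:14", "db02", "TA0008", "remote service created from web01"),
    ("10:09", "web01", "TA0003", "new scheduled task"),
]

def attack_chain(alerts):
    """Earliest alert per tactic, ordered by the tactic's place in the matrix."""
    earliest = {}
    for ts, host, tid, rule in alerts:
        if tid not in TACTICS:
            raise ValueError(f"unknown tactic id {tid}")
        if tid not in earliest or ts < earliest[tid][0]:
            earliest[tid] = (ts, host, rule)
    return [(tid, TACTICS[tid]) + earliest[tid]
            for tid in sorted(earliest, key=POSITION.__getitem__)]

def skipped_stages(alerts):
    """Tactics between the first and last observed stage that produced no alert.
    The attacker almost certainly passed through them, so they mark detection gaps."""
    seen = {tid for _, _, tid, _ in alerts}
    if not seen:
        return []
    lo, hi = min(POSITION[t] for t in seen), max(POSITION[t] for t in seen)
    return [name for tid, name in TACTICS.items()
            if lo < POSITION[tid] < hi and tid not in seen]

if __name__ == "__main__":
    for tid, name, ts, host, rule in attack_chain(ALERTS):
        print(f"{ts} {tid} {name:<22} {host:<6} {rule}")
    print("no detections for:", ", ".join(skipped_stages(ALERTS)))
```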
