Back to all videos

Overview on MITRE | ATT&CK Framework

By F5 DevCentral Community

Cybersecurity FrameworksThreat IntelligenceIncident Response
Share:

Key Concepts

  • MITER ATT&CK Framework: A globally recognized knowledge base of adversary tactics and techniques based on real-world observations.
  • Tactics: The why of an attack – the attacker’s objective. (e.g., Initial Access, Execution)
  • Techniques: The how of an attack – how an attacker achieves a tactical goal. (e.g., Phishing, Command Scripting Interpreter)
  • Sub-techniques: More granular details about exactly how a technique is implemented. (e.g., Spearphishing Link, Unique Shell)
  • MITER Enterprise ATT&CK Matrix: A visual representation of tactics and techniques, illustrating an attacker’s progression.
  • Lateral Movement: An attacker moving through a compromised network to access further systems and data.

Introduction to the MITER ATT&CK Framework

The MITER ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework is a non-profit organization’s globally recognized system for documenting attacker behavior during cyber attacks. Unlike focusing solely on vulnerabilities, MITER ATT&CK analyzes attacker actions throughout the entire attack lifecycle, aiding in improved defensive capabilities. The framework is structured around 14 tactics, encompassing 250 techniques and over 700 sub-techniques.

Understanding Tactics, Techniques, and Sub-techniques

Tactics define the attacker’s goals – what they are trying to achieve. Examples include Initial Access (gaining entry) and Execution (running malicious code). Techniques describe how the attacker attempts to reach those goals. For instance, Phishing and Command Scripting Interpreter are techniques used to achieve Execution. Sub-techniques provide the most specific detail, outlining the precise methods employed. Examples include Spearphishing Link and Unique Shell.

The MITER Enterprise ATT&CK Matrix visually represents these elements, displaying tactics sequentially from left to right to illustrate an attacker’s progression. This visualization assists security teams in understanding attack paths, identifying visibility gaps, and aligning detection and mitigation strategies. A table exists summarizing MITER tactics, techniques, and sub-techniques, and how FA (presumably F5) products address them across different attack stages. Common attacks observed in customer environments are also mapped to specific MITER ATT&CK tactics and techniques.

Incident Response Measures

When an attack occurs, key response measures include: removing compromised data and accounts, isolating impacted systems, initiating containment procedures, preserving logs for forensic analysis, and actively checking for lateral movement within the network.

MITER ATT&CK vs. OWASP

A frequent question arises regarding whether to utilize MITER ATT&CK or OWASP (Open Web Application Security Project) during an attack. The answer depends on the objective. MITER ATT&CK focuses on the entire attack lifecycle and attacker behavior, providing a holistic view. OWASP, conversely, concentrates on specific web application vulnerabilities. Therefore, if the goal is to understand the attack’s unfolding and potential future actions, MITER ATT&CK is the preferred choice. A response or mitigation plan, coupled with further attack analysis, is recommended in all cases, and MITER ATT&CK is a valuable tool for this.

Walkthrough Examples

Example 1: Execution (T1059)

The tactic of Execution involves attackers running malicious code. A specific technique within this tactic is Command and Scripting Interpreter (T1059), with the sub-technique Unique Shell (T1059.004). This involves executing malicious commands through a Linux shell. FA products – specifically Big IP, Engineix, and FI Distributed Cloud – can detect and mitigate this activity.

Example 2: Initial Access (T1189)

Initial Access focuses on how attackers initially gain entry into a system. Supply Chain Compromise (T1189) is a technique within this tactic, and Compromise Software Dependencies and Development Tools (T1189.001) is a corresponding sub-technique. FA solutions help reduce risk by enforcing security controls and providing visibility at critical points in the supply chain.

Resource Availability and Feedback Mechanisms

FI (again, presumably F5) field teams can access MITER ATT&CK documentation, including tactics and supported mitigations for products like Big IP, Engineix, and FI Distributed Cloud, through FI SharePoint. Feedback can be submitted directly through the SharePoint comment section.

Customers can find MITER-related information through articles on FI Dev Central. Questions and feedback can be posted in the article comment sections or directed to their local FIA (F5’s technical community) account teams.

Key Resources

Conclusion

The MITER ATT&CK framework provides organizations with a crucial understanding of attacker behavior and the complete attack lifecycle. FA solutions are closely aligned with MITER ATT&CK tactics and techniques, enabling effective defense and mitigation strategies. The framework’s comprehensive nature and detailed categorization empower security teams to proactively address threats and improve their overall security posture.

Chat with this Video

AI-Powered

Hi! I can answer questions about this video "Overview on MITRE | ATT&CK Framework". What would you like to know?

Chat is based on the transcript of this video and may not be 100% accurate.

Related Videos

Ready to summarize another video?

Summarize YouTube Video