MITRE ATT&CK

What is the MITRE ATT&CK framework?

The MITRE ATT&CK framework is a comprehensive, publicly available database that documents cyber attackers’ tactics, techniques and procedures (TTPs) in a standardized and detailed form. It is based on real observations from real attacks and is used worldwide to create a better understanding of the methods and goals of threat actors. IT decision-makers and security managers can use the framework to develop targeted defense measures and continuously improve existing security architectures. The framework is considered the universal “language” of cyber security as it provides a common basis for threat analysis and defense and is supported by a variety of tools and security solutions.

How is the ATT&CK framework structured?

The framework is organized in a matrix that shows the entire process of a cyberattack and is divided into different phases. These phases or categories are referred to as “tactics” and represent the attacker’s objectives in the different phases of an attack, such as Initial Access, Execution, Persistence and Privilege Escalation. Under each tactic are several techniques that describe exactly how attackers might accomplish their goals. Each technique gives a detailed insight into the methods attackers use to accomplish their tasks. This allows security teams to develop targeted defense strategies by understanding which techniques are used for specific tactics.

How can the ATT&CK framework be used in practice?

The ATT&CK framework has several practical use cases. It serves as a basis for threat detection and helps to prioritize defensive measures. Companies can use the framework to map their existing security measures onto the matrix, find the gaps, and develop targeted defense strategies. One example is threat hunting: here the framework guides the search for threat actors who may already have a foothold in company systems even though no active attack has been detected. The framework also supports the optimization of security policies and response plans, as it helps to create threat models based on specific attack scenarios. For training security teams, the framework provides valuable information on attack techniques that they can practice in simulated environments.

What tactics and techniques are included in the ATT&CK framework?

The framework includes a wide range of tactics and techniques that are continuously updated to reflect current threats. The tactics in the ATT&CK framework run from initial access to the system, through the execution of activities and the evasion of defenses (obfuscating that activity), to the final extraction of data or destruction of information. Examples of techniques include phishing (to gain initial access), credential dumping (to obtain credentials) and command-and-control channels (to maintain communication with a compromised system). Each company can select the techniques relevant to its risk and threat profile from the catalog and specifically check its own systems for them.
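As an added illustration of the tactic-to-technique structure described above and of the gap analysis mentioned under the practical use cases, the following Python script (written for this page; it is not MITRE's own tooling) models a small constructed subset of the Enterprise matrix using public tactic and technique IDs, maps a constructed inventory of detection rules onto it, and reports per-tactic coverage plus the uncovered techniques ranked by how many tactics each one serves. The rule names, the selection of techniques, and the `DetectionRule` type are assumptions made for the example; the full matrix is far larger and changes with every release.

```python
from dataclasses import dataclass

# Constructed subset of the ATT&CK Enterprise matrix (public tactic and
# technique IDs; the real matrix is far larger and changes with each release).
TACTICS = {
    "TA0001": "Initial Access",
    "TA0002": "Execution",
    "TA0003": "Persistence",
    "TA0004": "Privilege Escalation",
    "TA0005": "Defense Evasion",
    "TA0006": "Credential Access",
    "TA0011": "Command and Control",
}

# technique id -> (name, tactics it can serve). A technique may sit under more
# than one tactic, which is why the matrix is not a simple linear chain.
TECHNIQUES = {
    "T1566": ("Phishing", ("TA0001",)),
    "T1078": ("Valid Accounts", ("TA0001", "TA0003", "TA0004", "TA0005")),
    "T1059": ("Command and Scripting Interpreter", ("TA0002",)),
    "T1547": ("Boot or Logon Autostart Execution", ("TA0003", "TA0004")),
    "T1003": ("OS Credential Dumping", ("TA0006",)),
    "T1071": ("Application Layer Protocol", ("TA0011",)),
}


@dataclass(frozen=True)
class DetectionRule:
    """A detection the company already has, mapped to the technique IDs it covers (assumed type)."""
    name: str
    techniques: tuple


# Constructed inventory of existing detections; names are illustrative only.
RULES = (
    DetectionRule("Mail gateway: malicious attachment verdict", ("T1566",)),
    DetectionRule("EDR: LSASS memory read by non-system process", ("T1003",)),
    DetectionRule("Proxy: periodic beaconing to rare domain", ("T1071",)),
)


def validate_rules(rules, techniques=TECHNIQUES):
    """Return technique IDs referenced by rules that are not in the matrix (catches mapping typos)."""
    known = set(techniques)
    return sorted({t for r in rules for t in r.techniques if t not in known})


def coverage_by_tactic(rules, techniques=TECHNIQUES, tactics=TACTICS):
    """Map each tactic to (covered technique IDs, all technique IDs under that tactic)."""
    unknown = validate_rules(rules, techniques)
    if unknown:
        raise ValueError(f"rules reference unknown techniques: {unknown}")
    covered_ids = {t for r in rules for t in r.techniques}
    result = {tactic_id: (set(), set()) for tactic_id in tactics}
    for tech_id, (_, tactic_ids) in techniques.items():
        for tactic_id in tactic_ids:
            result[tactic_id][1].add(tech_id)
            if tech_id in covered_ids:
                result[tactic_id][0].add(tech_id)
    return result


def prioritized_gaps(rules, techniques=TECHNIQUES):
    """Techniques with no detection, ordered so that those serving the most
    tactics come first (one new detection closes several gaps), then by ID."""
    covered_ids = {t for r in rules for t in r.techniques}
    gaps = [(tid, name, tacs) for tid, (name, tacs) in techniques.items()
            if tid not in covered_ids]
    return sorted(gaps, key=lambda g: (-len(g[2]), g[0]))


def gap_report(rules, techniques=TECHNIQUES, tactics=TACTICS):
    """Human-readable summary: per-tactic coverage ratio, then the uncovered techniques."""
    lines = []
    coverage = coverage_by_tactic(rules, techniques, tactics)
    for tactic_id, (covered, total) in coverage.items():
        lines.append(f"{tactic_id} {tactics[tactic_id]:<22} {len(covered)}/{len(total)}")
    for tid, name, tacs in prioritized_gaps(rules, techniques):
        lines.append(f"GAP {tid} {name} (tactics: {', '.join(tacs)})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(gap_report(RULES))
```

With the constructed inventory, Initial Access shows 1/2 coverage, Credential Access and Command and Control 1/1, and the remaining tactics 0, while Valid Accounts (T1078) is listed as the first gap because it appears under four tactics. Ranking gaps by the number of tactics a technique serves is one simple way to turn the matrix into a prioritization, which is the practical use the page describes.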

How does the ATT&CK framework differ from other models such as the Cyber Kill Chain?

While the Cyber Kill Chain is a more linear model that describes the different phases of an attack from reconnaissance to execution, the ATT&CK framework provides a more detailed and flexible structure. The Cyber Kill Chain is useful for understanding attack sequences, but it often does not cover the variety of techniques that attackers may use. The ATT&CK framework, on the other hand, shows a detailed list of techniques and tactics that can build on each other or run in parallel, and can be easily adapted to the specifics of different attacks. The framework is modular and allows attack phases to be analyzed and defended independently of each other. This makes it particularly useful for modern, complex attacks that are dynamic and flexible.

How is the ATT&CK framework updated?

MITRE continuously updates the framework based on threat information from the real world. Researchers and analysts worldwide contribute to the development of the framework by identifying new attack techniques and observing cyber attackers. Regular updates ensure that the ATT&CK framework is always up to date and can cover threats that have developed in the real world. This ensures that companies can develop and adapt their defense strategies based on the latest information.

Is the ATT&CK framework available free of charge?

The ATT&CK framework is designed as an open resource and is accessible free of charge. Organizations, security researchers and experts, and government agencies around the world can use the framework without restriction to improve their security posture. This openness helps to strengthen global cyber security, as companies can design their measures based on a recognized, comprehensive standard.
