MITRE ATT&CK Fundamentals: A Practical Guide to Tactics, Techniques, and Procedures

Hey there, fellow threat hunters! 👋 Today we're looking at MITRE ATT&CK - a framework that's become essential for understanding and documenting cyber threats. Let's break down what it is and why it matters.

Understanding MITRE ATT&CK

MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. It's essentially a structured approach to documenting how attackers operate in the cyber domain.

MITRE ATT&CK Domains

MITRE ATT&CK actually covers three distinct domains, each focusing on different types of environments:

  1. Enterprise ATT&CK
    • Covers techniques used against traditional IT systems
    • Includes Windows, macOS, Linux, and cloud environments
    • This is what we'll focus on in this blog post
  2. Mobile ATT&CK
    • Specifically for iOS and Android devices
    • Includes techniques unique to mobile environments
    • Covers both network and device-based attacks
  3. ICS ATT&CK
    • Industrial Control Systems and operational technology
    • Focuses on industrial environments like manufacturing and utilities
    • Includes techniques targeting SCADA systems and PLCs

While these domains share some common concepts, each has its own unique tactics and techniques that reflect the specific challenges and vulnerabilities of its environment. For this blog post, we'll focus on Enterprise ATT&CK, as it's the most widely used and forms the foundation for understanding the framework.

Breaking Down TTPs

The framework is built around three core concepts: Tactics, Techniques, and Procedures. Let's examine each:

Overview of an exemplary technique: Command and Scripting Interpreter: PowerShell

Tactics

MITRE ATT&CK: Enterprise tactics

These represent the adversary's technical goals - what they're trying to achieve at each stage of an attack. While the circular diagram shows all the major tactics in MITRE ATT&CK, the actual attack sequence typically follows a more linear progression. A common attack chain might look like this:

  1. Reconnaissance → Initial Access → Execution
  2. Then depending on the attacker's goals:
    • Establish Persistence to maintain access
    • Attempt Privilege Escalation to gain more rights
    • Use Defense Evasion to avoid detection
    • Perform Discovery to understand the environment
    • Move Laterally to reach other systems
    • Collect and Exfiltrate data
    • Finally, create Impact

While these tactics often flow in this kind of progression during an attack, each tactic represents its own distinct set of techniques and procedures. This modular structure allows security teams to study, detect, and defend against specific tactics whether they appear as part of a larger attack chain or as isolated incidents.

Techniques

Techniques are the specific methods attackers use to achieve their tactical goals. Each tactic has multiple associated techniques, providing a comprehensive view of how attackers operate. For example, under the "Initial Access" tactic, you might find techniques like:

Each technique is assigned a unique identifier (like T1566) and comes with detailed documentation including detection methods, mitigation strategies, and real-world examples of its use. This standardized structure helps security teams map their defenses against specific attack methods.

Subtechniques

Subtechniques provide more specific descriptions under their parent techniques. Think of them as specialized variations. For example, under the technique "Phishing" (T1566), we find subtechniques like:

This hierarchical structure helps us understand both the general approach (phishing) and the specific method used (attachment-based phishing).

Procedures

Procedures are the detailed implementations of techniques - the specific tools, malware, or steps used in an actual attack. These provide the concrete details that distinguish one threat actor from another.

Procedure Examples

MITRE ATT&CK documents real-world examples of how threat actors have used specific techniques. These procedure examples are invaluable because they show us exactly how attacks happen in the wild. Let's break this down with an example:

  • Tactic: Initial Access
  • Technique: T1566 (Phishing)
  • Procedure Examples:
    • APT28 using specially crafted PDF files containing malicious JavaScript
    • FIN7 deploying malware through phishing emails with macro-enabled Word documents
    • Another group using LinkedIn messages with malicious links

The same technique (phishing) is implemented differently by each group, with unique tools, malware, and methodologies. Understanding these procedures helps identify specific threat actors and predict their likely next moves.

Groups (Threat Actors)

Overview of an exemplary group: APT28

MITRE ATT&CK maintains detailed profiles of known threat groups, often referred to as APTs (Advanced Persistent Threats) or threat actors. Each group profile includes:

  • Known aliases and alternative names
  • Observed techniques and procedures
  • Targeted industries or regions
  • Attribution information (when available)

For example:

  • APT28 (also known as Fancy Bear):
    • Associated with Russian state-sponsored operations
    • Known for targeting government and military organizations
    • Frequently uses techniques like T1566.001 (Spearphishing Attachments) and T1059.003 (Windows Command Shell)

Understanding these groups helps us:

  • Predict potential attack patterns based on historical behavior
  • Prioritize defenses based on relevant threat actors
  • Identify patterns that might indicate which group is behind an attack

Group-to-Technique Mapping

One of MITRE ATT&CK's strengths is its mapping between groups and techniques. This tells us:

  • Which techniques are most commonly used by specific threat actors
  • How different groups might target similar objectives using different techniques
  • Trends in attack patterns across different threat actors

If you're curious about working with this group data programmatically, check out Part 2 of our Python series where we map relationships between techniques and groups.
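To make the sub-technique hierarchy and the group-to-technique mapping concrete, here is an added Python example (not code from this post or its tutorial series, and not using the attackcti library) that walks a constructed mini-bundle laid out like the ATT&CK STIX export: it pulls ATT&CK IDs out of `external_references`, rolls sub-techniques up to their parent, and builds the group → technique map from `uses` relationships. The bundle contents and object ids are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed mini-bundle in the shape of an ATT&CK STIX 2.1 export (ids shortened; real
# exports use UUIDs). Technique IDs and group names are those cited in the post.
BUNDLE = {"objects": [
    {"type": "attack-pattern", "id": "attack-pattern--1", "name": "Phishing",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1566"}]},
    {"type": "attack-pattern", "id": "attack-pattern--2", "name": "Spearphishing Attachment",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1566.001"}]},
    {"type": "attack-pattern", "id": "attack-pattern--3", "name": "Windows Command Shell",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1059.003"}]},
    {"type": "intrusion-set", "id": "intrusion-set--1", "name": "APT28", "aliases": ["Fancy Bear"]},
    {"type": "intrusion-set", "id": "intrusion-set--2", "name": "FIN7", "aliases": []},
    {"type": "relationship", "relationship_type": "uses", "source_ref": "intrusion-set--1", "target_ref": "attack-pattern--2"},
    {"type": "relationship", "relationship_type": "uses", "source_ref": "intrusion-set--1", "target_ref": "attack-pattern--3"},
    {"type": "relationship", "relationship_type": "uses", "source_ref": "intrusion-set--2", "target_ref": "attack-pattern--2"},
]}
ATTACK_ID = re.compile(r"^T\d{4}(\.\d{3})?$")  # T1566 (technique) or T1566.001 (sub-technique)

def attack_id(obj):
    """ATT&CK ID from an object's external references (only the 'mitre-attack' source counts)."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack" and ATTACK_ID.match(ref.get("external_id", "")):
            return ref["external_id"]
    return None

def parent_id(tech_id):
    """T1566.001 -> T1566; a parent technique maps to itself."""
    return tech_id.split(".")[0]

def group_techniques(bundle):
    """Group name -> sorted technique IDs it 'uses': the group-to-technique mapping."""
    objs = {o["id"]: o for o in bundle["objects"] if "id" in o}
    out = defaultdict(set)
    for o in bundle["objects"]:
        if o["type"] != "relationship" or o["relationship_type"] != "uses":
            continue
        src, tgt = objs.get(o["source_ref"]), objs.get(o["target_ref"])
        if src and tgt and src["type"] == "intrusion-set" and tgt["type"] == "attack-pattern":
            tid = attack_id(tgt)
            if tid:  # skip attack-patterns that carry no mitre-attack ID
                out[src["name"]].add(tid)
    return {g: sorted(v) for g, v in out.items()}

def shared_techniques(bundle, a, b):
    """Techniques two groups have in common, compared at the parent-technique level."""
    gt = group_techniques(bundle)
    return sorted({parent_id(t) for t in gt.get(a, [])} & {parent_id(t) for t in gt.get(b, [])})
```

Comparing at the parent level is what lets you say "both groups use Phishing" even when their sub-techniques differ, which is the kind of overlap the mapping above is meant to surface.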

Why MITRE ATT&CK Matters

  1. Standardized Documentation: The framework provides a common language for describing threat behavior, making it easier to communicate across teams and organizations.
  2. Actionable Intelligence: Instead of abstract threat descriptions, MITRE ATT&CK offers specific, documented techniques that can be monitored and defended against.
  3. Strategic Defense Planning: Understanding common attack patterns helps organizations prioritize their security controls and investments.

Implementation Guidelines

  1. Focus on Relevance: Start by identifying the tactics and techniques most relevant to your environment and industry.
  2. Maintain Currency: The framework is regularly updated. Keep your knowledge and defenses aligned with new additions.
  3. Use Proactively: Incorporate the framework into your security planning and assessment processes.

Academic and Research Value

One of MITRE ATT&CK's strongest features is its commitment to thorough documentation and references. Every technique, group, and procedure example includes:

  • Citations to original research
  • Links to academic papers and technical reports
  • References to real-world incidents
  • Cross-references to other security frameworks

This detailed referencing makes MITRE ATT&CK particularly valuable for:

  • Academic research into cyber threats
  • Threat intelligence analysis
  • Writing security whitepapers
  • Documenting incident response findings

For example, if you look up technique T1566.001 (Spearphishing Attachment), you'll find links to academic papers studying phishing campaigns, reports from security vendors who discovered specific attacks, and detailed write-ups of incident responses where this technique was used.

This approach means you can:

  • Trace information back to its original sources
  • Verify claims with referenced research
  • Build upon existing knowledge for new research
  • Support your own findings with established documentation

Conclusion

MITRE ATT&CK provides a systematic approach to understanding and defending against cyber threats. While it may seem complex initially, its practical value in improving security operations makes it worth the investment in learning and implementation.

Want to Get Practical?

If you're interested in working hands-on with MITRE ATT&CK data, check out our Python tutorial series:

  1. Part 1: Getting Started. Learn how to fetch and process MITRE ATT&CK data using Python and the attackcti library.
  2. Part 2: Mapping Relationships. Discover how to connect techniques with groups and mitigations, building a comprehensive threat intelligence picture.
  3. Part 3: Visualization and Analysis. See how to create meaningful visualizations of your MITRE ATT&CK data using the Navigator.

These tutorials will take you from understanding the framework to actually working with it programmatically - because reading about MITRE ATT&CK is good, but building tools with it is better.

Stay safe, and happy hunting! 🕵️‍♂️