ATT&CK

The Adversarial Tactics, Techniques, and Common Knowledge or MITRE ATT&CK is a guideline for classifying and describing cyberattacks and intrusions. It was created by the Mitre Corporation and released in 2013.^[1]

Rather than looking at the results of an attack (aka an indicator of compromise (IoC)), it identifies tactics that indicate an attack is in progress. Tactics are the “why” of an attack technique.

The framework consists of 14 tactics categories consisting of "technical objectives" of an adversary.^[2] Examples include privilege escalation and command and control.^[3] These categories are then broken down further into specific techniques and sub-techniques.^[3]

The framework is an alternative to the cyber kill chain developed by Lockheed Martin.^[3]

ATT&CK Matrix for Enterprise

The ATT&CK Matrix for Enterprise is a comprehensive framework that is presented as a kanban board-style diagram.^[4] It defines 14 categories of tactics, techniques and procedures (TTPs) used by cybercriminals with the associated techniques and sub-techniques.

Category	Description	Techniques
Reconnaissance	Gathering information about a target.	10
Resource Development	Identifying and acquiring resources for the attack.	8
Initial Access	Gaining initial access to a system or network.	10
Execution	Running malicious code on a system.	14
Persistence	Maintaining access to a system or network.	20
Privilege Escalation	Obtaining elevated privileges within a system or network.	14
Defense Evasion	Disabling or evading security measures.	43
Credential Access	Obtaining credentials to access systems or data.	17
Discovery	Identifying additional systems or information within a network.	32
Lateral Movement	Moving laterally within a compromised network.	9
Collection	Collecting data from compromised systems.	10
Command and Control	Establishing communication with compromised systems.	17
Exfiltration	Transferring stolen data from a compromised system.	9
Impact	Taking actions to achieve the attacker's objectives.	14

Reconnaissance

Reconnaissance is the initial stage of information gathering for an eventual cyberattack.^[5]

There are 10 techniques – including the use of network scanning, social engineering and Open-source intelligence (OSINT).

MITRE ID	Techniques	Summary
T1595	Active Scanning	Active reconnaissance by scanning the target network using a port scanning tool such as Nmap, vulnerability scanning tools and wordlist scanning for common file extensions and software used by the victim.
T1598	Phishing for Information	Using social engineering techniques to elicit useful information from the target. Using a communication channel such as e-mail, including generic phishing and targeted spearphishing which has been specifically created to target an individual victim
T1592	Gather Victim Host Information	Discover the configuration of specific endpoints such as their hardware, software and administrative configuration (such as Active Directory domain membership). Especially security protections such as antivirus and locks (biometric, smart card or even a Kensington K-Slot).
T1590	Gather Victim Network Information	Discover the target network's configuration such as the network topology, security appliances (network firewall, VPN), IP address ranges (either IPv4, IPv6 or both), fully qualified domain names (FQDN) and the Domain Name System (DNS) configuration.