Section 3: The ATTACK Model

Section 3: The ATT&CK Model
Section 3.1: The ATT&CK Matrix
Section 3.2: Technology Domains
Section 3.3: Tactics
Section 3.4: Techniques and Sub-Techniques
Section 3.5: Groups

Section 3: The ATT&CK Model

ATT&CK is a knowledge base of adversarial techniques. However, unlike prior work in this area, the focus isn't on the tools and malware that adversaries use but on how they interact with systems during an operation.

Helpful Link: What is ATT&CK

Section 3.1: The ATT&CK Matrix

The ATT&CK Matrix is a visual representation of the relationship between tactics and techniques.

ATT&CK Matrix MITRE ATT&CK Matrix Website

Persistence - an adversary is trying to keep their foothold.

The Persistence column, shows that there are 20 techniques that an attacker may use to attempt to gain persistence in an environment.

ATT&CK Matrix persistence column See All Techniques

Some techniques break down into sub-techniques; when reviewing the first technique, Account Manipulation, you'll find six listed sub-techniques.

Account Maipulation from ATT&CK Matrix

To learn more about each sub-techniques click here here

Section 3.2: Technology Domains

Technology Domain - a specific area or aspect of technology that adversaries interact with or exploit during their operations.

Platform - the system an adversary is operating within.

MITRE has defined three technology domains and these domains have platforms attached to them:

  1. Enterprise (traditional enterprise networks and cloud technologies) - Linux, macOS, Windows, AWS, Azure, GCP, SaaS, Office 365, Azure AD
  2. Mobile - Android, iOS
  3. Industrial Control Systems (ICS)

Section 3.3: Tactics

Tactics answers the "why" question of an attack technique, explaining the adversary's objective for performing an action.

Each technique (for example, the persistence column above) or sub-technique, (for example, account manipulation) is associated or tagged with one or more tactic categories depending on the intended outcomes achievable using a particular method. A definition is provided for each Tactic, describing the category it falls under; this definition works as a guide for what techniques should be under the Tactic.

Account Maipulation definition from ATT&CK Matrix

Section 3.4: Techniques and Sub-Techniques

Using the Additional Cloud Credentials example, an adversary can create new cloud service accounts or add new credentials to existing accounts to keep access to cloud resources even if the original access credentials are revoked.

Section 3.4.1: Procedures

Procedures refer to adversaries' step-by-step actions using specific techniques or sub-techniques to achieve their goals.

For example, APT 13 creates accounts for local administrator groups to maintain elevated access. (Procedures can fall under multiple techniques and sub-techniques.)

Account Maipulation definition from ATT&CK Matrix

Section 3.4.2: Techniques and Sub-Technique Object Structure

  • A field explains how a technique or sub-technique works. The field includes any details that can help understand its uses and implications. This information can include descriptions of how adversaries might use the technique, potential indicators of its use, or any other relevant details that do not fit into more structured data types.
  • Data Source- where the data is obtained or collected for processing, analysis, or reporting.

The terms below are sections and essential information for each technique and sub-technique.

Always Required:
  1. Name
  2. ID
  3. Sub-Techniques
  4. Tactic
  5. Description
  6. Platform
  7. Version
  8. Detection
  9. Data Source
Account Maipulation always required breakdown
Account Maipulation detection Account Manipulation
Required If Available:
  1. Mitigation
Account Maipulation always required breakdown View Larger Image
Required for Sub-techniques under Privilege Escalation:
  1. Permissions Required
  2. Effective Permissions
Account Maipulation always required breakdown View Larger Image
Defensive Evasion Requirement

"If the (sub-)technique can be used to bypass or evade a particular defensive tool, methodology, or process then the defense bypassed is required to be listed."

Account Maipulation always required breakdown View Larger Image
  1. Link to the Common Attack Pattern Enumeration and Classification ID(CAPEC ID)
  2. List of non-MITRE individuals and organizations that contributed information from the first to the most recent.

  3. contributor list for account manipulation

    List of contributors for Account Manipulation

  4. The procedure example field provides concrete examples of how specific adversary groups or types of software, such as malware and tools that, have been used in real-world scenarios.

  5. contributor list for account manipulation

    Procedure Examples for Account Manipulation

Optional Execution Sub-Techniques Information
  1. System Requirments: Additional information on requirements the adversary needs to meet for an effective attack or about the state of the system, such as software and patch level that may be required for the sub-technique to work, can be listed under system requirements.
  2. Supports Remote:Whether the sub-technique enables the execution of actions on a system from a remote location.

Section 3.4.3: Sub-Technique Details

Before the addition of sub-techniques in 2020, techniques varied significantly in coverage, with some techniques containing a wide range of behaviors and others scarcely focused on. This inconsistency made the framework challenging to navigate and apply uniformly.

MITRE list the goals they wished to achieve as

  • "Make the abstraction level of techniques similar across the knowledge base."
  • "Reduce the number of techniques to a manageable level"
  • "Provide a structure to allow sub-techniques to be added easily that would decrease theneed to make changes to techniques over time"
  • "Demonstrate that techniques are not shallow and can have many ways they can be performed that should be considered"
  • "Simplify the process for adding new technology domains to ATT&CK that use overlapping techniques"
  • "Enable more detailed data sources and descriptions for how a behavior can be observed on specific platforms"
  1. While a technique may align with multiple tactics, the sub-techniques do not have to apply to all those tactics. For example, a sub-technique under "Process Injection" could also apply to "Defense Evasion" but does not have to apply to any other tactics.
  2. ATT&CK does not require that every technique have sub-techniques.
  3. Example: Multi-Factor Authentication Interception

    Please note that this example is listed as Two-Factor Authentication Interception in the official MITRE ATT&CK®: Design and Philosophy document.Transition to using Multi-Factor Authentication Interception addresses that more than two of the authentication five authentication factors.
    1. Something you are
    2. Something you know
    3. Something you have
    4. Somewhere you are
    5. Something you do
  4. Sub-techniques can be platform-specific, but not all sub-techniques are. For example, network communications may not be because of the platform-agnostic nature of these techniques.
  5. If specific information associated with sub-techniques is considered relevant to the parent technique the information will up to the parent technique.
  6. When information relevant to sub-techniques also applies to the overarching technique, it will be incorporated into the guidance of the parent technique. For instance, the recommendation to use multi-factor authentication to mitigate against the Additional Cloud Credentials sub-technique is equally effective in preventing Account Manipulation efforts.

Section 3.5: Groups

"Groups are activity clusters that are tracked by a common name in the security community."- MITRE

ATT&CK focuses primarily on Advance Persistent Threat (APT) groups, example: APT 19but can also include other advanced groups, example: FIN10.

Section 3.5.1: Groups Object Structure

ATT&CK Group Model

  1. Name
  2. ID
  3. Version
  4. Description
  5. Techniques / SubTechniques Used*
  6. Required groups example View Larger Image

  7. Associated Groups
  8. Contributor
  9. Associated Group Descriptions
  10. Software
Required groups example View Larger Image
Required groups example software View Larger Image

Coming Soon:

Section 3.6:Software

Section 3.6.1:Software Object Structure

Section 3.7:Mitigations

Section 3.7.1: Mitigation Object Structure

Section 3.8: ATT&CK Object Model Relationships

Section 3.9: Versioning

Section 3.9.1: Objects

Section Techniques and Sub-Techniques
Section Groups
Section Software
Section Matrix
Section Releases

"Additional Information: "The scope of ATT&CK also expands beyond technology domains with PRE-ATT&CK. PREATT&CK covers documentation of adversarial behavior during requirements gathering, reconnaissance, and weaponization before access to a network is obtained." - MITRE