What is ATTACK
What is ATT&CK?
ATT&CK is a knowledge base of adversary tactics and techniques built from real-world observations. Unlike earlier work in this area, the focus is not on the tools and malware adversaries use but on how they interact with systems during an operation, which changes far more slowly than indicators such as hashes, domains or tool names.
Addresses Four Main Issues:
- Adversary Behavior - describing how adversaries act rather than cataloguing indicators, so that detections and defenses can be built around behavior.
- Lifecycle Models - earlier lifecycle and kill-chain models are too high-level to tie individual adversary actions to specific defenses.
- Applicability to real environments - TTPs must be grounded in incidents actually observed in the wild, not in hypothetical attacks.
- Common taxonomy - TTPs must be comparable across different types of adversary groups using the same terms.
ATT&CK categorizes various techniques under different tactics to help explain and add context for the technique.
Vocabulary Terms
Tactics - answer the "why" of an attack technique: the adversary's objective in performing an action. The Enterprise matrix has fourteen, listed here roughly in the order an intrusion unfolds:
- Reconnaissance - gathering information to plan future operations.
- Resource Development - establishing resources (infrastructure, accounts, capabilities) that can support operations.
- Initial Access - trying to get into your network.
- Execution - attempting to run malicious code.
- Persistence - trying to keep a foothold across restarts and credential changes.
- Privilege Escalation - attempting to gain higher-level permissions.
- Defense Evasion - attempting to avoid being detected.
- Credential Access - trying to steal account names and passwords.
- Discovery - exploring and gaining knowledge of the environment.
- Lateral Movement - attempting to move through your environment.
- Collection - gathering data of interest to the adversary's goal.
- Command and Control - communicating with compromised systems to control them.
- Exfiltration - attempting to steal data.
- Impact - attempting to manipulate, interrupt or destroy systems and data.
Techniques
Techniques describe how an adversary accomplishes a tactical goal by performing a specific action; they answer the "how". Techniques can also answer "what" by describing what an adversary gains by performing the action. A single technique can serve more than one tactic (Process Injection, for example, is listed under both Defense Evasion and Privilege Escalation), and many techniques are broken down further into sub-techniques.
ATT&CK Matrix
The ATT&CK Matrix is a visual representation of the relationship between tactics and techniques: each column is a tactic, and the cells beneath it are the techniques that can achieve that tactic's objective. A technique that serves more than one tactic appears in each of those columns.
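As an added illustration (not part of the original page, and not MITRE's own tooling), the following Python builds a tactic-to-technique matrix from ATT&CK-style STIX 2.1 objects and then compares two groups' technique sets, which is the kind of cross-group comparison the common taxonomy above makes possible. The object layout (attack-pattern with kill_chain_phases, intrusion-set, and "uses" relationships) mirrors the attack-stix-data format MITRE publishes, but the bundle here is a small constructed sample: the technique IDs and names are real, while the two group names and all STIX ids are made up.

```python
"""Tactic/technique matrix and cross-group comparison over ATT&CK-style STIX objects.

Added example: the layout follows MITRE's attack-stix-data format, but the objects
below are a constructed sample. Technique IDs/names are real; groups and STIX ids
are made up.
"""
from collections import defaultdict

# Column order of the Enterprise matrix, as the phase_name values used in the STIX data.
TACTIC_ORDER = [
    "reconnaissance", "resource-development", "initial-access", "execution",
    "persistence", "privilege-escalation", "defense-evasion", "credential-access",
    "discovery", "lateral-movement", "collection", "command-and-control",
    "exfiltration", "impact",
]

def _technique(tid, name, *tactics):
    """Build an attack-pattern object laid out like attack-stix-data (constructed STIX id)."""
    return {
        "type": "attack-pattern",
        "id": f"attack-pattern--{tid.lower()}",
        "name": name,
        "external_references": [{"source_name": "mitre-attack", "external_id": tid}],
        "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": t} for t in tactics],
    }

def _uses(group_ref, tid):
    """Build a 'uses' relationship from an intrusion-set to a technique (constructed id)."""
    return {
        "type": "relationship", "id": f"relationship--{group_ref}-{tid.lower()}",
        "relationship_type": "uses", "source_ref": group_ref,
        "target_ref": f"attack-pattern--{tid.lower()}",
    }

# Constructed sample bundle: real technique IDs, fictional groups.
SAMPLE_OBJECTS = [
    _technique("T1566", "Phishing", "initial-access"),
    _technique("T1059", "Command and Scripting Interpreter", "execution"),
    _technique("T1055", "Process Injection", "defense-evasion", "privilege-escalation"),
    _technique("T1003", "OS Credential Dumping", "credential-access"),
    _technique("T1021", "Remote Services", "lateral-movement"),
    _technique("T1041", "Exfiltration Over C2 Channel", "exfiltration"),
    {"type": "intrusion-set", "id": "intrusion-set--alpha", "name": "Group Alpha"},
    {"type": "intrusion-set", "id": "intrusion-set--beta", "name": "Group Beta"},
    *[_uses("intrusion-set--alpha", t) for t in ("T1566", "T1059", "T1003", "T1021")],
    *[_uses("intrusion-set--beta", t) for t in ("T1566", "T1055", "T1021", "T1041")],
]

def attack_id(obj):
    """Return the ATT&CK ID (e.g. T1055) from an object's mitre-attack external reference."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref["external_id"]
    return None

def build_matrix(objects):
    """Map each tactic to the sorted technique IDs under it.

    A technique with several kill_chain_phases lands under every tactic it serves,
    just as it occupies more than one column of the ATT&CK Matrix.
    """
    matrix = defaultdict(set)
    for obj in objects:
        if obj["type"] != "attack-pattern":
            continue
        for phase in obj.get("kill_chain_phases", []):
            if phase.get("kill_chain_name") == "mitre-attack":
                matrix[phase["phase_name"]].add(attack_id(obj))
    return {tactic: sorted(ids) for tactic, ids in matrix.items()}

def group_techniques(objects):
    """Map each intrusion-set name to the set of technique IDs it is recorded as using."""
    by_id = {o["id"]: o for o in objects}
    uses = defaultdict(set)
    for obj in objects:
        if obj["type"] != "relationship" or obj["relationship_type"] != "uses":
            continue
        src, tgt = by_id.get(obj["source_ref"]), by_id.get(obj["target_ref"])
        if src and tgt and src["type"] == "intrusion-set" and tgt["type"] == "attack-pattern":
            uses[src["name"]].add(attack_id(tgt))
    return dict(uses)

def compare_groups(uses, a, b):
    """Return (shared, only_a, only_b) technique ID lists: same terms, so directly comparable."""
    return sorted(uses[a] & uses[b]), sorted(uses[a] - uses[b]), sorted(uses[b] - uses[a])

def render_matrix(matrix):
    """Render the matrix one tactic per line, in matrix column order (empty columns stay visible)."""
    return "\n".join(f"{t:<22}{', '.join(matrix.get(t, []))}" for t in TACTIC_ORDER)

if __name__ == "__main__":
    print(render_matrix(build_matrix(SAMPLE_OBJECTS)))
    shared, only_a, only_b = compare_groups(group_techniques(SAMPLE_OBJECTS), "Group Alpha", "Group Beta")
    print("shared:", shared, "| Alpha only:", only_a, "| Beta only:", only_b)
```

Against the real dataset you would replace SAMPLE_OBJECTS with the objects array of MITRE's enterprise-attack STIX bundle; the functions stay the same, since they key only on the kill_chain_name, source_name and relationship_type fields that bundle uses. Note that T1055 appears under both defense-evasion and privilege-escalation, which is why a set-based comparison of groups should key on technique IDs rather than on matrix cells.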
* Title uses Mitre ATTACK instead of MITRE ATT&CK due to template url limitations.