
What is the MITRE Matrix?


    What is MITRE ATT&CK?

    The MITRE ATT&CK® Framework is a security framework that provides comprehensive, up-to-date cyberthreat intelligence that can help organizations protect themselves against cyber risks.

    MITRE has developed a matrix that maps out tactics, techniques, and procedures, which can help security teams monitor and analyze the security events they detect.

    There are three main MITRE Matrixes: Enterprise ATT&CK, which includes 14 tactics attackers can use to infiltrate organizations, Mobile ATT&CK, with 14 tactics attackers can use to compromise mobile applications, and ICS ATT&CK, with 12 tactics used to attack Industrial Control Systems. 

    About this Explainer:

    This content is part of a series about MITRE ATT&CK.

    Recommended Reading: UEBA (User and Entity Behavior Analytics): Complete Guide.


    MITRE Matrix Types 

    Enterprise ATT&CK Matrix

    ATT&CK for Enterprise provides a model that details what cyber attackers can do to infiltrate corporate networks and achieve their goals once inside. It helps organizations prioritize their cyber defenses and focus on the threats that pose the greatest risk to their particular business.

    The matrix has specific tactics and techniques attackers use to infiltrate different environments, including networks, operating systems like Windows, macOS, and Linux, SaaS applications like Office 365 or Google Workspace, public cloud systems, or identity services like Azure AD.

    There are currently 14 tactics in this matrix, shown below.

    • Reconnaissance
    • Resource Development
    • Initial Access
    • Execution
    • Persistence
    • Privilege Escalation
    • Defense Evasion
    • Credential Access
    • Discovery
    • Lateral Movement
    • Collection
    • Command and Control
    • Exfiltration
    • Impact

    Mobile ATT&CK Matrix

    The Mobile ATT&CK Matrix describes tactics and techniques used to compromise iOS and Android mobile devices. ATT&CK for Mobile draws on NIST’s Mobile Threat Catalogue and is designed around the characteristics of current mobile devices and their vulnerabilities.

    Mobile ATT&CK includes 12 tactics and 100+ techniques attackers use against mobile devices. The matrix also lists network-based effects: tactics and techniques that can be used without access to the physical device.

    There are currently 14 tactics in this matrix, shown below.

    • Initial Access
    • Execution
    • Persistence
    • Privilege Escalation
    • Defense Evasion
    • Credential Access
    • Discovery
    • Lateral Movement
    • Collection
    • Command and Control
    • Exfiltration
    • Impact
    • Network Effects
    • Remote Service Effects

    ICS ATT&CK Matrix

    This matrix is similar to Enterprise ATT&CK, except that it covers industrial control systems (ICS) such as power grids, factories, manufacturing plants, and other industrial environments. These systems rely on interconnected machines, devices, sensors, and networks.

    The matrix describes the lifecycle of an attack against ICS and gives, for each tactic and technique that may be used in an attack, a detailed technical description, its goals, detection methods, and how to mitigate and respond to it.

    There are currently 12 tactics in this matrix, as shown below.

    • Initial Access
    • Execution
    • Persistence
    • Privilege Escalation
    • Evasion
    • Discovery
    • Lateral Movement
    • Collection
    • Command and Control
    • Inhibit Response Function
    • Impair Process Control
    • Impact

    The MITRE ATT&CK Matrix: Tactics and Techniques 

    The MITRE ATT&CK knowledge base is rapidly growing as one of the most established and frequently cited security resources for cybersecurity professionals. It is commonly used for SOC, CERT, CTI, and penetration testing, and is cited in many cyberthreat publications.

    One of the key benefits of this framework is that security professionals from different backgrounds can communicate using a common language built around a regularly updated and evolving repository of tactics, techniques, and procedures (TTPs).

    Tactics are the most important component of the ATT&CK framework. They provide the reasoning or technical objectives behind a threat technique. These are the tactical objectives of the threat actor — they explain why the attacker initiates a specific offensive action. Tactics used by attackers can include actions like “discover,” “move laterally,” “execute files,” or “persist in the network.”

    MITRE ATT&CK techniques, grouped under tactics, are the specific technical operations attackers can use to achieve the objective described by the tactic.

    Learn more:

    Read our detailed explainer about MITRE ATT&CK framework.


    MITRE Matrix Use Cases 

    MITRE Matrixes are a knowledge base of attacker behavior, and every use of a Matrix draws on that knowledge. Matrixes can be used for the following purposes:

    • Penetration testing – cybersecurity researchers can use information in the Matrix to replicate and interpret attack techniques. Penetration testers can then use available tools to carry out specific techniques and identify if an organization is vulnerable to them.
    • Red team – security teams can use the Matrix to find ways to attack the organization in a training exercise. This can be used to simulate attacks by criminal groups, test the defenses implemented by organizations, or train other teams in defensive techniques. The Matrix also provides a common language that ensures understanding between the organization and the red team when planning actions that may affect production systems.
    • Anomaly detection and threat hunting – by understanding and codifying the behavior of other previous attacks, actors, or groups of cybercriminals, security tools and the experts who use them can associate specific indicators of compromise (IoCs) with known exploits or typical behavior of a particular attacker.
    • Build defensive countermeasures – knowledge gained from attacks allows security teams to deploy more sophisticated defensive solutions to deter possible attack behavior. Security tools such as firewalls or intrusion detection systems (IDS) can directly consume data from the MITRE Matrix and use it to block specific malicious activities.

    Tips from the expert

    Steve Moore

    Steve Moore is Vice President and Chief Security Strategist at Exabeam, helping drive solutions for threat detection and advising customers on security programs and breach response. He is the host of “The New CISO Podcast,” a Forbes Tech Council member, and Co-founder of TEN18 at Exabeam.

    In my experience, here are tips that can help you better leverage the MITRE ATT&CK framework for improving your security posture:

    Apply ATT&CK to adversary emulation exercises
    Use ATT&CK to structure adversary emulation or red team exercises. By modeling adversary behavior, you can test your defenses against real-world attack techniques, ensuring a proactive security posture.

    Map MITRE ATT&CK techniques to existing security tools
    Ensure your security tools, such as firewalls, IDS, and SIEMs, are mapped to specific MITRE ATT&CK techniques. This allows you to detect, log, and respond to adversary behaviors across the attack lifecycle.

    Use ATT&CK for cross-functional communication
    The ATT&CK framework provides a common language for security teams. Leverage it to align efforts between red teams, blue teams, and executives, ensuring clarity when communicating threats, risks, or testing outcomes.

    Develop use case-specific threat detection
    Tailor your threat detection strategies by focusing on the most relevant techniques and tactics based on your organization’s threat landscape. For example, if your organization is frequently targeted by phishing, prioritize techniques around credential access and initial access.

    Automate detection rules based on ATT&CK techniques
    Use the ATT&CK framework to build automated rules in your SIEM or XDR to detect specific attack techniques. For example, set up alerts for lateral movement techniques like “Remote Services (T1021)” to detect unauthorized internal access.
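    As an added example (not Exabeam's code or the framework's own data), the two tips above about mapping tools to techniques and automating rules can be combined in a few lines of Python: each detection rule is tagged with an ATT&CK technique and tactic, the rules run over constructed log lines, and the 14-tactic Enterprise list from this page is used to report which tactics still have no rule at all. Rule names, thresholds and events are hypothetical; T1021 is the ID quoted in the tips, and T1110 (Brute Force) and T1078 (Valid Accounts) are real ATT&CK IDs chosen for illustration.

```python
from dataclasses import dataclass
from typing import Callable

# The 14 Enterprise ATT&CK tactics listed on this page, in matrix order.
ENTERPRISE_TACTICS = [
    "Reconnaissance", "Resource Development", "Initial Access", "Execution", "Persistence",
    "Privilege Escalation", "Defense Evasion", "Credential Access", "Discovery",
    "Lateral Movement", "Collection", "Command and Control", "Exfiltration", "Impact"]

@dataclass
class Rule:
    name: str
    technique: str                      # ATT&CK technique ID the rule is mapped to
    tactic: str                         # Enterprise tactic that technique falls under
    predicate: Callable[[dict], bool]   # fires on a parsed event

def parse(line: str) -> dict:
    """Split a constructed 'timestamp key=value ...' log line into a dict."""
    ts, *pairs = line.split()
    return {"ts": ts, **dict(p.partition("=")[::2] for p in pairs)}

# Hypothetical rules: T1021 is the ID named in the tips; T1110 and T1078 are real IDs added here.
RULES = [
    Rule("rdp-workstation-to-server", "T1021", "Lateral Movement",
         lambda e: e.get("proto") == "rdp" and e.get("src", "").startswith("10.20.")
         and e.get("dst", "").startswith("10.10.")),
    Rule("logon-failure-burst", "T1110", "Credential Access",
         lambda e: e.get("event") == "logon_failure" and int(e.get("count", "0")) >= 20),
    Rule("service-account-external-logon", "T1078", "Initial Access",
         lambda e: e.get("event") == "logon_success" and e.get("user", "").startswith("svc_")
         and not e.get("src", "").startswith("10.")),
]

def match_events(lines, rules=RULES):
    """Return (rule name, technique, tactic, timestamp) for every rule that fires."""
    return [(r.name, r.technique, r.tactic, e["ts"])
            for e in map(parse, lines) for r in rules if r.predicate(e)]

def coverage_gaps(rules=RULES, tactics=ENTERPRISE_TACTICS):
    """Tactics with no mapped rule: the detection gaps a team would prioritise next."""
    covered = {r.tactic for r in rules}
    return [t for t in tactics if t not in covered]

# Constructed sample events using documentation/private address ranges, not real hosts.
SAMPLE_EVENTS = [
    "2025-01-10T09:12:01Z host=ws-17 proto=rdp src=10.20.4.31 dst=10.10.1.5 action=allow",
    "2025-01-10T09:12:44Z host=dc-01 event=logon_failure user=jdoe src=10.20.4.31 count=37",
    "2025-01-10T09:13:02Z host=ws-17 proto=https src=10.20.4.31 dst=203.0.113.9 action=allow",
    "2025-01-10T09:14:10Z host=dc-01 event=logon_success user=svc_backup src=198.51.100.7",
]
```

    Three of the four sample events fire exactly one rule each, and `coverage_gaps()` lists the 11 tactics with no rule, which is the list a team would work through when deciding what to build next.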


    Exabeam’s Relationship with MITRE ATT&CK

    Exabeam security researchers participate in MITRE ATT&CK discussions and events. They have also contributed several new techniques that are pending publication, and have researched how machine learning-based anomaly detection can bring MITRE ATT&CK into the security analyst’s detection arsenal. Exabeam will be adopting MITRE ATT&CK in the Exabeam Security Management Platform and Exabeam Cloud Security Services starting in 2019.

    Learn More About Exabeam

    Learn about the Exabeam platform and expand your knowledge of information security with our collection of white papers, podcasts, webinars, and more.
