MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK)

MITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community. ATT&CK is open and available to any person or organization for use at no charge.

Cybersecurity professionals must understand the breach process and explore the techniques MITRE documents under each tactic; this helps them plan and implement the necessary mitigations. We hope the information given here on common attack techniques is useful. Professionals should continue to plan and strengthen their organization's security by drilling into the ATT&CK matrix and developing as many mitigations as possible.

PRE-ATT&CK Tactics

Adversaries first select a target and define their ultimate objective. They then choose their pre-ATT&CK tactics and initiate the following process to complete the job.

Mitre Enterprise Tactics

Initial Access – The malicious actor first attempts to get into your network.

Adversaries use a variety of techniques and entry vectors to gain an initial foothold in your network, such as targeted spear phishing and exploiting vulnerabilities on public-facing web servers. The foothold may allow continued access, or it may be limited-use, for example if the stolen passwords are changed.

Execution – Once inside your network, the attacker will attempt to run malicious code.

Adversaries run adversary-controlled code on a local or remote system. Execution is often paired with techniques from the other tactics to achieve broader goals, such as exploring a network or stealing data. For example, an attacker might use a remote access tool (RAT) to run a PowerShell script that performs Remote System Discovery.

Persistence – The adversary aims to maintain their foothold.

Persistence consists of techniques that let adversaries keep access to systems across restarts, changed credentials and other interruptions. These include any access, action or configuration change that lets them maintain their foothold on systems, such as replacing or hijacking legitimate code or adding startup code.

Privilege Escalation – The adversary tries to gain a higher level of permissions.

Adversaries can often enter and explore a network with unprivileged access, but they need elevated permissions to reach further across the network and complete their objectives. To do so they exploit misconfigurations and vulnerabilities. Examples of elevated access include:
• SYSTEM/root level
• local administrator
• a user account with admin-like access

Defense Evasion – Malicious actors try to avoid being detected.

This includes techniques such as removing or disabling security software like antivirus, or obfuscating and encrypting data and scripts. Adversaries also inject into and abuse trusted system processes to hide and masquerade their malicious code.

Credential Access – The attacker attempts to steal account names and passwords.

Credential Access consists of techniques for stealing login credentials such as account names and passwords, including keylogging, brute force and credential dumping. Legitimate credentials give attackers access to systems and let them set up more accounts to help achieve their goals.

Discovery – The adversary scans the network to figure out and map your environment.

Discovery consists of techniques an adversary may use to gain knowledge about the system and internal network. These techniques help adversaries observe and map the layout of the environment they want to compromise and plan their next steps toward their goal. Native operating system tools are often used for this post-compromise information gathering.

Lateral Movement – The adversary is trying to move through your environment.

Lateral Movement consists of techniques that let attackers move within the environment to extend their access across the network. Adversaries might install remote access tools or use native system functions to reach other systems.

Collection – The adversary is trying to gather data of interest to their goal.

Attackers use techniques to gather information from the network or from compromised systems. Common information sources include various drive types, browsers, audio, video and email. Common collection methods include capturing screenshots and keyboard input.

Command and Control – The attacker establishes remote communication with compromised systems in order to control them.

Command and Control consists of techniques that adversaries use to communicate with systems under their control within a victim network, for example by deploying a bot on the compromised system.

Exfiltration – The adversary attempts to steal data.

Attackers often package the data they have collected to avoid detection, using mechanisms such as compression and encryption. They may use several techniques to take data out of the target network, including transferring it over their command and control channel or over an alternate channel.

Impact – The adversary is trying to manipulate, interrupt, or destroy your systems and data.

Impact consists of techniques that disrupt the availability of systems or data, or that manipulate business and operational processes. This can include tampering with or deleting data on the compromised system. An altered business process may look fine from the outside; such manipulation can also be done to provide cover for a confidentiality breach.
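The practical use of the matrix described above is to map what your telemetry shows onto tactics and then look for the tactics you cannot see at all. The following Python script is an added example, not MITRE's code or part of the original article: it parses constructed endpoint events (the key=value log format, the host ws01, the user alice, the file upd.exe and every command line are made up for illustration), tags each event with the ATT&CK tactic and technique it indicates, shows the RAT-runs-PowerShell-for-Remote-System-Discovery pairing from the Execution section as two tactics firing on one event, and reports which tactics the rule set leaves uncovered. The TAxxxx and Txxxx identifiers are MITRE's published IDs; the rule names and matching logic are this example's own.

```python
"""Added example (not MITRE's code): map constructed endpoint events to
ATT&CK tactics and report which tactics the rule set leaves uncovered.
Event format, hostnames, file names and command lines are made up; the
TAxxxx / Txxxx identifiers are MITRE's published tactic and technique IDs."""
import re
from dataclasses import dataclass
from typing import Callable

# Enterprise tactics in matrix order, keyed by MITRE tactic ID.
TACTICS = {
    "TA0001": "Initial Access",
    "TA0002": "Execution",
    "TA0003": "Persistence",
    "TA0004": "Privilege Escalation",
    "TA0005": "Defense Evasion",
    "TA0006": "Credential Access",
    "TA0007": "Discovery",
    "TA0008": "Lateral Movement",
    "TA0009": "Collection",
    "TA0011": "Command and Control",
    "TA0010": "Exfiltration",
    "TA0040": "Impact",
}

# Parents from which a shell is normal; a shell under anything else is suspicious.
EXPECTED_SHELL_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe"}


@dataclass(frozen=True)
class Rule:
    name: str
    tactic_id: str
    technique_id: str
    match: Callable[[dict], bool]


def cmdline(pattern: str) -> Callable[[dict], bool]:
    """Build a matcher that searches an event's command line, case-insensitively."""
    rx = re.compile(pattern, re.IGNORECASE)
    return lambda e: bool(rx.search(e.get("cmdline", "")))


# Illustrative rules (constructed for this example), one per tactic covered.
RULES = [
    Rule("powershell-from-unexpected-parent", "TA0002", "T1059.001",
         lambda e: e.get("image") == "powershell.exe"
         and e.get("parent") not in EXPECTED_SHELL_PARENTS),
    Rule("remote-system-discovery", "TA0007", "T1018",
         cmdline(r"\b(net view|Get-ADComputer|nltest)\b")),
    Rule("run-key-persistence", "TA0003", "T1547.001",
         cmdline(r"\breg(\.exe)?\s+add\b.*\\CurrentVersion\\Run\b")),
    Rule("realtime-protection-disabled", "TA0005", "T1562.001",
         cmdline(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$?true")),
    Rule("lsass-process-access", "TA0006", "T1003.001",
         lambda e: e.get("type") == "process_access" and e.get("target") == "lsass.exe"),
    Rule("archive-utility-staging", "TA0009", "T1560.001",
         cmdline(r"\b(7z|rar)(\.exe)?\s+a\b")),
]

# key=value pairs; values containing spaces are double-quoted.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> dict:
    """Parse one key=value event line into a dict of string fields."""
    return {k: quoted or bare for k, quoted, bare in FIELD_RE.findall(line)}


def classify(lines):
    """Return one hit per (event, matching rule), tagged with tactic and technique."""
    hits = []
    for line in lines:
        event = parse_event(line)
        for rule in RULES:
            if rule.match(event):
                hits.append({
                    "ts": event.get("ts"), "host": event.get("host"), "user": event.get("user"),
                    "rule": rule.name, "tactic": TACTICS[rule.tactic_id],
                    "technique": rule.technique_id,
                })
    return hits


def tactics_seen(hits):
    """Tactics that fired, in matrix order: a rough picture of how far the intrusion got."""
    seen = {h["tactic"] for h in hits}
    return [name for name in TACTICS.values() if name in seen]


def uncovered_tactics(rules=RULES):
    """Tactics with no rule at all: the gaps to drill into next."""
    covered = {TACTICS[r.tactic_id] for r in rules}
    return [name for name in TACTICS.values() if name not in covered]


# Constructed sample telemetry: one benign event, then a chain on the same host.
SAMPLE_EVENTS = [
    r'ts=2024-05-01T09:12:03Z type=process_create host=ws01 user=alice parent=explorer.exe image=winword.exe cmdline="winword.exe /n invoice.docx"',
    r'ts=2024-05-01T09:14:10Z type=process_create host=ws01 user=alice parent=upd.exe image=powershell.exe cmdline="powershell -c net view /domain"',
    r'ts=2024-05-01T09:14:52Z type=process_create host=ws01 user=alice parent=upd.exe image=reg.exe cmdline="reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v upd /t REG_SZ /d C:\Users\alice\upd.exe"',
    r'ts=2024-05-01T09:15:30Z type=process_create host=ws01 user=alice parent=upd.exe image=powershell.exe cmdline="powershell Set-MpPreference -DisableRealtimeMonitoring $true"',
    r'ts=2024-05-01T09:16:04Z type=process_access host=ws01 user=alice image=upd.exe target=lsass.exe',
    r'ts=2024-05-01T09:20:41Z type=process_create host=ws01 user=alice parent=upd.exe image=7z.exe cmdline="7z.exe a staged.7z C:\Users\alice\Documents"',
]

if __name__ == "__main__":
    hits = classify(SAMPLE_EVENTS)
    for hit in hits:
        print(f'{hit["ts"]} {hit["host"]} {hit["tactic"]:<18} {hit["technique"]:<9} {hit["rule"]}')
    print("tactics seen:", tactics_seen(hits))
    print("no rule for:", uncovered_tactics())
```

The second sample event fires two rules at once (Execution via PowerShell under an unexpected parent, and Discovery via the network enumeration command), which is exactly the pairing the Execution section describes. The uncovered list is the output a defender acts on: in this rule set Initial Access, Privilege Escalation, Lateral Movement, Command and Control, Exfiltration and Impact have no detection at all, so those are the columns of the matrix to drill into next.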