MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a cybersecurity framework that helps enterprises fortify themselves against cyber threats.
Also known as MITRE ATT&CK®, it is a free, government-advocated knowledge base comprising attack tactics and techniques of threat actors, common knowledge about them, and how they conduct cyberattacks. The framework was the product of MITRE's Fort Meade Experiment (FMX), which involved researchers simulating the behaviors of threat actors and victims to analyze and optimize data breach responses.
The nonprofit organization MITRE released MITRE ATT&CK in 2013, and the framework now covers PRE, Windows, MacOS, Linux, networks, containers, mobile, ICS, and the cloud. Among other matrices that MITRE offers, the MITRE ATT&CK cloud matrix is unique because, as its name implies, it specifically focuses on cloud-centric security threats. This includes threats across IaaS, SaaS, and PaaS services from cloud providers like GCP, Azure, and AWS. MITRE’s dedicated cloud matrices for Office 365, Azure AD, Google Workspace, SaaS, and IaaS can be particularly effective for businesses that use these cloud platforms.
With more than 290 million data leaks caused by hackers in 2023, threat modeling using MITRE ATTACK is an invaluable resource for any public or private organization in the crosshairs of cyber adversaries. Its data comes from diverse sources including public threat intelligence, cyber incident reports, and other research initiatives by leading cybersecurity professionals.
According to ESG, almost half of organizations surveyed in 2022 were using MITRE ATT&CK to strengthen their defenses, while 41% claimed to use the framework occasionally. Furthermore, 19% said that MITRE ATT&CK was critical to future security strategies, and 62% reported that it was very important. In an era where businesses have to reckon with advanced cyber threats, frameworks like MITRE ATT&CK are essential to augment a cloud security stack.
What are the benefits of implementing MITRE ATTACK?
By leveraging the MITRE ATTACK framework, companies can:
Benefit from cyber threat intelligence
Communicate about cyber threats using a common language
Understand weaknesses in their IT environments from a threat actor’s perspective
Assign certain tactics and techniques to specific threat actors
Identify ways to optimize and strengthen their cloud security controls and posture based on the volume, nature, and potency of cyberattacks
MITRE ATTACK features three primary matrices, each of which has specific tactics, techniques, and procedures (TTPs) as well as multiple subtechniques:
Enterprise: Focuses on enterprise network security
Mobile: Emphasizes mobile-related cyber threats
ICS: Focuses on protecting industrial control systems and networks
Note: The Enterprise Matrix has seven platform- and operating system-specific submatrices that focus on SaaS, IaaS, networks, containers, Windows, macOS, Linux, PRE, Azure AD, Office 365, and Google Workspace.
When speaking about TTPs, tactics describe overall objectives, techniques include the methods adversaries use to meet those objectives, and procedures are the apparatus and tools they use to conduct cyberattacks.
The following is a breakdown of the 18 attack tactics in the MITRE ATTACK framework, followed by a table showing each matrix and its respective tactics. (Many of the tactics are used by more than one matrix.)
Tactic
Description
Reconnaissance
Collecting data about a potential victim
Resource development
Gathering resources for a potential attack
Initial access
Breaching a network for the first time
Execution
Injecting malicious code into the victim’s network
Persistence
Gaining a foothold in the victim’s IT environment
Privilege escalation
Securing higher access privileges
Defense evasion
Sidestepping security mechanisms
Credential access
Stealing credentials of legitimate accounts
Discovery
Exploring various components of a victim’s network
Lateral movement
Moving across a victim’s IT environment
Collection
Collecting sensitive enterprise data
Command and control
Communicating with hijacked enterprise systems
Exfiltration
Stealing sensitive data from enterprises
Impact
Damaging enterprise IT environments
Inhibit Response Function
Preventing remediation mechanisms from responding to incidents
Impair Process Control
Interfering or deactivating physical control processes
There are too many MITRE ATTACK techniques and subtechniques to explore in a single post. To understand just how many there are in this comprehensive knowledge base, remember that the Enterprise Matrix itself features 185 techniques and 367 subtechniques.
Below are a few examples of the techniques associated with 16 of the above MITRE ATTACK tactics (MITRE does not list any for Network Effects or Remote Service Effects):
Tactic
Related Techniques
Reconnaissance
Active scanning, gathering victim host information, collecting victim network information, and phishing for information
Resource Development
Acquiring access, acquiring infrastructure, compromising accounts, and developing capabilities
Initial Access
Content injection, phishing, supply chain compromise, and abuse of valid accounts
Execution
Command and script interpreter, interprocess communication, scheduled tasks/jobs, system services, and user execution
How is MITRE ATTACK different from Cyber Attack Chain?
Similar to MITRE ATTACK, Cyber Attack Chain (officially known as the Cyber Kill Chain®) is a cybersecurity framework that can help businesses and their security teams protect themselves from cyberattacks. Lockheed Martin published the Cyber Attack Chain in 2011.
The following table presents seven key differences between MITRE ATTACK and Cyber Attack Chain:
Mitre Attack
Cyber Kill Chain
Features 18 tactics across three matrices
Features 7 tactics: reconnaissance, weaponization, delivery, exploitation, installation, C2, and actions on objectives
Does not establish nor presuppose that cyberattacks follow a particular sequence
States that all attacks feature the exact sequence of tactics listed above
Does not focus on linear sequences; emphasizes hierarchies of tactics, techniques, and procedures
Linearly anatomizes cyberattacks but doesn’t offer hierarchical breakdowns
Focuses on how cyber adversaries facilitate attacks, why they do so, and with what tools
Lacks techniques, subtechniques, and procedures; focuses on a step-by-step breakdown of adversarial behavior
Used by enterprises for protection across a cyberattack lifecycle
Typically used in the initial stages of a threat detection process
Regularly updated and improved by the MITRE Corporation and numerous cybersecurity experts (In 2023, MITRE released 25 new software bugs from which businesses must protect themselves.)
Does not feature many iterative improvements or community-led contributions
Provides a toolkit for users to design remediation and mitigation playbooks
Does not have any in-depth mitigation strategies businesses can apply to ward off cyberattacks
How Wiz and MITRE ATT&CK can help defend your cloud environments
Choosing the right cloud security platform is a vital decision for businesses. While there are many options in the cloud security market, a crucial factor is whether a cloud security platform weaves in frameworks like MITRE ATT&CK. With Wiz, you get the best of both worlds: a robust platform and game-changing cloud security frameworks.
Wiz's CNAPP is an industry leader that covers detection and response, and Wiz CDR provides correlation across cloud and runtime layers that’s enriched with unmatched context, facilitating rapid triage and response. Another huge benefit? Wiz weaves MITRE ATT&CK into its capabilities by mapping every rule in its rule set to MITRE tactics and techniques, and the Wiz Cloud Threat Landscape maps security incidents to the MITRE ATT&CK framework. Ready to learn more?
Get a demo today to see how Wiz and MITRE ATT&CK can comprehensively protect your cloud platforms.
See Your Cloud Activities Come to Life
Schedule a demo to learn how Wiz can detect and analyze threats in context so that you can prioritize, investigate, and respond quickly to the right risks.
Application detection and response (ADR) is an approach to application security that centers on identifying and mitigating threats at the application layer.
Secure coding is the practice of developing software that is resistant to security vulnerabilities by applying security best practices, techniques, and tools early in development.
Secure SDLC (SSDLC) is a framework for enhancing software security by integrating security designs, tools, and processes across the entire development lifecycle.
DAST, or dynamic application security testing, is a testing approach that involves testing an application for different runtime vulnerabilities that come up only when the application is fully functional.
Defense in depth (DiD)—also known as layered defense—is a cybersecurity strategy that aims to safeguard data, networks, systems, and IT assets by using multiple layers of security controls.