Also known as MITRE ATT&CK®, it is a free, government-advocated knowledge base comprising attack tactics and techniques of threat actors, common knowledge about them, and how they conduct cyberattacks. The framework was the product of MITRE's Fort Meade Experiment (FMX), which involved researchers simulating the behaviors of threat actors and victims to analyze and optimize data breach responses.
The nonprofit organization MITRE released MITRE ATT&CK in 2013, and the framework now covers PRE, Windows, MacOS, Linux, networks, containers, mobile, ICS, and the cloud. Among other matrices that MITRE offers, the MITRE ATT&CK cloud matrix is unique because, as its name implies, it specifically focuses on cloud-centric security threats. This includes threats across IaaS, SaaS, and PaaS services from cloud providers like GCP, Azure, and AWS. MITRE’s dedicated cloud matrices for Office 365, Azure AD, Google Workspace, SaaS, and IaaS can be particularly effective for businesses that use these cloud platforms.
With more than 290 million data leaks caused by hackers in 2023, threat modeling using MITRE ATTACK is an invaluable resource for any public or private organization in the crosshairs of cyber adversaries. Its data comes from diverse sources including public threat intelligence, cyber incident reports, and other research initiatives by leading cybersecurity professionals.
Free Cloud Security Risk Assessment
Connect with a Wiz expert for a personal walkthrough of the critical risks in each layer of your environment.
Request Free Review
According to ESG, almost half of organizations surveyed in 2022 were using MITRE ATT&CK to strengthen their defenses, while 41% claimed to use the framework occasionally. Furthermore, 19% said that MITRE ATT&CK was critical to future security strategies, and 62% reported that it was very important. In an era where businesses have to reckon with advanced cyber threats, frameworks like MITRE ATT&CK are essential to augment a cloud security stack.
What are the benefits of implementing MITRE ATTACK?
By leveraging the MITRE ATTACK framework, companies can:
Benefit from cyber threat intelligence
Communicate about cyber threats using a common language
Understand weaknesses in their IT environments from a threat actor’s perspective
Assign certain tactics and techniques to specific threat actors
Identify ways to optimize and strengthen their cloud security controls and posture based on the volume, nature, and potency of cyberattacks
The Cloud Threat Landscape
A comprehensive threat intelligence database of cloud security incidents, actors, tools and techniques.
Explore
Understanding MITRE ATTACK TTPs
MITRE ATTACK features three primary matrices, each of which has specific tactics, techniques, and procedures (TTPs) as well as multiple subtechniques:
Enterprise: Focuses on enterprise network security
Mobile: Emphasizes mobile-related cyber threats
ICS: Focuses on protecting industrial control systems and networks
Note: The Enterprise Matrix has seven platform- and operating system-specific submatrices that focus on SaaS, IaaS, networks, containers, Windows, macOS, Linux, PRE, Azure AD, Office 365, and Google Workspace.
When speaking about TTPs, tactics describe overall objectives, techniques include the methods adversaries use to meet those objectives, and procedures are the apparatus and tools they use to conduct cyberattacks.
Quickstart Cloud Incident Response Template
The only IR plan template on the web built with the cloud in mind.
Download
What are the tactics listed in MITRE ATTACK?
The following is a breakdown of the 18 attack tactics in the MITRE ATTACK framework, followed by a table showing each matrix and its respective tactics. (Many of the tactics are used by more than one matrix.)
| Tactic | Description |
|---|---|
| Reconnaissance | Collecting data about a potential victim |
| Resource development | Gathering resources for a potential attack |
| Initial access | Breaching a network for the first time |
| Execution | Injecting malicious code into the victim’s network |
| Persistence | Gaining a foothold in the victim’s IT environment |
| Privilege escalation | Securing higher access privileges |
| Defense evasion | Sidestepping security mechanisms |
| Credential access | Stealing credentials of legitimate accounts |
| Discovery | Exploring various components of a victim’s network |
| Lateral movement | Moving across a victim’s IT environment |
| Collection | Collecting sensitive enterprise data |
| Command and control | Communicating with hijacked enterprise systems |
| Exfiltration | Stealing sensitive data from enterprises |
| Impact | Damaging enterprise IT environments |
| Inhibit Response Function | Preventing remediation mechanisms from responding to incidents |
| Impair Process Control | Interfering or deactivating physical control processes |
What are the techniques listed in MITRE ATTACK?
There are too many MITRE ATTACK techniques and subtechniques to explore in a single post. To understand just how many there are in this comprehensive knowledge base, remember that the Enterprise Matrix itself features 185 techniques and 367 subtechniques.
Below are a few examples of the techniques associated with 16 of the above MITRE ATTACK tactics (MITRE does not list any for Network Effects or Remote Service Effects):
| Tactic | Related Techniques |
|---|---|
| Reconnaissance | Active scanning, gathering victim host information, collecting victim network information, and phishing for information |
| Resource Development | Acquiring access, acquiring infrastructure, compromising accounts, and developing capabilities |
| Initial Access | Content injection, phishing, supply chain compromise, and abuse of valid accounts |
| Execution | Command and script interpreter, interprocess communication, scheduled tasks/jobs, system services, and user execution |
| Persistence | Account manipulation, browser extensions, creating accounts, event-triggered execution, and hijacking execution flow |
| Privilege Escalation | Abusing elevation control mechanisms, accessing token manipulation, account manipulation, and escaping to host |
| Defense Evasion | Building image on host, debugger evasion, hiding artifacts, impersonating, masquerading, and obfuscating files or information |
| Credential Access | Utilizing adversary-in-the-middle, brute force, credentials from password stores, input capture, and network sniffing |
| Discovery | Account discovery, container, and resource discovery, permission groups discovery, software discovery, and virtualization/sandbox evasion |
| Lateral Movement | Exploitation of remote services, internal spearphishing, lateral tool transfer, remote services, and tainting shared content |
| Collection | Audio capture, automated collection, clipboard data, data from local systems, and data from removable media |
| Command and Control (C2) | Application layer protocol, content injection, fallback channels, protocol tunneling, and traffic signaling |
| Exfiltration | Automated exfiltration, data transfer size limits, exfiltration over C2 channel, and exfiltration over another network medium |
| Impact | Data destruction, defacement, disk wipe, financial theft, and firmware corruption |
| Inhibit Response Function | Alarm suppression, blocking command messages, blocking reporting messages, and denial of service |
| Impair Process Control | Brute force I/O, modifying parameters, spoof reporting messages, and unauthorized command messages |
How is MITRE ATTACK different from Cyber Attack Chain?
Similar to MITRE ATTACK, Cyber Attack Chain (officially known as the Cyber Kill Chain®) is a cybersecurity framework that can help businesses and their security teams protect themselves from cyberattacks. Lockheed Martin published the Cyber Attack Chain in 2011.
The following table presents seven key differences between MITRE ATTACK and Cyber Attack Chain:
| Mitre Attack | Cyber Kill Chain |
|---|---|
| Features 18 tactics across three matrices | Features 7 tactics: reconnaissance, weaponization, delivery, exploitation, installation, C2, and actions on objectives |
| Does not establish nor presuppose that cyberattacks follow a particular sequence | States that all attacks feature the exact sequence of tactics listed above |
| Does not focus on linear sequences; emphasizes hierarchies of tactics, techniques, and procedures | Linearly anatomizes cyberattacks but doesn’t offer hierarchical breakdowns |
| Focuses on how cyber adversaries facilitate attacks, why they do so, and with what tools | Lacks techniques, subtechniques, and procedures; focuses on a step-by-step breakdown of adversarial behavior |
| Used by enterprises for protection across a cyberattack lifecycle | Typically used in the initial stages of a threat detection process |
| Regularly updated and improved by the MITRE Corporation and numerous cybersecurity experts (In 2023, MITRE released 25 new software bugs from which businesses must protect themselves.) | Does not feature many iterative improvements or community-led contributions |
| Provides a toolkit for users to design remediation and mitigation playbooks | Does not have any in-depth mitigation strategies businesses can apply to ward off cyberattacks |
How Wiz and MITRE ATT&CK can help defend your cloud environments
Choosing the right cloud security platform is a vital decision for businesses. While there are many options in the cloud security market, a crucial factor is whether a cloud security platform weaves in frameworks like MITRE ATT&CK. With Wiz, you get the best of both worlds: a robust platform and game-changing cloud security frameworks.
Wiz's CNAPP is an industry leader that covers detection and response, and Wiz CDR provides correlation across cloud and runtime layers that’s enriched with unmatched context, facilitating rapid triage and response. Another huge benefit? Wiz weaves MITRE ATT&CK into its capabilities by mapping every rule in its rule set to MITRE tactics and techniques, and the Wiz Cloud Threat Landscape maps security incidents to the MITRE ATT&CK framework. Ready to learn more?
Get a demo today to see how Wiz and MITRE ATT&CK can comprehensively protect your cloud platforms.
Schedule a demo to learn how Wiz can detect and analyze threats in context so that you can prioritize, investigate, and respond quickly to the right risks.
