What is the MITRE ATT&CK Matrix?


The MITRE ATT&CK Matrix is a visualization of the tactics and techniques in the MITRE ATT&CK framework. It presents the same information in a condensed format, using a matrix that lists the tactics along the top and the techniques along the side. Each cell of the ATT&CK Matrix represents a specific technique within a specific tactic. The ATT&CK Matrix is color-coded to indicate the frequency and severity of each technique’s use in real-world cyberattacks as well as the corresponding defensive controls that can be used to mitigate the risk.

What Is the MITRE ATT&CK Matrix?

The MITRE ATT&CK (Adversarial Tactics, Techniques and Common Knowledge) Matrix is a framework for understanding and categorizing the various tactics, techniques and procedures (TTPs) used by attackers during a cyberattack. MITRE, a non-profit organization that works with government and industry to improve cybersecurity, developed the ATT&CK Matrix.

The MITRE ATT&CK Matrix is widely used in the cybersecurity community as a reference for identifying and responding to cyberthreats. Security analysts, incident responders and other cybersecurity professionals use it to better understand the tactics and techniques attackers use, so that they can develop more effective defense strategies and improve overall security posture.

The ATT&CK Matrix consists of two main components: tactics and techniques. Tactics represent the goals of an attacker, while techniques represent the specific methods used to achieve those goals. The ATT&CK Matrix is organized into several categories, each of which represents a different stage of a cyberattack.

How Are the ATT&CK Matrix and the ATT&CK Framework Different?

The MITRE ATT&CK framework and the MITRE ATT&CK Matrix are two related but distinct tools developed by MITRE Corporation to help organizations improve their cybersecurity posture.

The MITRE ATT&CK framework is a comprehensive knowledge base of tactics and techniques used by attackers during different stages of a cyberattack. It categorizes the tactics and techniques based on the stage of the cyberattack (e.g., initial access, execution, persistence) and the objectives of the attacker (e.g., data theft, espionage). The framework serves as a common language that enables organizations to understand and describe the different steps that attackers take during a cyberattack and to assess their own defenses against those steps.

The MITRE ATT&CK Matrix, on the other hand, is a visualization of the tactics and techniques in the ATT&CK framework. It presents the same information in a condensed grid with the tactics along the top and the techniques along the side, so that each cell is a specific technique within a specific tactic. Color-coding indicates how frequently and severely each technique has been used in real-world cyberattacks, together with the defensive controls that can mitigate the risk.

[Figure: MITRE ATT&CK Matrix, color-coded for Wizard Spider and Sandworm]
Example of color-coding: The MITRE ATT&CK framework: Wizard Spider & Sandworm

In summary, the MITRE ATT&CK framework provides a detailed description of tactics and techniques used by attackers, while the MITRE ATT&CK Matrix offers a more condensed and visual representation of the same information.

What Matrices Make Up the MITRE ATT&CK Matrix?

MITRE has extended the original ATT&CK Matrix into three major matrices:

  • Enterprise
  • Mobile
  • ICS

The Enterprise Matrix is further broken down by stage and platform into:

  • PRE-ATT&CK
  • Windows
  • macOS
  • Linux
  • Cloud (including Microsoft 365, Google Workspace, Azure AD, SaaS and IaaS)
  • Network
  • Containers

[Figure: MITRE ATT&CK matrices]

PRE-ATT&CK Matrix

The MITRE PRE-ATT&CK Matrix focuses on the early stages of a cyberattack, before the attacker has gained access to the target system or network. It is designed to help organizations identify and prevent early-stage activities, which can help to reduce the risk of a successful attack.

It is organized into several categories, each of which represents a different stage of the attack cycle. The categories in the PRE-ATT&CK Matrix include:

  • Reconnaissance — techniques used to gather information about the target organization.
  • Resource Development — techniques used to develop the infrastructure and resources needed to carry out an attack.
  • Initial Access — techniques used to gain access to a target system or network.
  • Execution — techniques used to run malicious code on a target system or network.
  • Persistence — techniques used to maintain a foothold on a target system or network.
  • Privilege Escalation — techniques used to gain higher levels of access on a target system or network.

Originally, the PRE-ATT&CK Matrix was its own separate major matrix, but MITRE decided in 2020 to bring the PRE-ATT&CK Matrix under the Enterprise Matrix, which has led to the confusing result of it being listed as a “platform” called “PRE.”

Enterprise ATT&CK Matrix

The MITRE Enterprise ATT&CK Matrix is a more comprehensive framework that covers a wider range of cyberattack scenarios and provides more detailed information on attacker behavior. It includes information on specific threat actors, their tactics, tools and techniques, how they operate, and how they can be detected and mitigated.

It is organized into the same categories as the original ATT&CK Matrix, but it includes additional subcategories, techniques and tactics that are specific to enterprise-level attacks, including advanced persistent threats (APTs), targeted attacks and other sophisticated attacks that are designed to bypass traditional security measures.

The goal of the Enterprise ATT&CK Matrix is to provide organizations with a more comprehensive understanding of the threats they face and to help them develop more effective defense strategies. By understanding the tactics and techniques used by attackers, organizations can better prepare for and defend against cyberattacks throughout the various stages of an attack, from initial access to data exfiltration.

Mobile ATT&CK Matrix

The Mobile ATT&CK Matrix is a framework for understanding and categorizing the various TTPs used by attackers in mobile device attacks. This includes tactics such as network reconnaissance, privilege escalation, data exfiltration and other techniques commonly used by attackers to compromise mobile devices.

ICS ATT&CK Matrix

The ICS MITRE ATT&CK Matrix is a specific version of the framework that focuses on threats to industrial control systems. It covers the specific TTPs that attackers might use to target ICS networks, including critical infrastructure such as power grids, water treatment facilities and transportation systems.

The ICS MITRE ATT&CK Matrix helps organizations that use ICS to understand the specific threats they face and develop strategies to mitigate those threats. It provides a valuable resource for security professionals, researchers and analysts to share information about attacks on ICS networks and collaborate on defense strategies.

Tactics, Techniques and Procedures (TTPs)

The MITRE ATT&CK framework is organized into two main components: tactics and techniques.

Tactics

Tactics are high-level goals that an attacker might have when attempting to compromise a system or network. There are 11 tactics in the framework:

  1. Initial Access
  2. Execution
  3. Persistence
  4. Privilege Escalation
  5. Defense Evasion
  6. Credential Access
  7. Discovery
  8. Lateral Movement
  9. Collection
  10. Exfiltration
  11. Command and Control

Each tactic includes multiple techniques, which are further broken down into subtechniques. These techniques and subtechniques are assigned unique identifiers and are described in detail, including how they work, which tools and tactics they are associated with, and how they can be detected and mitigated.

Techniques

Each tactic is further broken down into a number of specific techniques, which are the specific methods used to achieve the goals of the tactic. There are currently over 250 techniques documented in the framework.

For each technique, the framework also documents the subtechniques and procedures attackers use to carry it out. At a high level, this means the 11 tactics above are broken down like this:

  1. Initial Access — techniques used to gain access to a target system or network.
  2. Execution — techniques used to run malicious code on a target system or network.
  3. Persistence — techniques used to maintain a foothold on a target system or network.
  4. Privilege Escalation — techniques used to gain higher levels of access on a target system or network.
  5. Defense Evasion — techniques used to avoid detection by security tools and systems.
  6. Credential Access — techniques used to steal user credentials or other sensitive information.
  7. Discovery — techniques used to gather information about a target system or network.
  8. Lateral Movement — techniques used to move from one system or network to another within a target environment.
  9. Collection — techniques used to gather data or other valuable information from a target system or network.
  10. Exfiltration — techniques used to remove stolen data or other valuable information from a target system or network.
  11. Command and Control — techniques used to establish and maintain communication with an attacker's command and control infrastructure.

By organizing attacks into TTPs, the MITRE ATT&CK framework provides a comprehensive view of the cyberthreat landscape and allows organizations to better understand how attackers operate. This, in turn, can help organizations develop more effective defense strategies and improve their overall security posture.

Procedures

Procedures are the specific implementations adversaries use for techniques or subtechniques. For example, a procedure could be an adversary using PowerShell to inject into lsass.exe and dump credentials by scraping LSASS memory on a victim. ATT&CK records procedures as observed in-the-wild uses of a technique, listed in the "Procedure Examples" section of each technique page.
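The procedure above is what a defender would want to see in telemetry and label with the framework's identifiers. The following added example (not code from the original page or from MITRE) runs a simple detection over constructed Sysmon Event ID 10 (ProcessAccess) records and tags each finding with the ATT&CK tactic and technique IDs it maps to. The Sysmon field names (SourceImage, TargetImage, GrantedAccess) are real; the events, the allowlist and the host names are constructed for illustration, and the IDs used (TA0006, T1003.001, TA0002, T1059.001) are the real ATT&CK identifiers for Credential Access, OS Credential Dumping: LSASS Memory, Execution and PowerShell.

```python
"""Flag a scripting host reading LSASS memory in Sysmon ProcessAccess telemetry
and tag each finding with ATT&CK tactic/technique IDs.

Added example, not from the page. Sysmon Event ID 10 field names are real;
the events, the allowlist and the host names below are constructed.
"""
import json

# PROCESS_VM_READ: the Windows access right needed to read another process's
# memory. A handle to lsass.exe that includes it deserves a look.
PROCESS_VM_READ = 0x0010

# Interpreters that should not be opening lsass.exe with read access.
SCRIPTING_HOSTS = {"powershell.exe", "pwsh.exe"}

# Constructed allowlist of processes expected to touch lsass.exe in this
# environment (security products, OS components). Tune per environment.
LSASS_ALLOWLIST = {"msmpeng.exe", "csrss.exe", "wininit.exe"}

# Constructed Sysmon Event ID 10 records, serialised one JSON object per line
# the way a log forwarder would ship them.
SAMPLE_LINES = [json.dumps(e) for e in [
    {"EventID": 10, "UtcTime": "2024-05-01 10:02:11.120",
     "SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "UtcTime": "2024-05-01 10:02:12.004",
     "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"},
    {"EventID": 10, "UtcTime": "2024-05-01 10:02:13.550",
     "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 10, "UtcTime": "2024-05-01 10:03:40.901",
     "SourceImage": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"},
    {"EventID": 1, "UtcTime": "2024-05-01 10:03:41.000",
     "Image": r"C:\Windows\System32\notepad.exe"},
]]


def image_name(path):
    """Lower-cased file name from a Windows path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def evaluate(event):
    """Return an ATT&CK-tagged finding for a suspicious LSASS access, else None."""
    if event.get("EventID") != 10:
        return None
    if image_name(event["TargetImage"]) != "lsass.exe":
        return None
    source = image_name(event["SourceImage"])
    if source in LSASS_ALLOWLIST:
        return None
    granted = int(event["GrantedAccess"], 16)
    if not granted & PROCESS_VM_READ:
        return None  # query-only handles to lsass.exe are routine
    # The credential-dumping technique always applies; the PowerShell
    # execution technique applies when the handle owner is a scripting host.
    techniques = ["T1003.001 OS Credential Dumping: LSASS Memory"]
    tactics = ["TA0006 Credential Access"]
    if source in SCRIPTING_HOSTS:
        techniques.append("T1059.001 Command and Scripting Interpreter: PowerShell")
        tactics.append("TA0002 Execution")
    return {"time": event["UtcTime"], "source": source,
            "granted_access": hex(granted), "techniques": techniques, "tactics": tactics}


def scan(lines):
    """Parse JSON log lines and collect the findings."""
    findings = []
    for line in lines:
        finding = evaluate(json.loads(line))
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LINES):
        print(f"{f['time']} {f['source']} -> lsass.exe ({f['granted_access']})")
        for tactic, technique in zip(f["tactics"], f["techniques"]):
            print(f"    {tactic} / {technique}")
```

Of the five constructed records, only the PowerShell handle and the unknown binary in a user's Temp directory produce findings; the antivirus engine is allowlisted and the svchost.exe handle carries no read right. Tagging findings with technique IDs at detection time is what makes the coverage mapping in the next section possible.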

Mapping Defenses and Understanding Gaps

Mapping defenses and identifying gaps using the MITRE ATT&CK matrices can be a useful way to improve your organization's overall security posture. Here are some steps you can follow:

  1. Identify the relevant matrix. Choose the matrix — Enterprise, Mobile, ICS — most relevant to your organization and the systems you’re trying to protect.
  2. Map your current defenses. Review your current security controls and map them to the relevant tactics and techniques in the ATT&CK Matrix. This will help identify areas where you’re well protected and those where you may have gaps.
  3. Identify gaps and prioritize. Once you have mapped your current defenses, identify areas where you have gaps in coverage. Prioritize these gaps based on the likelihood and potential impact of an attack.
  4. Develop a plan to address gaps. Develop a plan to address the identified gaps in your defenses. This may involve implementing new security controls, improving existing controls, or modifying your security policies and procedures.
  5. Test and validate. Once you have implemented your new or improved security controls, test and validate them to ensure they are effective. This may involve conducting penetration testing, red teaming or other forms of security testing.
  6. Continuously monitor and update. The cyberthreat landscape is constantly evolving, so it's important to continuously monitor and update your defenses to address new threats and vulnerabilities.
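Steps 2 and 3 above, and the tactic/technique/procedure hierarchy described in the TTPs section, come down to a small amount of bookkeeping once controls are tagged with technique IDs. The following added example (not code from the original page or from MITRE) models a hand-typed slice of the Enterprise matrix as tactic → technique, maps a constructed control inventory onto it, and reports coverage per tactic, uncovered techniques ordered by a constructed likelihood × impact score, and techniques that are detected but never prevented. The tactic and technique IDs and names are real ATT&CK entries; the controls, the scores and the choice of which techniques appear are constructed. A real exercise would load the full matrix from MITRE's published data rather than typing it in.

```python
"""Map defensive controls onto a slice of the ATT&CK Enterprise matrix and list gaps.

Added example, not from the page. Tactic and technique IDs are real ATT&CK
identifiers; the control inventory and the risk scores are constructed.
"""

# Constructed slice of the Enterprise matrix: tactic -> {technique ID: name}.
MATRIX = {
    "TA0001 Initial Access": {
        "T1566": "Phishing",
        "T1078": "Valid Accounts",
    },
    "TA0002 Execution": {
        "T1059.001": "Command and Scripting Interpreter: PowerShell",
    },
    "TA0006 Credential Access": {
        "T1003.001": "OS Credential Dumping: LSASS Memory",
        "T1110": "Brute Force",
        "T1558": "Steal or Forge Kerberos Tickets",
    },
    "TA0010 Exfiltration": {
        "T1041": "Exfiltration Over C2 Channel",
    },
}

# Constructed control inventory (step 2): each control is tagged preventive
# or detective and mapped to the techniques it addresses.
CONTROLS = [
    {"name": "Mail gateway attachment sandbox", "kind": "prevent",
     "techniques": {"T1566"}},
    {"name": "EDR rule: LSASS memory access from scripting hosts", "kind": "detect",
     "techniques": {"T1003.001", "T1059.001"}},
    {"name": "MFA on all external logins", "kind": "prevent",
     "techniques": {"T1078", "T1110"}},
]

# Constructed (likelihood, impact) scores on a 1-5 scale, used for step 3.
RISK = {
    "T1566": (5, 3), "T1078": (4, 4), "T1059.001": (4, 3),
    "T1003.001": (3, 5), "T1110": (3, 2), "T1558": (2, 4), "T1041": (3, 5),
}


def coverage_by_technique(matrix, controls):
    """Return {technique: {"prevent": [control names], "detect": [control names]}}."""
    cov = {tid: {"prevent": [], "detect": []}
           for techs in matrix.values() for tid in techs}
    for control in controls:
        for tid in control["techniques"]:
            if tid in cov:  # controls mapped outside this slice are ignored
                cov[tid][control["kind"]].append(control["name"])
    return cov


def tactic_coverage(matrix, controls):
    """Fraction of each tactic's techniques that have at least one control."""
    cov = coverage_by_technique(matrix, controls)
    return {
        tactic: sum(1 for t in techs if cov[t]["prevent"] or cov[t]["detect"]) / len(techs)
        for tactic, techs in matrix.items()
    }


def gaps(matrix, controls, risk):
    """Techniques with no control at all, highest likelihood x impact first."""
    cov = coverage_by_technique(matrix, controls)
    uncovered = [t for t, k in cov.items() if not k["prevent"] and not k["detect"]]
    return sorted(uncovered, key=lambda t: (-risk[t][0] * risk[t][1], t))


def detect_only(matrix, controls):
    """Techniques that are detected but never prevented: candidates for a preventive control."""
    cov = coverage_by_technique(matrix, controls)
    return sorted(t for t, k in cov.items() if k["detect"] and not k["prevent"])


if __name__ == "__main__":
    names = {t: n for techs in MATRIX.values() for t, n in techs.items()}
    print("Coverage per tactic:")
    for tactic, frac in tactic_coverage(MATRIX, CONTROLS).items():
        print(f"  {tactic}: {frac:.0%}")
    print("Uncovered techniques, by priority:")
    for t in gaps(MATRIX, CONTROLS, RISK):
        print(f"  {t} {names[t]} (likelihood x impact = {RISK[t][0] * RISK[t][1]})")
    print("Detected but not prevented:", ", ".join(detect_only(MATRIX, CONTROLS)))
```

With the constructed inventory, Exfiltration has no coverage at all, Credential Access is two-thirds covered, and the LSASS and PowerShell techniques are only detected, which is the kind of result that feeds step 4. Separating preventive from detective controls matters: a tactic that looks fully covered on a single-color heat map may in fact rely entirely on after-the-fact detection.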

Use Cases for MITRE ATT&CK

The MITRE ATT&CK matrices have several use cases across various industries and sectors.

Cybersecurity Operations

The matrices are used by security operations centers (SOCs) and cybersecurity teams to monitor and detect attacks and to develop incident response plans. By mapping attacks to specific tactics and techniques in the ATT&CK Matrix, teams can better understand the behavior of attackers and identify potential gaps in their defenses.

Threat Intelligence

The matrices are used by threat intelligence analysts to gather and analyze information on attackers and their TTPs, and to identify patterns and trends in cyberthreats. This information can be used to develop proactive defense strategies and to prioritize remediation efforts.

Red Teaming and Penetration Testing

The matrices are used by red teams and penetration testers to simulate real-world attacks and identify vulnerabilities and weaknesses in an organization's defenses. By following the tactics and techniques in the ATT&CK Matrix, testers can better replicate attacker behavior and provide more realistic testing scenarios.

Vulnerability Management

The matrices are used by vulnerability management teams to prioritize vulnerabilities based on their potential impact on an organization and the likelihood of exploitation by attackers. By mapping vulnerabilities to specific techniques and tactics in the ATT&CK Matrix, teams can better understand the risk posed by each vulnerability and develop more effective remediation strategies.

Compliance and Audit

The matrices are used by compliance and audit teams to assess an organization's security posture and to demonstrate compliance with industry and regulatory standards. By mapping security controls to specific tactics and techniques in the ATT&CK Matrix, teams can better demonstrate their ability to detect and prevent attacks.

Cybersecurity Training

The matrices are used by cybersecurity trainers to educate employees and security professionals on the TTPs used by attackers. This training can help employees better recognize and respond to potential threats and help security professionals develop more effective defense strategies.

MITRE ATT&CK Matrix FAQs

What is the purpose of the MITRE ATT&CK Matrix?

The purpose of the MITRE ATT&CK Matrix is to provide a common language and structure for understanding and communicating about cyberthreats. It helps organizations to develop more effective defense strategies, prioritize their security investments, and respond more quickly and effectively to cyberattacks.

What matrices are part of the MITRE ATT&CK framework?

There are several matrices within the MITRE ATT&CK framework, including the Enterprise Matrix, the Mobile Matrix, and the ICS Matrix. Each matrix focuses on a specific area of cyberthreat, providing a comprehensive list of techniques and tactics that attackers may use in that area.

How often is the MITRE ATT&CK Matrix updated?

The MITRE ATT&CK Matrix is updated on a regular basis as new threat intelligence is gathered and analyzed. Updates are made based on real-world attack data, and the ATT&CK Matrix is continually refined and updated to reflect the latest TTPs used by threat actors.

How can organizations use the MITRE ATT&CK Matrix?

Organizations can use the MITRE ATT&CK Matrix to map their defenses and identify potential gaps in their security posture. By aligning their security controls to specific tactics and techniques in the matrix, organizations can develop more effective defense strategies and prioritize their security investments based on the potential impact of specific threats.