MITRE ATT&CK: Difference between revisions
Revision as of 14:49, 28 July 2021
MITRE ATT&CK is a free framework describing cyber threat actors' tactics and techniques. The knowledge base, which is based entirely on real-world observations, offers a foundation for the development of specific threat models and methodologies for private, government, and cybersecurity sectors.[1] The framework has one component for enterprise IT networks and clouds, and another for mobile devices.
History
The MITRE Corporation, an American nonprofit that manages federally funded research and development centers, started ATT&CK in 2013 to document common tactics, techniques, and procedures that advanced persistent threats (APTs) use against Windows enterprise networks. It began as a documentation research project called "FMX," which investigated endpoint telemetry data and analytics usage with the aim of improving post-compromise detection. ATT&CK became the basis for testing the efficacy of sensors and analytics and is now the common language of cybersecurity offense and defense teams.[2]
Tactics
Tactics represent the “why” of an ATT&CK technique or sub-technique. A tactic is the adversary’s tactical goal: the reason for performing an action. For example, an adversary may want to achieve credential access.
Techniques
Techniques represent “how” an adversary achieves a tactical goal by performing an action. For example, an adversary may dump credentials to achieve credential access.
Procedures
Procedures are the specific implementation the adversary uses for techniques or sub-techniques. For example, a procedure could be an adversary using PowerShell to inject into lsass.exe to dump credentials by scraping LSASS memory on a victim. Procedures are categorized in ATT&CK as the observed in-the-wild use of techniques, listed in the "Procedure Examples" section of technique pages.