
History

The MITRE Corporation was chartered on July 17, 1958 as a private, not-for-profit company to
provide engineering and technical guidance for the federal government. Since then, MITRE has
operated at the intersection of advanced technology and vital national concerns.

MITRE's roots lie in the computer laboratories of the Massachusetts Institute of Technology
(MIT) during World War II.

In 1959, the newly formed Federal Aviation Agency (now Administration) established a collaboration
with the Air Force to engage MITRE on a project called SATIN (SAGE Air Traffic Integration).

In 1974, Secretary of Defense James Schlesinger expanded its use to all branches of the military to
form JTIDS.

The rapid pace of change in information technology that characterized the late 1980s and early
1990s greatly influenced the evolution of MITRE's work.

In 1999, MITRE, working with the FAA and industry, evaluated the prototype Automatic Dependent
Surveillance-Broadcast (ADS-B) technology.

The attacks of September 11, 2001, deeply affected MITRE.

After that, MITRE made a major decision to join the fight against the nation's enemies, and so it started

Introduction

• MITRE ATT&CK was created in 2013 as a result of MITRE's Fort Meade Experiment (FMX). The FMX
researchers emulated both adversary and defender behavior in an effort to improve
post-compromise detection of threats through telemetry sensing and behavioral analysis.

• The key question for the FMX researchers was "How well are we doing at detecting
documented adversary behavior?" To answer that question, the researchers developed
ATT&CK, which was used as a tool to categorize adversary behavior.

• MITRE ATT&CK is a framework; the name stands for MITRE Adversarial Tactics, Techniques, and
Common Knowledge (ATT&CK).

• The tactics and techniques abstraction in the model provides a common taxonomy of individual
adversary actions that is understood by both the offensive and defensive sides of cybersecurity.

Motive

• ATT&CK has become one of the most respected and most referenced resources in
cybersecurity.

• ATT&CK is a knowledge base of adversary techniques that you can use to defend your network
from cybersecurity threats.

• ATT&CK documents the techniques used at the different stages of a cyberattack, from
infiltrating your network to exfiltrating data.

MITRE ATT&CK Matrix?

Benefits to adopting MITRE ATT&CK:

1. Adversary Emulation: Assesses security by applying intelligence about an adversary and how
they operate to emulate a threat. ATT&CK can be used to create adversary emulation
scenarios to test and verify defenses.

2. Red Teaming: Acts as an adversary to demonstrate the impact of a breach. ATT&CK can be
used to create red team plans and organize operations.

3. Behavioral Analytics Development: Links together suspicious activity to monitor adversary
activity. ATT&CK can be used to simplify and organize patterns of suspicious activity deemed
malicious.

4. Defensive Gap Assessment: Determines what parts of the enterprise lack defenses and/or
visibility. ATT&CK can be used to assess existing tools, or test new tools prior to purchasing,
to determine security coverage and prioritize investment.

5. SOC Maturity Assessment: Similar to Defensive Gap Assessment, ATT&CK can be used to
determine how effective a security operations center (SOC) is at detecting, analyzing, and
responding to breaches.

6. Cyber Threat Intelligence Enrichment: Enhances information about threats and threat
actors. ATT&CK allows defenders to assess whether they are able to defend against specific
Advanced Persistent Threats (APTs) and common behaviors across multiple threat actors.

The Cyber Kill Chain is a well-defined sequence of events: the Red Team (the pentesting term for
attackers) moves from reconnaissance to intrusion and so on, in that order. By contrast, with
ATT&CK the Red Team uses techniques from different tactics at different points in the scenario,
depending on the situation. An ATT&CK scenario could start with a Hardware Addition from the
Initial Access tactic, then jump to Bypass User Account Control from the Privilege Escalation
tactic, and then go back to the Execution tactic to run PowerShell.
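The following is an added example, not code from the original document or from MITRE. It models the scenario just described (Hardware Additions, then Bypass User Account Control, then PowerShell) as a list of ATT&CK technique IDs, shows that the tactic order moves backwards relative to the linear matrix order, and then runs the Defensive Gap Assessment from benefit 4 above against a detection-coverage map. The technique IDs and the tactic order are the real ATT&CK Enterprise values; the coverage map (`COVERAGE`) and its data-source names are constructed assumptions for the example.

```python
"""Added example: an ATT&CK emulation scenario checked against a
constructed detection-coverage map (Defensive Gap Assessment)."""

# ATT&CK Enterprise tactics in matrix (left-to-right) order.
TACTIC_ORDER = [
    "Reconnaissance", "Resource Development", "Initial Access", "Execution",
    "Persistence", "Privilege Escalation", "Defense Evasion",
    "Credential Access", "Discovery", "Lateral Movement", "Collection",
    "Command and Control", "Exfiltration", "Impact",
]

# Technique ID -> (name, tactic). These are real ATT&CK identifiers for the
# techniques the text names; each is listed under the tactic the text uses.
TECHNIQUES = {
    "T1200": ("Hardware Additions", "Initial Access"),
    "T1548.002": ("Bypass User Account Control", "Privilege Escalation"),
    "T1059.001": ("PowerShell", "Execution"),
    "T1110": ("Brute Force", "Credential Access"),
    "T1550.002": ("Pass the Hash", "Lateral Movement"),
}

# The scenario from the text: Initial Access -> Privilege Escalation -> Execution.
SCENARIO = ["T1200", "T1548.002", "T1059.001"]

# Constructed coverage map (assumption, not any real tool's coverage):
# technique ID -> data sources that would raise an alert for it.
COVERAGE = {
    "T1548.002": ["windows_security_log", "sysmon_process_create"],
    "T1059.001": ["sysmon_process_create", "powershell_script_block"],
    "T1110": ["windows_security_log"],
}


def tactic_path(scenario):
    """Tactic of each scenario step, in the order the steps occur."""
    return [TECHNIQUES[tid][1] for tid in scenario]


def is_kill_chain_ordered(scenario):
    """True only if the tactics never move backwards in matrix order,
    i.e. the scenario reads like a linear kill chain."""
    idx = [TACTIC_ORDER.index(tac) for tac in tactic_path(scenario)]
    return all(a <= b for a, b in zip(idx, idx[1:]))


def coverage_gaps(scenario, coverage):
    """Scenario steps with no detection data source: the defender's blind spots."""
    return [tid for tid in scenario if not coverage.get(tid)]


def first_detection_step(scenario, coverage):
    """0-based index of the first step a defender would see, or None."""
    for i, tid in enumerate(scenario):
        if coverage.get(tid):
            return i
    return None


def coverage_by_tactic(techniques, coverage):
    """Fraction of known techniques per tactic that have at least one data source."""
    counts = {}
    for tid, (_, tactic) in techniques.items():
        covered, total = counts.get(tactic, (0, 0))
        counts[tactic] = (covered + (1 if coverage.get(tid) else 0), total + 1)
    return {tac: covered / total for tac, (covered, total) in counts.items()}


if __name__ == "__main__":
    print("tactic path:", " -> ".join(tactic_path(SCENARIO)))
    print("linear kill-chain order:", is_kill_chain_ordered(SCENARIO))
    print("uncovered techniques:", coverage_gaps(SCENARIO, COVERAGE))
    print("first visible step:", first_detection_step(SCENARIO, COVERAGE))
    for tactic, frac in coverage_by_tactic(TECHNIQUES, COVERAGE).items():
        print(f"{tactic}: {frac:.0%} covered")
```

Run as a script, it reports that the scenario is not in linear order (Privilege Escalation comes before Execution), that the Hardware Additions step has no detection at all, and that the defender would first see the adversary only at the second step. Swapping in a real coverage inventory for `COVERAGE` turns this into the per-tactic gap report that benefit 4 describes.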

Cyber Kill Chain

1. Reconnaissance

2. Intrusion

3. Exploitation

4. Privilege Escalation

5. Lateral Movement

6. Obfuscation / Anti-forensics

7. Denial of Service

8. Exfiltration

ATT&CK Projects and Resources

Tools similar to ATT&CK

Varonis detects several ATT&CK techniques and cyberattacks in your network, including Pass the
Hash, Pass the Ticket, and Brute Force. Varonis threat models use the same language as ATT&CK so
you can easily reference both resources when you need to research cyberattacks.
