MITRE ATT&CK Framework | What is MITRE ATT&CK?
“MITRE ATT&CK™ is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.” – MITRE Corp.
What is MITRE ATT&CK?
MITRE created ATT&CK as a solution to help teams achieve more effective cybersecurity. The framework enables sharing of adversarial behaviors across the attack lifecycle and provides a common taxonomy for threat analysis and research.
This framework can help cybersecurity teams assess the effectiveness of their security operations center (SOC) processes and defensive measures to identify areas for improvement.
With this knowledge base, teams take on an adversary’s perspective to better understand the motivation behind an adversary’s actions and the relationship between them for holistic threat detection and response. This approach provides context to the individual parts of an attack to help teams predict an adversary’s behavior and next move, and quickly and effectively respond to an attack.
MITRE ATT&CK for Threat Hunting and Detection
Learn more about using ATT&CK to identify critical gaps in visibility, enhance your threat detection, and test the accuracy of your detection rules.
ATT&CK Tactics, Techniques, and Procedures
MITRE first developed this framework as a standard way to document common adversarial tactics, techniques, and procedures (TTPs). The relationship between tactics and techniques can be seen in the ATT&CK Matrix™.
ATT&CK Tactics: Tactics are the “why” of an adversary’s technique and represent their objective.
ATT&CK Techniques: Techniques are “how” an adversary achieves an objective — the action they take to get what they are seeking.
ATT&CK Procedures: Procedures are the specific steps an adversary takes to execute a technique.
Figure 1: Hierarchical model of ATT&CK tactics, techniques, and procedures.
Harden Your Security Operations to ATT&CK with LogRhythm
Detecting adversaries requires pervasive visibility across your security data and a proactive approach to efficiently identify suspicious behavior. Teams can use the LogRhythm NextGen SIEM for high-fidelity visibility into the tactics, techniques, and procedures of the most skilled adversaries for accurate threat detection.
Security programs must update their methodologies as quickly as adversaries iterate, so they can detect new threats and prevent damaging breaches. The LogRhythm NextGen SIEM provides a diagnostic tool teams can use to assess their security program coverage and gaps, so they can prepare for future threats that leverage similar exploits.
Leverage MITRE’s model with LogRhythm network and user analytics, compliance modules, and threat feeds to generate higher-value alarms that more accurately detect adversaries.
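The tactic/technique hierarchy described under “ATT&CK Tactics, Techniques, and Procedures” and the coverage-gap assessment described above, as an added example that is not part of this page or of LogRhythm’s product. The matrix is a small constructed subset of real Enterprise ATT&CK IDs, and the detection rules are constructed; both are assumptions for illustration only.

```python
"""Added example (not from the page or LogRhythm): ATT&CK coverage gap check.

Models the tactic -> technique hierarchy and reports which techniques and
tactics a set of detection rules leaves uncovered. The matrix below is a
small constructed subset of real ATT&CK IDs, not the full knowledge base.
"""

# Constructed subset of the Enterprise ATT&CK matrix: tactic -> technique IDs.
# A technique such as T1078 (Valid Accounts) serves more than one tactic.
MATRIX = {
    "TA0001 Initial Access": {"T1566", "T1078", "T1190"},
    "TA0002 Execution": {"T1059", "T1204"},
    "TA0003 Persistence": {"T1078", "T1053"},
    "TA0006 Credential Access": {"T1003", "T1110"},
    "TA0008 Lateral Movement": {"T1021"},
    "TA0040 Impact": {"T1486"},
}

# Constructed detection rules, each tagged with the technique(s) it detects.
RULES = {
    "Suspicious PowerShell encoded command": {"T1059"},
    "Phishing attachment executed": {"T1566", "T1204"},
    "LSASS memory access": {"T1003"},
    "New logon from dormant account": {"T1078"},
}


def coverage_report(matrix, rules):
    """Return per-tactic coverage as (covered, uncovered) technique sets."""
    covered = set().union(*rules.values()) if rules else set()
    return {tactic: (techs & covered, techs - covered)
            for tactic, techs in matrix.items()}


def uncovered_tactics(matrix, rules):
    """Tactics with no detection at all: a complete blind spot in the attack lifecycle."""
    report = coverage_report(matrix, rules)
    return sorted(t for t, (cov, _) in report.items() if not cov)


def technique_tactics(matrix, technique):
    """Every tactic a technique serves, so one rule counts toward all of them."""
    return sorted(t for t, techs in matrix.items() if technique in techs)


if __name__ == "__main__":
    for tactic, (cov, gap) in coverage_report(MATRIX, RULES).items():
        print(f"{tactic}: covered={sorted(cov)} gaps={sorted(gap)}")
    print("blind-spot tactics:", uncovered_tactics(MATRIX, RULES))
```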
The LogRhythm MITRE ATT&CK Module
The LogRhythm MITRE ATT&CK Module provides prebuilt content mapped to ATT&CK for the LogRhythm NextGen SIEM Platform, including analytics, dashboard views, and threat hunting tools. This content enables security teams, and in particular Red Teams, to detect adversaries and improve their security program as prescribed by the MITRE ATT&CK framework.