Top 10 MITRE ATT&CK™ Techniques

The MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) Framework (https://attack.mitre.org/) is “a globally-accessible knowledge base of adversary tactics and techniques” that is “open and available to any person or organization for use at no charge.” One of the most beautiful parts of the MITRE ATT&CK™ Framework is that its information can be analyzed to answer a wide variety of different questions.

For instance, MITRE ATT&CK™ can be used to:

For context, MITRE defines tactics as the “why” of an attack: the adversary's objective, or the reason for performing a particular action. For example, a tactic would be to evade detection or avoid defenses. It defines techniques as the “how” of accomplishing those tactical objectives. An example here would be account manipulation, possibly by modifying permissions or credentials to subvert the security policies in place.

Aligning a defensive program to ATT&CK™ can be somewhat overwhelming, as the framework currently catalogues over 220 techniques. One of the ways that TrustedSec has recently been helping organizations use the MITRE ATT&CK™ framework is to identify which techniques are most commonly used by the known threat groups that target their particular industry. Organizations can then use this information to ensure that their security programs address the techniques most commonly used against their peer organizations.
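The counting behind that approach is simple to reproduce yourself. The script below is an added example (not TrustedSec's tooling) that ranks techniques by how many threat groups are documented as using them, optionally restricted to a set of groups an analyst associates with an industry. It reads the STIX 2 layout MITRE publishes in enterprise-attack.json (intrusion-set and attack-pattern objects joined by "uses" relationships, technique IDs in external_references with source_name "mitre-attack", tactics in kill_chain_phases). The bundle embedded here is a constructed stand-in with that same shape so the script runs offline; the group names, object IDs and the group-to-industry mapping are assumptions, since ATT&CK has no industry field.

```python
"""Rank ATT&CK techniques by the number of threat groups that use them."""
import json
import sys
from collections import Counter


def _technique(n, ext_id, name, *tactics):
    """Build a minimal attack-pattern object in the ATT&CK STIX layout."""
    return {"type": "attack-pattern", "id": f"attack-pattern--{n}", "name": name,
            "external_references": [{"source_name": "mitre-attack", "external_id": ext_id}],
            "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": t}
                                  for t in tactics]}


def _uses(n, group, technique):
    """Build a group -> technique 'uses' relationship."""
    return {"type": "relationship", "id": f"relationship--{n}", "relationship_type": "uses",
            "source_ref": f"intrusion-set--{group}", "target_ref": f"attack-pattern--{technique}"}


# CONSTRUCTED stand-in for enterprise-attack.json: same structure, but the groups,
# object IDs and relationships are made up. Technique IDs/names are the ones in use
# when this page was written. relationship--8 duplicates relationship--1 on purpose.
SAMPLE_BUNDLE = {"type": "bundle", "objects": [
    {"type": "intrusion-set", "id": "intrusion-set--a", "name": "Group A"},
    {"type": "intrusion-set", "id": "intrusion-set--b", "name": "Group B"},
    {"type": "intrusion-set", "id": "intrusion-set--c", "name": "Group C"},
    _technique(1, "T1059", "Command-Line Interface", "execution"),
    _technique(2, "T1071", "Standard Application Layer Protocol", "command-and-control"),
    _technique(3, "T1003", "Credential Dumping", "credential-access"),
    _technique(4, "T1056", "Input Capture", "credential-access", "collection"),
    _technique(5, "T1027", "Obfuscated Files or Information", "defense-evasion"),
    _uses(1, "a", 1), _uses(2, "a", 2), _uses(3, "a", 3),
    _uses(4, "b", 1), _uses(5, "b", 3), _uses(6, "b", 4),
    _uses(7, "c", 1), _uses(8, "a", 1), _uses(9, "c", 2), _uses(10, "c", 5),
]}

# Analyst-maintained assumption: which groups are known to target which industry.
INDUSTRY_GROUPS = {"financial": {"Group A", "Group B"}, "healthcare": {"Group C"}}


def index_objects(bundle):
    """Map STIX ids to group names and to (technique id, name, tactics)."""
    groups, techniques = {}, {}
    for obj in bundle["objects"]:
        if obj.get("revoked") or obj.get("x_mitre_deprecated"):
            continue  # ATT&CK keeps retired objects in the bundle; skip them
        if obj["type"] == "intrusion-set":
            groups[obj["id"]] = obj["name"]
        elif obj["type"] == "attack-pattern":
            ext_id = next((r["external_id"] for r in obj.get("external_references", [])
                           if r.get("source_name") == "mitre-attack"), "")
            tactics = [p["phase_name"] for p in obj.get("kill_chain_phases", [])
                       if p.get("kill_chain_name") == "mitre-attack"]
            techniques[obj["id"]] = (ext_id, obj["name"], tactics)
    return groups, techniques


def rank_techniques(bundle, group_filter=None, top_n=10):
    """Top techniques by count of distinct groups using them.

    group_filter: optional set of group names (e.g. those targeting one industry);
    None counts every group. Ties are broken by technique ID for stable output.
    """
    groups, techniques = index_objects(bundle)
    pairs = set()  # (group, technique): a group counts at most once per technique
    for obj in bundle["objects"]:
        if obj.get("type") != "relationship" or obj.get("relationship_type") != "uses":
            continue
        src, tgt = obj.get("source_ref"), obj.get("target_ref")
        if src not in groups or tgt not in techniques:
            continue  # drops software->technique and group->software edges
        if group_filter is not None and groups[src] not in group_filter:
            continue
        pairs.add((src, tgt))
    counts = Counter(tgt for _, tgt in pairs)
    ranked = [{"id": techniques[t][0], "name": techniques[t][1],
               "tactics": techniques[t][2], "groups": n} for t, n in counts.items()]
    ranked.sort(key=lambda r: (-r["groups"], r["id"]))
    return ranked[:top_n]


if __name__ == "__main__":
    # usage: python rank.py [enterprise-attack.json] [industry]
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            bundle = json.load(fh)
    else:
        bundle = SAMPLE_BUNDLE
    flt = INDUSTRY_GROUPS.get(sys.argv[2]) if len(sys.argv) > 2 else None
    for row in rank_techniques(bundle, flt):
        print(f'{row["id"]:<6} {row["name"]:<38} {", ".join(row["tactics"]):<34} {row["groups"]}')
```

Run it against the real enterprise-attack.json to get the all-industry ranking, or pass an industry key to restrict the count to the groups you have mapped to it. Deduplicating on (group, technique) matters with real data: counting raw relationship rows would inflate any technique a group has been documented using more than once.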

To give you an idea, here are the Top 10 Techniques & Associated Tactics across all industries. And while a security program that only addresses these techniques will be very weak, a strong security program will ensure that these techniques are addressed as part of a larger, comprehensive approach for securing organizational assets.

Technique                                Associated Tactic(s)
Command-Line Interface                   Execution
Standard Application Layer Protocol      Command and Control
Registry Run Keys / Startup Folder       Persistence
Process Discovery                        Discovery
File and Directory Discovery             Discovery
System Information Discovery             Discovery
Input Capture                            Credential Access, Collection
Remote File Copy                         Lateral Movement, Command and Control
Obfuscated Files or Information          Defense Evasion
Credential Dumping                       Credential Access

Although adversarial groups often favor specific targets and techniques, it is worth noting that these groups frequently adjust their goals and methods. Because of this, it is important for organizations to build programs that are designed to comprehensively protect themselves from the large and increasing number of threats. However, the top ten is a great place to start!

  • Want to better understand the MITRE ATT&CK™ Framework or our methodology?
  • Want to understand the techniques most commonly used to target organizations in your industry?
  • Want to ensure that your protective and detective controls are operating effectively?

We can help! Contact us to start the conversation!

Author: Rick Yocum

Rick’s independence, curiosity, and sense of humor have always driven him to explore. As a baby, exploration meant breaking out of any crib that had the audacity to try to cage him. As an adolescent, exploration meant remotely accessing classmates’ computers in order to pass notes and perpetrate pranks. But the real value of exploration is not in discovery—it’s in the application of discovered knowledge. Therefore, as an adult, Rick is passionate about helping organizations explore how technology and behavioral economics can be leveraged to reduce risk and improve operations. Rick is eternally grateful to the teachers and mentors who have allowed him to explore (and have sometimes even paid him to do it).