MITRE ATT&CK
Framework description
- MITRE ATT&CK Enterprise Matrix. Official database.
- ATT&CK Navigator. Web-based tool for annotating and exploring ATT&CK matrices. It can be used to visualize defensive coverage, red/blue team planning, the frequency of detected techniques, and more. Linked to the official database (but search results for Threat Groups, Software, etc. are not perfectly aligned with those on the official site). Video tutorial. See also my lab notes.
- Very nice (unofficial) dashboard for easier and better navigation.
- TOP ATT&CK TECHNIQUES for Ransomware and Calculator for your environment: a starting point for prioritizing defense when planning to defend against ransomware attacks. Methodology explained in Where to begin? Prioritizing ATT&CK Techniques.
Statistics
- European Repository of Cyber Incidents (EuRepoC) Daily updated database of cyber incidents worldwide.
- CISA Risk and Vulnerability Assessments. CISA analyzes and maps, to the MITRE ATT&CK framework, the findings from the Risk and Vulnerability Assessments (RVA) it conducts each year. Infographics break out the most successful techniques for each tactic and include the success rate percentage for each tactic and technique.
- 2022 Year in Review - DFIR Report Intrusion statistics aligned to the MITRE ATT&CK framework.
Alert examples
Most alerts of important threats reference the MITRE ATT&CK tactics and techniques.
- Cuba Ransomware (see Table 6). The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint CSA to disseminate known Cuba ransomware IOCs and TTPs associated with Cuba ransomware actors.
- Understanding Ransomware Threat Actors: LockBit. In 2022, LockBit was the most deployed ransomware variant across the world and continues to be prolific in 2023. Due to the large number of unconnected affiliates in the operation, LockBit ransomware attacks vary significantly in observed tactics, techniques, and procedures (TTPs).
Tools based on MITRE ATT&CK
Many tools and projects build on the MITRE ATT&CK framework. Here are just a few examples.
- DeTT&CT aims to assist blue teams in using ATT&CK to score and compare data log source quality, visibility coverage, detection coverage and threat actor behaviours.
- An Excel-centric approach for managing the MITRE ATT&CK tactics and techniques. A simple and portable way to build awareness of which attacker tactics/techniques a customer is able to detect and, more importantly, what is missing.
- Emulation libraries. Library of adversary emulation plans to allow organizations to evaluate their defensive capabilities against the real-world threats they face.