PRE-ATT&CK: Adversarial Tactics, Techniques & Common Knowledge for Left-of-Exploit

Revision as of 11:17, 13 April 2018 by Bstrom
Welcome to ATT&CK

MITRE’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) is a curated knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary’s lifecycle and the platforms they are known to target. ATT&CK is useful for understanding security risk against known adversary behavior, for planning security improvements, and verifying defenses work as expected.

What's New

This release deprecates the Launch and Compromise tactics and most of the techniques that belong to them. In the future, these TTPs will be covered by techniques in the Initial Access and Execution tactics on ATT&CK.

See Past Updates for previous changes.


PRE-ATT&CK Categories

Most companies secure their enterprise to ward off cyber adversaries by using perimeter defenses and blocking known adversary indicators of compromise (IOCs). Heavy reliance on collecting and blacklisting IOCs (e.g., IP addresses, domains, malware hashes) as a way to detect and block the adversary provides only limited protection. For example, the Verizon DBIR 2016 Report [1] states that 99% of malware hashes are seen for just 58 seconds or less. A comprehensive security plan does not begin or end at the perimeter, but instead leverages an understanding of the full lifecycle of a cyber adversary.

Adversary pre-compromise activities are largely executed outside the enterprise’s field of view, making them more difficult to detect. Cyber adversaries case their victims using the wealth of information available on the internet and take advantage of an enterprise’s third-party relationships to gain access to a target’s infrastructure. Defenders must expand their ability to monitor and understand adversary actions outside the boundaries of their enterprise.


Building on ATT&CK™ (Adversarial Tactics, Techniques, and Common Knowledge), a MITRE-developed model to quickly identify and categorize behavior post-network infiltration, PRE-ATT&CK provides the ability to prevent an attack before the adversary has a chance to get in. The seventeen tactic categories for PRE-ATT&CK were derived from the first four stages (recon, weaponize, deliver, and execute) of a seven-stage Cyber Attack Lifecycle [2] (first articulated by Lockheed Martin as the Cyber Kill Chain® [3]). This cyber threat framework captures the tactics, techniques, and procedures adversaries use to select a target, obtain information, and launch a campaign. The framework lists the ways that adversaries perform each tactic and provides the ability to track and organize adversary statistics and patterns. Ultimately, this arms defenders with a broader understanding of adversary actions that they can use to determine technical or policy-based mitigations and evaluate the quality and utility of cyber threat intelligence data sources.

PRE-ATT&CK provides defenders with the ability to answer questions such as:

  • Are there signs that the adversary might be targeting you?
  • What commonly used techniques does the adversary use against you?
  • How should you prioritize cyber threat intelligence data acquisitions and analytics to gain additional insights to “see” the adversary before the exploit occurs?

PRE-ATT&CK is a constantly growing common reference for pre-compromise techniques that brings greater awareness of what actions may be seen prior to a network intrusion. It enables a comprehensive evaluation of computer network defense (CND) technologies, data, processes, and policies against a common enterprise threat model.

We do not claim that PRE-ATT&CK is a comprehensive compilation of techniques, only an approximation of what is publicly known. We invite and encourage the broader community to contribute additional details and information to continue developing the body of knowledge. Contributions could include:

  • New techniques
  • Categories of actions
  • Clarifying information
  • Examples
  • Other platforms or environments
  • Methods of detection or mitigation
  • Data sources

See the Contribute page to learn how to get involved.

The result will help focus community efforts on areas that are not well understood or covered by current defensive technologies and best practices. Developers of current defensive tools and policies can identify where their value and strengths are in relation to the PRE-ATT&CK framework. Likewise, cyber security researchers can use PRE-ATT&CK as a grounded reference point to drive future investigation.


The MITRE PRE-ATT&CK Matrix™ is an overview of the tactics and techniques described in the PRE-ATT&CK model. It visually aligns individual techniques under the tactics in which they can be applied. Some techniques span more than one tactic because they can be used for different purposes.

Priority Definition Planning
  • Assess KITs/KIQs benefits
  • Assess current holdings, needs, and wants
  • Assess leadership areas of interest
  • Assign KITs/KIQs into categories
  • Conduct cost/benefit analysis
  • Create implementation plan
  • Create strategic plan
  • Derive intelligence requirements
  • Develop KITs/KIQs
  • Generate analyst intelligence requirements
  • Identify analyst level gaps
  • Identify gap areas
  • Receive operator KITs/KIQs tasking

Priority Definition Direction
  • Assign KITs, KIQs, and/or intelligence requirements
  • Receive KITs/KIQs and determine requirements
  • Submit KITs, KIQs, and intelligence requirements
  • Task requirements

Target Selection
  • Determine approach/attack vector
  • Determine highest level tactical element
  • Determine operational element
  • Determine secondary level tactical element
  • Determine strategic target

Technical Information Gathering
  • Acquire OSINT data sets and information
  • Conduct active scanning
  • Conduct passive scanning
  • Conduct social engineering
  • Determine 3rd party infrastructure services
  • Determine domain and IP address space
  • Determine external network trust dependencies
  • Determine firmware version
  • Discover target logon/email address format
  • Enumerate client configurations
  • Enumerate externally facing software applications technologies, languages, and dependencies
  • Identify job postings and needs/gaps
  • Identify security defensive capabilities
  • Identify supply chains
  • Identify technology usage patterns
  • Identify web defensive services
  • Map network topology
  • Mine technical blogs/forums
  • Obtain domain/IP registration information
  • Spearphishing for Information

People Information Gathering
  • Acquire OSINT data sets and information
  • Aggregate individual's digital footprint
  • Conduct social engineering
  • Identify business relationships
  • Identify groups/roles
  • Identify job postings and needs/gaps
  • Identify people of interest
  • Identify personnel with an authority/privilege
  • Identify sensitive personnel information
  • Identify supply chains
  • Mine social media

Organizational Information Gathering
  • Acquire OSINT data sets and information
  • Conduct social engineering
  • Determine 3rd party infrastructure services
  • Determine centralization of IT management
  • Determine physical locations
  • Dumpster dive
  • Identify business processes/tempo
  • Identify business relationships
  • Identify job postings and needs/gaps
  • Identify supply chains
  • Obtain templates/branding materials

Technical Weakness Identification
  • Analyze application security posture
  • Analyze architecture and configuration posture
  • Analyze data collected
  • Analyze hardware/software security defensive capabilities
  • Analyze organizational skillsets and deficiencies
  • Identify vulnerabilities in third-party software libraries
  • Research relevant vulnerabilities/CVEs
  • Research visibility gap of security vendors
  • Test signature detection

People Weakness Identification
  • Analyze organizational skillsets and deficiencies
  • Analyze social and business relationships, interests, and affiliations
  • Assess targeting options

Organizational Weakness Identification
  • Analyze business processes
  • Analyze organizational skillsets and deficiencies
  • Analyze presence of outsourced capabilities
  • Assess opportunities created by business deals
  • Assess security posture of physical locations
  • Assess vulnerability of 3rd party vendors

Adversary OPSEC
  • Acquire and/or use 3rd party infrastructure services
  • Acquire and/or use 3rd party software services
  • Acquire or compromise 3rd party signing certificates
  • Anonymity services
  • Common, high volume protocols and software
  • Compromise 3rd party infrastructure to support delivery
  • DNSCalc
  • Data Hiding
  • Domain Generation Algorithms (DGA)
  • Dynamic DNS
  • Fast Flux DNS
  • Host-based hiding techniques
  • Misattributable credentials
  • Network-based hiding techniques
  • Non-traditional or less attributable payment options
  • OS-vendor provided communication channels
  • Obfuscate infrastructure
  • Obfuscate operational infrastructure
  • Obfuscate or encrypt code
  • Obfuscation or cryptography
  • Private whois services
  • Proxy/protocol relays
  • Secure and protect infrastructure

Establish & Maintain Infrastructure
  • Acquire and/or use 3rd party infrastructure services
  • Acquire and/or use 3rd party software services
  • Acquire or compromise 3rd party signing certificates
  • Buy domain name
  • Compromise 3rd party infrastructure to support delivery
  • Create backup infrastructure
  • Domain registration hijacking
  • Dynamic DNS
  • Install and configure hardware, network, and systems
  • Obfuscate infrastructure
  • Obtain booter/stressor subscription
  • Procure required equipment and software
  • SSL certificate acquisition for domain
  • SSL certificate acquisition for trust breaking
  • Shadow DNS
  • Use multiple DNS infrastructures

Persona Development
  • Build social network persona
  • Choose pre-compromised mobile app developer account credentials or signing keys
  • Choose pre-compromised persona and affiliated accounts
  • Develop social network persona digital footprint
  • Friend/Follow/Connect to targets of interest
  • Obtain Apple iOS enterprise distribution key pair and certificate

Build Capabilities
  • Build and configure delivery systems
  • Build or acquire exploits
  • C2 protocol development
  • Compromise 3rd party or closed-source vulnerability/exploit information
  • Create custom payloads
  • Create infected removable media
  • Discover new exploits and monitor exploit-provider forums
  • Identify resources required to build capabilities
  • Obtain/re-use payloads
  • Post compromise tool development
  • Remote access tool development

Test Capabilities
  • Review logs and residual traces
  • Test ability to evade automated mobile application security analysis performed by app stores
  • Test callback functionality
  • Test malware in various execution environments
  • Test malware to evade detection
  • Test physical access
  • Test signature detection for file upload/email filters

Stage Capabilities
  • Disseminate removable media
  • Distribute malicious software development tools
  • Friend/Follow/Connect to targets of interest
  • Hardware or software supply chain implant
  • Port redirector
  • Upload, install, and configure software/tools

PRE-ATT&CK Use Cases


PRE-ATT&CK describes 15 categories of high-level tactics, derived from the first four stages of the cyber attack life cycle. With a more granular understanding of adversary activities, defenders can make more informed decisions about the potential technical and policy-based mitigations they can adopt to reduce adversary success in the pre-compromise phases of the cyber attack lifecycle, thus reducing targeted attacks. Defenders consume multiple cyber threat intelligence reporting sources with varying detail and lack a consolidated means to assess their value. PRE-ATT&CK provides the structure and breadth required for defenders to track adversary behaviors and assess data sets that will increase their insight into adversary activity.
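One way to carry out the data-set assessment described above, as an added example that is not MITRE's code: map each threat intelligence source to the PRE-ATT&CK techniques it gives visibility into, then report per-tactic coverage, uncovered techniques, and a greedy ranking of sources by the new coverage each adds. The technique-to-tactic entries are a subset of the matrix on this page; the source names and their technique mappings are constructed for illustration.

```python
from collections import defaultdict

# Technique -> tactics, a subset of the matrix on this page.
MATRIX = {
    "Conduct active scanning": {"Technical Information Gathering"},
    "Obtain domain/IP registration information": {"Technical Information Gathering"},
    "Mine social media": {"People Information Gathering"},
    "Identify job postings and needs/gaps": {
        "Technical Information Gathering", "People Information Gathering",
        "Organizational Information Gathering"},
    "Buy domain name": {"Establish & Maintain Infrastructure"},
    "Dynamic DNS": {"Adversary OPSEC", "Establish & Maintain Infrastructure"},
    "SSL certificate acquisition for domain": {"Establish & Maintain Infrastructure"},
    "Build social network persona": {"Persona Development"},
    "Test signature detection": {"Technical Weakness Identification"},
}
# Constructed sample: techniques each hypothetical data source gives visibility into.
SOURCES = {
    "passive_dns_feed": {"Dynamic DNS", "Buy domain name"},
    "cert_transparency_logs": {"SSL certificate acquisition for domain", "Buy domain name"},
    "domain_registration_alerts": {"Buy domain name"},
    "perimeter_ids_logs": {"Conduct active scanning"},
    "brand_monitoring": {"Build social network persona", "Buy domain name"},
}

def tactic_coverage(sources):
    """Map each tactic to (techniques covered by any source, techniques listed)."""
    seen = set().union(*sources.values())
    covered, total = defaultdict(int), defaultdict(int)
    for technique, tactics in MATRIX.items():
        for tactic in tactics:
            total[tactic] += 1
            covered[tactic] += technique in seen
    return {t: (covered[t], total[t]) for t in total}

def gaps(sources):
    """Techniques in MATRIX that no source reports on."""
    return sorted(set(MATRIX) - set().union(*sources.values()))

def prioritize(sources):
    """Greedy set cover: rank sources by the new techniques each one adds."""
    left, covered, order = dict(sources), set(), []
    while left:
        gain = {n: (techs & set(MATRIX)) - covered for n, techs in left.items()}
        name = max(sorted(gain), key=lambda n: len(gain[n]))
        if not gain[name]:
            break  # every remaining source is redundant for coverage
        order.append((name, sorted(gain[name])))
        covered |= gain[name]
        del left[name]
    return order
```

Sources that never appear in the `prioritize` result add no technique coverage beyond the ones already ranked, and the `gaps` list shows where additional data sources would be needed.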

ATT&CK and PRE-ATT&CK Comparison

PRE-ATT&CK is associated with ATT&CK since it adopts the same model structure and complements ATT&CK by focusing on the left-of-exploit stages of the Cyber Attack Lifecycle. PRE-ATT&CK and ATT&CK have several fundamental differences, namely:

  • ATT&CK is tightly coupled to a specific enterprise network (e.g., Microsoft Windows, Linux, or mobility environment) and therefore provides detailed technical information relative to the adversary actions and defender mitigations for each technique. PRE-ATT&CK is agnostic to these differences since the adversary can operate across any of these environments for their pre-compromise preparation activities.
  • The mitigations in ATT&CK can be very specific and effective. PRE-ATT&CK mitigations are under development and will encompass technical and policy-based mitigations. In many cases, these mitigations will not be as precise or comprehensive given the inability to fully capture all adversary activities, data, and tools.
  • While many of the ATT&CK mitigations require increased endpoint monitoring, PRE-ATT&CK largely requires additional data sources to obtain information about adversarial objectives and activities.