MITRE ATT&CK® Framework Matrices: An Overview
Introduction to MITRE ATT&CK framework matrices
The MITRE ATT&CK® framework is a tool designed to educate about cybersecurity threats and attack vectors and provide additional structure to cybersecurity knowledge. It was created and is maintained by the MITRE Corporation, a US government federally funded research and development center (FFRDC).
MITRE ATT&CK is most famous for its Enterprise Matrix, which outlines potential attack vectors against an enterprise network. However, this is only one of four matrices included under the MITRE ATT&CK framework. The framework also includes a PRE-ATT&CK matrix that covers the pre-exploit phases of the cyberattack life cycle and matrices detailing threats to mobile and ICS systems.
What's included in the MITRE ATT&CK PRE-ATT&CK matrix?
The focus of the MITRE ATT&CK PRE-ATT&CK matrix is on the first two stages of the cyberattack life cycle: Reconnaissance and Weaponization. At this point in the attack life cycle, an attacker is not actively engaged with the target, making it more difficult to detect the attacks. This matrix highlights the sources of information that an attacker may use to plan and attack and other potential indicators that could help an organization to learn that it might be actively targeted.
The PRE-ATT&CK matrix has the greatest number of tactics at fifteen. Under these fifteen tactics, it has 148 different techniques. At the time of writing, the PRE-ATT&CK matrix has not been reorganized to include sub-techniques like the enterprise matrix.
What's included in the MITRE ATT&CK enterprise matrix?
The MITRE ATT&CK enterprise matrix is designed to address the stages of the cyberattack life cycle after exploitation has begun. Its eleven tactics address the goals that an attacker may need to achieve while working toward the ultimate objective, such as achieving initial access to a system, moving laterally and performing data collection and exfiltration.
The MITRE ATT&CK enterprise matrix was reorganized in 2020 to include the concept of sub-techniques. As a result, the 11 tactics include a set of 184 techniques, each of which contains between zero and fifteen sub-techniques.
What platforms are covered by the MITRE ATT&CK enterprise matrix?
The MITRE PRE-ATT&CK matrix is infrastructure-agnostic, since it is focused on data collection and planning. The same is not true of the enterprise matrix because its goal is to cover the various ways in which an attacker could actively exploit and operate within an organization’s network and systems.
The platforms covered by the enterprise matrix are:
- Windows
- macOS
- Linux
- Amazon Web Services (AWS)
- Google Cloud Platform (GCP)
- Microsoft Azure
- Microsoft Azure AD
- Microsoft Office 365
- Software-as-a-Service (SaaS)
The enterprise matrix covers all of the tactics, techniques and sub-techniques for all of these platforms. However, MITRE also offers platform-specific matrices as well that highlight the subset of tactics, techniques and sub-techniques that are applicable to a specific platform.
What's included in the MITRE ATT&CK matrices for mobile?
The MITRE ATT&CK mobile matrix is designed to cover the same stages of the cyberattack life cycle as the enterprise matrix and uses the same list of eleven tactics. Unlike the enterprise matrix, which focuses on enterprise networks, the mobile matrix focuses on threats and attack vectors specific to mobile devices.
This means that the mobile matrix has a very different collection of techniques and sub-techniques than the enterprise matrix. These techniques are focused on mobile-specific attack vectors, so more general attack vectors that also apply to mobile devices are not included. In total, there are 100 mobile techniques, but this matrix does not yet have the sub-techniques category introduced with the enterprise matrix.
Like the enterprise matrix, the mobile matrix includes coverage of several specific mobile platforms. Users of MITRE ATT&CK can look at attack vectors specific to Android or iOS in particular in their own matrices or view all mobile attack vectors in the general mobile matrix.
What's included in the MITRE ATT&CK for industrial control systems?
MITRE also offers an ATT&CK Matrix for industrial control systems (ICS). This matrix covers the later stages of the cyberattack life cycle (like the enterprise and mobile matrices) but is focused on threats specific to critical infrastructure and SCADA systems.
Because this matrix covers the same attack stages as the enterprise and mobile matrices, it includes many of the same tactics. However, due to the different platforms in question, a couple of the enterprise/mobile tactics are not included and two ICS-specific ones are added for a total of eleven tactics. Under these tactics are included a set of 96 techniques. Like the PRE-ATT&CK and mobile matrices, this matrix has not yet been updated to include the new sub-techniques format.
Sources
- PRE-ATT&CK Matrix, MITRE
- Enterprise Matrix, MITRE
- Mobile Matrices, MITRE
- ATT&CK® for Industrial Control Systems, collaborate.mitre.org