MITRE ATT&CK Framework

The MITRE ATT&CK Framework is a knowledge base of adversary tactics and techniques that can be used as a penetration testing guide.

Background

MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a framework developed by MITRE, a non-profit organization that provides research and development services to the U.S. government. The framework catalogues the tactics, techniques, and procedures (TTPs) used by adversaries in real-world attacks, presents them as a matrix, and is designed to be a common language for describing and understanding cyber threats. Penetration testers can use the MITRE CVE framework to identify known vulnerabilities in a target’s systems and applications, and to prioritize their testing efforts based on the severity of those vulnerabilities.

Steps

The framework’s enterprise matrix is divided into the following 14 tactics, listed here as steps in the order an attack typically progresses:

  1. Reconnaissance: This involves the collection of information about the target organization or individual, including network topology, security measures, and vulnerabilities.
  2. Resource Development: This step involves the creation of tools, malware, and other resources that can be used during the attack.
  3. Initial Access: This step involves gaining an initial foothold in the target’s network, systems, or applications. This can be achieved through a variety of means, including exploiting a vulnerability, using stolen credentials, or social engineering.
  4. Execution: This step involves executing the primary payload of the attack, which can include malware installation, data theft, data leakage, or other malicious activities.
  5. Persistence: This involves establishing a foothold within the target’s environment in order to maintain access over an extended period of time.
  6. Privilege Escalation: This step involves gaining unauthorized elevated privileges within the target environment to gain access to sensitive data or systems.
  7. Defense Evasion: This step involves using various techniques to avoid detection and evade security controls, such as antivirus software, firewalls, and intrusion detection systems (IDS).
  8. Credential Access: This step involves obtaining valid user or administrative credentials that can be leveraged to gain access to additional systems and resources within the target environment.
  9. Discovery: This involves mapping out the target’s environment to identify potential targets for further exploitation.
  10. Lateral Movement: This step involves moving laterally within the target environment to gain access to additional systems and resources.
  11. Collection: This involves gathering data or information of interest, such as sensitive data, credentials, or system configurations.
  12. Command and Control: This step involves establishing and maintaining communication with remote systems that are under the control of the attacker, which are used to issue commands and receive information.
  13. Exfiltration: This involves the extraction of data or information from the target environment to a location under the control of the attacker.
  14. Impact: This involves the final result or impact of the attack, which can include data theft, system compromise, or other malicious activities.
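The matrix described above is published by MITRE as STIX 2.1 JSON, where tactics, techniques, and the column order are separate objects. The following is an added example, not code from this page or from MITRE, that rebuilds the tactic columns from such a bundle; the bundle it parses is a constructed miniature with made-up object ids (the technique ids T1595, T1566 and T1078 are real ATT&CK ids, T0000 is a placeholder), and it assumes the field names MITRE uses in its published data (`x-mitre-matrix`, `x-mitre-tactic`, `x_mitre_shortname`, `kill_chain_phases`, `revoked`, `x_mitre_deprecated`).

```python
import json
from collections import OrderedDict

# Constructed sample in the layout MITRE uses for its ATT&CK STIX 2.1 bundles; the
# object ids are made up and the bundle is a tiny stand-in, not the real dataset.
def _tactic(uid, name, short):
    return {"type": "x-mitre-tactic", "id": uid, "name": name, "x_mitre_shortname": short}

def _technique(ext_id, name, phases, revoked=False):
    return {"type": "attack-pattern", "name": name, "revoked": revoked,
            "external_references": [{"source_name": "mitre-attack", "external_id": ext_id}],
            "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": p} for p in phases]}

SAMPLE_BUNDLE = json.dumps({"type": "bundle", "objects": [
    # Column order of the matrix comes from this object, not from the order of tactic objects.
    {"type": "x-mitre-matrix", "id": "x-mitre-matrix--demo",
     "tactic_refs": ["x-mitre-tactic--recon", "x-mitre-tactic--init", "x-mitre-tactic--exec"]},
    _tactic("x-mitre-tactic--exec", "Execution", "execution"),
    _tactic("x-mitre-tactic--init", "Initial Access", "initial-access"),
    _tactic("x-mitre-tactic--recon", "Reconnaissance", "reconnaissance"),
    _technique("T1595", "Active Scanning", ["reconnaissance"]),
    _technique("T1566", "Phishing", ["initial-access"]),
    # Valid Accounts sits under several tactics; "persistence" is not a column in this sample.
    _technique("T1078", "Valid Accounts", ["initial-access", "persistence"]),
    # Placeholder id: a revoked technique must not appear in the matrix.
    _technique("T0000", "Old Technique", ["execution"], revoked=True),
]})

def build_matrix(bundle_json):
    """Return an ordered mapping of tactic name -> ["Txxxx Name", ...] in matrix order."""
    objs = json.loads(bundle_json)["objects"]
    by_id = {o["id"]: o for o in objs if "id" in o}
    matrix = next(o for o in objs if o["type"] == "x-mitre-matrix")
    columns, tactic_by_shortname = OrderedDict(), {}
    for ref in matrix["tactic_refs"]:
        tactic = by_id[ref]
        columns[tactic["name"]] = []
        tactic_by_shortname[tactic["x_mitre_shortname"]] = tactic["name"]
    for o in objs:
        if o["type"] != "attack-pattern" or o.get("revoked") or o.get("x_mitre_deprecated"):
            continue
        ext_id = next(r["external_id"] for r in o["external_references"]
                      if r["source_name"] == "mitre-attack")
        for phase in o.get("kill_chain_phases", []):
            column = tactic_by_shortname.get(phase["phase_name"])
            if phase["kill_chain_name"] == "mitre-attack" and column is not None:
                columns[column].append(f"{ext_id} {o['name']}")  # one technique, several columns
    return columns
```

Running `build_matrix` on the real enterprise bundle works the same way, but that bundle also carries sub-techniques, mitigations and detection relationships that this example ignores.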

Resources

Official MITRE ATT&CK resources: