The MITRE ATT&CK framework is broken into several different matrices with unique focuses. These different focuses are reflected in the tactics included in each matrix and the techniques and sub-techniques that sit below them.
MITRE ATT&CK framework PRE-ATT&CK tactics
The MITRE PRE-ATT&CK matrix focuses on the first two stages of the cyberattack life cycle: reconnaissance and weaponization. Since these stages occur before an attacker takes any direct action against an organization’s systems, they can be difficult to detect. The PRE-ATT&CK matrix includes a set of fifteen tactics that attackers use in the process of identifying and exploiting an organization’s vulnerabilities:
Priority Definition Planning: Identifying the Key Intelligence Topics (KITs) and Key Intelligence Questions (KIQ) that need to be investigated and answered Priority Definition Direction: Collecting and assigning requirements to meet KITs and KIQs Target Selection: Process of narrowing down from strategic goals to a specific target Technical Information Gathering: Collection of information about the details of the target’s IT infrastructure People Information Gathering: Collection of information to identify key players in the target organization, such as social engineering targets or those possessing critical access Organizational Information Gathering: Collection of information about how an organization operates Technical Weakness Identification: Identification of exploitable weaknesses and vulnerabilities within the target’s IT environment People Weakness Identification: Identification of methods to gain access to persons of interest within the target organization Organizational Weakness Identification: Identification of how the organization’s operations can be exploited within an attack Adversary OPSEC: Use of technology and/or third-party services to conceal the attacker’s identity and operations from the target Establish & Maintain Infrastructure: Acquiring and maintaining infrastructure needed for the attack (e.g., command and control infrastructure) Persona Development: Creation of background personas and legitimate backstory for organizations, individuals and so on used for social engineering attacks Build Capabilities: Creating or acquiring the tools required to carry out an attack (malware and so on) Test Capabilities: Testing malware and other tools to ensure their effectiveness before performing the attack Stage Capabilities: Performing final preparations for performing the attack (installing software, setting up infrastructure and so on)
MITRE ATT&CK framework enterprise tactics
The enterprise matrix of MITRE ATT&CK focuses later in the cyberattack life cycle than the PRE-ATT&CK matrix. This matrix describes the goals that an attacker may need to achieve while moving from gaining access to the target environment to achieving their ultimate objectives. The enterprise matrix describes how an attacker could operate within an enterprise network and includes twelve tactics:
Initial Access: Establish a foothold on the target system or within the target network Execution: Start malware or other malicious code running on the target system Persistence: Implement protections to make it more difficult for an attacker’s access to be removed from the target system Privilege Escalation: Elevate the current account’s access or gain access to additional privileged accounts to achieve the permissions necessary to achieve objectives Defense Evasion: Prevent detection and removal of the attacker’s access by automated defense systems (e.g., antivirus) Credential Access: Gain access to user accounts by guessing passwords or authentication information Discovery: Explore the target environment to identify targets of interest and so on Lateral Movement: Move throughout the target environment Collection: Collect data that moves the attacker toward their objective Command and Control: Communications between the attacker and their foothold on the target network (malware and so on) Exfiltration: Removal of stolen data from the target environment Impact: Attempt to manipulate, interrupt or destroy target systems or data
MITRE ATT&CK framework mobile tactics
At the tactic level, the mobile matrix of the MITRE ATT&CK framework is identical to the enterprise matrix. These two matrices are designed to cover the same stages of the cyberattack life cycle but focus on different platforms (enterprise networks vs. mobile devices). Below the tactic level, the two matrices diverge to focus on their particular platform-specific attack vectors.
Sources
PRE-ATT&CK Tactics, MITRE Enterprise Tactics, MITRE Mobile Tactics, MITRE