The Holy Bible of Threat Intelligence: Learn the art of Actionable Intelligence

Hey friend, welcome back!

Today we will be delving into the MITRE ATT&CK framework.

This framework is the holy bible of cyber threat intelligence. It provides a common language for describing and categorizing adversarial tactics, techniques, and procedures (TTPs) based on real-world observations. It was created by MITRE Corporation, a not-for-profit organization that operates federally funded research and development centers.

The ATT&CK framework is used to analyze and understand the tactics and techniques that threat actors use to compromise, infiltrate, and exfiltrate information from a system or network. The framework consists of a matrix that lists various tactics and techniques used by attackers, such as initial access, persistence, privilege escalation, and exfiltration. In recent years, the initial matrix has been separated into three matrices that cover Enterprises, Mobile, and ICS (Industrial Control Systems). These matrices list the specific TTPs threat actors will use in each respective domain. We will focus on the Enterprise version of the framework because it is the most widely used by security professionals. That said, I encourage you to check out the Mobile and ICS versions if you have an interest in these fields.

The MITRE ATT&CK framework is widely used by cybersecurity professionals to assess and evaluate their organization’s defenses and identify areas that need improvement. By understanding the specific tactics and techniques used by attackers, defenders can take proactive measures to improve their security posture and mitigate potential threats. As a threat intelligence analyst, the MITRE ATT&CK framework is an indispensable tool as it allows collaboration within the industry when reacting to common threats.

For example, if ABC Security provides managed security services to several organisations and they see a threat actor targeting several of these organizations using similar TTPs, they will often share the TTPs used by a said threat actor with the wider community. The security team at XYZ Corp. can…