3.1 Explain concepts related to attack methodology frameworks.
📘CompTIA CySA+ (CS0-003)
MITRE ATT&CK is a globally accessible knowledge base of cyberattack techniques. It’s essentially a framework that describes how attackers operate in IT environments, which helps security teams understand threats, detect attacks, and respond effectively.
Think of it as a map of attacker behaviors, showing the steps they take to compromise systems, move inside a network, and achieve their goals.
1. Purpose of MITRE ATT&CK
- Understand attacker behavior: Shows what attackers do at each stage of an attack.
- Improve detection: Security teams can detect attacks faster because they know common attacker methods.
- Threat intelligence sharing: Organizations can share knowledge of threats in a standardized way.
- Test defenses: By comparing your defenses against known attacker techniques, you can find weak points.
2. Key Components of MITRE ATT&CK
MITRE ATT&CK is organized into several core parts:
a. Tactics
- Definition: The why of an attacker’s action—what they are trying to achieve at a given stage.
- Example IT-related tactics:
  - Initial Access: How an attacker first enters a network (e.g., phishing email with malware).
  - Execution: How attackers run malicious code once inside (e.g., running a script to steal credentials).
  - Persistence: How attackers maintain access over time (e.g., installing a backdoor).
  - Privilege Escalation: How attackers gain higher permissions (e.g., exploiting a server misconfiguration to become admin).
  - Defense Evasion: How attackers hide their actions (e.g., using encryption to avoid antivirus detection).
  - Exfiltration: How attackers steal sensitive data (e.g., copying database files to an external server).
b. Techniques
- Definition: The how of a tactic—specific methods attackers use to achieve their goals.
- Example IT-related techniques:
  - For Initial Access, techniques could be:
    - Phishing emails
    - Exploiting unpatched web servers
    - Using valid credentials obtained elsewhere
  - For Privilege Escalation, techniques could be:
    - Exploiting software vulnerabilities
    - Accessing misconfigured services
  - For Exfiltration, techniques could be:
    - Uploading sensitive files via FTP
    - Using cloud storage to move data out
Each tactic can have multiple techniques, and each technique can have sub-techniques for even more detail.
c. Procedures
- Definition: The real-world step-by-step actions attackers take.
- Example IT-related procedure:
  - Tactic: Privilege Escalation
  - Technique: Exploiting a Windows service misconfiguration
  - Procedure: Attacker uses a service misconfigured to run with SYSTEM privileges to execute malicious code
Procedures are practical examples that show exactly how a technique looks in action.
3. MITRE ATT&CK Matrices
MITRE ATT&CK provides matrices—visual grids that map tactics (columns) to techniques (rows). This helps teams see which techniques correspond to which tactics.
There are different matrices for:
- Enterprise: For traditional IT networks (Windows, Linux, macOS).
- Mobile: For attacks on smartphones and tablets.
- ICS (Industrial Control Systems): For SCADA and industrial networks.
How IT teams use matrices:
- Security analysts map alerts from logs and monitoring tools to the matrix to see which stage of an attack they are dealing with.
- Helps prioritize defense actions (e.g., patching, monitoring, or blocking techniques).
4. How Organizations Use MITRE ATT&CK in IT Environments
- Threat Detection
  - Map logs and alerts from servers, endpoints, and firewalls to ATT&CK techniques.
  - Example: Detect repeated failed logins → map to Credential Access tactic → investigate further.
- Incident Response
  - When an attack is detected, teams trace which tactics and techniques were used.
  - Helps answer: “Where did the attacker go? What did they touch? How do we stop them?”
- Red Team / Blue Team Exercises
  - Red team: Simulates attacks using ATT&CK techniques.
  - Blue team: Uses the matrix to detect and respond to attacks.
- Security Gap Analysis
  - Compare your defenses against known techniques to find gaps.
  - Example: If you have no monitoring for file exfiltration via cloud apps → gap identified → mitigation added.
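The Threat Detection bullet above (repeated failed logins → Credential Access → investigate) is easy to show as a small detection rule. The script below is an added example written for these notes, not code from MITRE or from the exam objectives. It parses constructed, sshd-style log lines (the hosts, usernames, and IP addresses are made up), counts failed logins per source address, and tags any source over a threshold with the public ATT&CK tactic and technique IDs for Credential Access (TA0006) and Brute Force (T1110). The split between the Password Guessing (T1110.001) and Password Spraying (T1110.003) sub-techniques uses a deliberately simple heuristic (many distinct usernames, few tries each, suggests spraying) that is my assumption, not an ATT&CK rule.

```python
"""Map repeated failed logins in log lines to an ATT&CK tactic, technique and sub-technique."""
import re
from collections import Counter, defaultdict

# Constructed sample log lines in Linux sshd style; hosts, users and IPs are made up.
SAMPLE_LOGS = """\
Jan 10 09:00:01 web01 sshd[1201]: Failed password for root from 198.51.100.23 port 51234 ssh2
Jan 10 09:00:02 web01 sshd[1202]: Failed password for root from 198.51.100.23 port 51235 ssh2
Jan 10 09:00:03 web01 sshd[1203]: Failed password for invalid user admin from 198.51.100.23 port 51236 ssh2
Jan 10 09:00:04 web01 sshd[1204]: Failed password for root from 198.51.100.23 port 51237 ssh2
Jan 10 09:00:05 web01 sshd[1205]: Failed password for root from 198.51.100.23 port 51238 ssh2
Jan 10 09:00:06 web01 sshd[1206]: Failed password for alice from 203.0.113.99 port 40001 ssh2
Jan 10 09:00:07 web01 sshd[1207]: Failed password for bob from 203.0.113.99 port 40002 ssh2
Jan 10 09:00:08 web01 sshd[1208]: Failed password for carol from 203.0.113.99 port 40003 ssh2
Jan 10 09:00:09 web01 sshd[1209]: Failed password for dave from 203.0.113.99 port 40004 ssh2
Jan 10 09:00:10 web01 sshd[1210]: Failed password for invalid user svc_backup from 203.0.113.99 port 40005 ssh2
Jan 10 09:00:11 web01 sshd[1211]: Failed password for root from 192.0.2.44 port 33001 ssh2
Jan 10 09:00:12 web01 sshd[1212]: Failed password for root from 192.0.2.44 port 33002 ssh2
Jan 10 09:00:13 web01 sshd[1213]: Accepted password for deploy from 192.0.2.44 port 33003 ssh2
"""

# sshd writes "invalid user <name>" when the account does not exist; capture both shapes.
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")

# Assumed threshold: failures from one source before we raise an alert.
THRESHOLD = 5

# Public ATT&CK identifiers for the mapping (the IDs are MITRE's, the mapping choice is ours).
TACTIC = "Credential Access (TA0006)"
TECHNIQUE = "Brute Force (T1110)"
SUB_GUESSING = "Password Guessing (T1110.001)"
SUB_SPRAYING = "Password Spraying (T1110.003)"


def parse_failed_logins(log_text):
    """Return (Counter of failures per source IP, dict of source IP -> set of usernames tried)."""
    counts = Counter()
    users = defaultdict(set)
    for line in log_text.splitlines():
        match = FAILED_RE.search(line)
        if match:
            counts[match["src"]] += 1
            users[match["src"]].add(match["user"])
    return counts, users


def classify_sub_technique(attempts, distinct_users):
    """Assumed heuristic: many different accounts with few tries each looks like spraying."""
    if distinct_users >= 3 and attempts / distinct_users < 2:
        return SUB_SPRAYING
    return SUB_GUESSING


def detect_brute_force(log_text, threshold=THRESHOLD):
    """Return alerts for sources at or above the threshold, each tagged with ATT&CK context."""
    counts, users = parse_failed_logins(log_text)
    alerts = []
    for src, attempts in counts.items():
        if attempts < threshold:
            continue
        alerts.append({
            "source": src,
            "failed_attempts": attempts,
            "usernames": sorted(users[src]),
            "tactic": TACTIC,
            "technique": TECHNIQUE,
            "sub_technique": classify_sub_technique(attempts, len(users[src])),
            "next_step": "investigate further",
        })
    # Sort by source so output is deterministic regardless of log order.
    return sorted(alerts, key=lambda a: a["source"])


if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_LOGS):
        print(f"{alert['source']}: {alert['failed_attempts']} failures against "
              f"{alert['usernames']} -> {alert['tactic']} / {alert['sub_technique']}")
```

Running it flags two sources: one hammering a couple of accounts (guessing) and one trying a different account on every attempt (spraying); the source with only two failures and a later success stays below the threshold, which is the kind of tuning decision an analyst makes when mapping alerts to the matrix.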
5. Key Terms to Remember for the Exam
- Tactic: Why an attacker does something (goal)
- Technique: How an attacker does it (method)
- Procedure: Step-by-step example of the technique in action
- Matrix: Visual representation mapping tactics to techniques
6. Quick IT Examples of Tactics and Techniques
| Tactic | Technique | IT Example |
|---|---|---|
| Initial Access | Phishing | Attacker sends malware-laced email to a user |
| Execution | PowerShell execution | Malicious PowerShell script runs to steal credentials |
| Persistence | Backdoor installation | Attacker installs a service that restarts automatically |
| Privilege Escalation | Exploit vulnerability | Exploit unpatched Windows vulnerability to get admin access |
| Defense Evasion | Obfuscation | Encrypt malware to avoid antivirus detection |
| Credential Access | Keylogging | Record user passwords via malicious software |
| Lateral Movement | Remote Desktop | Use RDP to move from one server to another |
| Exfiltration | Data upload | Copy sensitive files to an external cloud storage |
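Sections 3 and 4 describe the matrix (tactics as columns, techniques under each) and the gap-analysis use case (compare your controls against known techniques). The script below is an added example, not part of these notes or of MITRE's tooling: it builds a miniature matrix from the tactic/technique pairs in the table above, then checks them against a constructed inventory of a hypothetical organisation's controls and lists the techniques with no detection or mitigation. The control names and coverage levels are made up for illustration.

```python
"""Miniature ATT&CK-style matrix plus a defensive coverage gap analysis."""
from collections import defaultdict

# Tactic -> technique pairs transcribed from the quick-examples table in these notes.
MATRIX_ROWS = [
    ("Initial Access", "Phishing"),
    ("Execution", "PowerShell execution"),
    ("Persistence", "Backdoor installation"),
    ("Privilege Escalation", "Exploit vulnerability"),
    ("Defense Evasion", "Obfuscation"),
    ("Credential Access", "Keylogging"),
    ("Lateral Movement", "Remote Desktop"),
    ("Exfiltration", "Data upload"),
]

# Constructed inventory for a hypothetical organisation. "level" is one of:
#   "mitigate" - a control prevents or limits the technique
#   "detect"   - the technique would raise an alert
#   "none"     - no control at all (a gap)
COVERAGE = {
    "Phishing": {"control": "mail gateway attachment sandboxing", "level": "detect"},
    "PowerShell execution": {"control": "script block logging to SIEM", "level": "detect"},
    "Exploit vulnerability": {"control": "monthly patch cycle", "level": "mitigate"},
    "Obfuscation": {"control": "endpoint AV heuristics", "level": "detect"},
    "Remote Desktop": {"control": "RDP logon alerting", "level": "detect"},
    # Backdoor installation, Keylogging and Data upload are deliberately absent.
}

MARKERS = {"mitigate": "[M]", "detect": "[D]", "none": "[ ]"}


def build_matrix(rows):
    """Group techniques under their tactic, preserving the tactic order of the table."""
    matrix = defaultdict(list)
    for tactic, technique in rows:
        matrix[tactic].append(technique)
    return dict(matrix)


def coverage_level(technique, coverage):
    """Look up a technique's coverage level; anything not in the inventory counts as a gap."""
    return coverage.get(technique, {}).get("level", "none")


def find_gaps(matrix, coverage):
    """Return {tactic: [techniques with no control]} so gaps are grouped by attack stage."""
    gaps = {}
    for tactic, techniques in matrix.items():
        missing = [t for t in techniques if coverage_level(t, coverage) == "none"]
        if missing:
            gaps[tactic] = missing
    return gaps


def coverage_score(matrix, coverage):
    """Fraction of techniques in the matrix that have at least a detection or mitigation."""
    techniques = [t for ts in matrix.values() for t in ts]
    covered = sum(1 for t in techniques if coverage_level(t, coverage) != "none")
    return covered / len(techniques)


def render(matrix, coverage):
    """One line per technique with a marker, the rough equivalent of colouring a matrix cell."""
    lines = []
    for tactic, techniques in matrix.items():
        for technique in techniques:
            marker = MARKERS[coverage_level(technique, coverage)]
            lines.append(f"{marker} {tactic:<22} {technique}")
    return "\n".join(lines)


if __name__ == "__main__":
    matrix = build_matrix(MATRIX_ROWS)
    print(render(matrix, COVERAGE))
    print(f"\ncoverage: {coverage_score(matrix, COVERAGE):.0%}")
    for tactic, techniques in find_gaps(matrix, COVERAGE).items():
        print(f"gap in {tactic}: {', '.join(techniques)}")
```

The output reproduces the notes' own example: Data upload under Exfiltration shows up as a gap because nothing monitors data leaving via cloud apps, and the grouped result tells you which attack stage each missing control belongs to, which is what drives the "mitigation added" step.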
7. Why MITRE ATT&CK Matters for the Exam
- It’s commonly referenced in Server+ exam objectives under attack methodology frameworks.
- Understanding ATT&CK helps you explain:
  - How attacks happen in IT systems
  - How to detect, respond, and mitigate attacks
  - How security teams use structured frameworks for defense
✅ Exam Tip: Focus on tactics, techniques, and how they apply to IT environments. You don’t need to memorize every technique, but understand the purpose of each tactic and examples of common techniques.
