Operationalizing the MITRE ATT&CK® Framework

MITRE ATT&CK® Framework

The MITRE ATT&CK® framework is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. It systematizes the tactics and techniques of adversaries, providing a common taxonomy and reference framework for the cyber-attack kill chain. Cymulate uses the ATT&CK knowledge base extensively to create meaningful, lifelike attack scenarios that let its customers challenge, assess and optimize their security controls in the production environment.

14 Tactics of the ATT&CK Framework

The ATT&CK Matrix for Enterprise describes the cyber kill chain in 14 threat-actor tactics. The tactics are
realized with many techniques and sub-techniques, too many to list here. Furthermore, the implementation
of an individual technique can have thousands of variations. For example, to validate email security against
spear phishing emails, just one ATT&CK technique, thousands of emails with different attachments and
payloads must be created to find the ones that can get in undetected by the email security controls.

| Tactic | Description |
|---|---|
| Reconnaissance | Techniques that involve adversaries actively or passively gathering information that can be used to support targeting. |
| Resource Development | Techniques that involve adversaries creating, purchasing, or compromising/stealing resources that can be used to support targeting. |
| Initial Access | Techniques that use various entry vectors to gain their initial foothold within a network. |
| Execution | Techniques that result in adversary-controlled code running on a local or remote system. |
| Persistence | Techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. |
| Privilege Escalation | Techniques that adversaries use to gain higher-level permissions on a system or network. |
| Defense Evasion | Techniques that adversaries use to avoid detection throughout their compromise. |
| Credential Access | Techniques for stealing credentials like account names and passwords. |
| Discovery | Techniques an adversary may use to gain knowledge about the system and internal network. |
| Lateral Movement | Techniques that adversaries use to enter and control remote systems on a network. |
| Collection | Techniques adversaries may use to gather information and the sources information is collected from that are relevant to following through on the adversary’s objectives. |
| Command and Control | Techniques that adversaries may use to communicate with systems under their control within a victim network. |
| Exfiltration | Techniques that adversaries may use to steal data from your network. |
| Impact | Techniques that adversaries use to disrupt availability or compromise integrity by manipulating business and operational processes. |

Mapping Vectors to MITRE ATT&CK Tactics

Cymulate implements the tactics by attack vector; the mapping is described in the matrix below. In order to assess the
security layers of an enterprise architecture against real-world attack scenarios, we operationalize ATT&CK tactics and
techniques into attack vectors. The result is that Cymulate attack vectors implement multiple tactics and the same tactics
are implemented in multiple vectors, just as they would appear in actual attack scenarios. For example, the Recon vector
operationalizes techniques found in both the Reconnaissance and Resource Development tactics, and techniques used in
Lateral Movement are implemented in both the Endpoint and Lateral Movement vectors. We decouple endpoint security
validation from infrastructure resilience to enable our customers to assess and optimize each layer independently against the
various techniques used by threat actors to move laterally in an organization's network.

[Matrix: ATT&CK tactics (reconnaissance, resource development, initial access, execution, persistence, privilege escalation, defense evasion, credential access, discovery, lateral movement, collection, command and control, exfiltration, impact) mapped against Cymulate attack vectors and modules (Attack Surface Management, Web Gateway, Email Gateway, Web Application Firewall, Phishing Awareness, Endpoint Security, Lateral Movement, Data Exfiltration, Full Kill Chain APT, Immediate Threats Intelligence, Purple Team).]

Operationalize threat intelligence & the MITRE ATT&CK framework

To continuously challenge, assess and optimize security operations.

[Diagram labels: MITRE ATT&CK Implementation; Threat Intelligence Assessments; Custom Scenarios; Attack simulations; IT, Cloud, and Security Infrastructure; Logs; SIEM; SOAR; Correlated Findings via API; SIEM/SOAR optimization; Cymulate Portal; Output: Custom SIEM Queries; Sigma Rules, IoCs and IoBs; Detection and Mitigations Guidance]

Mapping the Results

The MITRE ATT&CK® framework has advanced the cyber security industry by providing both a comprehensive knowledge base and a common taxonomy and reference framework of the cyber-attack kill chain.
The framework enables security practitioners, ethical hackers, vendors and service providers to share a common language when describing attacks, security gaps and infrastructure weaknesses.
Cymulate shares this approach with the industry by mapping individual assessments and results to the framework.

Aggregated results provide a heat map that identifies the systematic strengths and weaknesses of a security architecture.
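
The aggregation described above, as an added example that is not Cymulate's code or data: it rolls constructed assessment results up into a heat map by attack vector and ATT&CK tactic, counting a technique under every tactic it belongs to. The record layout, the outcome labels and the 0.5 threshold are assumptions; the vector names come from this page.

```python
from collections import defaultdict

# Constructed sample results (not real assessment data). One tuple per simulated
# technique: (vector, ATT&CK technique ID, tactics it belongs to, outcome).
# The outcome labels "prevented" / "detected" / "missed" are assumptions.
RESULTS = [
    ("Email Gateway",     "T1566", ["initial access"], "missed"),
    ("Email Gateway",     "T1566", ["initial access"], "prevented"),
    ("Email Gateway",     "T1566", ["initial access"], "prevented"),
    ("Endpoint Security", "T1059", ["execution"], "detected"),
    ("Endpoint Security", "T1053", ["execution", "persistence", "privilege escalation"], "missed"),
    ("Endpoint Security", "T1003", ["credential access"], "prevented"),
    ("Endpoint Security", "T1021", ["lateral movement"], "missed"),
    ("Lateral Movement",  "T1021", ["lateral movement"], "missed"),
    ("Lateral Movement",  "T1021", ["lateral movement"], "detected"),
    ("Data Exfiltration", "T1041", ["exfiltration"], "missed"),
    ("Data Exfiltration", "T1041", ["exfiltration"], "missed"),
]

def miss_rates(results, key):
    """Miss rate per key(vector, tactic); a multi-tactic technique counts once per tactic."""
    total, missed = defaultdict(int), defaultdict(int)
    for vector, _technique, tactics, outcome in results:
        for tactic in tactics:
            k = key(vector, tactic)
            total[k] += 1
            missed[k] += outcome == "missed"
    return {k: missed[k] / total[k] for k in total}

def heat_map(results):
    """One cell per (vector, tactic) pair, so each security layer is scored on its own."""
    return miss_rates(results, lambda vector, tactic: (vector, tactic))

def by_tactic(results):
    """Collapse the vectors: how a tactic fares across every vector that exercised it."""
    return miss_rates(results, lambda vector, tactic: tactic)

def weakest(rates, threshold=0.5):
    """Keys whose miss rate is at or above the threshold, worst first."""
    hits = [k for k, rate in rates.items() if rate >= threshold]
    return sorted(hits, key=lambda k: (-rates[k], str(k)))

if __name__ == "__main__":
    for (vector, tactic), rate in sorted(heat_map(RESULTS).items()):
        print(f"{vector:<18} {tactic:<22} {rate:.0%} missed")
    print("weakest tactics:", weakest(by_tactic(RESULTS)))
```

Lateral movement appears in two cells here, one under Endpoint Security and one under the Lateral Movement vector, which is the per-layer separation the mapping section describes.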

Learn More

Webinar

SANS – Contextualizing the MITRE ATT&CK® Framework

Think of ATT&CK as a dictionary and keep in mind that the context of how & when techniques are used is equally important to effective testing

Video

Cymulate Purple Team Module

Purple Team Module leverages the MITRE ATT&CK® framework extensively, enabling security teams to create simple and complex scenarios

Whitepaper

SANS – Contextualizing the MITRE ATT&CK® Framework

Think of ATT&CK as a dictionary and keep in mind that the context of how & when techniques are used is equally important to effective testing