In the past, security reporting was vague: "We blocked a virus." MITRE changed the game by publishing ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge), a common language for describing the steps adversaries have actually been observed taking, built from public reporting on real intrusions. It is not a catalogue of every possible attack, but it is the closest thing to a shared vocabulary that Red Teams and Blue Teams have, and it is the reference both sides measure against.
Structure of the Matrix
Tactics (Column Headers): The "Why". The goal (e.g., "Initial Access", "Privilege Escalation").
Techniques (Cells): The "How". The specific method (e.g., "Phishing", "Process Injection").
Procedures: The specific implementation (e.g., "Cobalt Strike using reflective injection").
1. The 14 Tactics (The Kill Chain)
The Enterprise matrix has 14 tactics, listed roughly in the order an intrusion unfolds. Do not read that as a strict left-to-right sequence that an attacker must complete: an adversary rarely needs every column, revisits columns (Discovery and Lateral Movement repeat on every new host), and a single action can cover several at once (a phishing attachment that drops a backdoor is Initial Access, Execution and Persistence in one step).
- Reconnaissance: Gathering info (Active Scanning).
- Resource Development: Buying servers, creating accounts.
- Initial Access: Getting in (Phishing, Exploit Public App).
- Execution: Running code (PowerShell, CMD).
- Persistence: Staying in (Scheduled Task, Registry Run Keys).
- Privilege Escalation: Becoming Admin (Token Manipulation).
- Defense Evasion: Hiding (Obfuscation, Disabling AV).
- Credential Access: Stealing passwords (LSASS dumping).
- Discovery: Mapping the network, hosts and accounts (net view, net group).
- Lateral Movement: Moving to other PCs (SMB/RDP).
- Collection: Gathering data (Screen capture).
- Command and Control: Phoning home to C2 server.
- Exfiltration: Moving the collected data out (FTP, cloud upload).
- Impact: Disrupting or destroying data and systems (ransomware encryption, wipers).
2. Using ATT&CK for Defense (Gap Analysis)
How good is your EDR? Don't say "Good". Use the matrix.
Exercise:
1. Open the ATT&CK Navigator (MITRE's web-based heatmap; you can also host it locally from its GitHub repository) and create a new Enterprise layer.
2. Select every technique (cell) that your current tools reliably block. Color them green.
3. Select the techniques you can only detect (an alert fires, nothing is stopped). Color them yellow.
4. Everything left uncolored (white) is a blind spot: no prevention and no detection. Be honest here; a vendor datasheet that mentions a technique is not coverage, a test that produced an alert in your own environment is.
If "Kerberoasting" (T1558.003) is white, you have a gap. The usual starting point is the domain controllers' Security log: Event ID 4769 (a Kerberos service ticket was requested) with Ticket Encryption Type 0x17 (RC4-HMAC), a Status of 0x0, and a service name that is a user account rather than a computer account (names ending in $) or krbtgt. One such event can be a legacy application; one account requesting RC4 tickets for many different services in a short window is the Kerberoasting signature, and that is what the SIEM rule should key on.
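A hunt over that telemetry, as an added example that is not from the original article: a PowerShell script for a domain controller that pulls recent 4769 events, applies the three filters above, and reports accounts that requested RC4 tickets for many distinct services. The lookback window, the threshold of five services and the script name hunt-kerberoast.ps1 are assumptions; tune them to your environment.

```powershell
# hunt-kerberoast.ps1  (added example, not from the article)
# Hunt for Kerberoasting (T1558.003) in a domain controller's Security log.
# Lookback window and alert threshold are assumptions; tune to your environment.
param(
    [int]$Hours = 24,               # how far back to look
    [int]$MinDistinctServices = 5   # RC4 tickets for this many different SPNs = report it
)

$since = (Get-Date).AddHours(-$Hours)

# 4769 = "A Kerberos service ticket was requested". Only fetch the window we care about.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4769; StartTime = $since } -ErrorAction SilentlyContinue

$rc4Requests = foreach ($e in $events) {
    # Field names live in <Data Name="..."> elements of the event XML.
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($node in $xml.Event.EventData.Data) { $d[$node.Name] = $node.'#text' }

    # Kerberoasting fingerprint:
    #  - TicketEncryptionType 0x17 = RC4-HMAC (the attacker asks for the weak type so the hash cracks fast)
    #  - Status 0x0 = the DC handed the ticket out
    #  - ServiceName is a user account: computer accounts end in '$', and krbtgt is the TGT itself
    if ($d.TicketEncryptionType -ne '0x17') { continue }
    if ($d.Status -ne '0x0') { continue }
    if ($d.ServiceName -like '*$' -or $d.ServiceName -eq 'krbtgt') { continue }

    [pscustomobject]@{
        Time      = $e.TimeCreated
        Requester = $d.TargetUserName   # the account that asked for the ticket
        Service   = $d.ServiceName      # the SPN owner whose password hash is now crackable offline
        SourceIP  = $d.IpAddress
    }
}

# One RC4 ticket can be a legacy app. One requester collecting tickets for many
# distinct services inside the window is the behaviour Rubeus / GetUserSPNs.py produce.
$rc4Requests |
    Group-Object Requester |
    ForEach-Object {
        $services = $_.Group.Service | Sort-Object -Unique
        if ($services.Count -lt $MinDistinctServices) { return }   # 'return' skips this group only
        $times = $_.Group.Time | Sort-Object
        [pscustomobject]@{
            Requester        = $_.Name
            DistinctServices = $services.Count
            FirstSeen        = $times[0]
            LastSeen         = $times[-1]
            SourceIPs        = ($_.Group.SourceIP | Sort-Object -Unique) -join ', '
            Services         = $services -join ', '
        }
    } | Format-Table -AutoSize -Wrap
```

Run it as an account that can read the DC's Security log. The three per-event filters (encryption type, status, service name) translate directly into a SIEM rule; the grouping step is what keeps a single legacy RC4 application from paging you at 3 a.m.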
3. Threat Intelligence Mapping
You can use the matrix to model specific actors.
Example: APT29 (Cozy Bear)
MITRE tracks known groups (APT29 is G0016) and lists the techniques that public reporting has attributed to them, for example:
- T1055.012 (Process Injection: Process Hollowing) for defense evasion.
- T1059.001 (Command and Scripting Interpreter: PowerShell) for execution.
Older write-ups cite these as T1093 and T1086; those IDs were retired when ATT&CK introduced sub-techniques, so update them before you build detections on them. If your threat intelligence says a group targets your sector, overlay that group's techniques on your coverage layer and close the gaps where the group's techniques land on your white cells first.
4. Atomic Red Team
How do you verify you can detect T1059.001 (PowerShell)? You simulate it.
Atomic Red Team (maintained by Red Canary) is an open-source library of small, scripted tests, each mapped to an ATT&CK technique ID and driven by the Invoke-AtomicRedTeam PowerShell framework.
Each test runs a command that mimics the malicious pattern without the malicious payload. If your EDR or SIEM alerts, you pass; if it stays silent, you fail, and the white cell in your layer stays white no matter what the datasheet says. Read a test before running it and run it on a lab host, since some atomics download real offensive tooling or change system settings.
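A self-contained, Atomic-style check for T1059.001, added here as an example (it is not the article's script and not code from the Atomic Red Team project): it launches a child powershell.exe with a base64-encoded command, a delivery pattern common in droppers, whose payload only echoes a random marker string, then asks the host's own logs whether anything recorded the run. The marker format, the two-second wait and the three log sources checked are assumptions; run it in an elevated PowerShell on a lab VM.

```powershell
# Atomic-style detection check for T1059.001 (added example; not Atomic Red Team's code).
# Run in an elevated PowerShell on a lab VM. Marker format, wait time and log sources are assumptions.

# Random suffix so the marker only matches the child process's decoded block,
# not the text of this script as logged by the parent shell.
$marker  = "ART-T1059-001-" + [guid]::NewGuid().ToString('N').Substring(0, 8)
$payload = "Write-Output '$marker'"   # harmless; only the delivery mimics malware
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($payload))  # -EncodedCommand expects UTF-16LE

$started = Get-Date
# The behaviour to be detected: a child powershell.exe with an encoded, non-interactive command line.
$out = & powershell.exe -NoProfile -NonInteractive -EncodedCommand $encoded
Start-Sleep -Seconds 2   # let ETW providers and Sysmon flush

$results = [ordered]@{ PayloadRan = (@($out) -contains $marker) }

# 1) Script Block Logging (Event 4104): PowerShell logs the *decoded* script text, so the
#    marker is visible here even though it crossed the command line as base64.
$sbl = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $started } -ErrorAction SilentlyContinue |
       Where-Object { $_.Properties[2].Value -like "*$marker*" }   # Properties[2] = ScriptBlockText
$results['ScriptBlockLogging_4104'] = [bool]$sbl

# 2) Security 4688 process creation: shows the command line only if
#    "Include command line in process creation events" is enabled in audit policy.
$sec = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $started } -ErrorAction SilentlyContinue |
       Where-Object { $_.Message -like "*$encoded*" }
$results['ProcessCreation_4688'] = [bool]$sec

# 3) Sysmon Event 1 (only if Sysmon is installed): process create with full command line.
$sysmon = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $started } -ErrorAction SilentlyContinue |
          Where-Object { $_.Message -like "*$encoded*" }
$results['Sysmon_ProcessCreate_1'] = [bool]$sysmon

# True = the host produced telemetry for the technique. Whether your EDR/SIEM *alerted*
# on it is the next question, and you answer that in the console, not here.
[pscustomobject]$results | Format-List
```

Three False results is not an EDR failure yet; it means the host is not producing telemetry at all. Turn on Script Block Logging and process command-line auditing (or deploy Sysmon) and re-run, then check whether the alert reached the console. With the real framework the same loop is Invoke-AtomicTest T1059.001 -ShowDetailsBrief to list the tests, -CheckPrereqs for the one you pick, the run itself, and -Cleanup afterwards.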
Conclusion
Stop buying "Magic Boxes". Start mapping your coverage. MITRE ATT&CK turns security from a "feeling" into a measurable engineering discipline.