
A bad guy uses a known computer trick to steal information. How does a security expert use a special map called 'MITRE ATT&CK' to guess what other bad tricks the bad guy might try next, not just what they did already?



MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques built from real-world observations of intrusions. It acts as a detailed map of the behaviors attackers use during an operation, organized around two main categories: Tactics and Techniques. Tactics are the adversary's high-level goals, the 'why' behind an action, such as Initial Access (TA0001) or Execution (TA0002). Techniques are the specific methods, the 'how', by which an adversary achieves a tactical goal, such as Phishing (T1566) or OS Credential Dumping (T1003). Many techniques are further split into sub-techniques (for example T1003.001, LSASS Memory), and each technique page lists procedures: the concrete ways specific groups and tools have been observed using it.

When a bad guy uses a known computer trick to steal information, a security expert first identifies which Technique in the MITRE ATT&CK framework matches the observed action, at the most specific level the evidence supports. For example, if the attacker used a tool to extract user credentials directly from a computer's memory, the expert would map this to OS Credential Dumping (T1003), and more precisely to the LSASS Memory sub-technique (T1003.001), which falls under the Credential Access tactic (TA0006). Getting this mapping right matters: a wrong or overly broad mapping produces wrong predictions in the steps that follow.

To guess what other bad tricks the bad guy might try next, the security expert uses the structured nature of the MITRE ATT&CK map together with the idea of an adversary lifecycle. The tactics in the Enterprise matrix are listed left to right in roughly the order an intrusion typically progresses, from Initial Access through Discovery, Lateral Movement and Collection to Exfiltration and Impact. ATT&CK does not claim this is a strict sequence, since attackers skip stages and loop back, but it is a useful default. By knowing the observed Technique and its Tactic (e.g., Credential Access), the expert understands the attacker's current objective and where they most likely stand in the overall attack chain.

The expert then extrapolates future actions by considering two main aspects:

First, they look at the Tactics that logically follow the current Tactic in the adversary lifecycle. If an attacker has successfully achieved Credential Access, it is highly probable they will next attempt Discovery (to learn about the network), Lateral Movement (to move to other systems using the stolen credentials), or Collection (to gather target data). Privilege Escalation also belongs in this picture, but usually in a different way than the matrix order suggests: dumping credentials from LSASS memory already requires elevated privileges on the compromised host, so the escalation that matters next is on other hosts, where the stolen credentials are used as Valid Accounts (T1078). The expert examines the Techniques under these subsequent Tactics to identify specific methods the attacker might employ next. For instance, after Credential Access they might anticipate Network Share Discovery (T1135) or Remote System Discovery (T1018), followed by Remote Services (T1021) such as RDP, SMB or WinRM logons with the dumped accounts, and would accordingly watch for those accounts authenticating to hosts they have never touched before.

Second, MITRE ATT&CK includes information about Procedures, the particular ways known threat groups and their tools implement Techniques. If the observed trick, and especially the specific tool, command line or sub-technique used, aligns with the documented behavior of a particular adversary group, the expert can consult the ATT&CK Group page (and the Software pages for the tools involved) for that group. These profiles list the other Tactics and Techniques that group has been observed using, which narrows the prediction of their likely next moves. For example, if the activity is characteristic of a group known for extensive data exfiltration, the expert would prioritize monitoring for Collection and Exfiltration techniques. One caveat: a single common technique such as OS Credential Dumping is used by a great many groups, so a group-based prediction built on one observation is low confidence and should be raised only as further observed techniques also match that group's profile.
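The two steps above, next-tactic extrapolation and group-profile filtering, can be mechanized. The following Python is an added worked example, not code from the original page or from MITRE; the tactic order and the technique IDs and names are a small hand-picked subset of the real ATT&CK Enterprise matrix, while the group profile at the bottom is constructed for illustration and does not describe any real threat group. In practice the TACTICS and TECHNIQUES tables would be loaded from the ATT&CK STIX data rather than hard-coded.

```python
"""Next-step hypotheses from an observed ATT&CK technique.

Added worked example; not code from the original page or from MITRE.
Tactic order, tactic IDs and technique IDs/names are a hand-picked subset
of the real ATT&CK Enterprise matrix. The group profile used at the bottom
is constructed for illustration and does not describe any real group.
"""

# ATT&CK Enterprise tactics in matrix (left-to-right) order.
TACTICS = [
    ("TA0001", "Initial Access"),
    ("TA0002", "Execution"),
    ("TA0003", "Persistence"),
    ("TA0004", "Privilege Escalation"),
    ("TA0005", "Defense Evasion"),
    ("TA0006", "Credential Access"),
    ("TA0007", "Discovery"),
    ("TA0008", "Lateral Movement"),
    ("TA0009", "Collection"),
    ("TA0011", "Command and Control"),
    ("TA0010", "Exfiltration"),
    ("TA0040", "Impact"),
]
TACTIC_INDEX = {name: i for i, (_, name) in enumerate(TACTICS)}

# Subset of techniques: id -> (name, tactics the technique can serve).
TECHNIQUES = {
    "T1566": ("Phishing", ["Initial Access"]),
    "T1078": ("Valid Accounts", ["Initial Access", "Persistence",
                                 "Privilege Escalation", "Defense Evasion"]),
    "T1059": ("Command and Scripting Interpreter", ["Execution"]),
    "T1003": ("OS Credential Dumping", ["Credential Access"]),
    "T1110": ("Brute Force", ["Credential Access"]),
    "T1087": ("Account Discovery", ["Discovery"]),
    "T1018": ("Remote System Discovery", ["Discovery"]),
    "T1135": ("Network Share Discovery", ["Discovery"]),
    "T1021": ("Remote Services", ["Lateral Movement"]),
    "T1550": ("Use Alternate Authentication Material",
              ["Defense Evasion", "Lateral Movement"]),
    "T1005": ("Data from Local System", ["Collection"]),
    "T1039": ("Data from Network Shared Drive", ["Collection"]),
    "T1560": ("Archive Collected Data", ["Collection"]),
    "T1041": ("Exfiltration Over C2 Channel", ["Exfiltration"]),
    "T1048": ("Exfiltration Over Alternative Protocol", ["Exfiltration"]),
    "T1486": ("Data Encrypted for Impact", ["Impact"]),
}


def current_stage(technique_id):
    """Return the furthest-along tactic an observed technique can serve.

    A technique such as T1078 maps to several tactics; taking the latest one
    in matrix order is the conservative choice when predicting what follows.
    """
    _, tactics = TECHNIQUES[technique_id]
    return max(tactics, key=TACTIC_INDEX.__getitem__)


def next_tactics(technique_id, horizon=3):
    """Tactics that follow the observed technique's stage in matrix order.

    Returns an empty list for a technique already at the end (Impact).
    """
    start = TACTIC_INDEX[current_stage(technique_id)] + 1
    return [name for _, name in TACTICS[start:start + horizon]]


def candidate_techniques(technique_id, horizon=3):
    """All catalogued techniques under the next `horizon` tactics."""
    upcoming = set(next_tactics(technique_id, horizon))
    return sorted(tid for tid, (_, tactics) in TECHNIQUES.items()
                  if upcoming & set(tactics) and tid != technique_id)


def prioritize(technique_id, group_profile=None, horizon=3):
    """Split candidates into those a suspected group has used and the rest.

    `group_profile` is the set of technique IDs attributed to the group,
    i.e. what an ATT&CK Group page lists as procedure examples.
    """
    cands = candidate_techniques(technique_id, horizon)
    if not group_profile:
        return {"likely": cands, "possible": []}
    return {"likely": [t for t in cands if t in group_profile],
            "possible": [t for t in cands if t not in group_profile]}


if __name__ == "__main__":
    # Constructed observation: credentials dumped from memory -> T1003.
    observed = "T1003"
    # Constructed, hypothetical group profile (not a real ATT&CK group).
    fake_group = {"T1566", "T1003", "T1021", "T1039", "T1041"}
    print("observed:", observed, TECHNIQUES[observed][0],
          "| stage:", current_stage(observed))
    print("next tactics:", next_tactics(observed))
    for bucket, tids in prioritize(observed, fake_group).items():
        print(bucket + ":", [f"{t} {TECHNIQUES[t][0]}" for t in tids])
```

Run as a script it reports that an observed T1003 puts the attacker at Credential Access, that Discovery, Lateral Movement and Collection come next, and that T1021 and T1039 are the likely candidates for the constructed group while the remaining Discovery, Lateral Movement and Collection techniques stay possible. Widening the horizon to 5 pulls Command and Control and Exfiltration into scope, which is how a group known for exfiltration would be handled. The "likely" bucket is what to turn into detections and hunt queries first.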

By combining the observed action with the logical flow of Tactics and the known behaviors of specific adversaries, the security expert forms ranked hypotheses about the attacker's likely next steps. These hypotheses drive proactive work: writing detections and hunt queries for the anticipated techniques, tightening monitoring on the accounts and systems the attacker is positioned to reach, and choosing containment actions such as resetting the dumped credentials, rather than only reacting to what has already occurred.


