The MITRE ATR&CK framework is a well known and widely used knowledge base of cyber adversary tactics, techniques and procedures, and is based on observations on real-world attacks.

The framework applies to the following technologies:

  • Enterprise IT systems: Windows, macOS, and Linux
  • Cloud systems: Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), Software-as-a-Service (SaaS), Office 365, and Azure Active Directory (Azure AD)
  • Mobile devices: Android and iOS

MITRE ATT&CK can be used to develop threat models, emulate adversaries, help security operations, improves overall security posture, verify defenses, develop security arthitecture, and so on.

The list shows that the most used tactic is Defense Evasion, which means that companies should focus on hardening and patching their infrastructure.

T1086 PowerShell
Tactic: Execution

T1003 Credential Dumping
Tactic: Credential Access

T1036 Masquerading
Tactic: Defense Evasion

T1055 Process Injection
Tactic: Defense Evasion, Privilege Escalation

T1059 Command-line Interface
Tactic: Execution

T1064 Scripting
Tactics: Defense Evasion, Execution

T1053 Scheduled Task
Tactic: Execution, Persistence, Privilege Escalation

T1060 Registry Run Keys / Startup Folder
Tactic: Persistence

T1082 System Information Discovery
Tactic: Discovery

T1089 Disabling Security Tools
Tactic: Defense Evasion

The ATT&CK list also shows that Windows is the most attacked platform and that file system access controls and system access controls were the most bypassed defense controls, a finding that supports the need for system hardening.