Network Security

What MITRE ATT&CK says about the ideal NDR

The modern attacker is growing more sophisticated and adept at not only breaching enterprise defenses but doing so without being spotted. And while most attacks still begin in straightforward ways, such as with an email phishing attack, or trying to social engineer users on social media, it’s often what they do thereafter. If enterprise security teams can spot attacks early in their lifecycle, it will dramatically improve outcomes and will be the difference between whether the attack is a nuisance that can be dusted off, or one that’s debilitating and costly.

Sooner or later, the vast majority of attacks will involve the network, and savvy enterprises will know how to identify the telltale signs in time. Consider the typical ransomware attack, which involves the attackers typically breaching an endpoint and moving laterally throughout the organization to find systems of value and infecting endpoints, servers, and storage that they can encrypt for extortion.

The attack that crippled the shipping and logistics giant Maersk was one such famous attack. Following the breach of an endpoint device, the attackers kept active. They moved laterally and infected more and more endpoints until they captured most endpoint devices within Maersk. From there, they encrypted the endpoints they compromised and essentially shut the company down.

What organizations need to be able to do is identify such attacks as they unfold. And one of the most effective ways to do that is with what’s known as MITRE Adversarial Tactics, Techniques, and Common Knowledge (the MITRE ATT&CK framework). When studying the MITRE ATT&CK matrix, we learn much about what an ideal network detection and response (NDR) tool should provide.

MITRE ATT&CK explained

MITRE ATT&CK is a clearly defined knowledge base of the techniques and tactics digital attackers are known to use in real-world attacks. The framework is used by organizations around the world to better identify the distinct stages of a cyber-attack. Because most attacks will utilize some aspect of the ATT&CK matrix over time, an effective enterprise network detection and response (NDR) capability (and NDR toolset) will be able to actively recognize the various stages of a digital attack.

MITRE ATT&CK currently consists of 14 tactics within digital attacks, with each facet consisting of a number of techniques, currently ranging from a low of seven techniques to a high of 42. There are number of sub-techniques as well. Here are the current 14 tactics:

Reconnaissance: Learning about the target, such as scanning externally-facing applications.

Resource Development: A stage of preparation, such as creating social media accounts that will be used during the attack to cyber exploit development, etc.

Initial access: The act of getting into an endpoint or workload. This could be as simple as a phishing attack to something as complex as exploiting a weakness in a networked application.

Execution: The attacker has gained initial access and is now running malware or attack code within a system controlled by the targeted victim.

Persistence: Now that the attacker is in, they want to remain in the targeted organization. There are many ways they do this, from creating new accounts to hijacking operating system processes.

Privilege escalation: The attacker looks for ways to increase their level of permissions. For instance, they may look for ways to go from a standard user to an admin.

Defense evasion: The attacker uses techniques to remain hidden, such as deploying a container to hide within and attack systems from.

Credential access The attacker tries to get account access by stealing or even guessing usernames and access.

Discovery: The attacker is surveilling the environment from the inside to learn as much as possible.

Collection: The attacker uses techniques that typically involve using scripts to automatically gather information stored locally, in the cloud, or in volatile memory.

Command and control: The attacker can send commands and receive feedback from the systems compromised within the victim’s environment.

Exfiltration: Often, after data is gathered, the attacker will package the data for stealing, oftentimes compressing or encrypting it so systems don’t recognize it as it traverses a network.

Impact: This is the outcome of many attacks and will range from web site defacement to data manipulation to deny access to a service to encrypting the data for a ransomware attack.


The ideal NDR will identify adversarial behavior and techniques across many of these tactics, but no NDR will identify all of them. But in ongoing attacks, such as that which struck Maersk, there are many opportunities as the adversary moves laterally to spot and intercept the attack. It would be quite difficult to spot attackers customizing malware on their own systems or creating social media accounts that will later be used as part of social engineering attacks.

But the ideal NDR will certainly both detect and respond to attacker actions, such as when malware begins to establish internal beaconing and command and control, when the threat actor moves laterally via common ports and protocols like RDP, or when a threat actor propagates the malware laterally over SAMBA. Of course, any ideal NDR will be able to identify exfiltration techniques, such as when data is being packaged for theft, or communication protocols used to transfer data. The more of the 222 techniques an NDR platform can cover, the better.

The ideal NDR will also scrutinize north-south and east-west traffic to detect attack techniques and anomalies across networks, cloud systems, and applications and use network traffic analysis (NTA) in tandem with file analysis and intrusion detection and prevention systems (IDPS), all coupled with machine learning and threat intelligence to deliver high-fidelity insights into threats across the MITRE ATT&CK matrix.

It’s important to be sure to watch the MITRE ATT&CK framework as attack techniques within the various tactics are always evolving. As cloud computing evolves (and it will) and endpoints continue to expand with mobile and IoT technologies, expect the nature of attacks to continue to evolve. But a powerful NDR and a focus on the MITRE ATT&CK framework makes it not only possible but much more likely to spot attacks before they get too costly or damaging.

George V. Hulme

An award winning writer and journalist, for more than 20 years George Hulme has written about business, technology, and IT security topics. He currently freelances for a wide range of publications, and is security blogger at From

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.