MITRE ATT&CK mapping

MITRE ATT&CK mapping at a glance

The MITRE ATT&CK mapping, better known as the MITRE ATT&CK Framework (ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge), comes from the MITRE Corporation of the same name.

MITRE Corporation is a non-profit organization that emerged from an MIT spin-off and is responsible, among other things, for administering the CVE list (Common Vulnerabilities and Exposures).

Toolbox and knowledge base

MITRE ATT&CK mapping is essentially a toolbox or knowledge base made up of several matrices of cyberattack techniques. These are arranged by the purpose they serve (referred to as tactics) and can be further grouped by platform (e.g. Windows, PRE, iOS, SaaS, ICS, etc.).

Another framework?

The difference between MITRE ATT&CK mapping and the Cyber Kill Chain

First things first: the introduction of MITRE ATT&CK mapping has not made Lockheed Martin's Cyber Kill Chain obsolete.

The situation is much like the many project-management frameworks, which exist because no single framework can cover every facet of every project. MITRE ATT&CK mapping developed as a logical consequence of the need to classify attacker behaviour, techniques and procedures in general, and to map them in detail onto every real environment in our ever-growing IT landscape.

Cyber Kill Chain

The Cyber Kill Chain offers a very procedural view of an attack, with fixed sequential stages for a successful attack, similar to the waterfall model in project management. For visualizing possible or actually suffered individual attacks, especially for people who are not yet deeply involved in threat modelling or threat hunting, the Cyber Kill Chain is therefore a good choice.

Reality, i.e. how things actually proceed in real environments, in pentesting and red teaming as well as in threat hunting and threat modelling, is only captured by this to a very limited extent. The path to the goal is rarely obvious from the outset; the possibilities are manifold and, as is well known, many roads sooner or later lead to Rome. The attacker or attackers (but perhaps also the pentester) "puzzle" their way from one opportunity to the next toward their target. MITRE ATT&CK mapping takes this fact into account.

On the defending side, the blue team, the picture looks very similar.

Since there is not just "one" way for attackers into the "castle" that needs to be blocked, and attackers only have to succeed once, the first and most important step is to "get an idea of the situation".

Which entry points and gateways could attackers find, what could they bring to bear to exploit them, how can you protect yourself against them and, more importantly, how can you detect them?

This is where MITRE ATT&CK mapping scores with its technique-based approach and the breakdown into further sub-techniques, ordered by the purpose (tactic) the attacker pursues.

Not only does this offer a much deeper insight than the Cyber Kill Chain; MITRE ATT&CK mapping also combines it with references, explanations and insights into well-known examples (e.g. Emotet or Trickbot), possible countermeasures (depending on the platform), and ways of detection. In addition, MITRE Corporation is constantly adapting the framework to keep it as current as possible and in step with real-world conditions.

What is MITRE ATT&CK mapping good for?

Due to its history, there is a natural focus on threat modelling and hunting and, as a result, on technically skilled staff or those who want to become such. However, these are not the only use cases. MITRE ATT&CK mapping is also useful for:

- The simulation and analysis of attacker behaviour and malware in threat modelling
- Supporting red teaming and purple teaming
- Uncovering gaps in protections and training scenarios for SIEMs and SOCs
- Deepening and disseminating knowledge
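To make the "uncovering gaps in protections" use case concrete, here is a small added example (it is not code from the original page or from MITRE): it takes a constructed excerpt of the matrix with a few real technique IDs, groups the techniques by tactic for one platform, and checks a constructed set of SIEM-style detection rules against them to find tactics with no detection at all, rolling sub-techniques up to their parent technique on the way. The technique entries and the rules are constructed sample data, not the full knowledge base.

```python
from collections import defaultdict

# Constructed excerpt of the ATT&CK knowledge base: real technique IDs and names, but only a handful of entries.
TECHNIQUES = {
    "T1566":     {"name": "Phishing", "tactic": "initial-access", "platforms": {"Windows", "SaaS"}},
    "T1566.001": {"name": "Spearphishing Attachment", "tactic": "initial-access", "platforms": {"Windows"}},
    "T1059":     {"name": "Command and Scripting Interpreter", "tactic": "execution", "platforms": {"Windows", "Linux"}},
    "T1059.001": {"name": "PowerShell", "tactic": "execution", "platforms": {"Windows"}},
    "T1003":     {"name": "OS Credential Dumping", "tactic": "credential-access", "platforms": {"Windows", "Linux"}},
    "T1021":     {"name": "Remote Services", "tactic": "lateral-movement", "platforms": {"Windows", "Linux"}},
}

# Constructed detection rules, tagged with the technique(s) they detect the way a SIEM rule set carries ATT&CK tags.
RULES = [
    {"name": "Office app spawns script host", "techniques": ["T1566.001"]},
    {"name": "Encoded PowerShell command line", "techniques": ["T1059.001"]},
    {"name": "Suspicious LSASS memory access", "techniques": ["T1003"]},
]

def matrix_for(platform):
    """Group technique IDs by tactic, keeping only those that apply to the platform."""
    matrix = defaultdict(list)
    for tid, tech in TECHNIQUES.items():
        if platform in tech["platforms"]:
            matrix[tech["tactic"]].append(tid)
    return dict(matrix)

def coverage(platform, rules=RULES):
    """Per tactic, return (covered, uncovered) technique IDs for the platform.
    A rule tagged with a sub-technique also counts toward its parent technique."""
    covered = set()
    for rule in rules:
        for tid in rule["techniques"]:
            covered.add(tid)
            covered.add(tid.split(".")[0])  # roll the sub-technique up to its parent
    return {
        tactic: (sorted(t for t in tids if t in covered),
                 sorted(t for t in tids if t not in covered))
        for tactic, tids in matrix_for(platform).items()
    }

def uncovered_tactics(platform, rules=RULES):
    """Tactics in which no technique for the platform is detected at all: the gaps to prioritise."""
    return sorted(t for t, (cov, _) in coverage(platform, rules).items() if not cov)

if __name__ == "__main__":
    for tactic, (cov, gap) in coverage("Windows").items():
        print(f"{tactic:18s} covered={cov} uncovered={gap}")
    print("tactics with no detection at all:", uncovered_tactics("Windows"))
```

With the sample data, the Windows matrix shows lateral movement as the tactic without any detection, which is exactly the kind of gap a SOC would turn into a training scenario or a new rule.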