Mitre ATT&CK framework: What is it and does it work for K8s environment?

Ariel Shuper
Ariel Shuper

Wednesday, December 2nd, 2020

Faced with the proliferation of complex attacks, cyberdefense needs to switch to Tactics, Techniques, and Procedures (TTPs) focused strategies.
Workloads Defined as the toughest obstacle to overcome in Bianco’s pyramid of pain, TTPs based defenses force attackers to desist from simply using available attack vectors and tools, compelling them to continuously invent new behaviors. MITRE ATT&CK is the most advanced taxonomy of TTPs available today and provides cyber defenders with interactive matrices invaluable in to defining effective defensive strategies.

The MITRE ATT&CK framework:

  • Collects information about existing and emerging threats and adversarial attack
  • Collates and organizes those threats in
    • Tactics: the goal of the attacker
    • Techniques and sub-techniques: the methods used by attackers
    • Procedures: technical details or directions used by attackers
  • Correlates this data into the MITRE ATT&CK navigator in ATT&CK matrices designed to map attacks’ waterfall across entire architectures. It provides cyber defenders with an overarching view of the escalation path of each specific attack. The elegance, efficiency, and thoroughness of the ATT&CK matrix are best exemplified through understanding how it is applied. For example, in a K8s environment, a typical attack begins by exploiting a container vulnerability to perform actions on the breached container. More worryingly, it can obtain additional permissions to access the host and gain access to additional containers on the same host. The attacker attempts to progress to more nodes and gain control and abuse cluster resources or access the organization’s crown jewels. The typical defense is based on detecting the attack vector and disabling it. However, such a technique fails to address the potentially broader scope of the attack and may, for example, overlook stealth escalation techniques, leaving APT (Advanced Persistent Threat) undetected. This typical defensive tactic is aligned with CIS Benchmarks, a comprehensive set of recommendations to tighten security context. Though CIS Benchmarks provide robust configuration guidelines, they fail to deliver threat hunters with the security context needed to predict attack escalation patterns and proactively prevent or mitigate attacks’ lateral movements. The MITRE ATT&CK framework, on the contrary, equips cyber defenders with a tool to predictrognosticate the attack’s escalation pattern and either prevent it or rapidly mitigate it.


MITRE ATT&CK is an interactive knowledge base documenting TTPs for cyberdefense purposes. It is the brainchild of the MITRE Corporation, a Federally Funded Research and Development Center (FFRDC)., MITRE assists US government partners ranging from the Department of Defense to the IRS in research and development of advanced technologies. In cyberspace, MITRE is known for helping maintain the Common Vulnerabilities and Exposures (CVE) list, an invaluable input for managing vulnerabilities worldwide. In 2013, MITRE launched the Ford Meade eXperiment (FMX) experiment: a red team attack against a living lab of over 200 hosts on a corporate network, manned by live users behaving routinely. The red team head, Blake Storm, uncovered the attackers’ Achilles heel. Unlike the number of offensive tools available to hackers, the variations in attackers’ behavior once they breach an environment are limited and slow to evolve. This realization led to the creation of the ATT&CK framework. Since 2015, ATT&CK is open to the public and enriches its database through information from MITRE corporation research center and community-generated information. Regularly updated, it provides comprehensive information about new attack vectors and attackers’ behavior. Today, MITRE ATT&CK discloses adversarial Tactics, Techniques, and Procedures (TTPs), empowering cyber defenders to understand and integrate attackers’ behavioral patterns in their defense strategy.

The MITRE ATT&CK Matrice Interface

The MITRE ATT&CK framework is organized into three matrices: Enterprise – covers the attack tactics and techniques targeting any organization environment, on-premise, hybrid, and cloud-native

  • Mobile – expands on NIST’s Mobile Threat catalog and covers mobile-specific attack and escalation tactics and techniques, and the Network-based effects
  • ICS – covers adversarial actions against Industrial Control Systems (ICS) networks Together, they comprise an end-to-end attack chain, filled with a comprehensive overview of all the offensive techniques used by attackers. This overall view provides blue teams with a degree of visibility into confirmed techniques and tactics previously reserved for elite IR responders. Each ATT&CK matrice pillar corresponds to a tactic and contains the techniques and sub-techniques pertaining to that tactic.
! Enterprise !! Mobile !! ICS
Initial Access
Resource Development
Privilege Escalation
Credential Access
Impair Process Control
Service Effects

Each tactic pillar lists the techniques and sub-techniques used by attackers.

Threat hunters can map specific threat groups’ escalation paths and visualize the attack’s predictable targets at different stages by selecting a threat group or malicious software or identifying an optimal mitigation path to follow for specific actions.

Threat hunters can either select or view each element. Viewing redirects to an information page, and selecting maps the attack path.

Selecting APT28, for example, and applying a red color code, will display the threat access vectors and potential escalation path.

The threat hunter can dig further down each technique to pinpoint sub-techniques used.

The Limits of MITRE ATT&CK

MITRE ATT&CK is built on shared threat intelligence combined with a powerful matrice. Sharing threat intelligence collected globally in real-time is invaluable to hamper the progress of attackers, as it discloses new tactics and tools as they unfold and enables defenders to rapidly integrate preventive and defensive strategies. This forces malicious actors to constantly create new attack vectors.

When the shared intelligence includes attack strategies in addition to the tool, as the ATT&CK matrices do, the cost of creating new effective attack schemes rises considerably, and the rate of new effective attack vector creation shrinks accordingly. It also adds a layer to the now dominating zero-trust security dogma “Trust no-one, always verify,” by locking potentially vulnerable entry points even before an attempted intrusion is detected. By its very nature, though, ATT&CK’s framework is comprehensive and aims at providing actionable information to all cyber defenders working on all platforms. This encompassing overview’s downside is that cyber defenders need to sort through a number of techniques that are not relevant for their environment. Additionally, ATT&CK is a knowledge base and not a cyber defense tool. This means its effectiveness is dependent on the cyber defense team’s ability to utilize it. Ideally, the ATT&CK matrice is integrated into organization defense tools, either on a custom base or through a vendor solution that integrates the ATT&CK framework.


Developed primarily for Linux, Windows, and macOS platforms and cloud based attacks, the ATT&CK framework needs to be calibrated specifically for K8s to elaborate on the different security checks and exploit information in a K8s security context. Cisco Cloud Native Security Solution integrates the recently published Microsoft Threat Matrice for Kubernetes and ATT&CK’s threat-based model into a matrice tailored for Kubernetes. The Cisco Cloud Native Security Solution framework displays attack risks and their applicability to deployed clusters in an interface similar to the ATT&CK matrice. It shows at a glance how your environment is affected by known attack vectors and what actions to take to strengthen your defense in real-time. You can watch it in action on our MITRE ATT&CK Framework for Kubernetes and Container Runtime Security webinar.