MITRE ATT&CK Matrix

The MITRE ATT&CK® Matrix for Enterprise identifies an extraordinary breadth of cybercriminal tactics – more than 200 techniques across 14 attack categories. Developed by the nonprofit government research firm MITRE, the matrix has become a widely used means of classifying and assessing cyber-risks.

The good news is that effective email security can provide compensating controls against 10 of the 14 attack categories. The even better news is that robust email security solutions can go a long way to addressing a broad range of threats highlighted in the MITRE matrix. This interactive site is provided by GreatHorn to assist organizations in identifying if their email security solutions are providing the greatest risk mitigation.

Reconnaissance Resource Development Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact

Additional MITRE ATT&CK Content You Might Find Interesting

Defending Against More Than Phishing Attacks
Whitepaper

Defending Against More Than Phishing Attacks: Leveraging Email Security to Address the MITRE ATT&CK Matrix

Download Whitepaper >

Implementing an Email Security Strategy Using the MITRE ATT&CK Framework
On-Demand Webinar

Implementing an Email Security Strategy Using the MITRE ATT&CK Framework

Watch On-Demand >

What is the MITRE ATT&CK Matrix?
Blog

What is the MITRE ATT&CK Framework?

Read Blog >

How GreatHorn Leverages Email Security to Address the MITRE ATT&CK Matrix share
Blog

How Email Security Can Align to the MITRE ATT&CK Framework

Read Blog >

Matrix Category: Reconnaissance

Phishing for Information

Characteristics

  • Attackers send emails to users to elicit sensitive information.
  • Phishing typically leverages social engineering – such as masquerading as someone with a legitimate reason to collect data – to gain user trust.
  • The goal is to trick targets into divulging information such as user credentials.
  • Phishing that targets a specific individual is called “spearphishing.”

Common Mitigations

  • User training – Teaches users to recognize social engineering and phishing emails.

GreatHorn Protections

GreatHorn Mailbox Intelligence can inform users of the likelihood that the sender or the sender’s organization is authentic. We can also alert users of suspicious email content or automatically quarantine suspicious email. These controls can be customized to reflect each organization’s risk appetite.

Back to Top


Matrix Category: Resource Development

Compromise Accounts

Characteristics

  • Attackers compromise accounts that they can then use to target victims.
  • They can compromise accounts by phishing for credentials, purchasing credentials from third-party sources or reusing previously stolen credentials.
  • The goal is to create an online persona the victim trusts.

Common Mitigations

  • Social media monitoring – Preventive controls can’t easily mitigate this technique, because it falls outside the scope of enterprise defenses, but monitoring of social media activity related to your organization can help.

GreatHorn Protections

GreatHorn Account Takeover Protection leverages typing biometrics to uniquely identify users as they send email. It then alerts administrators of failed biometric challenges, enabling them to rapidly hone in on compromised accounts. As a result, attackers are unable to capitalize on trusted email relationships among employees to move laterally throughout the organization. This innovative approach stops attacks that traditional email security gateways would typically miss.

Back to Top


Matrix Category: Initial Access

Phishing

Characteristics

  • Attackers send emails to users to solicit sensitive information or gain access to systems.
  • Emails typically contain malicious links or attachments that execute malicious code or capture credentials such as passwords.
  • Spearphishing targets specific individuals.
  • Phishing can also be carried out through social media.

Common Mitigations

  • Antivirus (AV) software – Automatically quarantines suspicious files
  • Network intrusion prevention – Scans and removes malicious attachments and blocks suspicious links
  • Restriction of web content – Blocks access to websites and attachment types, such as .EXE and .SCR, determined not to be necessary for business operations
  • User training – Teaches users to recognize social engineering and phishing emails

GreatHorn Protections

GreatHorn delivers multiple layers of phishing detection, including message header analysis, relationship analysis, file scanning and link rewriting. Because phishing primarily uses links, we offer multiple layers of link-focused defenses. We analyze links against proprietary and third-party threat intelligence on delivery and again on user click. On user click, we inspect the destination website with machine vision to detect credential harvesting forms.

Back to Top


Trusted Relationship

Characteristics

  • Attackers breach an organization that has access to the ultimate intended victim.
  • Access through a trusted third party exploits a connection that might not be protected or might receive little scrutiny.
  • Examples include vendors that service IT, HVAC or other systems connected to the corporate network.

Common Mitigations

  • Network segmentation – Isolates infrastructure components
  • User account control – Manages permissions for trusted parties to minimize potential abuse

GreatHorn Protections

GreatHorn can analyze email flow over time to build a social graph of senders and recipients. We leverage this relationship baseline to warn users or administrators when they engage with a sender for the first time. This can protect against lookalike domains that attempt to exploit a trusted relationship with a supplier or financial institution.

Back to Top


Valid Accounts

Characteristics

  • Attackers obtain credentials of existing accounts to gain initial access, wage persistent attacks and escalate their privileges.
  • Because attackers have what appears to be legitimate access, they might not need to use malware or other detectable tools.
  • If attackers can achieve domain or enterprise administrator access, they can often bypass access controls across the organization.

Common Mitigations

  • Application developer guidance – Helps make sure applications don’t insecurely store sensitive data or credentials
  • Password policy – Requires default usernames and passwords to be changed before application deployment
  • Privileged account management – Audits domain and local accounts and permissions to uncover opportunities for attackers to obtain credentials of privileged accounts that could enable wide network access

GreatHorn Protections

GreatHorn Account Takeover Protection leverages typing biometrics to uniquely identify users as they send email. It then alerts administrators of failed biometric challenges, enabling them to rapidly hone in on compromised accounts. As a result, attackers are unable to capitalize on trusted email relationships among employees to move laterally throughout the organization. This innovative approach stops attacks that traditional email security gateways would typically miss.

Back to Top


Matrix Category: Execution

Exploitation for Client Execution

Characteristics

  • Attackers exploit application vulnerabilities – often the result of unsecure coding practices – to execute code.
  • This attack can be effective because users expect to see files related to the applications they routinely use for work.
  • Variants include:
    • Browser-based exploitation – Attackers send phishing emails with links to malicious websites.
    • Office application exploitation – Attackers send phishing emails with attachments of infected productivity software files.
    • Third-party application exploitation – Attackers leverage common business applications. The attack might require users to open a file or might be exploited in the browser.

Common Mitigations

  • Application isolation and sandboxing – Browser sandboxing can mitigate the impact of exploitation, though there might be sandbox escapes.
  • Exploit protection – Security applications can monitor for common exploitation behaviors

GreatHorn Protections

GreatHorn delivers multiple layers of phishing detection, including message header analysis, relationship analysis, file scanning and link rewriting. Because phishing primarily uses links, we offer multiple layers of link-focused defenses. We analyze links against proprietary and third-party threat intelligence on delivery and again on user click. On user click, we inspect the destination website with machine vision to detect credential harvesting forms. Finally, GreatHorn Link Protection can block users from visiting websites used for delivering malicious payloads.

Back to Top


User Execution

Characteristics

  • Attackers use phishing to drive users to take actions such as opening a malicious file or link.
  • User execution frequently occurs shortly after initial access, but it can also occur at other phases of an intrusion, such as when an attacker places a file in a shared directory.

Common Mitigations

  • Execution prevention – Prevents the running of executables masquerading as other files
  • Network intrusion prevention – Scans and removes malicious downloads
  • Restriction of web-based content – Blocks unknown or unused files in transit when users visit websites
  • User training – Teaches users to identify phishing techniques and report potentially malicious events

GreatHorn Protections

GreatHorn delivers multiple layers of phishing detection, including message header analysis, relationship analysis, file scanning and link rewriting. Because phishing primarily uses links, we offer multiple layers of link-focused defenses. We analyze links against proprietary and third-party threat intelligence on delivery and again on user click. On user click, we inspect the destination website with machine vision to detect credential harvesting forms. In addition, GreatHorn Link Protection can block users from visiting websites used for delivering malicious payloads. Finally, GreatHorn Mailbox Intelligence provides users with visual alerts to help them understand the likelihood that an email is suspicious.

Back to Top


Matrix Category: Persistence

Account Manipulation

Characteristics

  • Attackers that already have access to victim accounts modify credentials or permission groups to maintain access to victim systems.
  • Actions are typically designed to subvert security policies, such as iteratively updating passwords to bypass password duration rules.

Common Mitigations

  • Multifactor authentication – Requires multiple forms of verification for user and privileged accounts
  • Network segmentation – Configures access controls and firewalls to limit access to crucial systems and domain controllers
  • Operating-system (OS) configuration – Protects domain controllers by setting crucial servers to limit access by potentially unnecessary protocols and services
  • Privileged-account management – Prevents domain administrator accounts from being used for day-to-day operations

GreatHorn Protections

GreatHorn Account Takeover Protection leverages typing biometrics to uniquely identify users as they send email. It then alerts administrators of failed biometric challenges, enabling them to rapidly hone in on compromised accounts. As a result, attackers are unable to capitalize on trusted email relationships among employees to move laterally throughout the organization. This innovative approach stops attacks that traditional email security gateways would typically miss. GreatHorn can provide alerts of password resets, forgotten password emails, and one-time use tokens or sign-in links that many systems use to restore user access.

Back to Top


Valid Accounts

Characteristics

  • Attackers obtain credentials of existing accounts to gain initial access, wage persistent attacks and escalate their privileges.
  • Because attackers have what appears to be legitimate access, they might not need to use malware or other detectable tools.
  • If attackers can achieve domain or enterprise administrator access, they can often bypass access controls across the organization.

Common Mitigations

  • Application developer guidance – Helps make sure applications don’t insecurely store sensitive data or credentials
  • Password policy – Requires default usernames and passwords to be changed before application deployment
  • Privileged account management – Audits domain and local accounts and permissions to uncover opportunities for attackers to obtain credentials of privileged accounts that could enable wide network access

GreatHorn Protections

GreatHorn Account Takeover Protection leverages typing biometrics to uniquely identify users as they send email. It then alerts administrators of failed biometric challenges, enabling them to rapidly hone in on compromised accounts. As a result, attackers are unable to capitalize on trusted email relationships among employees to move laterally throughout the organization. This innovative approach stops attacks that traditional email security gateways would typically miss. GreatHorn can provide alerts of password resets, forgotten password emails, and one-time use tokens or sign-in links that many systems use to restore user access.

Back to Top


Matrix Category: Privilege Escalation

Valid Accounts

Characteristics

  • Attackers obtain credentials of existing accounts to gain initial access, wage persistent attacks and escalate their privileges.
  • Because attackers have what appears to be legitimate access, they might not need to use malware or other detectable tools.
  • If attackers can achieve domain or enterprise administrator access, they can often bypass access controls across the organization.

Common Mitigations

  • Application developer guidance – Helps make sure applications don’t insecurely store sensitive data or credentials
  • Password policy – Requires default usernames and passwords to be changed before application deployment
  • Privileged account management – Audits domain and local accounts and permissions to uncover opportunities for attackers to obtain credentials of privileged accounts that could enable wide network access

GreatHorn Protections

GreatHorn Account Takeover Protection leverages typing biometrics to uniquely identify users as they send email. It then alerts administrators of failed biometric challenges, enabling them to rapidly hone in on compromised accounts. As a result, attackers are unable to capitalize on trusted email relationships among employees to move laterally throughout the organization. This innovative approach stops attacks that traditional email security gateways would typically miss. GreatHorn can provide alerts of password resets, forgotten password emails, and one-time use tokens or sign-in links that many systems use to restore user access.

Back to Top


Matrix Category: Defense Evasion

Masquerading

Characteristics

  • Involves manipulation of the name or location of either a legitimate or a malicious object to evade detection.
  • Attackers manipulate aspects of artifacts such as file metadata to appear legitimate or benign to users and security tools.

Common Mitigations

  • Code signing – Requires signed binaries
  • Execution prevention – Uses application control to restrict program execution by attributes other than filename for common OS utilities
  • Restriction of file and directory permissions – Uses file system access controls to protect crucial folders

GreatHorn Protections

In phishing attacks, perpetrators often create lookalike domains to exploit trusted relationships between organizations and their suppliers or financial institutions. The goal is to convince users to divulge information or credentials, download malicious payloads, pay illegitimate invoices or alter bank routing details. Because GreatHorn establishes an email relationship baseline, it can warn users and administrators when they’re engaging with a sender for the first time.

Back to Top


Obfuscated Files or Information

Characteristics

  • Attackers make executable files difficult to discover and analyze by encrypting or encoding their contents.
  • Payloads can be compressed, archived or encrypted to avoid detection during initial access or later on.
  • Users might be required to enter a password to open a malicious file.
  • Attackers might also use compressed or archived scripts such as JavaScript.
  • Payloads can be split into separate files that reveal malicious functionality only when reassembled.

Common Mitigations

  • AV software – Applies utilities such as the Antimalware Scan Interface (AMSI) in Microsoft® Windows® 10 to analyze commands after they’re processed or interpreted

GreatHorn Protections

In phishing attacks, perpetrators often manipulate file extensions or icons of malicious attachments to trick users into downloading or executing the malicious payload. GreatHorn leverages file hashes and file hash blocklists to prevent executables and macro embedded documents from being obfuscated as a file the user trusts./p>

Back to Top


Subvert Trust Controls

Characteristics

  • Attackers undermine security controls that prevent execution of untrusted programs or warn users of untrusted activity.
  • For example, they might apply a stolen code signing certificate to malware so that OSes and security solutions treat the malware as coming from a trusted source.

Common Mitigations

  • Execution prevention – Can prevent applications from running if they weren’t downloaded from legitimate repositories
  • OS configuration – Can manage root certificates and other settings to prevent nonadministrators from making root installations
  • Restriction of registry permissions – Prevents users from modifying registry keys related to session initiation protocol (SIP)
  • Software configuration – Mitigates potential man-in-the-middle events in which an attacker uses a misissued or fraudulent certificate to intercept encrypted communications

GreatHorn Protections

GreatHorn monitors and enforces established email trust controls and best practices, including Sender Policy Framework (SPF), Domain Keys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC). For example, while DKIM ensures that a message hasn’t been modified in transit, it doesn’t guarantee the authenticity of the sender. GreatHorn adds a layer of security to DKIM by alerting administrators if the DKIM signature on the message doesn’t match the sender’s return path.

Back to Top


Template Injections

Characteristics

  • Attackers create or modify references in Microsoft Office document templates to conceal malicious code or force authentication attempts.
  • Template references injected into a document can enable malicious payloads to be fetched and executed when the document is loaded.
  • These documents can be delivered through phishing and can evade static detection, because no typical indicators of malicious code are present till after the payload is fetched.

Common Mitigations

  • AV software – Prevents documents from fetching or executing malicious payloads
  • Network- or host-intrusion prevention – Prevents documents from fetching or executing malicious payloads
  • Disabling or removal of program or features – Prevents the execution of malicious payloads in documents
  • User training – Teaches users to recognize social engineering and phishing emails

GreatHorn Protections

In phishing attacks, perpetrators often manipulate file extensions or icons of malicious attachments to trick users into downloading or executing the malicious payload. GreatHorn leverages file hashes and file hash blocklists to prevent executables and macro embedded documents from being obfuscated as a file the user trusts. It also enables administrators to set policy to detect and block macro embedded attachments if an attacker attempts to spread the malicious files through email.

Back to Top


Valid Accounts

Characteristics

  • Attackers obtain credentials of existing accounts to gain initial access, wage persistent attacks and escalate their privileges.
  • Because attackers have what appears to be legitimate access, they might not need to use malware or other detectable tools.
  • If attackers can achieve domain or enterprise administrator access, they can often bypass access controls across the organization.

Common Mitigations

  • Application developer guidance – Helps make sure applications don’t insecurely store sensitive data or credentials
  • Password policy – Requires default usernames and passwords to be changed before application deployment
  • Privileged account management – Audits domain and local accounts and permissions to uncover opportunities for attackers to obtain credentials of privileged accounts that could enable wide network access

GreatHorn Protections

GreatHorn Account Takeover Protection leverages typing biometrics to uniquely identify users as they send email. It then alerts administrators of failed biometric challenges, enabling them to rapidly hone in on compromised accounts. As a result, attackers are unable to capitalize on trusted email relationships among employees to move laterally throughout the organization. This innovative approach stops attacks that traditional email security gateways would typically miss. GreatHorn can provide alerts of password resets, forgotten password emails, and one-time use tokens or sign-in links that many systems use to restore user access.

Back to Top


Matrix Category: Credential Access

Credentials From Password Stores

Characteristics

  • Attackers scour common password storage locations in OSes and applications to obtain user credentials.
  • They can use these credentials to move laterally through the organization to access restricted data.

Common Mitigations

  • Password policy – Applies policy, technical control and user training to prevent storage of credentials in improper locations

GreatHorn Protections

GreatHorn Account Takeover Protection leverages typing biometrics to uniquely identify users as they send email. It then alerts administrators of failed biometric challenges, enabling them to rapidly hone in on compromised accounts. As a result, attackers are unable to capitalize on trusted email relationships among employees to move laterally throughout the organization. This innovative approach stops attacks that traditional email security gateways would typically miss. GreatHorn can provide alerts of password resets, forgotten password emails, and one-time use tokens or sign-in links that many systems use to restore user access.

Back to Top


Exploitation for Credential Access

Characteristics

  • Attackers exploit software vulnerabilities to obtain user credentials or circumvent secure processes for gaining access to systems.
  • They can also escalate their privileges, depending on the credentials obtained.

Common Mitigations

  • Application isolation and sandboxing – Increases the difficulty for attackers to exploit unpatched or zero-day vulnerabilities
  • Exploit protection – Uses security software to monitor and mitigate against exploitation behavior
  • Threat intelligence – Establishes the types and levels of threat that could use software and zero-day exploits against your organization
  • Patch management – Regularly updates software on enterprise servers and endpoints

GreatHorn Protections

GreatHorn Account Takeover Protection leverages typing biometrics to uniquely identify users as they send email. It then alerts administrators of failed biometric challenges, enabling them to rapidly hone in on compromised accounts. As a result, attackers are unable to capitalize on trusted email relationships among employees to move laterally throughout the organization. This innovative approach stops attacks that traditional email security gateways would typically miss. GreatHorn can provide alerts of password resets, forgotten password emails, and one-time use tokens or sign-in links that many systems use to restore user access.

Back to Top


Input Capture

Characteristics

  • Attackers obtain user credentials or capture other data from user input locations such as login pages or system dialog boxes.
  • They might leverage input-capture mechanisms such as hooking into a Windows API, or they might trick users into logging in to a fraudulent service.

Common Mitigations

  • Monitoring – Includes monitoring for certain Windows API calls, monitoring for malicious instances of command and scripting interpreters, and ensuring there are no unauthorized drivers or kernel modules that could indicate API hooking or keylogging

GreatHorn Protections

GreatHorn Account Takeover Protection leverages typing biometrics to uniquely identify users as they send email. It then alerts administrators of failed biometric challenges, enabling them to rapidly hone in on compromised accounts. As a result, attackers are unable to capitalize on trusted email relationships among employees to move laterally throughout the organization. This innovative approach stops attacks that traditional email security gateways would typically miss. GreatHorn can provide alerts of password resets, forgotten password emails, and one-time use tokens or sign-in links that many systems use to restore user access.

Back to Top


Matrix Category: Lateral Movement

Internal Spearphishing

Characteristics

  • After attackers have gained access to a victim’s accounts or systems, they can leverage internal spearphishing to access additional data or exploit other users in the organization.
  • Internal spearphishing is a multi-phase attack that either compromises the user’s credentials or controls the user’s device with malware.
  • Attackers take advantage of the trusted internal account to increase the likelihood that other users will be tricked by additional spearphishing.

Common Mitigations

  • Journaling-based solutions – Can send a copy of emails to a security service for offline analysis
  • Service integrated solutions – Can use on-premises or API-based integration to help detect internal spearphishing

GreatHorn Protections

GreatHorn Account Takeover Protection leverages typing biometrics to uniquely identify users as they send email. It then alerts administrators of failed biometric challenges, enabling them to rapidly hone in on compromised accounts. As a result, attackers are unable to capitalize on trusted email relationships among employees to move laterally throughout the organization. This innovative approach stops attacks that traditional email security gateways would typically miss. GreatHorn can provide alerts of password resets, forgotten password emails, and one-time use tokens or sign-in links that many systems use to restore user access.

Back to Top


Matrix Category: Collection

Email Collection

Characteristics

  • Attackers target user email to collect sensitive information such as employee data and intellectual property.
  • They can capture emails from both mail servers and mail clients.

Common Mitigations

  • Audit – Discovers and removes malicious auto-forwarding rules
  • Encryption of sensitive information – Requires the attacker to obtain a private certificate and encryption key
  • Multifactor authentication – Requires multiple forms of verification for user and privileged accounts

GreatHorn Protections

GreatHorn social-graph analysis can detect unusual mail volume sent to or from a user. This innovative capability can uncover a compromised account or data exfiltration.

Back to Top

email threat assessment icon

Get Your FREE Email Threat Assessment

Learn what advanced threats are currently getting through your existing email security and into your end users’ mailboxes.