MITRE ATT&CK and CAPEC Frameworks
MITRE ATT&CK and CAPEC are complementary frameworks that support GRC (Governance, Risk, and Compliance) initiatives and are critical for CompTIA CASP+ professionals.
MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a globally accessible knowledge base documenting real-world adversary tactics and techniques based on extensive research and threat intelligence. It organizes attacker behavior into a matrix format across multiple platforms (Windows, macOS, Linux, mobile). ATT&CK serves three main functions: (1) threat modeling and assessment by mapping known adversary behaviors, (2) detection and defense improvement through understanding attack patterns, and (3) adversary profiling to understand group-specific TTPs (Tactics, Techniques, Procedures). For GRC, ATT&CK helps organizations align security controls with realistic threat scenarios, improving risk assessments and compliance evidence.
CAPEC (Common Attack Pattern Enumeration and Classification) provides attack patterns at a more abstract level, describing the 'how' of attacks from a technical execution perspective. It details attack patterns with prerequisites, resources, and step-by-step attack methodologies. CAPEC focuses on enabling security professionals to understand the vulnerabilities exploited and the defense mechanisms needed.
Key Differences: ATT&CK emphasizes what adversaries actually do (post-compromise behavior), while CAPEC explains how technical attacks are executed (attack methodology). ATT&CK uses a tactics-techniques-procedures framework; CAPEC uses hierarchical attack patterns.
For CASP+ and GRC: These frameworks enable threat-informed defense, improving governance through risk quantification, compliance mapping (e.g., NIST CSF controls to ATT&CK techniques), and enterprise security strategy development. Organizations use both frameworks together: CAPEC identifies vulnerabilities to address, while ATT&CK prioritizes which adversary techniques pose greatest risk. This combined approach strengthens security posture, reduces compliance gaps, and justifies security investments.
MITRE ATT&CK and CAPEC Frameworks: Complete Guide for CompTIA Security+
Introduction to MITRE ATT&CK and CAPEC Frameworks
In today's cybersecurity landscape, understanding adversary tactics and techniques is crucial for any security professional. The MITRE ATT&CK and CAPEC frameworks provide structured, empirical approaches to categorizing and understanding cyber attacks. For CompTIA Security+ exam takers, mastering these frameworks is essential for answering questions about threat intelligence, incident response, and security architecture.
Why These Frameworks Are Important
Standardized Language: Both frameworks provide a common vocabulary that security professionals use globally. This standardization helps organizations communicate about threats and vulnerabilities more effectively.
Threat Intelligence: Understanding MITRE ATT&CK helps you map real-world attacks to documented tactics and techniques, improving your ability to detect and respond to threats.
Defense Prioritization: These frameworks help security teams identify which attacks are most prevalent and dangerous, allowing them to prioritize defensive measures accordingly.
Exam Relevance: CompTIA Security+ expects candidates to understand how to use these frameworks for threat analysis, incident response planning, and security risk assessment.
What is MITRE ATT&CK?
Definition: MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations of cyber attacks.
Structure: The framework is organized hierarchically:
Tactics: The 'why' - the strategic objectives of an attacker (e.g., Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact).
Techniques: The 'how' - specific methods attackers use to accomplish tactical objectives. Each technique includes detailed descriptions, examples, and mitigation strategies.
Sub-techniques: More granular variations of techniques, providing additional specificity about how attacks are executed.
Platforms Covered: MITRE ATT&CK includes information relevant to:
- Windows
- Linux
- macOS
- iOS
- Android
- Cloud platforms (AWS, Azure, GCP)
- Network devices
- Containers
What is CAPEC?
Definition: CAPEC (Common Attack Pattern Enumeration and Classification) is a comprehensive dictionary and classification taxonomy of known attack patterns, their characteristics, and the methods used to execute them.
Purpose: CAPEC focuses on the mechanisms of attacks - how attackers actually exploit vulnerabilities - providing a more technical and detailed perspective than ATT&CK.
Structure: CAPEC is organized into categories and attack patterns that describe:
- Attack mechanisms
- Prerequisites for successful attacks
- Attack step sequences
- Related exploits and vulnerabilities
- Consequences and impact
- Mitigation and detection strategies
Key Difference from ATT&CK: While ATT&CK focuses on what adversaries do and why, CAPEC focuses on how they technically achieve their objectives. CAPEC is more detailed about the technical exploitation process.
How MITRE ATT&CK Works
The Tactical Framework:
1. Initial Access: Techniques for gaining a foothold in a network (phishing, supply chain compromise, valid accounts)
2. Execution: Running malicious code (command line, scripts, PowerShell)
3. Persistence: Maintaining presence in the environment (scheduled tasks, registry modifications, web shells)
4. Privilege Escalation: Gaining higher-level access (exploiting vulnerabilities, credential dumping)
5. Defense Evasion: Avoiding detection (disabling security tools, obfuscation, living off the land)
6. Credential Access: Stealing credentials (brute force, credential dumping, keylogging)
7. Discovery: Learning about the target system and network (network scanning, system enumeration)
8. Lateral Movement: Moving through the network to reach objectives (pass the hash, remote services)
9. Collection: Gathering data of interest (screen capture, clipboard data, email collection)
10. Command and Control: Communicating with compromised systems (DNS, HTTP/HTTPS, dead drop)
11. Exfiltration: Stealing data from the network (data compression, encrypted channels)
12. Impact: Achieving final objectives (data destruction, resource hijacking, service degradation)
Using the Kill Chain Model: ATT&CK aligns with the Cyber Kill Chain concept, where attackers progress through stages. Understanding this progression helps identify where defensive measures should be implemented.
How CAPEC Works
Attack Pattern Categories:
1. Social Engineering: Manipulating people to divulge confidential information
2. Supply Chain: Targeting systems through upstream suppliers or dependencies
3. Web-based: Exploiting web applications (SQL injection, cross-site scripting)
4. Software-based: Exploiting vulnerabilities in software execution
5. Physical: Exploiting physical security weaknesses
6. Hardware-based: Exploiting hardware vulnerabilities
How CAPEC Details Attacks:
Each CAPEC pattern includes:
- Attack Steps: Sequential actions an attacker must take
- Prerequisites: Conditions that must exist for the attack to work
- Related Vulnerabilities: CWEs (Common Weakness Enumeration) that enable the attack
- Mitigations: Defensive strategies to prevent or mitigate the attack
- Example Scenarios: Real-world instances of the attack pattern
Relationship Between MITRE ATT&CK and CAPEC
Complementary Perspectives:
- MITRE ATT&CK: Answers 'What did the attacker do?' and 'Why did they do it?' at a strategic level
- CAPEC: Answers 'How did the attacker do it?' with technical detail
Integration in Security Analysis:
A security professional might use both frameworks together. For example:
- A MITRE ATT&CK technique of 'Credential Access via Credential Dumping' could correspond to multiple CAPEC patterns that detail the specific technical methods (LSASS memory dump, registry hive dump, etc.)
- CAPEC helps identify which specific vulnerabilities or misconfigurations enable the ATT&CK techniques
- Together, they provide comprehensive threat intelligence for defense strategy
How to Answer Exam Questions on These Frameworks
Question Type 1: Identifying Tactics and Techniques
Example: 'A threat actor has disabled Windows Defender and Windows Firewall on a compromised system. Which MITRE ATT&CK tactic is being employed?'
Answer Strategy:
- Recognize the action (disabling security tools)
- Identify the goal (avoiding detection)
- Match to the appropriate tactic (Defense Evasion)
- Consider the specific technique (Disable or Modify Tools, Impair Defenses)
Question Type 2: Kill Chain Progression
Example: 'After gaining initial access through a phishing email, an attacker needs to establish persistent access and avoid detection. Which tactics should they employ in sequence?'
Answer Strategy:
- Start with the tactic that aligns with 'initial access' (Initial Access)
- Progress to execution of payload (Execution)
- Then establish long-term presence (Persistence)
- Hide from detection (Defense Evasion)
- Remember the logical progression of the kill chain
Question Type 3: CAPEC-Specific Technical Details
Example: 'What technical prerequisites must an attacker have to execute a SQL injection attack?'
Answer Strategy:
- Identify this as a CAPEC question (asking about technical mechanisms)
- Think about technical requirements: access to user input fields, unsanitized input handling, database connectivity
- Reference CAPEC categories (web-based attacks)
- Consider related CWEs (CWE-89 for SQL Injection)
Question Type 4: Mitigation and Detection
Example: 'How can organizations detect and mitigate Living off the Land attacks?'
Answer Strategy:
- Recognize 'Living off the Land' as a Defense Evasion technique
- Consider mitigations: application whitelisting, script blocking, behavioral analysis
- Think about detection: audit logs, process monitoring, command line logging
- Both frameworks include mitigation strategies you should familiarize yourself with
Question Type 5: Framework Selection
Example: 'A security analyst is creating detection rules for command injection attacks. Should they reference MITRE ATT&CK or CAPEC?'
Answer Strategy:
- CAPEC is better for understanding the technical exploitation method
- ATT&CK is better for understanding the attacker's strategic objective
- For specific detection rules, CAPEC provides more technical granularity
- The answer here would be CAPEC for technical implementation
Question Type 6: Adversary Attribution
Example: 'An organization has been targeted with spear-phishing, lateral movement via Pass the Hash, and data exfiltration through encrypted channels. Using MITRE ATT&CK, what can you infer about this adversary?'
Answer Strategy:
- Map the observed activities to specific tactics (Initial Access, Lateral Movement, Exfiltration)
- Consider what these techniques suggest about adversary sophistication
- Think about potential motivations and resources
- Use the framework to create a profile of the threat actor
Exam Tips: Answering Questions on MITRE ATT&CK and CAPEC Frameworks
Tip 1: Memorize the 12 MITRE ATT&CK Tactics in Order
Create a memorable sequence:
Initial Access → Execution → Persistence → Privilege Escalation → Defense Evasion → Credential Access → Discovery → Lateral Movement → Collection → Command and Control → Exfiltration → Impact
Remembering this progression helps you answer kill chain questions correctly. The order represents a logical flow of attacker activities.
Tip 2: Understand Tactic vs. Technique
On the exam, you might see questions asking which 'tactic' or which 'technique' is being used. Remember:
- Tactics are the 12 strategic objectives (usually one or two words)
- Techniques are the specific methods used (usually more detailed descriptions)
- If a question asks 'which tactic,' choose from the 12 main categories
- If it asks 'which technique,' be more specific about the method
Tip 3: Focus on Context Clues
Exam questions often include behavioral indicators. For example:
- Disabling security tools → Defense Evasion
- Stealing passwords → Credential Access
- Moving between systems → Lateral Movement
- Sending data out → Exfiltration
- Learn these associations
Tip 4: Distinguish Between ATT&CK and CAPEC Questions
- If the question asks 'why' or 'what objective' → likely MITRE ATT&CK
- If the question asks 'how technically' or mentions specific vulnerabilities → likely CAPEC
- If the question mentions 'attack patterns' or 'exploitation steps' → definitely CAPEC
Tip 5: Use Frameworks for Risk Assessment
On the exam, you might be asked how to prioritize defenses. Use the frameworks:
- Identify which tactics are most relevant to your environment
- Determine which techniques are most likely given your threat model
- Implement controls against the highest-risk combinations
- This demonstrates comprehensive security thinking
Tip 6: Connect to the Kill Chain Model
MITRE ATT&CK aligns with the Cyber Kill Chain:
- Reconnaissance (MITRE Discovery)
- Weaponization (not explicitly ATT&CK, but relates to attack preparation)
- Delivery (Initial Access)
- Exploitation (Execution, Privilege Escalation)
- Installation (Persistence)
- Command and Control (Command and Control)
- Actions on Objectives (Collection, Exfiltration, Impact)
Understanding this connection helps you answer strategic questions.
Tip 7: Know Real-World Examples
Study how real adversary groups use specific techniques:
- APT28 commonly uses spear-phishing for Initial Access
- Lazarus Group has used watering hole attacks
- Emotet used lateral movement via RDP
- Understanding real-world usage helps you answer scenario-based questions
Tip 8: Understand Mitigation Strategies
For each major tactic, know common mitigations:
- Initial Access: Email filtering, user training, network segmentation
- Persistence: File integrity monitoring, process monitoring, registry monitoring
- Defense Evasion: Application whitelisting, script blocking, behavioral analysis
- Credential Access: MFA, password policy, credential guard
- Lateral Movement: Network segmentation, monitoring internal traffic
Tip 9: Practice with Scenario Questions
Exam questions often present realistic scenarios. Practice:
- Reading complex attack descriptions
- Mapping multiple steps to different tactics
- Identifying the most important tactic or technique in context
- Recommending appropriate controls
Tip 10: Don't Overthink Tactic Assignment
Some exam questions might feel ambiguous - an action could fit multiple tactics. General guidance:
- Choose the primary tactic that best represents the main objective
- If 'Execution' and 'Persistence' both seem applicable, consider which is the primary goal
- The exam usually has one best answer even if multiple could work
- Read all options before selecting
Tip 11: Understand CAPEC for Vulnerability Context
When CAPEC appears on the exam, it's usually asking about:
- How specific vulnerabilities are exploited
- Prerequisites for attacks to work
- Technical details of exploitation
- Defense at the vulnerability level rather than the tactic level
Tip 12: Use the Frameworks for Incident Response
Many Security+ questions involve incident response. Use the frameworks to:
- Determine which tactics are being employed
- Identify the attack's likely progression
- Prioritize detection and response measures
- Recommend controls to prevent similar attacks
Tip 13: Remember Sub-techniques
While MITRE ATT&CK's 12 tactics are primary, remember that:
- Techniques are variations within tactics
- Sub-techniques are even more specific variations
- Exam questions might reference specific techniques
- You don't need to memorize all of them, but understand the hierarchical structure
Tip 14: Correlate with Other Security Concepts
MITRE ATT&CK and CAPEC don't exist in isolation. Correlate with:
- NIST Cybersecurity Framework: Map tactics to Identify, Protect, Detect, Respond, Recover functions
- Zero Trust: How tactics exploit trust assumptions
- Defense in Depth: How multiple controls prevent different tactics
- Risk Management: How to prioritize controls based on tactic likelihood and impact
Tip 15: Create a Personal Reference Sheet
Before the exam, create a cheat sheet with:
- The 12 ATT&CK tactics and brief definitions
- Common techniques for each tactic
- Real-world examples
- Associated mitigation strategies
- CAPEC vs. ATT&CK differences
While you can't use this in the exam, creating it forces you to learn the material actively.
Practical Application for Exam Success
Sample Exam Question Practice:
Question: 'A security analyst discovers that an attacker has created a scheduled task that executes a malicious script every morning at 4 AM. The script connects to an external server and downloads updates. Which two MITRE ATT&CK tactics does this demonstrate?'
Analysis Process:
1. Identify the behaviors: scheduled task creation and malicious script execution
2. First tactic: Persistence (scheduled task maintains presence)
3. Second tactic: Command and Control (connecting to external server)
4. Consider Defense Evasion: early morning timing suggests timing-based evasion
5. Best answer: Persistence and Command and Control (most direct behaviors)
This demonstrates that you should:
- Identify multiple tactics in complex scenarios
- Prioritize the most obvious ones
- Consider temporal and behavioral indicators
- Apply the framework systematically
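The analysis above can be done against the framework data itself rather than from memory. ATT&CK is also published as STIX 2.1 JSON, in which each technique is an attack-pattern object whose kill_chain_phases carry its tactics and each mitigation is a course-of-action linked by a "mitigates" relationship; the example below (added here, not from the original page or from MITRE) indexes a constructed excerpt in that shape, maps the scheduled-task/C2 incident to its tactics, and then performs the mitigation-gap check that Tips 5 and 8 describe. The technique and mitigation IDs are real ATT&CK IDs, but the sample bundle and its mitigation links are constructed for illustration.

```python
from collections import defaultdict
# The 12 tactics as listed on this page, in kill-chain order, as ATT&CK phase slugs.
TACTIC_ORDER = ["initial-access", "execution", "persistence", "privilege-escalation",
                "defense-evasion", "credential-access", "discovery", "lateral-movement",
                "collection", "command-and-control", "exfiltration", "impact"]

# CONSTRUCTED sample in the shape of the ATT&CK STIX 2.1 export. Technique and mitigation
# IDs are real ATT&CK IDs, but the "mitigates" links below are illustrative, not authoritative.
def _ap(ext_id, name, *phases):
    return {"type": "attack-pattern", "id": f"attack-pattern--{ext_id}", "name": name,
            "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": p}
                                  for p in phases],
            "external_references": [{"source_name": "mitre-attack", "external_id": ext_id}]}

def _coa(ext_id, name):
    return {"type": "course-of-action", "id": f"course-of-action--{ext_id}", "name": name,
            "external_references": [{"source_name": "mitre-attack", "external_id": ext_id}]}

def _mitigates(coa, ap):
    return {"type": "relationship", "relationship_type": "mitigates",
            "source_ref": f"course-of-action--{coa}", "target_ref": f"attack-pattern--{ap}"}

BUNDLE = {"type": "bundle", "objects": [
    _ap("T1566", "Phishing", "initial-access"),
    _ap("T1053", "Scheduled Task/Job", "execution", "persistence", "privilege-escalation"),
    _ap("T1071", "Application Layer Protocol", "command-and-control"),
    _ap("T1562.001", "Disable or Modify Tools", "defense-evasion"),
    _ap("T1003", "OS Credential Dumping", "credential-access"),
    _ap("T1550.002", "Pass the Hash", "defense-evasion", "lateral-movement"),
    _coa("M1026", "Privileged Account Management"), _coa("M1031", "Network Intrusion Prevention"),
    _coa("M1030", "Network Segmentation"), _coa("M1032", "Multi-factor Authentication"),
    _mitigates("M1026", "T1053"), _mitigates("M1031", "T1071"), _mitigates("M1026", "T1003"),
    _mitigates("M1030", "T1550.002"), _mitigates("M1032", "T1550.002"),
]}

def index_bundle(bundle):
    """Return (technique_id -> {name, tactics}, technique_id -> set of mitigation IDs)."""
    ext_of, techniques, mitigations = {}, {}, defaultdict(set)
    for obj in bundle["objects"]:
        if obj["type"] in ("attack-pattern", "course-of-action"):
            ext = next(r["external_id"] for r in obj["external_references"]
                       if r["source_name"] == "mitre-attack")
            ext_of[obj["id"]] = ext
            if obj["type"] == "attack-pattern":
                techniques[ext] = {"name": obj["name"], "tactics": [
                    p["phase_name"] for p in obj["kill_chain_phases"]
                    if p["kill_chain_name"] == "mitre-attack"]}
    for obj in bundle["objects"]:  # second pass: relationships refer to objects by STIX id
        if obj["type"] == "relationship" and obj["relationship_type"] == "mitigates":
            mitigations[ext_of[obj["target_ref"]]].add(ext_of[obj["source_ref"]])
    return techniques, dict(mitigations)

def tactics_observed(techniques, observed_ids):
    """Every tactic the observed techniques can serve, in kill-chain order (T1053 has three)."""
    seen = {t for tid in observed_ids for t in techniques[tid]["tactics"]}
    return [t for t in TACTIC_ORDER if t in seen]

def mitigation_gaps(mitigations, observed_ids, deployed):
    """Observed techniques for which none of the deployed mitigations applies."""
    return sorted(tid for tid in observed_ids if not (mitigations.get(tid, set()) & set(deployed)))
```

Running tactics_observed on ["T1053", "T1071"] returns Execution, Persistence, Privilege Escalation and Command and Control, which is why the exam answer picks the two most direct tactics rather than everything the data allows; mitigation_gaps with only M1031 deployed flags T1053 as uncovered.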
Another Sample Question:
Question: 'Which CAPEC pattern would describe an attack where unsanitized user input is used to construct SQL queries, allowing attackers to modify query logic?'
Analysis Process:
1. Recognize technical exploitation mechanism → CAPEC question
2. Identify the vulnerability: SQL injection (CWE-89)
3. Understand the attack pattern: user input manipulation
4. Consider prerequisites: web application, database connectivity, input validation failure
5. Answer would reference: CAPEC-66 SQL Injection or similar pattern
This shows you should:
- Recognize when CAPEC is more appropriate
- Think technically about exploitation mechanisms
- Reference CWEs when relevant
- Consider prerequisites and consequences
Conclusion
MITRE ATT&CK and CAPEC frameworks are essential knowledge for CompTIA Security+ exam success. By understanding the strategic perspective of ATT&CK (what attackers do) and the technical perspective of CAPEC (how they do it), you'll be well-equipped to answer questions about threat intelligence, incident response, and security architecture. Practice identifying tactics and techniques in real-world scenarios, memorize the attack chain progression, and always read questions carefully to determine whether they're asking for tactical or technical analysis. With these frameworks firmly in your knowledge base, you'll not only pass the exam but also develop practical skills applicable to real-world cybersecurity work.