Just what are "tactics"?
is a great resource, but something about it has bothered me since I first heard about it several years ago. It's a minor point, but I wanted to document it in case it confuses anyone else.
At a high-level, ATT&CK is a behavioral model that consists of the following core components:
• Tactics, denoting short-term, tactical adversary goals during an attack;
• Techniques, describing the means by which adversaries achieve tactical goals;
• Sub-techniques, describing more specific means by which adversaries achieve tactical goals at a lower level than techniques; and
• Documented adversary usage of techniques, their procedures, and other metadata.
My concern is with MITRE's definition of "tactics" as "short-term, tactical adversary goals during an attack," which is oddly recursive.
The key word in the tactics definition is goals. According to MITRE, "tactics" are "goals."
Examples of ATT&CK Tactics
|MITRE ATT&CK "Tactics," https://attack.mitre.org/tactics/enterprise/|
Looking at this list, the first 11 items could indeed be seen as goals. The last item, Impact, is not a goal. That item is an artifact of trying to shoehorn more information into the ATT&CK structure. That's not my primary concern though.
Military Theory and Definitions
As a service academy graduate who had to sit through many lectures on military theory, and who participated in small unit exercises, the idea of tactics as "goals" does not make any sense.
I'd like to share three resources that offer a different perspective on tactics. Although all three are military, my argument does not depend on that association.
In his book On Tactics, B. A. Friedman defines tactics as "the use of military forces to achieve victory over opposing enemy forces over the short term." (emphasis added)
"Tactics, in warfare, the art and science of fighting battles on land, on sea, and in the air. It is concerned with the approach to combat; the disposition of troops and other personalities; the use made of various arms, ships, or aircraft; and the execution of movements for attack or defense...
The word tactics originates in the Greek taxis, meaning order, arrangement, or disposition -- including the kind of disposition in which armed formations used to enter and fight battles. From this, the Greek historian Xenophon derived the term tactica, the art of drawing up soldiers in array. Likewise, the Tactica, an early 10th-century handbook said to have been written under the supervision of the Byzantine emperor Leo VI the Wise, dealt with formations as well as weapons and the ways of fighting with them.
The term tactics fell into disuse during the European Middle Ages. It reappeared only toward the end of the 17th century, when “Tacticks” was used by the English encyclopaedist John Harris to mean 'the Art of Disposing any Number of Men into a proposed form of Battle...'"
From these three examples, it is clear that tactics are about use and disposition of forces or capabilities during engagements. Goals are entirely different. Tactics are the methods by which leaders achieve goals.
How Did This Happen?
I was not a fly on the wall when the MITRE team designed ATT&CK. Perhaps the MITRE team fixated on the phrase"tactics, techniques, and procedures," or "TTPs," again derived from military examples, when they were designing ATT&CK? TTPs became hot during the 2000s as incident responders drew with military experience drew on that language when developing concepts like indicators of compromise
. That fixation might have led MITRE to use "tactics" for their top-level structure.
It would have made more sense for MITRE to have just said "goal" or "objective," but "GTP" isn't recognized by the digital defender world.
It's Not Just the Military
Some readers might think "ATT&CK isn't a military tool, so your military examples don't apply." I use the military references to show that the word tactic does have military origins, like the word "strategy," from the Greek Strategos or strategus, plural strategoi, (Greek: στρατηγός, pl. στρατηγοί; Doric Greek: στραταγός, stratagos; meaning "army leader").
That said, I would be surprised to see the word tactics used as "goals" anywhere else. For example, none of these examples from the non-military world involve tactics as goals:
This guide for ice hockey coaches
mentions tactics like "give and go’s, crossing attacks, cycling the puck, chipping the puck to space and overlapping."
In the civilian world, tactics are how leaders achieve goals or objectives.
In the big picture, it doesn't matter that much to ATT&CK content that MITRE uses the term "tactics" when it really means "goals."
However, I wrote this article because the ATT&CK design and philosophy emphasizes a common language, e.g., ATT&CK "succinctly organizes adversary tactics and techniques along with providing a common language used across security disciplines."
If we want to share a common language, it's important that we recognize that the ATT&CK use of the term "tactics" is an anomaly. Perhaps a future edition will change the terminology, but I doubt it given how entrenched it is at this point.
"Agreed - for example, supply chain compromise is a tactic used for initial access, whereas software supply chain compromise (ShadowHammer) is a specific technique."