{"id":346,"date":"2021-02-10T23:03:00","date_gmt":"2021-02-10T23:03:00","guid":{"rendered":"https:\/\/www.cycognito.com\/blog\/?p=346"},"modified":"2025-05-13T11:54:39","modified_gmt":"2025-05-13T18:54:39","slug":"mitre-attack-move-toward-pre-attack","status":"publish","type":"post","link":"https:\/\/www.cycognito.com\/blog\/mitre-attack-move-toward-pre-attack\/","title":{"rendered":"MITRE ATT&CK – Shift to the Left toward PRE-ATT&CK"},"content":{"rendered":"\n

The MITRE PRE-ATT&CK framework<\/a> released in 2017 consisted of 15 tactics and 148 techniques designed to address community concerns about what adversaries are doing before the adversary achieves access.However, it was completely separate from MITRE Enterprise ATT&CK because the Enterprise ATT&CK focused only on the behaviors of attackers after they\u2019ve gotten into an enterprise. On October 27, 2020 that all changed when the MITRE Pre-ATT&CK folded into Enterprise ATT&CK with a concise format of Reconnaissance, Resource Development, and Initial Access that really works!<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

The reason for the new format is that security practitioners and the team at MITRE observed that a lack of insights into pre-compromise behaviors hindered organizations\u2019 ability to implement controls that mitigate tactics used later in the framework. For me it was also further recognition of the need to shift security posture to the \u201cleft\u201d — meaning earlier in the attack chain, well before the enterprise is compromised — as a way to keep the bad guys out by knowing what and where they are going to attack before they do. This change to the framework means that the capabilities that the CyCognito platform brings to bear can help you address far more of the tactics in the framework, and really preempt attackers. In other words, we take care of reconnaissance automatically so your organization can focus on remediation, mitigation, and detection at those initial access points in the attack surface.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

The diagram above shows a snapshot of the techniques CyCognito contributes to in the first three tactics; with orange indicating significant coverage and yellow indicating secondary mapping. <\/p>\n\n\n\n

Now I\u2019d like to walk you through the first two tactics in particular, and the remaining in net, and give an overview into how CyCognito can help.  <\/p>\n\n\n\n

Phase 1: Resource Development<\/h2>\n\n\n\n

The first phase of MITRE ATT&CK version 8.0 is the Reconnaissance<\/a> tactic which focuses on a potential attacker gathering information they can use to plan future operations. With 10 techniques and 31 subtechniques this tactic is all about information gathering and is usually undetectable, so mitigation is about limiting the information available. In this phase our secret weapon is human intelligence<\/a>. Human analysts working off of our customer\u2019s initial request to be targeted by our platform apply their expertise and knowledge to further enhance our platform\u2019s machine learning and data gathering cloud-scaling botnet. By working closely with the system, analysts train it to know our customer\u2019s attack surface<\/a> so our customers can protect their systems by limiting the information that can be gathered and then remediating, mitigating, and monitoring the assets that are discoverable and most likely to be targeted.<\/p>\n\n\n\n

Phase 2: Resource Development<\/h2>\n\n\n\n

The second phase is the Resource Development<\/a> tactic where the adversary creates, purchases, or steals resources that can be used in an attack. With six techniques and 26 subtechniques this tactic is about building the capabilities to launch attacks without being detected. But how do you combat attackers in the build stage? At CyCognito we have built the infrastructure necessary to emulate attacker operations, based on nation-state grade architecture<\/a>, and make it available as an easy-to-adopt cloud-based service. At the center of this capability is our world-class global botnet which uses attacker-like reconnaissance techniques to scan, discover, fingerprint, and classify billions of digital assets all over the world. And because CyCognito works the way adversaries do, no input or configuration are needed. The big difference at the end of the process is that CyCognito tells our customers what we found rather than launch an attack.<\/p>\n\n\n\n

Subsequent Phases<\/h2>\n\n\n\n

All subsequent phases of the MITRE ATT&CK framework go into details about tactics and techniques that can typically be detected through technical means via network or host monitoring. For example,\u00a0Initial Access<\/a>\u00a0might be achieved by\u00a0Exploiting Public Facing Applications<\/a>\u00a0and while CyCognito won\u2019t detect this exploit in real time, the platform will identify vulnerabilities and exposures via external\u00a0vulnerability scanning<\/a>\u00a0and\u00a0automated pentesting<\/a>\u00a0and can suggest assets that should have\u00a0network segmentation<\/a>. In all cases, knowing how an adversary sees targeted systems can and should help the security team protect the enterprise and the mission. And by mapping the CyCognito platform detections to MITRE ATT&CK techniques, they will be prioritized appropriately before they become an incident to be handled.<\/p>\n\n\n\n

What It Looks Like In Real Life<\/h2>\n\n\n\n

In practice all assets the CyCognito platform discovers will be reported as part of \u201creconnaissance.\u201d The discovery path information will group these assets to the technique used, which may be by nine of the 10 techniques (we aren\u2019t Phishing for Information<\/a> from anyone). To give you an idea of what this discovery information looks like, here is a screenshot from the CyCognito platform on an anonymized asset showing that we Gather Victim Network Information: DNS<\/a> and then Search Victim-Owned Websites<\/a> to find associated attack surface assets:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

The diagram above shows the \u201cDiscovery Path\u201d capability of the CyCognito platform showing automatic DNS record searching, organizational attribution, asset fingerprinting, and web app identification.<\/p>\n\n\n\n

What all this means is that you will be able to utilize the CyCognito platform mappings to the MITRE ATT&CK framework to shift your security posture to the left from the bad stuff that occurs after a breach. With our capabilities, you can move to proactive defense before the attack occurs by looking at your network the way the attackers do. So, while these newly formatted PRE-ATT&CK tactics and techniques<\/a> aren\u2019t something you can easily address with the three traditional controls of detection, prevention, and correction, you can still learn through attack simulation. Even if the simulation of information collection isn\u2019t identical to every scenario you might face (for example, the platform will not be phishing for information<\/a>), by using the CyCognito platform you\u2019ll understand what attackers are able to collect and how they would collect it. You can then examine these exposures and the information gathered and allow that information to inform prioritization of your security issues, and make better and faster decisions with a laser focus on keeping intruders out.<\/p>\n","protected":false},"excerpt":{"rendered":"

PRE-ATT&CK tactics and techniques can’t easily be addressed with traditional controls. You must look at your network the way the hackers do.<\/p>\n","protected":false},"author":15,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[6,105,9,94],"class_list":["post-346","post","type-post","status-publish","format-standard","hentry","category-perspectives","tag-attack-surface-management","tag-cloud-security","tag-cybersecurity","tag-mitre-attck"],"yoast_head":"\nMITRE ATT&CK - Shift to the Left toward PRE-ATT&CK | CyCognito Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.cycognito.com\/blog\/mitre-attack-move-toward-pre-attack\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"MITRE ATT&CK - Shift to the Left toward PRE-ATT&CK | CyCognito Blog\" \/>\n<meta property=\"og:description\" content=\"PRE-ATT&CK tactics and techniques can't easily be addressed with traditional controls. You must look at your network the way the hackers do.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.cycognito.com\/blog\/mitre-attack-move-toward-pre-attack\/\" \/>\n<meta property=\"og:site_name\" content=\"CyCognito Blog\" \/>\n<meta property=\"article:published_time\" content=\"2021-02-10T23:03:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-05-13T18:54:39+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/mitre-attack.png\" \/>\n\t<meta property=\"og:image:width\" content=\"500\" \/>\n\t<meta property=\"og:image:height\" content=\"300\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Jim Wachhaus\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Jim Wachhaus\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/mitre-attack-move-toward-pre-attack\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/mitre-attack-move-toward-pre-attack\/\"},\"author\":{\"name\":\"Jim Wachhaus\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/#\/schema\/person\/26e362ecf750edd0380a7de5746cf8d0\"},\"headline\":\"MITRE ATT&CK – Shift to the Left toward PRE-ATT&CK\",\"datePublished\":\"2021-02-10T23:03:00+00:00\",\"dateModified\":\"2025-05-13T18:54:39+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/mitre-attack-move-toward-pre-attack\/\"},\"wordCount\":1045,\"publisher\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/mitre-attack-move-toward-pre-attack\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/mitre-attack.png\",\"keywords\":[\"Attack Surface Management\",\"Cloud Security\",\"Cybersecurity\",\"MITRE ATT&CK\"],\"articleSection\":[\"Perspectives\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/mitre-attack-move-toward-pre-attack\/\",\"url\":\"https:\/\/www.cycognito.com\/blog\/mitre-attack-move-toward-pre-attack\/\",\"name\":\"MITRE ATT&CK - Shift to the Left toward PRE-ATT&CK | CyCognito Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/mitre-attack-move-toward-pre-attack\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/mitre-attack-move-toward-pre-attack\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/mitre-attack.png\",\"datePublished\":\"2021-02-10T23:03:00+00:00\",\"dateModified\":\"2025-05-13T18:54:39+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/mitre-attack-move-toward-pre-attack\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.cycognito.com\/blog\/mitre-attack-move-toward-pre-attack\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/mitre-attack-move-toward-pre-attack\/#primaryimage\",\"url\":\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/mitre-attack.png\",\"contentUrl\":\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/mitre-attack.png\",\"width\":500,\"height\":300},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/mitre-attack-move-toward-pre-attack\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.cycognito.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"MITRE ATT&CK – Shift to the Left toward PRE-ATT&CK\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/#website\",\"url\":\"https:\/\/www.cycognito.com\/blog\/\",\"name\":\"Cycognito Blog\",\"description\":\"Research, Product News and Latest Updates\",\"publisher\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.cycognito.com\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/#organization\",\"name\":\"Cycognito\",\"url\":\"https:\/\/www.cycognito.com\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/logo-1720x550-1.png\",\"contentUrl\":\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/logo-1720x550-1.png\",\"width\":1720,\"height\":550,\"caption\":\"Cycognito\"},\"image\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/#\/schema\/person\/26e362ecf750edd0380a7de5746cf8d0\",\"name\":\"Jim Wachhaus\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/79b6bf97cd7168a87f54b0b9f6ce82be?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/79b6bf97cd7168a87f54b0b9f6ce82be?s=96&d=mm&r=g\",\"caption\":\"Jim Wachhaus\"},\"description\":\"Was Director of Technical Product Marketing at CyCognito\",\"url\":\"https:\/\/www.cycognito.com\/blog\/author\/jim-wachhaus\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"MITRE ATT&CK - Shift to the Left toward PRE-ATT&CK | CyCognito Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.cycognito.com\/blog\/mitre-attack-move-toward-pre-attack\/","og_locale":"en_US","og_type":"article","og_title":"MITRE ATT&CK - Shift to the Left toward PRE-ATT&CK | CyCognito Blog","og_description":"PRE-ATT&CK tactics and techniques can't easily be addressed with traditional controls. You must look at your network the way the hackers do.","og_url":"https:\/\/www.cycognito.com\/blog\/mitre-attack-move-toward-pre-attack\/","og_site_name":"CyCognito Blog","article_published_time":"2021-02-10T23:03:00+00:00","article_modified_time":"2025-05-13T18:54:39+00:00","og_image":[{"width":500,"height":300,"url":"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/mitre-attack.png","type":"image\/png"}],"author":"Jim Wachhaus","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Jim Wachhaus","Est. reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.cycognito.com\/blog\/mitre-attack-move-toward-pre-attack\/#article","isPartOf":{"@id":"https:\/\/www.cycognito.com\/blog\/mitre-attack-move-toward-pre-attack\/"},"author":{"name":"Jim Wachhaus","@id":"https:\/\/www.cycognito.com\/blog\/#\/schema\/person\/26e362ecf750edd0380a7de5746cf8d0"},"headline":"MITRE ATT&CK – Shift to the Left toward PRE-ATT&CK","datePublished":"2021-02-10T23:03:00+00:00","dateModified":"2025-05-13T18:54:39+00:00","mainEntityOfPage":{"@id":"https:\/\/www.cycognito.com\/blog\/mitre-attack-move-toward-pre-attack\/"},"wordCount":1045,"publisher":{"@id":"https:\/\/www.cycognito.com\/blog\/#organization"},"image":{"@id":"https:\/\/www.cycognito.com\/blog\/mitre-attack-move-toward-pre-attack\/#primaryimage"},"thumbnailUrl":"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/mitre-attack.png","keywords":["Attack Surface Management","Cloud Security","Cybersecurity","MITRE ATT&CK"],"articleSection":["Perspectives"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.cycognito.com\/blog\/mitre-attack-move-toward-pre-attack\/","url":"https:\/\/www.cycognito.com\/blog\/mitre-attack-move-toward-pre-attack\/","name":"MITRE ATT&CK - Shift to the Left toward PRE-ATT&CK | CyCognito Blog","isPartOf":{"@id":"https:\/\/www.cycognito.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.cycognito.com\/blog\/mitre-attack-move-toward-pre-attack\/#primaryimage"},"image":{"@id":"https:\/\/www.cycognito.com\/blog\/mitre-attack-move-toward-pre-attack\/#primaryimage"},"thumbnailUrl":"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/mitre-attack.png","datePublished":"2021-02-10T23:03:00+00:00","dateModified":"2025-05-13T18:54:39+00:00","breadcrumb":{"@id":"https:\/\/www.cycognito.com\/blog\/mitre-attack-move-toward-pre-attack\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.cycognito.com\/blog\/mitre-attack-move-toward-pre-attack\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.cycognito.com\/blog\/mitre-attack-move-toward-pre-attack\/#primaryimage","url":"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/mitre-attack.png","contentUrl":"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/mitre-attack.png","width":500,"height":300},{"@type":"BreadcrumbList","@id":"https:\/\/www.cycognito.com\/blog\/mitre-attack-move-toward-pre-attack\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.cycognito.com\/blog\/"},{"@type":"ListItem","position":2,"name":"MITRE ATT&CK – Shift to the Left toward PRE-ATT&CK"}]},{"@type":"WebSite","@id":"https:\/\/www.cycognito.com\/blog\/#website","url":"https:\/\/www.cycognito.com\/blog\/","name":"Cycognito Blog","description":"Research, Product News and Latest Updates","publisher":{"@id":"https:\/\/www.cycognito.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.cycognito.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.cycognito.com\/blog\/#organization","name":"Cycognito","url":"https:\/\/www.cycognito.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.cycognito.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/logo-1720x550-1.png","contentUrl":"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/logo-1720x550-1.png","width":1720,"height":550,"caption":"Cycognito"},"image":{"@id":"https:\/\/www.cycognito.com\/blog\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.cycognito.com\/blog\/#\/schema\/person\/26e362ecf750edd0380a7de5746cf8d0","name":"Jim Wachhaus","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.cycognito.com\/blog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/79b6bf97cd7168a87f54b0b9f6ce82be?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/79b6bf97cd7168a87f54b0b9f6ce82be?s=96&d=mm&r=g","caption":"Jim Wachhaus"},"description":"Was Director of Technical Product Marketing at CyCognito","url":"https:\/\/www.cycognito.com\/blog\/author\/jim-wachhaus\/"}]}},"_links":{"self":[{"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/posts\/346","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/users\/15"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/comments?post=346"}],"version-history":[{"count":8,"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/posts\/346\/revisions"}],"predecessor-version":[{"id":1528,"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/posts\/346\/revisions\/1528"}],"wp:attachment":[{"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/media?parent=346"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/categories?post=346"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/tags?post=346"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}