MITRE ATT&CK v9 is out and includes ATT&CK for Containers

MITRE ATT&CK v9 is out and includes ATT&CK for Containers

For those not familiar, ATT&CK is a globally-accessible knowledge base of adversary tactics and techniques maintained by MITRE based on real-world data. The MITRE ATT&CK framework is used by organizations and security experts globally as a common knowledge base for developing threat models and methodologies using a common taxonomy. In line with the ever-shifting nature of cybersecurity threats and countermeasures, ATT&CK is frequently updated and expanded upon to reflect the boots-on-the-ground reality of cybersecurity. On 29 April 2021, v9 was officially released with updates to Techniques, Groups, and Software for Enterprise, Mobile, and ICS. In development of ATT&CK for Containers, MITRE worked closely with real-world partners.

Among a number of major changes, the addition of Containers for Enterprises was one of the most significant. Some of the other notable updates were a new matrix for Enterprise Cloud Google Workspaces, the replacement of the AWS, GCP, and Azure platforms with a single IaaS (Infrastructure as a Service) platform, and changes in how the ATT&CK framework describes data sources. Significant updates and additions were also made to macOS-specific TTPs and malware.

In total, this amounted to 16 new groups and 67 new software as well as updates to 36 existing groups and 51 software entries.

Using a framework, such as ATT&CK to shore up your knowledge of adversary TTPs and streamline response procedures is just one part of a holistic proactive defense posture.


LIFARS is an industry leader that develops proactive strategies and tactics against evolving cybersecurity threats. Our services such as comprehensive gap assessment, red-teaming, penetration testing, threat hunting and vulnerability assessment reveal a company’s vulnerabilities. Our vCISOs will ensure your optimal cybersecurity strategy and adequate posture.


What’s New for Containers in ATT&CK v9?

As more organizations adopt container technology, either at the container-level (e.g., Docker) or at the organization-level (e.g., Kubernetes), so has the need for understanding the risks associated with using containers. This spans everything from misconfigurations which are often lead to vulnerabilities exploited as initial attack vectors to actual TTPs observed by threat actors in the wild.

In development of ATT&CK for Containers, MITRE worked closely with real-world partners. For example, the ATT&CK matrix for Kubernetes was largely based on the threat matrix developed by the Azure Security Center team for Azure Defender. This matrix was further fleshed out in a collaborative effort between the Center for Threat-Informed Defense teams and Microsoft.

In working closely with the community, lead Cybersecurity Engineer at MITRE, Jen Burns revealed that the vast majority of adversary activity inside containers lead to cryptomining. However, this is likely not the only threat facing those using containers, with Jen elaborating that:

“…evidence from a number of parties led us to conclude that adversaries utilizing containers for more “traditional” purposes, such as exfiltration and collection of sensitive data, is publicly under reported. Ultimately, this led the ATT&CK team to make the decision to include container-related techniques in ATT&CK.”

You can find the complete Containers Matrix for the ATT&CK framework here. However, as you can see, it covers a lot of ground from TTPs used to gain initial access to the ultimate impact these attacks might have. As with other ATT&CK matrices, security professionals can lean on the practical real-world data to identify the risks and tell-tale signs of attacks aimed at containers.

For example, by digging down further, we see that attackers commonly abuse container administration services to execute commands within a container,  such as docker exec or kubectl exec.

Furthermore, attackers often achieve persistence by abusing task scheduler functionality, such as Remsec. As noted, while gaining access to resources for activities such as cryptomining is a key driver of container-based attacks, they can also lead to various DoS (denial of service) eventualities.