ATT&CK Matrix for Enterprise
An ever-changing threat landscape and a continuously evolving adversary playbook call for a structured way to minimise the overall security risk to organisations. MITRE's ATT&CK methodology is a Chief Information Security Officer's best friend.
Initial Access consists of techniques that use various entry vectors to gain an initial foothold within a network. Techniques used to gain a foothold include targeted spearphishing and exploiting vulnerabilities in public-facing systems. Footholds gained through initial access may allow for continued access, such as valid user accounts and the use of external remote services, or may be of limited use because passwords get changed.
The adversary is trying to run malicious code. Execution consists of techniques that result in adversary-controlled code running on a local or remote system. Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, like exploring a network or stealing data. For example, an adversary might use a remote access tool to run a PowerShell script that performs Remote System Discovery.
The adversary is trying to maintain their foothold. Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. Techniques used for persistence include any access, action, or configuration change that lets them maintain their foothold on systems, such as replacing or hijacking legitimate code or adding startup code.
The adversary is trying to gain higher-level permissions. Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives. Common approaches are to take advantage of system weaknesses, misconfigurations, and vulnerabilities. Examples of elevated access include:

• SYSTEM/root level
• local administrator
• user account with admin-like access
• user accounts with access to a specific system or that perform a specific function

These techniques often overlap with Persistence techniques, as OS features that let an adversary persist can execute in an elevated context.
The adversary is trying to avoid being detected. Defence Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defence evasion include uninstalling or disabling security software and obfuscating or encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics' techniques are cross-listed here when those techniques include the added benefit of subverting defences.
The adversary is trying to steal account names and passwords. Credential Access consists of techniques for stealing credentials like account names and passwords. Techniques used to get credentials include keylogging and credential dumping. Using legitimate credentials can give adversaries access to systems, make them harder to detect, and provide the opportunity to create more accounts to help achieve their goals.
The adversary is trying to figure out your environment. Discovery consists of techniques an adversary may use to gain knowledge about the system and internal network. These techniques help adversaries observe the environment and orient themselves before deciding how to act. They also allow adversaries to explore what they can control and what is around their entry point in order to discover how it could benefit their current objective. Native operating system tools are often used toward this post-compromise information-gathering objective.
The adversary is trying to move through your environment. Lateral Movement consists of techniques that adversaries use to enter and control remote systems on a network. Following through on their primary objective often requires exploring the network to find their target and subsequently gaining access to it. Reaching their objective often involves pivoting through multiple systems and accounts. Adversaries might install their own remote access tools to accomplish Lateral Movement, or use legitimate credentials with native network and operating system tools, which may be stealthier.
The adversary is trying to gather data of interest to their goal. Collection consists of techniques adversaries may use to gather information, and the sources that information is collected from, that are relevant to following through on the adversary's objectives. Frequently, the next goal after collecting data is to steal (exfiltrate) the data. Common target sources include various drive types, browsers, audio, video, and email. Common collection methods include capturing screenshots and keyboard input.
Command and Control
The adversary is trying to communicate with compromised systems to control them. Command and Control consists of techniques that adversaries may use to communicate with systems under their control within a victim network. Adversaries commonly attempt to mimic normal, expected traffic to avoid detection. There are many ways an adversary can establish command and control with various levels of stealth depending on the victim's network structure and defences.
The adversary is trying to steal data. Exfiltration consists of techniques that adversaries may use to steal data from your network. Once they have collected data, adversaries often package it to avoid detection while removing it; this can include compression and encryption. Techniques for getting data out of a target network typically include transferring it over their command and control channel or an alternate channel, and may also include putting size limits on the transmission.
The adversary is trying to manipulate, interrupt, or destroy your systems and data. Impact consists of techniques that adversaries use to disrupt availability or compromise integrity by manipulating business and operational processes. Techniques used for impact can include destroying or tampering with data. In some cases, business processes can look fine, but may have been altered to benefit the adversaries' goals. These techniques might be used by adversaries to follow through on their end goal or to provide cover for a confidentiality breach.