MITRE ATT&CK..But With Memes
How cyber attacks unfold...but with memes.
Welcome to a special edition of WeekendBytes. I’m taking time off, but the fun doesn’t need to stop, especially not the memes.
We’re about to embark on a meme journey to understand how certain cyber attacks unfold, guided by the MITRE Enterprise ATT&CK Matrix.
It’s a handy taxonomy and knowledge base of adversary tactics and techniques. As you read through, remember that this is not a linear process. In a cyber attack, many of these phases happen concurrently.
Enjoy!
-Jason
p.s. if you enjoy this newsletter and want to see more like it, reply to this email and let me know!
Reconnaissance: The attacker first gathers info to facilitate their attack. This could be information to help with social engineering or scanning the target’s network for vulnerabilities. A little information can go a long way.

Resource Development: Once the attacker knows how they might gain access, they set up their attack infrastructure. For sophisticated attacks, this could include setting up new servers or preparing a zero-day vulnerability. For ransomware attacks, it can be as basic as buying compromised access or credentials to the target’s network. Not much work required.

Initial Access: With everything prepped, the attacker launches the first move of their attack to gain a foothold in the victim’s environment. This could be exploiting the vulnerability discussed before or simply logging in with the compromised credentials.

Execution: The attacker is ready to take their first steps in their new environment. This may include launching reconnaissance scripts, installing malware, or any number of things.

Persistence: No attacker wants to lose the access they have already built. They look to maintain persistent access to the environment through backdoors that survive a system reboot, or by establishing alternative ways back into the environment in case their initial access is cut off.

Privilege Escalation: To be successful, the attacker needs more than any ordinary user account. They need an administrator account that can access everything in the environment. The attacker will try many techniques to snag accounts with administrator privileges, such as exploiting vulnerabilities or using password-dumping tools.

Defense Evasion: At this point, the attacker is getting noisy. To avoid getting caught, they must keep the ruckus to a minimum. They may try to disable AV or hide their malware and activity in plain sight, attempting to blend in with the normal activity of the system or network.

Credential Access: Remember when the attacker tried to elevate their privileges by finding an administrator account? Yeah, there are more of those. You can never have enough of them to move properly throughout the network, and the more tightly segmented the network, the more administrator accounts the attacker will need.

Discovery: Now it’s time for the real reconnaissance. The attacker starts mapping the environment and getting their bearings on what’s around them in their new digital world. This process is often intermixed with credential access and the next stage (lateral movement). There’s no need for this process to be a waterfall method.

Lateral Movement: With all of the fancy admin accounts and knowledge of the network, the attacker starts sneaking around the environment from system to system, expanding their reach and insights as they go along.

Collection: The attacker scoops up data along their travels because why not? For nation-state threat actors, this data may help them in their journey through the network, or it could be the data they want to steal. For ransomware groups, it will be the data they will use to extort the victim.

Command and Control: The attacker needs to call home to mom, er, to the command and control servers they set up in the resource development phase. That connection was first established when the attacker’s backdoors were installed in the persistence phase. The attacker may also deploy additional malware that reports to different command and control servers for extra persistence.

Exfiltration: With data collected and command and control servers standing by, the attacker can transfer the stolen data outside the victim’s network. This could happen through the backdoors or, as many attackers opt for, by simply uploading it to some shady file-sharing site.

Impact: Not all attacks reach this stage; nation-state attacks, for example, often don’t. Those attackers want to stay stealthy so they can continue to steal data. But for ransomware groups, it’s their final act: time to deploy the ransomware to the environment.

Meanwhile, throughout all of this activity, the organization’s security tools do their best…

If you enjoyed this, forward it to a fellow cyber nerd.
If you’re that fellow cyber nerd, subscribe here.
See you next week, nerd!