Derive from Red Force and Attack Matrix
1. Reconnaissance
Reconnaissance is the preliminary phase of a cyber attack where adversaries gather as much information as possible about their target. This includes identifying IP addresses, domain names, email addresses, and other pertinent details that can reveal vulnerabilities. Techniques used in this phase include open-source intelligence (OSINT), social engineering, and network scanning. The primary goal is to compile a comprehensive target profile to effectively plan subsequent attack stages. Understanding the intricacies of the target’s environment helps attackers strategize their approach to avoid detection and maximize impact.
2. Resource Development
Resource Development involves preparing and acquiring resources necessary for an attack. This phase includes creating fake websites, registering domains, procuring malware, and developing tools. Attackers may also recruit accomplices or purchase access to compromised systems on the dark web. The aim is to build a robust infrastructure supporting the planned attack operations. Proper resource development ensures attackers have the tools and platforms to launch and sustain their activities against the targeted organization.
3. Initial Access
Initial Access marks the first successful penetration of the target network. Adversaries use tactics such as phishing emails, exploiting software vulnerabilities, and leveraging weak credentials to gain an initial foothold. This phase is critical as it establishes the foundation for deeper infiltration. Attackers may deploy malicious code or establish backdoors to secure ongoing access. The effectiveness of initial access techniques often determines the overall success of the attack, making this a focal point for both attackers and defenders.
4. Execution
Execution refers to the phase where attackers run malicious code within the target environment. This could involve executing scripts, launching malware, or triggering automated tasks to achieve specific objectives. The execution phase aims to establish control over the compromised systems and initiate the planned malicious activities. Techniques used during execution include PowerShell scripts, command-line interfaces, and exploitation of application vulnerabilities. Successful execution enables attackers to manipulate system functions and prepare for further actions.
5. Persistence
Persistence ensures that attackers maintain access to the compromised systems even after disruptions such as reboots or changes in credentials. This is achieved through various methods, such as creating new user accounts, modifying system services, or implanting rootkits. Persistence mechanisms are designed to be stealthy, making them difficult to detect and remove. By establishing persistence, attackers can secure a long-term presence within the target network, allowing them to continue their operations without repeatedly breaching the perimeter.
6. Privilege Escalation
Privilege Escalation involves gaining higher-level permissions within the target network. Attackers exploit vulnerabilities or leverage stolen credentials to elevate their access from a lower-level user to an administrator or superuser. This expanded access allows them to perform actions that would otherwise be restricted, such as altering system configurations, accessing sensitive data, and disabling security mechanisms. Privilege escalation is a pivotal phase that significantly enhances an attacker’s control over the compromised environment and broadens the scope of potential damage.
7. Defence Evasion
Defence Evasion encompasses a variety of techniques used by attackers to avoid detection and bypass security controls. This includes tactics such as code obfuscation, disabling security tools, and using anti-forensic methods to erase traces of their presence. Attackers may also exploit legitimate software and processes to blend in with everyday activities. The goal is to remain undetected for as long as possible, allowing attackers to carry out their objectives without interference. Effective defence evasion complicates detection and response efforts, increasing the likelihood of a successful attack.
8. Credential Access
Credential Access involves obtaining sensitive authentication data such as usernames, passwords, and cryptographic keys. Attackers use keylogging, phishing, credential dumping, and brute force attacks to acquire valid credentials. With legitimate credentials, attackers can move laterally within the network, access restricted areas, and exfiltrate data without raising immediate alarms. Credential access is a critical step that facilitates deeper penetration and enhances the attackers’ ability to masquerade as legitimate users.
9. Discovery
Discovery is the phase where attackers gather information about the internal structure and systems of the compromised network. This includes identifying active directories, connected devices, running services, and network topology. Tools and techniques such as network scanners, system enumeration, and directory queries are employed to map out the environment. The information collected during discovery enables attackers to plan their movements and target high-value assets. Understanding the network layout and identifying key systems are crucial for executing subsequent phases effectively.
10. Lateral Movement
Lateral Movement refers to traversing the network from the initially compromised system to other systems and devices. Attackers use techniques such as pass-the-hash, pass-the-ticket, and exploiting remote services to move laterally. The objective is to access additional resources, gain control, and reach critical systems or data. Lateral movement requires stealth and precision to avoid detection. Successful lateral movement broadens the attackers’ footprint within the network and positions them to achieve their ultimate goals.
11. Collection
Collection involves gathering data of interest from the compromised environment. This can include sensitive documents, emails, databases, and intellectual property. Attackers use automated tools to identify, compress, and prepare data for exfiltration. The collection phase focuses on acquiring information that can be monetized, used for further attacks, or leveraged for strategic gains. Properly executed collection efforts ensure that attackers obtain valuable assets while minimizing the risk of detection during the data-gathering process.
12. Command and Control
Command and Control (C2) is the phase where attackers establish a covert communication channel to control compromised systems remotely. This involves setting up C2 servers, using encrypted communications, and leveraging legitimate services to issue commands and receive data. C2 channels allow attackers to orchestrate activities, deploy additional payloads, and exfiltrate data. Maintaining a robust C2 infrastructure is critical for sustaining long-term operations and ensuring attackers can manage their compromised assets effectively.
13. Exfiltration
Exfiltration is the unauthorized transfer of data from the target environment to an external location controlled by the attackers. Methods include using secure transfer protocols, disguising data within regular traffic, and leveraging cloud services to move data. Exfiltration techniques aim to avoid detection by mimicking legitimate network activity. Successfully exfiltrating data allows attackers to monetize the information, sell it on black markets, or use it for further exploitation. Protecting against exfiltration requires monitoring for unusual data transfer patterns and implementing robust data loss prevention measures.
14. Impact
Impact refers to the actions taken by attackers directly affecting the integrity, availability, or confidentiality of the target’s systems and data. This can include deploying ransomware, deleting critical data, disrupting services, or manipulating information. The goal is to achieve the attackers’ ultimate objectives, whether financial gain, espionage, or causing operational disruptions. The impact phase is where the consequences of the attack are most acutely felt by the victim organization, emphasizing the importance of comprehensive defence strategies to mitigate potential damages.