
ATT&CK Series: Impact

September 24, 2019

Often an attacker will have an exit strategy, or will want to provide cover for a breach by misdirecting investigations away from the attacker’s true goal. This impacts an organization, which must spend time and money trying to recover data and identify the depth of the compromise.

In this post, we will look at ATT&CK’s Impact phase as it affects availability and integrity. There are several techniques adversaries can use to impact an environment; here we will cover three that adversaries commonly use to cover their tracks or to achieve financial gain.

Techniques 

T1486 - Data Encrypted for Impact

Description
Once used only by governments and military forces, encryption converts plaintext to ciphertext with the goal of allowing only authorized parties to access the content. Encryption is now widely available and can be used by almost anyone, including attackers, who use it in a variety of ways that can affect the availability of systems and data.

What's the Risk?
An organization may be impacted by the threat actor restricting or removing the availability of data and network resources. This can be achieved by encrypting data and throwing away the key. Additionally, ransomware is a popular tool used to gain compensation from a target. Ransomware often looks for files that might be of value to the target, encrypts the data, and holds it for ransom by offering the key in exchange for money.

How to Mitigate
A Business Continuity Plan (BCP) that contains a well-defined Disaster Recovery Plan (DRP) should be implemented. This should include defending against intentional human and technical disruptive events. The plan should be tested through exercises, and plan maintenance should be performed regularly. Additionally, monitoring should be in place for file modifications and for binaries that can be used for data encryption and destruction.

T1496 - Resource Hijacking

Description
With the rise of cryptocurrency, computing resources have become more valuable to attackers. Cryptocurrency is created by solving complex problems that require great amounts of computing power. The process is often called cryptocurrency mining, crypto mining, or crypto coin mining.

What's the Risk?
Affected endpoints can become unresponsive under the heavy resource usage, compromising their availability. Cloud computing is often a target due to its ability to handle heavy processing and its scalability. This can greatly increase cloud computing costs in a short amount of time because of the increased resource usage.

How to Mitigate
A baseline of CPU, memory, graphics processing, and network traffic should be created. The resources should then be monitored for activity outside the baseline. Additionally, known cryptomining processes and names should be monitored.
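One way to implement the baseline-and-deviation check described above, as an added example that is not part of the original post: metric samples are constructed inline, the baseline is the per-metric mean and standard deviation of a known-good window, and a sample alerts when a metric exceeds mean plus three standard deviations or when a watchlisted process name appears (the 3-sigma rule and the single watchlist entry are assumptions).

```python
import statistics
from dataclasses import dataclass

# Example watchlist; populate from your own threat intelligence (xmrig is a widely
# documented miner binary name, listed here as an assumption rather than from the post).
KNOWN_MINER_NAMES = {"xmrig"}

@dataclass(frozen=True)
class Sample:
    ts: int                 # epoch seconds
    cpu_pct: float          # host-wide CPU utilisation
    gpu_pct: float          # GPU utilisation
    net_kbps: float         # network throughput
    procs: tuple = ()       # process names observed at sample time

METRICS = ("cpu_pct", "gpu_pct", "net_kbps")

def build_baseline(window: list) -> dict:
    """Per-metric (mean, population stddev) from a window of known-good samples."""
    return {m: (statistics.mean([getattr(s, m) for s in window]),
                statistics.pstdev([getattr(s, m) for s in window])) for m in METRICS}

def check_sample(sample: Sample, baseline: dict, sigma: float = 3.0, watchlist=KNOWN_MINER_NAMES) -> list:
    """Return alert strings for metrics beyond mean + sigma*sd and for watchlisted process names."""
    alerts = []
    for metric, (mean, sd) in baseline.items():
        value = getattr(sample, metric)
        # Floor the deviation at 1.0 so a perfectly flat baseline does not alert on noise.
        if value > mean + sigma * max(sd, 1.0):
            alerts.append(f"{metric}={value:.1f} exceeds baseline {mean:.1f} by >{sigma} sd")
    for name in sorted(p for p in sample.procs if p.lower() in watchlist):
        alerts.append(f"watchlisted miner process name: {name}")
    return alerts

# Constructed samples: a quiet baseline window, then one benign and one suspicious sample.
BASELINE_WINDOW = [
    Sample(t, c, g, n, ("sshd", "postgres"))
    for t, c, g, n in zip(range(0, 480, 60),
                          [12, 15, 11, 18, 14, 13, 16, 12],
                          [2, 3, 2, 4, 3, 2, 3, 2],
                          [120, 140, 110, 130, 125, 135, 115, 128])
]
BASELINE = build_baseline(BASELINE_WINDOW)
BENIGN = Sample(540, 17, 3, 130, ("sshd", "postgres"))
SUSPICIOUS = Sample(600, 97, 99, 140, ("sshd", "postgres", "xmrig"))

if __name__ == "__main__":
    print("benign:", check_sample(BENIGN, BASELINE))
    print("suspicious:", check_sample(SUSPICIOUS, BASELINE))
```

Note that the suspicious sample's network throughput stays inside the baseline: mining is usually loud on CPU/GPU but quiet on the wire, so the process-name check complements the load metrics.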

T1492 - Stored Data Manipulation

Description
Stored data can be any data at rest on persistent storage. For example, documents, databases and emails are types of data at rest. Stored data manipulation is the result of modifying or deleting data at rest. This is done to change the outcome of events or hide previous activities.

What's the Risk?
Stored data manipulation can compromise the integrity and availability of data at rest. It can be used to misdirect focus during or after an attack, to remove evidence of activity such as logs, or to achieve complete system destruction.

How to Mitigate
Sensitive information should always be encrypted. This will greatly reduce an adversary’s ability to modify data. Additionally, as mentioned previously in T1486 - Data Encrypted for Impact, a well-defined disaster recovery plan should be implemented to restore data if necessary. Furthermore, files and directories should implement a least privilege approach. File hashes and attributes should be monitored to alert when unexpected changes have been made.
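A file-integrity check covering both the T1486 mitigation (monitoring for file modifications that look like encryption) and the T1492 mitigation above (hash and attribute monitoring), written as an added example rather than code from the original post: it snapshots the sha256, size and permission bits of every file in a tree, diffs two snapshots, and uses the Shannon entropy of changed content as an assumed heuristic for ciphertext; the scenario data is constructed inline.

```python
import hashlib
import math
import tempfile
from collections import Counter
from pathlib import Path

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: text sits around 4-5, ciphertext near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def snapshot(root: Path) -> dict:
    """Relative path -> (sha256, size, permission bits, entropy) for each file under root."""
    snap = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            data = p.read_bytes()
            snap[p.relative_to(root).as_posix()] = (hashlib.sha256(data).hexdigest(), len(data),
                                                    p.stat().st_mode & 0o777, entropy(data))
    return snap

def diff_snapshots(baseline: dict, current: dict, threshold: float = 7.0) -> dict:
    """Added/removed/modified files (T1492) plus changed files that now look encrypted (T1486); 7.0 is an assumed tuning value."""
    report = {"added": [], "removed": [], "modified": [], "ciphertext_like": []}
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            report["removed"].append(path)
        elif path not in baseline:
            report["added"].append(path)
        elif baseline[path][:3] != current[path][:3]:   # hash, size or mode changed
            report["modified"].append(path)
        else:
            continue                                     # unchanged: nothing to flag
        if path in current and current[path][3] >= threshold:
            report["ciphertext_like"].append(path)
    return report

def demo() -> dict:
    """Constructed scenario: baseline a tree, then encrypt one file in place (simulated with uniform bytes), delete a log, edit a document normally."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, text in [("docs/report.txt", "Quarterly figures, final.\n" * 40),
                          ("docs/notes.txt", "meeting notes\n" * 20),
                          ("logs/app.log", "2019-09-24 login user=alice\n" * 10)]:
            (root / rel).parent.mkdir(exist_ok=True)
            (root / rel).write_text(text)
        baseline = snapshot(root)
        (root / "docs/report.txt").write_bytes(bytes(range(256)) * 16)   # ransomware stand-in
        (root / "logs/app.log").unlink()                                   # evidence removal
        notes = root / "docs/notes.txt"
        notes.write_text(notes.read_text() + "action items\n")             # legitimate edit
        return diff_snapshots(baseline, snapshot(root))
```

In production the baseline would be stored off-host and the current snapshot compared on a schedule; a burst of ciphertext-like modifications in one interval is the signal to act on, while a single edited document is normal.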

Conclusion

In conclusion, we have covered three techniques used by adversaries to affect integrity and availability during the impact phase. Adversaries are continuously developing new techniques and tools to perform high impact attacks. It is important to have a Business Continuity Plan (BCP) that contains a well-defined Disaster Recovery Plan (DRP). The DRP should be continuously maintained and updated as a living document. Processes, resource load, and files should be monitored for unplanned or unusual activity.

This series will continue to cover each of the ATT&CK tactics to provide knowledge on the dangers of each tactic and some of the most critical techniques.


By: Robert Gilbert

Senior Security Consultant | CISSP, GWAPT, CEH
