ATT&CK Series: Impact

An attacker often has an exit strategy, or wants to cover a breach by misdirecting investigators away from the attacker’s true goal. The organization then spends time and money recovering data and determining the depth of the compromise.

In this post we look at the ATT&CK Impact tactic as it affects availability and integrity. Adversaries have several techniques for impacting an environment; here we cover three that are commonly used to cover their tracks or to achieve financial gain.

Techniques

T1486 - Data Encrypted for Impact

Description
Once used only by governments and militaries, encryption converts plaintext to ciphertext so that only authorized parties can access the content. Encryption is now widely available to almost anyone, including attackers, who use it in ways that affect the availability of systems and data.

What's the Risk?
A threat actor can restrict or remove the availability of data and network resources simply by encrypting the data and discarding the key. Ransomware is the popular variant used to extract payment from a target: it looks for files likely to be of value to the victim, encrypts them, and offers the key in exchange for money.

How to Mitigate
A Business Continuity Plan (BCP) that contains a well-defined Disaster Recovery Plan (DRP) should be implemented, covering deliberate human and technical disruptive events. The plan should be tested through exercises and maintained regularly. Additionally, monitoring should be in place for file modifications and for binaries that can be used for data encryption and destruction.

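The file-modification monitoring described above can be approximated with two signals: a single process modifying an unusual number of files in a short window, and written content that is near-random the way ciphertext is. The following Python is an added example, not code from the post or from Optiv; the event records, file paths, process names and content samples are all constructed for the example, and the window, count and entropy thresholds are assumptions to tune against your own environment.

```python
"""Added example (not from the post): two checks for ransomware-style file activity.

Signal 1: one process modifying many files within a short time window.
Signal 2: written content that is near-random, as ciphertext is (high Shannon entropy).
All event records and file contents below are constructed for the example."""
import math
from collections import defaultdict

# Constructed file-event records: (timestamp_seconds, process_name, action, path)
EVENTS = [
    (0.5 * i, "updater.exe", "write", f"C:\\Users\\alice\\Documents\\file{i}.docx.locked")
    for i in range(30)
] + [
    (3.0, "winword.exe", "write", "C:\\Users\\alice\\Documents\\notes.docx"),
    (40.0, "explorer.exe", "rename", "C:\\Users\\alice\\Desktop\\old.txt"),
]

# Constructed content samples keyed by path (first bytes of the file after the write)
SAMPLES = {
    "C:\\Users\\alice\\Documents\\file0.docx.locked": bytes(range(256)) * 4,  # stand-in for ciphertext
    "C:\\Users\\alice\\Documents\\notes.docx": b"Quarterly notes: revenue up 4%, headcount flat. " * 8,
}

MODIFYING_ACTIONS = {"write", "rename", "delete"}


def burst_processes(events, window_seconds=10.0, threshold=20):
    """Return {process: peak_count} for every process whose modifying file events
    reach `threshold` within any `window_seconds` span (sliding window per process)."""
    stamps_by_proc = defaultdict(list)
    for ts, proc, action, _path in events:
        if action in MODIFYING_ACTIONS:
            stamps_by_proc[proc].append(ts)
    hits = {}
    for proc, stamps in stamps_by_proc.items():
        stamps.sort()
        left, peak = 0, 0
        for right, ts in enumerate(stamps):
            while ts - stamps[left] > window_seconds:
                left += 1
            peak = max(peak, right - left + 1)
        if peak >= threshold:
            hits[proc] = peak
    return hits


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def looks_encrypted(data: bytes, threshold_bits=7.5) -> bool:
    """Compressed archives and images score high too, so this is a triage signal
    to combine with the burst check, not proof of encryption on its own."""
    return shannon_entropy(data) >= threshold_bits


def triage(events, samples, **burst_kwargs):
    """Return the set of processes that both burst and wrote content that looks encrypted."""
    bursts = burst_processes(events, **burst_kwargs)
    flagged = set()
    for _ts, proc, action, path in events:
        if proc in bursts and action in MODIFYING_ACTIONS and path in samples \
                and looks_encrypted(samples[path]):
            flagged.add(proc)
    return flagged


if __name__ == "__main__":
    print("bursting processes:", burst_processes(EVENTS))
    print("flagged for triage:", triage(EVENTS, SAMPLES))
```

Requiring both signals keeps a backup agent (many writes, low-entropy or already-compressed content) and an archiver (high entropy, few files) from tripping the alert; in a real deployment the events would come from an EDR or file-audit feed rather than the constructed list.
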
T1496 - Resource Hijacking

Description
With the rise of cryptocurrency, computing resources have become more valuable to attackers. Cryptocurrency is created by solving complex problems that require large amounts of computing power, a process commonly called cryptocurrency mining, crypto mining, or crypto coin mining.

What's the Risk?
Affected endpoints can become unresponsive under the heavy resource usage, compromising their availability. Cloud computing is a frequent target because of its processing capacity and scalability, and the added resource consumption can drive up cloud costs sharply in a short time.

How to Mitigate
A baseline of CPU, memory, graphics processing and network traffic should be established, and those resources then monitored for activity outside the baseline. Additionally, known cryptomining processes and process names should be monitored.

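One way to put the baseline-and-watchlist advice into practice, as an added example that is not code from the post or from Optiv: compare current readings against quiet-period samples using a z-score, and scan a process snapshot for known miner names and mining-pool URL schemes in command lines. The baseline values, the process snapshot, the three-sigma threshold and the miner-name list are constructed or assumed for the example and would be replaced by your own telemetry and threat intelligence.

```python
"""Added example (not from the post): compare live host metrics with a quiet-period
baseline, and check a process list for known miner names and pool-connection strings.
Baseline samples, current readings and the process snapshot are all constructed."""
import statistics

# Constructed baseline: 24 hourly samples per metric from a quiet period on one host
BASELINE = {
    "cpu_percent": [12, 15, 11, 14, 13, 16, 12, 10, 14, 15, 13, 12,
                    11, 13, 14, 12, 15, 13, 12, 11, 14, 13, 12, 15],
    "gpu_percent": [0, 2, 0, 1, 0, 0, 3, 1, 0, 0, 2, 0,
                    1, 0, 0, 1, 0, 2, 0, 0, 1, 0, 0, 1],
    "net_out_kbps": [40, 55, 38, 60, 45, 50, 42, 39, 58, 47, 44, 52,
                     41, 49, 46, 53, 40, 48, 45, 51, 43, 47, 44, 50],
}

# Constructed current readings for the same host
CURRENT = {"cpu_percent": 96, "gpu_percent": 2, "net_out_kbps": 55}

# Starter watchlist (assumed); extend from your own threat intelligence
KNOWN_MINER_NAMES = {"xmrig", "minerd", "cpuminer"}
# URL schemes used to reach mining pools, checked in command lines so a renamed binary is still caught
POOL_MARKERS = ("stratum+tcp://", "stratum+ssl://")

# Constructed process snapshot: (pid, name, cmdline, cpu_percent)
SNAPSHOT = [
    (412, "sshd", "/usr/sbin/sshd -D", 0.1),
    (2201, "python3", "python3 app.py", 4.0),
    (3190, "update-agent", "update-agent -o stratum+tcp://pool.example.invalid:3333 -u WALLET_PLACEHOLDER", 97.5),
    (3311, "xmrig", "xmrig --config=/tmp/cfg.json", 95.0),
]


def z_score(value, samples):
    """Standard deviations between `value` and the mean of `samples` (population stdev)."""
    mean = statistics.fmean(samples)
    stdev = statistics.pstdev(samples)
    if stdev == 0:
        return 0.0 if value == mean else float("inf")
    return (value - mean) / stdev


def outside_baseline(current, baseline, sigma=3.0):
    """Return {metric: z} for metrics more than `sigma` deviations ABOVE baseline;
    mining drives usage up, so drops are not flagged here."""
    anomalies = {}
    for metric, value in current.items():
        if metric not in baseline:
            continue
        z = z_score(value, baseline[metric])
        if z > sigma:
            anomalies[metric] = round(z, 2)
    return anomalies


def suspicious_processes(snapshot):
    """Return [(pid, reason)] for processes matching the name watchlist or carrying
    a pool-protocol URL in their command line."""
    findings = []
    for pid, name, cmdline, _cpu in snapshot:
        if name.lower() in KNOWN_MINER_NAMES:
            findings.append((pid, f"known miner name: {name}"))
        elif any(marker in cmdline for marker in POOL_MARKERS):
            findings.append((pid, "mining-pool URL in command line"))
    return findings


if __name__ == "__main__":
    print("metrics outside baseline:", outside_baseline(CURRENT, BASELINE))
    for pid, reason in suspicious_processes(SNAPSHOT):
        print(f"pid {pid}: {reason}")
```

The two checks are complementary: a spike in CPU or GPU usage with no matching change order is the behavioural signal, and the process scan attributes it. Cloud tenants would run the same comparison against billing or instance-metric exports, where the baseline is spend or vCPU-hours rather than a single host's CPU percentage.
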
T1492 - Stored Data Manipulation

Description
Stored data is any data at rest on persistent storage, such as documents, databases and email. Stored data manipulation is the modification or deletion of that data at rest, done to change the outcome of events or to hide earlier activity.

What's the Risk?
Stored data manipulation compromises the integrity and availability of data at rest. It can be used to misdirect investigators during or after an attack, to remove evidence of activity such as logs, or to destroy a system outright.

How to Mitigate
Sensitive information should always be encrypted, which greatly reduces an adversary’s ability to modify data. As noted under T1486 - Data Encrypted for Impact, a well-defined disaster recovery plan should be in place to restore data when necessary. Files and directories should follow a least-privilege approach, and file hashes and attributes should be monitored so that unexpected changes raise an alert.

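The hash-and-attribute monitoring recommended above is the core of file integrity monitoring. The Python below is an added example, not code from the post or from Optiv: it records a SHA-256 digest plus size, permission bits and owner for every regular file under a directory, then diffs a later snapshot against that baseline and reports what was added, removed or changed and why. The sample files and the tampering performed in `demo()` are constructed inside a temporary directory so the example runs offline.

```python
"""Added example (not from the post): a minimal file-integrity baseline and diff.
Every file gets a SHA-256 digest plus attributes; a later snapshot is compared to it.
The files created in demo() are constructed for the example."""
import hashlib
import os
import stat
import tempfile

TRACKED_ATTRIBUTES = ("sha256", "size", "mode", "owner")


def file_record(path):
    """Digest the file in chunks and capture the attributes worth alerting on."""
    st = os.lstat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {
        "sha256": digest.hexdigest(),
        "size": st.st_size,
        "mode": stat.S_IMODE(st.st_mode),  # permission bits only
        "owner": st.st_uid,
    }


def snapshot(root):
    """Map each regular file's path (relative to root) to its record; symlinks are skipped."""
    records = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            records[os.path.relpath(full, root)] = file_record(full)
    return records


def compare(baseline, current):
    """Return added/removed paths and, for modified files, which attributes changed."""
    base_paths, cur_paths = set(baseline), set(current)
    result = {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "modified": {},
    }
    for rel in sorted(base_paths & cur_paths):
        changed = [a for a in TRACKED_ATTRIBUTES if baseline[rel][a] != current[rel][a]]
        if changed:
            result["modified"][rel] = changed
    return result


def _write(root, rel, data):
    with open(os.path.join(root, rel), "wb") as fh:
        fh.write(data)


def demo():
    """Build a constructed directory, baseline it, tamper with it, and return the diff."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "ledger.csv", b"id,amount\n1,100\n")
        _write(root, "audit.log", b"login ok\n")
        _write(root, "readme.txt", b"hello\n")
        baseline = snapshot(root)

        # Simulated manipulation: alter a record, delete a log, add a file, loosen permissions
        _write(root, "ledger.csv", b"id,amount\n1,1000\n")
        os.remove(os.path.join(root, "audit.log"))
        _write(root, "dropper.bin", b"\x00\x01")
        os.chmod(os.path.join(root, "readme.txt"), 0o777)

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In production the baseline would be stored away from the monitored host (a tampered host can also tamper with its own baseline) and the diff scheduled or driven by file-change notifications; the same comparison works for configuration directories, web roots and log archives.
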
Conclusion

We have covered three techniques adversaries use to affect integrity and availability under the Impact tactic. Adversaries continuously develop new techniques and tools for high-impact attacks. It is important to have a Business Continuity Plan (BCP) that contains a well-defined Disaster Recovery Plan (DRP), maintained and updated as a living document. Processes, resource load and files should be monitored for unplanned or unusual activity.

This series will continue through each of the ATT&CK tactics, covering the dangers of each and some of its most critical techniques.

Read more in Optiv’s ATT&CK series.

Senior Security Consultant | CISSP, GWAPT, CEH
Robert is a senior security consultant on the Threat Management team. He has over 20 years’ experience in both consulting and enterprise environments and his experience ranges from small businesses to Fortune 500 corporations in a multitude of industries.