ATT&CK Series: Impact
Often an attacker will have an exit strategy or will want to provide cover for a breach by misdirecting investigations away from the attacker’s true goal. This can cost an organization time and money as it tries to recover data and identify the depth of compromise.
In this post, we will look at ATT&CK’s Impact Phase as it affects availability and integrity. There are several different techniques adversaries can use to impact an environment. Here we will cover three techniques adversaries commonly use to cover their tracks or to achieve financial gain.
T1486 - Data Encrypted for Impact
Once only used by governments and military forces, encryption takes plaintext and converts it to ciphertext with the goal of allowing only authorized parties to access the content. Now, encryption is widely available and can be used by almost anyone, including attackers, who use encryption in a variety of ways that can affect the availability of systems and data.
What's the Risk?
An organization may be impacted by the threat actor restricting or removing the availability of data and network resources. This can be achieved by encrypting data and throwing away the key. Additionally, ransomware is a popular tool used to gain compensation from a target. Ransomware often looks for files that might be of value to the target, encrypts the data, and holds it for ransom by offering the key in exchange for money.
How to Mitigate
A Business Continuity Plan (BCP) that contains a well-defined Disaster Recovery Plan (DRP) should be implemented. This should include defending against intentional human and technical disruptive events. The plan should be tested through exercises, and plan maintenance should be performed regularly. Additionally, monitoring should be in place for file modifications and for binaries that can be used for data encryption and destruction.
T1496 - Resource Hijacking
With the rise of cryptocurrency, computing resources have become more valuable to attackers. Cryptocurrency is created by solving complex problems that require great amounts of computing power. The process is often called cryptocurrency mining, crypto mining, or crypto coin mining.
What's the Risk?
The availability of affected endpoints can be compromised by heavy resource usage, and the endpoints can become unresponsive. Cloud computing is often a target due to its ability to handle heavy processing and its scalability. The increased computing resource usage can greatly increase cloud computing costs in a short amount of time.
How to Mitigate
A baseline of CPU, memory, graphics processing, and network traffic should be created. The resources should then be monitored for activity outside the baseline. Additionally, known cryptomining processes and names should be monitored.
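The baseline-and-monitor approach described above can be sketched as follows. This is an added example, not code from the original post: the metric names, sample values, thresholds and the two-entry process watchlist are constructed assumptions for illustration.

```python
from statistics import mean, stdev

# Illustrative watchlist (assumption): maintain the real one from threat intelligence.
MINER_NAMES = {"xmrig", "minerd"}

# Constructed sample data: known-good samples, then an observation window.
GOOD = [{"cpu_pct": c, "net_kbps": n} for c, n in
        [(12, 200), (15, 220), (11, 180), (14, 210), (13, 190), (16, 205), (12, 215)]]
OBSERVED = [{"cpu_pct": c, "net_kbps": n} for c, n in
            [(14, 210), (95, 205), (13, 198), (96, 220), (97, 230), (98, 225)]]

def build_baseline(samples):
    """Return {metric: (mean, stdev)} computed from known-good samples."""
    return {m: (mean(s[m] for s in samples), stdev(s[m] for s in samples))
            for m in samples[0]}

def deviations(baseline, sample, k=3.0):
    """Metrics in one sample that exceed mean + k standard deviations."""
    hot = set()
    for metric, (mu, sigma) in baseline.items():
        # Floor sigma at 5% of the mean so a flat baseline does not alert on noise.
        if sample[metric] > mu + k * max(sigma, 0.05 * mu):
            hot.add(metric)
    return hot

def sustained_alerts(baseline, window, min_run=3, k=3.0):
    """Metrics out of baseline for min_run consecutive samples (ignores lone spikes)."""
    runs, alerts = dict.fromkeys(baseline, 0), set()
    for sample in window:
        hot = deviations(baseline, sample, k)
        for metric in baseline:
            runs[metric] = runs[metric] + 1 if metric in hot else 0
            if runs[metric] >= min_run:
                alerts.add(metric)
    return sorted(alerts)

def watchlist_hits(process_paths):
    """Process paths whose base name, case-folded and without .exe, is on the watchlist."""
    hits = []
    for path in process_paths:
        base = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if base.removesuffix(".exe") in MINER_NAMES:
            hits.append(path)
    return hits
```

Requiring several consecutive out-of-baseline samples keeps a single build job or backup spike from paging anyone, while sustained load of the kind mining produces still alerts.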
T1492 - Stored Data Manipulation
Stored data can be any data at rest on persistent storage. For example, documents, databases and emails are types of data at rest. Stored data manipulation is the result of modifying or deleting data at rest. This is done to change the outcome of events or hide previous activities.
What's the Risk?
Stored data manipulation can result in compromising the integrity and availability of data at rest. It can be used to misdirect focus during or after an attack, to remove evidence of activity such as logs, or for complete system destruction.
How to Mitigate
Sensitive information should always be encrypted. This will greatly reduce an adversary’s ability to modify data. Additionally, as mentioned previously in T1486 - Data Encrypted for Impact, a well-defined disaster recovery plan should be implemented to restore data if necessary. Furthermore, access to files and directories should follow a least privilege approach. File hashes and attributes should be monitored to alert when unexpected changes have been made.
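The hash-and-attribute monitoring described here, and the file-modification monitoring recommended under T1486, can share one mechanism. The sketch below is an added example, not code from the original post: it snapshots a directory tree, classifies what changed, and flags the case where a large share of files was rewritten or removed at once. The 50% threshold and the sample files are constructed assumptions.

```python
import hashlib
import stat
import tempfile
from pathlib import Path

def snapshot(root):
    """Map each regular file under root to (sha256, permission bits)."""
    snap = {}
    for p in Path(root).rglob("*"):
        st = p.lstat()
        if not stat.S_ISREG(st.st_mode):
            continue  # skip directories, symlinks, sockets and devices
        digest = hashlib.sha256(p.read_bytes()).hexdigest()
        snap[str(p.relative_to(root))] = (digest, stat.S_IMODE(st.st_mode))
    return snap

def diff(baseline, current):
    """Classify every path that differs between two snapshots."""
    report = {"added": [], "removed": [], "content": [], "attrs": []}
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            report["added"].append(path)
        elif path not in current:
            report["removed"].append(path)
        else:
            if baseline[path][0] != current[path][0]:
                report["content"].append(path)
            if baseline[path][1] != current[path][1]:
                report["attrs"].append(path)
    return report

def mass_change(baseline, report, threshold=0.5):
    """True when the share of baseline files rewritten or removed reaches threshold."""
    touched = len(report["content"]) + len(report["removed"])
    return bool(baseline) and touched / len(baseline) >= threshold

def demo():
    """Constructed sample tree: edit one file, chmod one, delete one, add one."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("a.txt", "b.txt", "c.log", "d.cfg"):
            Path(root, name).write_text("original " + name)
        base = snapshot(root)
        Path(root, "a.txt").write_text("tampered")
        Path(root, "b.txt").chmod(0o777)
        Path(root, "c.log").unlink()
        Path(root, "new.bin").write_text("x")
        report = diff(base, snapshot(root))
        return report, mass_change(base, report)
```

The baseline snapshot should be stored where the monitored host cannot rewrite it, otherwise an adversary who manipulates the data can update the recorded hashes as well.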
In conclusion, we have covered three techniques used by adversaries to affect integrity and availability during the impact phase. Adversaries are continuously developing new techniques and tools to perform high impact attacks. It is important to have a Business Continuity Plan (BCP) that contains a well-defined Disaster Recovery Plan (DRP). The DRP should be continuously maintained and updated as a living document. Processes, resource load, and files should be monitored for unplanned or unusual activity.
This series will continue to cover each of the ATT&CK tactics to provide knowledge on the dangers of each tactic and some of the most critical techniques.