MITRE ATT&CK 14 Stages
The "stages" of the MITRE ATT&CK Framework are officially called Tactics. In the widely used Enterprise Matrix, there are 14 Tactics, each capturing a tactical goal of a cyber adversary (the "why" behind a technique).
Unlike linear models such as the Lockheed Martin Cyber Kill Chain, the MITRE ATT&CK framework is non-linear. Attackers can skip stages, repeat them, or run them simultaneously, so an intrusion rarely walks the matrix from left to right.
The 14 stages are grouped below, in the order they typically appear, into four phases: Pre-Attacking, Initial Compromise, Internal Operations, and Ultimate Objectives.
_______________________________________
Phase 1: Pre-Attacking
These steps occur outside the victim's network before the actual compromise takes place.
1. Reconnaissance: The adversary gathers data to plan future attacks. They use techniques like active port scanning, tracking public social media accounts, or leveraging Open Source Intelligence (OSINT).
2. Resource Development: The adversary builds or purchases infrastructure to support operations. This includes creating fake accounts, purchasing malicious domains, renting virtual servers, or buying pre-made malware.
Phase 2: Initial Compromise
This phase marks the transition from planning to active entry into the environment.
3. Initial Access: The adversary uses various means to gain a baseline foothold in your network. Classic examples include sending phishing emails, exploiting public-facing software vulnerabilities, or using stolen remote desktop (RDP) credentials.
4. Execution: The attacker triggers malicious code on a local or remote target machine. They often abuse native system tools (like executing a malicious PowerShell command or Windows Management Instrumentation) to evade traditional antivirus software.
Phase 3: Internal Operations (Post-Compromise)
Once inside, attackers navigate the environment to secure and expand their control.
5. Persistence: The adversary deploys methods to maintain their access across computer restarts, system reconfigurations, or credential resets. Common methods include creating rogue scheduled tasks or modifying system registry keys.
6. Privilege Escalation: The attacker attempts to bypass security restrictions to gain higher-level administrative, SYSTEM, or root permissions. They achieve this by leveraging zero-day software bugs or exploiting weak system configurations.
7. Defense Evasion: The adversary actively works to avoid detection by security teams. They will hide their activities by disabling system firewalls, deleting computer event logs, masquerading malware files as legitimate applications, or encrypting their files.
8. Credential Access: The attacker targets authentication secrets to gain broader system access. They dump credentials and login tokens from memory, run keyloggers to record typing, or run brute-force attacks against system passwords.
9. Discovery: The attacker explores your network to figure out what systems, user accounts, databases, and network architectures exist. They run system discovery queries to locate valuable data repositories.
10. Lateral Movement: The adversary shifts from the initially compromised device to explore and infect other servers or workstations across the network. They usually leverage legitimate system tools using stolen credentials.
11. Collection: The attacker locates and gathers the critical data aligned with their mission objectives. They aggregate database structures, sensitive text files, or email communications into compressed ZIP files to prepare them for extraction.
12. Command and Control (C2): The adversary establishes communication lines between inside-the-perimeter malware and an external server they control. They use these covert channels to send remote execution instructions to the infected machines.
Phase 4: Ultimate Objectives
This is the final phase where the attacker extracts value or inflicts damage.
13. Exfiltration: The adversary transfers the collected corporate data out of the target network. They sneak data out using encrypted web protocols, cloud storage accounts, or corporate email.
14. Impact: The adversary manipulates, corrupts, or outright destroys data and systems. This includes deploying ransomware to encrypt files for extortion, or executing data-wiping scripts to disrupt business operations entirely.
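The non-linear point from the introduction is easy to see once alerts are tagged with the tactic they evidence. The following is an added example, not code from the original post or from MITRE: it tags a constructed Windows event log with the tactics for PowerShell execution, scheduled-task persistence, log clearing and brute-force logon failures, then checks whether the tactics appeared in the matrix order. The event-to-tactic mapping is a deliberate simplification chosen for the example, and the sample log is constructed.

```python
from collections import Counter

# Tactic ID -> (position in the post's list, name, phase). IDs are the real ATT&CK tactic IDs.
TACTICS = {
    "TA0002": (4, "Execution", "Initial Compromise"),
    "TA0003": (5, "Persistence", "Internal Operations"),
    "TA0005": (7, "Defense Evasion", "Internal Operations"),
    "TA0006": (8, "Credential Access", "Internal Operations"),
}
# Real Windows event IDs that commonly evidence a tactic. The one-to-one mapping is a
# simplification for this example; real detections need more context than the ID alone.
EVENT_TACTIC = {4104: "TA0002",   # PowerShell script block logged
                4698: "TA0003",   # scheduled task created
                1102: "TA0005"}   # security audit log cleared
FAILED_LOGON, BRUTE_FORCE_THRESHOLD = 4625, 5

# Constructed sample log: (timestamp, event id, account). The audit log is cleared
# before the scheduled task is planted, i.e. Defense Evasion precedes Persistence.
SAMPLE_LOG = [(1, 4104, "alice"), (2, 1102, "alice"), (3, 4698, "alice")]
SAMPLE_LOG += [(4 + i, FAILED_LOGON, "svc_backup") for i in range(6)]

def tag_events(log, threshold=BRUTE_FORCE_THRESHOLD):
    """Return (timestamp, tactic_id) pairs. A single failed logon is not evidence of
    anything; Credential Access is tagged once one account reaches the threshold."""
    tagged, failures = [], Counter()
    for ts, event_id, account in log:
        if event_id in EVENT_TACTIC:
            tagged.append((ts, EVENT_TACTIC[event_id]))
        elif event_id == FAILED_LOGON:
            failures[account] += 1
            if failures[account] == threshold:
                tagged.append((ts, "TA0006"))
    return tagged

def tactic_order(tagged):
    """Distinct tactics in first-seen order as (id, position, name, phase)."""
    seen = []
    for _, tid in sorted(tagged):
        if tid not in seen:
            seen.append(tid)
    return [(tid, *TACTICS[tid]) for tid in seen]

def is_linear(order):
    """True only if the tactics appeared in the post's numbered (kill-chain-like) order."""
    positions = [pos for _, pos, _, _ in order]
    return positions == sorted(positions)

if __name__ == "__main__":
    order = tactic_order(tag_events(SAMPLE_LOG))
    for tid, pos, name, phase in order:
        print(f"{pos:2}. {tid} {name:17} ({phase})")
    print("linear progression:", is_linear(order))
```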