Not all attackers are trying to exfiltrate data. In security, we’re all familiar with the CIA triad—confidentiality, integrity, and availability. While Exfiltration describes adversarial behavior aimed at violating confidentiality, attackers may instead look to manipulate, interrupt, or destroy your systems and data. The Impact tactic describes techniques that adversaries use to compromise the availability or integrity of your systems and data. This tactic was introduced to capture disruptive behavior such as ransomware, denial of service, and other destructive enterprise attacks that aren’t captured by the other ATT&CK tactics.
Over the past decade, the prevalence of ransomware has grown from an annoyance to a major crisis, in no small part due to the introduction of convenient and hard-to-trace payment systems such as cryptocurrencies like bitcoin. In late 2013, ZDNet estimated that the attackers behind Cryptolocker made off with $41.9 million over the span of three months. Ransomware such as Cryptolocker works by encrypting files located on connected drives, often using strong, sound cryptography. The encrypted files are inaccessible to the victims until they receive the decryption key, which attackers may or may not divulge upon payment. These keys are typically generated randomly per victim, so no single key will be usable by two different victims.
Best practices for mitigating Data Encrypted for Impact and data destruction techniques are a good offline data backup scheme and restricting file and directory permissions. (See CIS Control 10: Data Recovery Capabilities.) Increasingly advanced ransomware variants are designed to seek out local and cloud backups and encrypt those as well, so recovery plans should contain procedures for regularly taking, testing, and protecting backups.
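As an added example (not from the original post), here is a small Python routine for the "testing and protecting backups" step: it records a SHA-256 manifest at backup time, which is meant to be stored apart from the data (offline media), and later re-hashes the backup copy against it, flagging files that have gone missing or changed and, via a byte-entropy check, changed files whose contents now look encrypted. The file names and contents in `demo()` are constructed for the illustration.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter

def build_manifest(root):
    """Record {relative_path: sha256} for every file under root; store it offline."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                manifest[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return manifest

def shannon_entropy(data):
    """Bits per byte: roughly 4-5 for English text, close to 8.0 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def verify_backup(root, manifest, entropy_threshold=7.0):
    """Re-hash a backup copy against its manifest; near-random modified files are flagged as likely encrypted."""
    report = {"missing": [], "modified": [], "likely_encrypted": []}
    for rel, expected in manifest.items():
        full = os.path.join(root, rel)
        if not os.path.exists(full):
            report["missing"].append(rel)
            continue
        with open(full, "rb") as fh:
            data = fh.read()
        if hashlib.sha256(data).hexdigest() != expected:
            report["modified"].append(rel)
            if shannon_entropy(data) >= entropy_threshold:
                report["likely_encrypted"].append(rel)
    return report

def demo():
    """Constructed scenario: back up three text files, then overwrite one with random bytes and delete one."""
    root = tempfile.mkdtemp()
    for name in ("a.txt", "b.txt", "c.txt"):
        with open(os.path.join(root, name), "w") as fh:
            fh.write("quarterly report, plain text content\n" * 40)
    manifest = build_manifest(root)
    with open(os.path.join(root, "b.txt"), "wb") as fh:
        fh.write(os.urandom(4096))  # stand-in for a file rewritten by ransomware
    os.remove(os.path.join(root, "c.txt"))
    return verify_backup(root, manifest)
```

A real deployment would write the manifest to write-once or offline media, since a manifest that sits beside the backup can be encrypted or replaced along with it.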
Other techniques that affect system, network, or data availability and integrity include Endpoint and Network Denial of Service, Stored and Transmitted Data Manipulation, Inhibit System Recovery, Resource Hijacking, and more.
Much of the mitigation guidance in the Impact category involves data backup and network filtering, but some techniques in this category cannot be easily mitigated.
There is also a mapping of CIS controls to the ATT&CK framework available. This can be helpful if you’re already adopting the CIS Controls and are starting down the path of adopting ATT&CK.
READ MORE ABOUT THE MITRE ATT&CK FRAMEWORK HERE:
- The MITRE ATT&CK Framework: Initial Access
- The MITRE ATT&CK Framework: Execution
- The MITRE ATT&CK Framework: Persistence
- The MITRE ATT&CK Framework: Privilege Escalation
- The MITRE ATT&CK Framework: Defense Evasion
- The MITRE ATT&CK Framework: Credential Access
- The MITRE ATT&CK Framework: Discovery
- The MITRE ATT&CK Framework: Lateral Movement
- The MITRE ATT&CK Framework: Collection
- The MITRE ATT&CK Framework: Exfiltration
- The MITRE ATT&CK Framework: Command and Control
- The MITRE ATT&CK Framework: Impact