Last week we started with the Recon phase of an adversary’s playbook. That research really sets the stage for all that comes after it. As we’ll see today, adversaries apply that context in preparing for their operation. It’s like one of those movie montages where the bad guys are prepping for a sneak attack. Think of the Death Star firing up its laser to blow up Alderaan, or the Orcs getting armed at Isengard. In all of these cases, we were screaming from the theater seats about what the victims could have done to prevent or detect it. Could they have? Let’s see how the bad guys get suited up for the opening battle and take a look at the Resource Development stage in ATT&CK of an adversary’s operation!

Resource Development – Boring name, ominous purpose

Threat actors can’t just wish an attack into being. Much like the systems they target, they need infrastructure! They need resources to host the various portions of the attack. They very likely will need some applications, accounts, certificates and more just to carry out the simplest of capers. When an adversary needs to intercept your traffic, for instance, they have to have a means by which to direct traffic to systems they control and a place to store any gleaned information. Even a simple, spiteful Denial of Service requires coordination of assets to launch joint attacks. If we take a look at the techniques in this Tactic, it looks an awful lot like setting up a legitimate hybrid enterprise from scratch! Aside from the botnets. I have used a snapshot from Resource Development in ATT&CK Navigator rather than the Enterprise Matrix homepage because it renders a little more compactly:

The Resource Development Phase may seem boring, but this is what separates the APT from the script kiddie.

The number in parentheses indicates the number of Sub-techniques contained in each Technique. I blew up the first three Techniques to help show how those look.

Acquiring Access – letting someone else blaze trails

Quite a few of these are direct results of the Recon phase (TA0043), like Acquire Access (T1650). In this Technique, the adversary may either cultivate their own access, barter with others for it, or purchase that access via an initial access broker. What might seem confusing here is that this seems like it would come in a later tactic, right? Maybe Initial Access (TA0001)? I think what is going on here is that most APTs have plans for gaining initial access in their operation based on recon, but look for a simpler, pre-existing path first. This has distinct advantages:

  • It is probably quicker than starting from scratch
  • It gives them an opportunity to preserve their own techniques for tougher targets
  • Using someone else’s techniques throws defenders off the scent

Acquiring Infrastructure – building a forward operating base

Our antagonists need systems to actually perform their attacks (or tests). The way in which they do this is as much a part of their DNA as anything that comes later, and how they select or focus their efforts says a ton about their longevity and scale. More established and protected (state-sponsored) APTs might be able to establish a core framework on which to run all of their operations.

We see a lot of the Russian and Chinese sponsored outfits do resource development as outlined in ATT&CK, allowing them to run multiple high-complexity operations simultaneously. Lots of the “Bears” and “Pandas” in particular have infrastructure that falls into this category. In these cases, they spend considerable time Acquiring Infrastructure (T1583) and doing so with a lens toward longevity. These same adversaries understand all too well how easy that makes them to track. They thus expend considerable resources on intermediary resources as well. Cloud infrastructure (servers, serverless or function-based capabilities, DNS infrastructure, etc.) is a very common burnable resource pool. These help abstract or obscure their own environment from authorities.

TA505’s a big fan of setting up DNS, Domain, and Malware infrastructure. (H/T https://ma-insights.vercel.app/adversaries)

Less protected adversaries (folks like LAPSUS$ or TA505) also spend time in both Acquiring and Compromising Infrastructure. Unlike the state-sponsored folks, they focus less on permanence or longevity. This is not always a weakness. APTs operating without the cover of a nation-state prefer expendable and evergreen infrastructure to help evade long-term counter-surveillance.

Compromising Accounts and Infrastructure – sending in the sappers before landing!

Both of these types of adversaries can only go so far operating from outside of their victims’ environments. Attackers will also look to Compromise Infrastructure (T1584) and other victim resources. To do this, they line up as many Compromised Accounts (T1586) as they can. Assets can be hijacked, backdoored, or otherwise enlisted to aid and abet the attack. APTs get this either by direct compromise or by using stolen credentials to abuse them. There is a big focus on assets that handle traffic steering – DNS (T1584.002). DNS is essential to any network, and its compromise is a huge boost for overcoming other security controls. Web Services (T1584.006) are another high-value place to focus. With the advent of APIs they may offer a superhighway that is poorly monitored and can be used for exfiltration, command and control, and more.
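As a defender-side illustration of why control of DNS matters so much, here is an added Python example (not part of the original post) that diffs a trusted snapshot of a zone against a fresh export and ranks the changes: name-server, mail and alias changes are the traffic-steering kind the paragraph describes, while new hosts and shortened TTLs are the softer signals that often precede a record swing. Both zone snapshots are constructed for the example; the example.com/example.net names and TEST-NET addresses are documentation values, and the severity labels and the TTL floor are my own assumptions rather than anything prescribed by ATT&CK.

```python
"""Diff a trusted DNS zone baseline against a fresh export to spot tampering (added example)."""
from typing import Dict, List, Tuple

Record = Tuple[str, str, str]  # (owner name, record type, rdata)

# Record types that steer traffic or mail; a change here deserves a page, not a ticket (assumption).
STEERING_TYPES = {"NS", "SOA", "MX", "CNAME"}
# TTLs pushed below this are worth a look: records are often shortened before being swung (assumption).
TTL_FLOOR = 600


def parse_zone(text: str) -> Dict[Record, int]:
    """Parse 'name TTL IN TYPE RDATA' lines (';' comments allowed) into {record: ttl}."""
    records: Dict[Record, int] = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # strip zone-file comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 5 or fields[2].upper() != "IN":
            raise ValueError(f"unsupported zone line: {raw!r}")
        name, ttl, _cls, rtype = fields[:4]
        records[(name.lower(), rtype.upper(), " ".join(fields[4:]))] = int(ttl)
    return records


def diff_zone(baseline: Dict[Record, int], current: Dict[Record, int]) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for records added, removed, or with a TTL drop."""
    findings: List[Tuple[str, str]] = []
    for name, rtype, rdata in sorted(set(current) - set(baseline)):
        sev = "HIGH" if rtype in STEERING_TYPES else "MEDIUM"
        findings.append((sev, f"added {rtype} {name} -> {rdata}"))
    for name, rtype, rdata in sorted(set(baseline) - set(current)):
        sev = "HIGH" if rtype in STEERING_TYPES else "MEDIUM"
        findings.append((sev, f"removed {rtype} {name} -> {rdata}"))
    for rec in sorted(set(baseline) & set(current)):
        old, new = baseline[rec], current[rec]
        if new < old and new < TTL_FLOOR:
            findings.append(("MEDIUM", f"TTL on {rec[1]} {rec[0]} dropped {old} -> {new}"))
    return findings


# Constructed baseline: the zone as it was signed off by the people who own it.
BASELINE_ZONE = """
example.com.        3600 IN NS  ns1.example.com.
example.com.        3600 IN NS  ns2.example.com.
example.com.        3600 IN A   192.0.2.10
www.example.com.    3600 IN A   192.0.2.10
example.com.        3600 IN MX  10 mail.example.com.
"""

# Constructed 'fresh export' with tampering of the kind described in the text.
CURRENT_ZONE = """
example.com.        3600 IN NS  ns1.example.com.
example.com.        3600 IN NS  ns-evil.example.net.   ; one NS swapped: resolver traffic steered
example.com.         300 IN A   198.51.100.7           ; apex now points elsewhere
www.example.com.     300 IN A   192.0.2.10             ; unchanged target, TTL shortened
example.com.        3600 IN MX  10 mail.example.com.
portal.example.com.  300 IN A   198.51.100.7           ; new host nobody asked for
"""

if __name__ == "__main__":
    for severity, message in diff_zone(parse_zone(BASELINE_ZONE), parse_zone(CURRENT_ZONE)):
        print(f"[{severity}] {message}")
```

In practice the baseline is whatever your change-control process approved, and the export comes from an AXFR of your own servers or the registrar/provider API; diffing on every run and alerting on the HIGH class is a cheap way to notice a hijacked zone long before customers do.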

Developing or Obtaining Capabilities – Make vs. Buy (vs. Steal) the weapons

Now that the adversary has their base of operations and some potential ‘ins’ via accounts, they need some weapons to use when they land in victim environments. Recon tells them what sorts of systems are in play, and from this intel the adversary can decide whether to purchase off-the-shelf tools (exploits, malware frameworks, certificates, and the like) or to research and build their own. Some capabilities cannot be replicated easily, yet having them can be a huge boost to success. Cobalt Strike, despite its usefulness in red-teaming environments, offers massive power-ups to attackers who find the licensing costs (or pirating effort) well worth it given the return. Code-signing certificates are also golden – supply chain attacks are increasingly delivered with valid certificates vouching for payloads. Ember Bear, BlackTech, and Wizard Spider are all known for using this pretty nasty superpower.

Staging Capabilities & Establishing Accounts – position supplies and mobilize sleepers

At this point we are on the eve of the attack. I’d argue the attack is underway, but from a kinetic standpoint, it is very difficult for the target environment to know what is coming. The APT will now begin to Stage Capabilities (T1608) and Establish Accounts (T1585). Attacker assets (or compromised infrastructure) receive payloads in preparation for later phases of the attack. Social media and email accounts, data sinks, or malicious websites needed for the attack are activated to prepare. If a spoofed portal is needed (Link Target, Drive-by Target), a certificate is required, or a cloud service like GitHub, AWS S3, Twitter, or Dropbox is called for, this is when those accounts will be activated and the needed tools deployed.

How do we counter this impending doom?

Much like the Recon Phase, the assumption by many is that we are powerless to detect – much less control – this phase of the attack. Is that true for Resource Development in ATT&CK? I am more bullish. I would first begin with limiting how much I have to protect – turn off and decommission your old stuff, folks! And tighten it up – the more sprawl you have, the less likely you are to have a good handle on it. Inventory (software and hardware) might not be sexy, but getting it under control is the key to soooo much in security. This is why the Center for Internet Security calls them #1 and #2 on their Critical Security Controls. Assuming we start working on that, what else can we do?

Detection Tips

One of the most impactful things we can do here is to step up our own monitoring. Better logging of internal assets can make a huge difference. We need to alert on access attempts, data flow behavior, and service creation to truly make an impact here. We should also observe public infrastructure for signs that someone is preparing to mount an attack against us. Certificate checking services will offer indications of certificate abuse, and would be a fantastic place to start. Likewise, we can monitor DNS registrars for indications that look-alike domains (using punycode or other techniques) are being created in preparation for siphoning or redirecting our traffic.
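Here is an added Python example (not from the original post) of the look-alike domain monitoring just described. It takes domains the way a registrar or certificate-transparency feed presents them (punycode `xn--` form), decodes them, collapses a few common confusable characters onto an ASCII skeleton, and flags homoglyph, typosquat and brand-embedding cases against an allow-list of domains you actually own. The confusable table and the sample feed are constructed for illustration, `apple` is only a stand-in brand, and `OWNED` stands in for your organization’s real domain inventory.

```python
"""Flag look-alike domains from a registrar / CT-log style feed (added example)."""
import unicodedata
from typing import Dict, Iterable, Optional, Set

# Constructed, deliberately small confusable map. A real deployment would load the
# full Unicode confusables table; this subset is enough to show the technique.
CONFUSABLES = {
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
    "\u0440": "p",  # Cyrillic small er
    "\u0441": "c",  # Cyrillic small es
    "\u0445": "x",  # Cyrillic small ha
    "\u0456": "i",  # Cyrillic/Ukrainian small i
    "\u0131": "i",  # Latin dotless i
    "0": "o", "1": "l", "5": "s",  # digit-for-letter swaps
}


def decode_idn(domain: str) -> str:
    """Turn the wire form a feed gives you ('xn--pple-43d.com') into Unicode.

    A domain that is already Unicode, or that is not valid IDNA, is returned unchanged.
    """
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain


def skeleton(label: str) -> str:
    """Collapse visually similar characters onto one lowercase ASCII 'skeleton'."""
    text = unicodedata.normalize("NFKD", label.lower())                 # 'é' -> 'e' + accent
    text = "".join(ch for ch in text if not unicodedata.combining(ch))  # drop the accents
    text = "".join(CONFUSABLES.get(ch, ch) for ch in text)
    return text.replace("rn", "m").replace("vv", "w")                   # multi-char look-alikes


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert/delete/substitute, each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str, brand: str, owned: Set[str]) -> Optional[str]:
    """Return a reason string if `domain` imitates `brand`, else None."""
    unicode_form = decode_idn(domain.lower())
    labels = unicode_form.rstrip(".").split(".")
    if ".".join(labels[-2:]) in owned:  # naive registrable domain: no Public Suffix List here
        return None
    target = skeleton(brand)
    for label in labels:
        sk = skeleton(label)
        if sk == target:
            if label == brand:
                return f"brand label: '{brand}' used inside non-owned domain {unicode_form}"
            return f"confusable: '{label}' renders like '{brand}' ({unicode_form})"
        if target in sk:
            return f"embedded: brand inside label '{label}'"
        if edit_distance(sk, target) == 1:  # short brands make this rule noisier
            return f"typosquat: '{label}' is one edit from '{brand}'"
    return None


def scan(feed: Iterable[str], brand: str, owned: Set[str]) -> Dict[str, str]:
    """Run classify() over a feed and keep only the hits."""
    hits: Dict[str, str] = {}
    for domain in feed:
        reason = classify(domain, brand, owned)
        if reason:
            hits[domain] = reason
    return hits


# Constructed sample feed (not real observations): what a new-domain or
# certificate-transparency monitor might hand you in a day.
SAMPLE_FEED = [
    "apple.com",                       # our own domain, allow-listed
    "xn--pple-43d.com",                # Cyrillic 'а' + "pple": displays as apple.com
    "app1e.net",                       # digit 1 standing in for l
    "aple.com",                        # dropped letter
    "apple.com.login-verify.example",  # brand as a subdomain of someone else's domain
    "pineapple.org",                   # substring hit on a real word: needs analyst triage
    "example.org",                     # unrelated, should stay quiet
]
OWNED = {"apple.com"}

if __name__ == "__main__":
    for domain, reason in scan(SAMPLE_FEED, "apple", OWNED).items():
        print(f"{domain:35} {reason}")
```

The substring rule is deliberately kept even though it catches `pineapple.org`: in practice you route those hits to a lower-priority queue rather than drop the rule, because `secure-yourbrand-login` style registrations are exactly what the paragraph is warning about. The homoglyph and typosquat hits are the ones worth paging on.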

Within our cloud and on-premises environments, we should also step up our behavioral analytics. While many of the flows are now encrypted, these tools excel at identifying strange new trends that buck the norm. Where there is abnormal behavior, we can very quickly ascertain its place in our networks. Just like in the Recon phase we discussed last week, some Honeypots/Honeynets/Canary Accounts/Canary Tokens can also tip us off to bad actors.

Protection & prevention options

From a prevention standpoint, the single biggest impact we can have is in maintaining a strict access policy fortified by true MFA and privilege segmentation. Even administrators should have limits, and I have seen organizations employ combinations of bastion hosts, segmentation, allow-listed ACLs, and more to lock these vectors down.

Similarly, we can mirror and counter most of the techniques we discussed here by hardening the targeted capability. Web services and DNS can be much better restricted to reduce exposure, and Cloud Security Posture Management (CSPM) tools can do a great job ratcheting down on cloud-hosted infrastructure and help protect against resource development in ATT&CK.

CSPM’s can very quickly reveal the entire picture, giving you the awareness needed to proactively ratchet-down against and detect adversaries (H/T JupiterOne)

Conclusion

Resource Development is the active preparation of an adversary. It can seem like we’re hopeless, but hopefully we’ve given them less to work with in Recon and forced them to think on their feet more in later phases. Even with their ill-gotten riches from Recon, we can have some say. The real trick is in learning where they might launch from, and finding ways to monitor them. Take control of the situation and make gaining access a lot harder! Look for folks imitating your environment! I hope this post was useful in seeing how important the Resource Development tactic in ATT&CK is to attackers. I also hope you have some ideas and a little bit of comfort in knowing you can do something about it!