In our journey through the MITRE ATT&CK framework, we’ve explored how attackers gain access, establish persistence, and steal data. But what happens when adversaries decide to break things, or to show the defenders that they are in charge? This last post covers ATT&CK’s Impact tactic – the cyber equivalent of leaving a calling card, often with devastating consequences.

The Importance of Impact

Impact is often the point of an attack. Attacking leaders stake their reputations on whether a battle was worthwhile or not. How do we know? In the historical warfare realm, we assess whether it changed the outcome of the conflict. Did the battle further the attacker’s goals, capture people or territory, or prevent later losses? Even though the answers to these might be ‘yes,’ we typically talk about the trade-offs. Was it worth it?

In cyberspace, Impact represents the point where attackers transform their access and privileges into tangible effects on the target organization. These effects can range from subtle data manipulation to bringing entire networks to their knees. The goals vary: some attackers aim for financial gain through ransomware, others seek to cause chaos or embarrassment, and some use Impact techniques to cover their tracks or set the stage for future operations. As we’ll see, the way we assess impact differs in some cases, but the closer we get to the present day, the more that line blurs.

Impact on a geopolitical scale

If you are familiar with earlier posts in this series, I look for historical analogs to the cyber techniques. As this is the last post in this series, I am finally bringing it together! (Eventually, I do get to the point!) So let’s look at one of the most famous examples in cyber history: Stuxnet. If you haven’t read “Countdown to Zero Day” by Kim Zetter, you are missing out! Anyway, here we go.

Discovered in 2010, Stuxnet was a sophisticated computer worm some believe to have been developed by the United States and Israel to target Iran’s nuclear program. The thinking was that a well-placed and articulated attack might disrupt Iran’s ability to enrich the uranium needed to develop nuclear warheads. Without the fissile material, Iran wouldn’t be able to muster enough inventory to make these weapons. What made Stuxnet remarkable was not just its complexity, but its physical impact on the real world.

Iranian President Mahmoud Ahmadinejad looking over the new centrifuges installed at the Natanz facility in Iran. (from CBS News and sourced by Getty Images)

Stuxnet targeted specific Siemens industrial control systems, particularly those used in Iran’s uranium enrichment facilities. The worm manipulated the operation of centrifuges, causing them to spin at incorrect speeds. This led to physical damage and disruption of the enrichment process, all while feeding false information to operators that everything was functioning normally. This effort achieved an assumed primary objective of disrupting the program, and likely added a few years to the timeline for Iran’s program.

Stuxnet’s ingenuity is instructive, but would have been for naught had it not also delivered the intended impact: a costly disruption of Iranian uranium enrichment. Mission accomplished. (from Wired article and IAEA reports)

What we learned from Stuxnet

This was remarkable for a LOT of reasons, but here are some of the biggest in my mind:

  1. Precise Targeting: The attackers crafted Stuxnet to affect specific systems, minimizing collateral damage. Even crazier, they targeted both Windows IT devices and very particular Siemens OT controllers.
  2. Stealth: The worm operated for months without detection, slowly causing damage. It did this without a persistent Command & Control link to the attackers themselves, and relied on HUMINT and ELINT to confirm impact was being made. That takes a combination of preparation, patience, and confidence not seen elsewhere.
  3. Physical Consequences: It bridged the gap between cyber and physical worlds. This is perhaps the most impactful to us all – we now see nation-state actors targeting critical infrastructure, fearlessly and pervasively.
  4. Persistence: The impact continued over an extended period – which is impressive given the lack of full-length C2. Again, the patience and craftsmanship were top-notch.
  5. Deception: False information was presented to mask the actual impact. Understanding how the victim’s operators would see and respond was critical here, and it shows that Deception or Defense Evasion don’t have to be just a gimmick to bypass a control, but may play into the defender’s playbooks.

It was a long path from crafting the Stuxnet attack to its making an impact, but the bottom bubble is where the first mark is made. It can be argued the impact was much bigger than that, however. (from ISS Source reporting by Eric Byres, Andrew Ginter and Joel Langill)

Consensus has it that Stuxnet also ushered in a whole new era of cyber warfare. Its use set a precedent that now sees cyber attacks accompany or even replace physical warfare with much lower consequences to the threat actor. While the tactical impact was a great success, it is the long tail of geopolitical impact beyond ATT&CK that continues to bring consequences to all of us every day.

Impact in Modern Cyberspace

As we transition to discussing modern cyber Impact techniques, it’s clear that many of these principles and goals might be achieved by either means – physical or cyber. Today’s attackers still aim for precision, stealth, and often seek to cause real-world consequences. However, the scale and speed at which Impact techniques can be deployed have increased dramatically. And the risks to the adversary have (so far) appeared to be much lower than those of a physical attack or action. For these reasons, cyber attacks are quickly becoming the preferred tool versus committing forces to a traditional attack.

Some of this is due to the asymmetric aspects of cyber attacks. In today’s global digital world, a single ransomware attack can cripple a multinational corporation in hours. Data manipulation can sway stock markets or elections. And as we become increasingly reliant on technology, the potential for physical impact grows – from disrupting power grids to interfering with medical devices. Time, distance, and resources don’t pose the same restrictions in this realm.

Another aspect here is the risk posed to the threat actor. Adversaries no longer need to fear the odds – they know that they are likely to evade defenses, avoid attribution, and get away with the attacks. And very rarely does the threat actor fear for their life while carrying out these actions. While the history of cyber attacks is much less extensive, precedent shows that – even when caught in the act – state-sponsored threat actors rarely see justice served. Cybercriminal organizations have gotten smart quickly and aligned themselves with friendly governments or hidden their locations to complicate prosecution. Even worse, disinformation campaigns may mislead the court of public opinion into taking opposing sides, doubting attribution, or mischaracterizing the threat.

New rules going forward?

This is new ground for all of us. We clearly don’t have the entire picture and can assume that there are covert operations underway by victim organizations or nation states. But cyber events are testing the lines of an ‘act of war’ and it remains to be seen how defenders and their host countries will respond. And it seems we might all be wrestling with how to quantify the impact of something as transformational as Stuxnet:

It’s quite the eye chart, but this view of Stuxnet (S0603) shows that ATT&CK isn’t always the end-all, be-all of mapping things. Why was Impact empty here? Maybe because it’s hard to express in one of the existing techniques. But as we’ve seen, Impact was the point. And it was made.

Impact Techniques in action

The MITRE ATT&CK framework lists 14 techniques and 13 sub-techniques under the Impact (TA0040) tactic. What I find interesting is that these are very focused on system impacts, measurable and technical in nature. This seems to defer tagging of Impact based on more nebulous political, societal, or unique attributes. I totally get that – some of those are hard to quantify even years after an attack, and I wouldn’t put that burden on a SOC operator, incident responder, or even CISO. Given what is left, let’s break down the techniques we do have based on their primary focus:

Data Abuse

Attackers often target the integrity and availability of data, causing chaos and potentially long-lasting damage. Adversaries use Data Manipulation (T1565) to disrupt operations, spread misinformation, or cover their tracks. Looking for an example? In 2013, the Syrian Electronic Army hacked the Associated Press Twitter account to post a false tweet about explosions at the White House, briefly causing a $136 billion dip in the S&P 500 index.

Sometimes Data Destruction (T1485) is more the goal, though. The 2014 attack on Sony Pictures Entertainment saw terabytes of data wiped from the company’s networks using RawDisk, causing massive disruption. Somehow The Interview still managed to get released. Kim Jong-Un’s cyber goons (thought to be Lazarus) may have failed at preventing its release, but they managed to cause huge damage to Sony Pictures and – by extension – Hollywood’s bottom line.

Ransomware remains the most popular method of abusing data, and Data Encrypted for Impact (T1486) is a hallmark of the WannaCry and NotPetya operations of yesterday and the BlackSuit/ALPHV, Volcano Demon, or DoNex operations of today. In a tale as old as (cyber) time, they encrypt the data and hold it for ransom, causing both financial and operational impacts. Sometimes, though, depriving everyone of that data is the goal in itself: Disk Wipe (T1561), as in NotPetya’s case, is a common approach when the attacker’s goal is simply to deprive everyone of the data.

The flip side of ransomware is extortion or otherwise profiting from selling the sensitive data. Even more base than that is just stealing the money outright. A lot of business email compromise (BEC) campaigns, spearphishing, and crypto scams facilitate Financial Theft (T1657).

System Availability Impact

These techniques aim to disrupt normal operations, often causing immediate and visible effects. Attackers might overwhelm specific systems with Endpoint Denial of Service (T1499), targeting application servers, to disrupt services. The 2016 Mirai botnet attack on DynDNS servers, which disrupted major websites across the US, is a prime example. By flooding environments with traffic and causing a Network Denial of Service (T1498), attackers can bring down entire organizations. The 2007 cyber attacks on Estonia, which crippled government, media, and banking websites, demonstrate the potential scale of such attacks.

Stopping critical services – Service Stop (T1489) – can halt operations. 2015’s BlackEnergy campaign by Russian APT Sandworm crippled Ukraine’s electrical grid, and while ransomware was part of that, they also impeded detection systems, shut down response paths, and more. System Shutdown/Reboot (T1529) and Inhibit System Recovery (T1490) are similarly used alternatives.

System Hijacking

Some Impact techniques set the stage for future attacks or create long-term vulnerabilities. With Firmware Corruption (T1495), attackers can create persistent backdoors or render devices inoperable. The Equation Group’s use of this technique, revealed by The Shadow Brokers release, showed how this technique can create nearly undetectable, long-term footholds.

While often seen as a calling card, Defacement (T1491) can also be used to spread disinformation or damage brand reputation. The 2013 hack of the US Marine Corps recruitment website by the Syrian Electronic Army is a notable example.

By removing access to accounts with Account Access Removal (T1531), attackers can create chaos and even lock out security teams. The 2020 Twitter hack, where high-profile accounts were compromised, included locking out legitimate users as part of the attack. Interesting to note how much now-owner Elon Musk’s account was abused.

Resource Hijacking (T1496) may appear last, but it is also typically the most covert. Attackers like to keep it that way, and this is the realm of cryptojacking outfits, who look to have others pay the bill for helping pad their crypto wallets.
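The Navigator “eye chart” mentioned earlier is built from a layer file, and a technique catalogue like the one in this section is exactly the kind of write-up analysts turn into one. As an added example (mine, not the author’s or MITRE’s code), the following script pulls every ATT&CK technique ID out of a block of notes and emits a Navigator layer that scores each technique by how often it is mentioned. The layer keys follow the public Navigator layer format; the version numbers under `versions` are assumed placeholders to adjust for your Navigator release, and the notes text is a constructed excerpt of the IDs quoted in this section.

```python
"""Turn the technique references in a write-up into an ATT&CK Navigator layer.

Example code added to this post; not from the original author or from MITRE.
Layer keys follow the public Navigator layer format. The version numbers in
`versions` are ASSUMED placeholders - set them to match your Navigator install.
"""
import json
import re

# Matches T1234 and sub-techniques such as T1234.001.
TECHNIQUE_RE = re.compile(r"\b(T\d{4}(?:\.\d{3})?)\b")

# Constructed excerpt of the technique names/IDs quoted in the Impact section.
IMPACT_NOTES = """
Data Manipulation (T1565), Data Destruction (T1485), Data Encrypted for Impact (T1486),
Disk Wipe (T1561), Financial Theft (T1657), Endpoint Denial of Service (T1499),
Network Denial of Service (T1498), Service Stop (T1489), System Shutdown/Reboot (T1529),
Inhibit System Recovery (T1490), Firmware Corruption (T1495), Defacement (T1491),
Account Access Removal (T1531), Resource Hijacking (T1496). T1486 is the one seen most.
"""


def extract_techniques(text):
    """Return {technique_id: mention_count} for every ATT&CK ID found in text."""
    counts = {}
    for tid in TECHNIQUE_RE.findall(text):
        counts[tid] = counts.get(tid, 0) + 1
    return counts


def build_layer(counts, name, tactic="impact"):
    """Build a Navigator layer dict; score = mention count, colour by emphasis."""
    entries = []
    for tid, n in sorted(counts.items()):
        entries.append({
            "techniqueID": tid,
            "tactic": tactic,              # Navigator uses the tactic short name
            "score": n,
            "color": "#ff6666" if n > 1 else "#ffb366",
            "comment": f"mentioned {n} time(s) in the write-up",
            "enabled": True,
        })
    return {
        "name": name,
        # ASSUMED placeholder versions; change to match your Navigator release.
        "versions": {"attack": "15", "navigator": "5.0.0", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": "Techniques referenced in the write-up, scored by mention count",
        "techniques": entries,
    }


def layer_json(counts, name):
    """Serialise the layer to the JSON text Navigator's 'Open Existing Layer' expects."""
    return json.dumps(build_layer(counts, name), indent=2)


if __name__ == "__main__":
    print(layer_json(extract_techniques(IMPACT_NOTES), "Impact techniques in this post"))
```

Save the printed JSON to a file and load it through Navigator’s “Open Existing Layer” to get the same kind of highlighted matrix the Stuxnet (S0603) view shows, except that here the Impact column is the one that lights up.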

How Can We Mitigate Impact?

Impact brings different goals than the tactics before it. Assuming that your data or continued operation is important, your focus should be on a quick recovery and reliable backups of your data. But that doesn’t mean we need to cede territory! Plan on interrupting the adversary’s actions earlier in the attack, and maybe we won’t get to this point at all. Either way, we need to hold the fort, so to speak. Like many other tactics before it, preventing and detecting Impact techniques is more effective when enlisting a multi-layered approach:

  1. Robust Backup Strategy: Regular, secure backups can mitigate the effects of data destruction or encryption attacks. Protecting that backup path and monitoring it as well is super important! Paying the ransom is not a viable alternative. Just ask Change Healthcare.
  2. Network Segmentation: Limit the spread of attacks by properly segmenting networks. The old adage of “don’t put your eggs in one basket” seems to apply here.
  3. Endpoint Protection: Deploy and maintain up-to-date endpoint security solutions. After all, it is your endpoints and servers that house the good stuff!
  4. Monitoring and Alerting: Implement systems to detect unusual activities that might indicate an impending Impact attack. This one is hard – but essential. With valid credentials often used, detecting abuse and monitoring behavior becomes critical.
  5. Incident Response Planning: Develop and regularly test plans for responding to various Impact scenarios. Lots of IR plans are still based on comet impacts or Hurricane Sandy. Is cyber part of yours? And does everyone know their role?
  6. Access Control: Implement strict access controls and multi-factor authentication to prevent unauthorized system changes. This may seem like a broken record, but it pops up a lot because it is fundamental!
  7. Firmware Security: Regularly update firmware and use secure boot processes where possible. A lot of new access methods take advantage of this oft-forgotten part of any system.
  8. DDoS Protection: Employ DDoS mitigation services or appliances to protect against availability attacks. This is very important when uptime and availability are your lifeblood.
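Item 4 above is the hard one, so here is an added example (mine, not the author’s) of what a simple behavioural detection can look like for two of the techniques covered earlier: one process renaming many files to a common new extension within a short window (Data Encrypted for Impact, T1486) and one actor disabling several accounts in quick succession (Account Access Removal, T1531). The event format, the thresholds, and every event in the log are constructed for the example; real telemetry (Sysmon, EDR, domain controller audit logs) carries different field names, so the `_events()` loader is the part you would replace.

```python
"""Two burst-style detections for ATT&CK Impact techniques over constructed events.

Example code added to this post, not from the original author. Event fields
(ts, host, actor, process, action, target) and thresholds are ASSUMED for the
example; swap _events() for your own log parser.
"""
import os
from collections import defaultdict
from datetime import datetime, timedelta


def _events():
    """Build a constructed endpoint/AD event log. No real telemetry is used."""
    base = datetime(2024, 5, 1, 9, 0, 0)
    rows = [
        # Benign: a user saving one document and a backup job renaming one file.
        (base, "ws01", "alice", "winword.exe", "file_write", r"C:\Users\alice\q1.docx"),
        (base + timedelta(seconds=5), "ws01", "alice", "backup.exe", "file_rename",
         r"C:\Backups\q1.docx -> C:\Backups\q1.docx.bak"),
        # Benign: a single offboarding disable by HR hours later.
        (base + timedelta(hours=2), "dc01", "hr_admin", "dsa.msc", "account_disabled", "frank"),
    ]
    # Suspicious: one process renames a dozen user files to ".locked" in ~25 seconds.
    for i in range(12):
        src = rf"C:\Users\alice\Documents\file{i}.xlsx"
        rows.append((base + timedelta(seconds=30 + 2 * i), "ws01", "alice", "upd.exe",
                     "file_rename", f"{src} -> {src}.locked"))
    # Suspicious: one actor disables four accounts within half a minute.
    for i, who in enumerate(["bob", "carol", "dave", "erin"]):
        rows.append((base + timedelta(minutes=5, seconds=10 * i), "dc01", "svc_helpdesk",
                     "powershell.exe", "account_disabled", who))
    return [{"ts": t, "host": h, "actor": a, "process": p, "action": act, "target": tg}
            for t, h, a, p, act, tg in rows]


def _bursts(events, key, threshold, window):
    """Yield (key, events) when >= threshold events with the same key fall inside window."""
    groups = defaultdict(list)
    for e in events:
        groups[key(e)].append(e)
    for k, evs in groups.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):           # sliding window over sorted timestamps
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                yield k, evs[start:end + 1]
                break                         # one alert per key is enough


def detect_encryption_burst(events, threshold=10, window=timedelta(seconds=60)):
    """T1486 heuristic: a single process renames >= threshold files to one new extension."""
    renames = [e for e in events if e["action"] == "file_rename" and " -> " in e["target"]]

    def key(e):
        new_path = e["target"].split(" -> ", 1)[1]
        return (e["host"], e["process"], os.path.splitext(new_path)[1].lower())

    return [{"technique": "T1486", "host": host, "process": proc,
             "extension": ext, "count": len(evs)}
            for (host, proc, ext), evs in _bursts(renames, key, threshold, window)]


def detect_account_removal_burst(events, threshold=3, window=timedelta(seconds=120)):
    """T1531 heuristic: one actor disables/deletes >= threshold distinct accounts quickly."""
    removals = [e for e in events
                if e["action"] in ("account_disabled", "account_deleted", "password_reset")]
    alerts = []
    for (host, actor), evs in _bursts(removals, lambda e: (e["host"], e["actor"]),
                                      threshold, window):
        targets = sorted({e["target"] for e in evs})
        if len(targets) >= threshold:          # repeated hits on one account are not a burst
            alerts.append({"technique": "T1531", "host": host, "actor": actor,
                           "accounts": targets})
    return alerts


def run():
    """Run both detections over the constructed log and return the alerts."""
    events = _events()
    return detect_encryption_burst(events) + detect_account_removal_burst(events)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Two alerts come out, one per technique, and the single benign rename and the lone HR offboarding stay below threshold. Tune the thresholds against your own baseline before alerting on them; a backup job or a bulk HR offboarding script will look exactly like this unless it is allow-listed by process or actor.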

Conclusion

Impact techniques are what we all fear happening most. Everything prior is really just a prelude to the damage the attacker plans to cause. By understanding these techniques, we can better prepare our defenses and minimize the damage when attacks occur. Remember, in the world of cybersecurity, it’s not just about keeping attackers out – it’s about limiting what they can do if they get in. In all of MITRE ATT&CK’s 14 tactics, this is the one that our non-technical folks tend to grasp and fear most. Help them see the linkage between mitigations implemented earlier reducing the risk of Impact later.

As we’ve seen throughout this series, effective defense benefits from a better understanding of attacker tactics and techniques. Not just how they do it, but why? MITRE ATT&CK isn’t going to solve all of your problems, but it can be a very handy tool for better understanding and communicating about threat behaviors amongst stakeholders. Use it, but understand its limits. You’ll need other tools too, like those that help structure your organization, or bolster your processes, or deploy solid defensive technology. Throughout that journey, you can use tools like ATT&CK to better characterize what you are up against. Make it your own.

Thank you for reading this entry in the ATT&CK Tactic Series. It’s been a long journey, but I feel like I learned a lot putting these together and I hope sharing that journey was helpful to someone. I’ll probably take a little breather while deciding what to tackle next, but feel free to share your thoughts and experiences in the comments below!