Raiders of the Lost ARP

Amateur Security Archaeologists, trying not to break things.

Tag: Threat Modeling (Page 3 of 7)

cartoon of a middle-aged and bearded Indiana Jones who is trying to squeeze into an army uniform while hiding behind a stack of crates.
I wonder how long I have to wait before the attack - I can't hold it much longer!

Persistence: How Uninvited Attackers Avoid Being Bounced from the Party

April 2, 2024 /

Hello folks – welcome to Part 5 of the series on MITRE ATT&CK Tactics! Today we’re talking about how adversaries maintain a foothold. Like any invading force, threat actors work hard to ensure that they get initial access, and they would rather not have to repeat that effort. Traditional aggressors most often resolve to maintaining pressure on the front once their initial attack lands. This has the effect of exhausting the defenders and ensuring they are unable to reset or respond effectively. Some attackers will leverage asymmetrical warfare elements like guerilla forces, local resistance forces, or agents to undermine defenses and guarantee access. Cyber adversaries need the same sort of effects, and that guaranteed access is arguably their highest priority. So let’s discuss the MITRE ATT&CK Persistence tactic and see why it is vital and how they might achieve it!

Continue reading
AI Generated image of Mongol warriors having fun while making a scary shadow puppet show for their victims.
We should take this one to Broadway, boys! Shadow puppets are way more fun than germ warfare!

Execution: Ruthless attackers run malicious code on your systems

March 25, 2024 /

Welcome to Part 4 of our series on MITRE’s ATT&CK Tactics! At this point in the attack, adversaries have pulled the trigger on an attack and defenders have had their first fair shot at detecting the transgression. Like a fortress’s defenders seeing the build-out of siege weapons and the digging of trenches, defenders now know from where a part of the attack is coming. For the attacker, they are relying on their preparation, coordination, and focus to overcome defensive efforts. For the defender, they are likely depending on the training and processes – and their garrison’s trust and cohesion – to disrupt and repel. How able are the attackers to carry out their plan, to sap the fortifications, to breach the walls? This is the MITRE ATT&CK Execution Tactic, and it is the phase from which all later phases branch.

Continue reading
Horrible AI-generated image of Roman Soldiers all looking outward for attacks while completely ignoring things already happening inside.
Hey Salvius - are we sure Tacitus will let us know if any of these sneak in?

Initial Access: “It’s go time!” for an adversary

March 18, 2024 /

Welcome to Part 3 of a series in which we walk through MITRE’s ATT&CK Tactics! Continuing the theme of any movie portraying a conflict, this is where someone takes action against their target. In HBO’s Band of Brothers, an entire episode is spent showing how Easy Company was formed and prepared for D-Day. Not only did they drill and train on general airborne skills and fitness, but they studied their sand tables and maps intently. Eventually, someone has to call the shot – in this case Eisenhower issued the order and they boarded planes & ships. Once the paratroopers, glider troops, trailblazers, and other recon units crossed the channel, the invasion had passed the point of no return. Initial Access was attempted. If you’re the Allies, hopefully the Recon and Resource Development were done right! Now let’s see how all of that pays off for the adversary in ATT&CK – Initial Access.

Continue reading
AI-generated image of a hacker making special electronic gadgets to be used in his next exploit
Grounding straps are for boomers - Hack the Planet!!!

Resource Dev: What makes it seem Ominous and Inevitable?

March 10, 2024 /

Last week we started with the Recon phase of an adversary’s playbook. This research really sets the stage for all that comes after it. As we’ll see today, adversaries apply that context in preparing for their operation. It’s like one of those movie montages where the bad guys are prepping for a sneak attack. Think Death Star firing up the lasers to blow up Alderaan, or the Orcs getting armed at Eisengard. In any of these cases, we were all screaming from the theater seats that victims could have done to prevent or detect it. Could they have? Let’s see how the bad guys get suited up for the opening battle and take a look at the Resource Development stage in ATT&CK of an adversary’s operation!

Continue reading
cartoon of a hacker sitting in a beach chair using binoculars with a cocktail on the table next to them
Dang, reconning this target is so easy - they're really leaving nothing to the imagination!

Target Recon Phase: Don’t make it too easy!

March 4, 2024 /

Most adversaries have a plan. Those plans vary greatly – in both complexity and rigor – from actor to actor, target to target. As we’ve discussed in prior posts, adversary plans are usually built from repeatable procedures – techniques and sub-techniques. The power of MITRE’s ATT&CK, CAPEC, or LMCO Kill Chain is that they help us track behaviors. Most of the time, I see organizations rush to address techniques through either detection & visibility or through protection. I think we all could use a dash of prevention – not just policy, but waaaay out front. We need to make even the selection of the plan difficult, and to reveal so little that the bad guys struggle to select the right plans. So let’s talk about making the recon phase hard for the adversary!

Continue reading
« Older posts Newer posts »

© 2025 Raiders of the Lost ARP

Theme by Anders NorenUp ↑

Verified by MonsterInsights