
MITRE ATT&CK STAGES

How MDR Can Help


For years, security practitioners and stakeholders have searched for a common language to describe threats and align appropriate defenses. MITRE ATT&CK is an open framework and knowledge base of adversary tactics and techniques based on real-world threat observations. It covers reconnaissance, often the first stage in an attack, when an attacker is first gathering information about a potential target, through data exfiltration and business impact.

At Pondurance, we protect our Managed Detection and Response (MDR) customers at every stage of the ATT&CK framework with our 24/7 monitoring, detection and response services. This graphic describes the different ATT&CK stages, attacker methods and how we help our clients.

MITRE ATT&CK Stages:

Reconnaissance

What Are the Goals?

Search for victims and find a way in.

Methods

Research internet facing devices, running applications, open ports and unpatched vulnerabilities.

How Pondurance Helps

Our Vulnerability Management service adds precision, priority and efficiency, reducing the attack surface presented to would-be attackers.

Our MDR service can detect reconnaissance activities, initiate proactive blocking and leverage threat intelligence to distinguish between opportunistic and targeted attackers.


Resource Development

What Are the Goals?

Build, buy or partner to get the tools needed for an attack.

Methods

Prepare for the attack by choosing exploits to run, domains and malware to use.

How Pondurance Helps

Our threat research team, a component of our MDR service, maintains a view into new attacker tools, techniques and infrastructure, such as newly observed domains (NODs).

Initial Access

What Are the Goals?

Take advantage of an operational or technical vulnerability to get “one foot in the door.”

Methods

Leverage brute force, stolen credentials, software vulnerabilities or spear-phishing techniques to gain access.

How Pondurance Helps

Through monitoring network, endpoint, application, cloud infrastructure and end-user activity and applying threat intelligence and analytics, our MDR service is able to identify attackers attempting to gain access and quickly close the door on them.


Execution

What Are the Goals?

Get a victim’s system to do what they want it to do.

Methods

Leverage malicious code or benign software to run commands of interest on a target machine.

How Pondurance Helps

Our MDR service is able to identify malware both in transit and on endpoints. We apply machine learning and artificial intelligence to uncover previously unknown malware samples, blocking them prior to execution.

Persistence

What Are the Goals?

Ensure they can maintain access even if passwords are changed.

Methods

Manipulate credentials, authentication keys and system boot instructions or install a backdoor.

How Pondurance Helps

Our MDR service actively monitors for and prevents unauthorized changes to persistent locations while actively hunting for prior compromises. This includes monitoring for changes that are different from normal day-to-day activities, by location or time of day.


Privilege Escalation

What Are the Goals?

Gain more permissions on the victim systems.

Methods

Escalate their privileges within the victim’s network, either by creating an administrator account or by changing settings. Their main target is often the highest level of privilege available, which usually means control of the domain controller.

How Pondurance Helps

Our MDR service both blocks and monitors for attempts to modify credential management processes or the domain controller.

Defense Evasion

What Are the Goals?

Avoid being detected by security controls.

Methods

Cover their footprints by modifying audit logs, blending in as a normal user or using packed or obfuscated tools.

How Pondurance Helps

While attackers are attempting to cover their tracks and blend in, our MDR service blocks and monitors for attempts to modify audit logs and impersonate legitimate processes, while actively monitoring for attacks on security controls.


Credential Access

What Are the Goals?

Gain access to legitimate usernames and passwords.

Methods

Use techniques such as keylogging, credential dumping or brute force methods to gain access to credentials and expand access across systems.

How Pondurance Helps

Our MDR service is able to both detect and block attempts to execute credential-stealing techniques, while closely monitoring and protecting key credential stores such as the domain controller.

Discovery

What Are the Goals?

Study the network and connected systems.

Methods

Scour the network to understand accounts, software and systems on the internal network, often using native tools.

How Pondurance Helps

While many discovery techniques are designed to look benign, our MDR service actively monitors for this activity and leverages analytics to distinguish legitimate use of native tools from malicious use.


Lateral Movement

What Are the Goals?

Move to other systems.

Methods

Take advantage of stolen credentials or exploit techniques to move across the network to gain better positioning and advance attack goals.

How Pondurance Helps

Through 360° visibility across the network, endpoint, cloud infrastructure and logs, our MDR service is able to trace attacker steps, detecting and blocking them.

Collection

What Are the Goals?

Gather data of interest.

Methods

Gather intellectual property, PII or customer data of interest to ultimately achieve their goal and stage for exfiltration.

How Pondurance Helps

Our MDR service monitors for and prevents attacker attempts to access and dump valuable data from applications or systems.


Command and Control

What Are the Goals?

Send remote commands to compromised systems.

Methods

Control the attack by sending remote commands across the network while trying to blend into normal network patterns.

How Pondurance Helps

Our MDR service monitors network traffic across a variety of protocols to reveal and stop hidden command and control attempts, even those that leverage legitimate domains or sequences to blend in with employee work patterns.

Exfiltration

What Are the Goals?

Steal data of interest.

Methods

Attempt to steal data from the victim. Once they’ve collected the data they want, they often package it to avoid detection.

How Pondurance Helps

Our MDR service leverages multiple techniques across the attack kill chain to stop an attacker before data exfiltration. However, we also actively monitor network, log, cloud infrastructure and endpoint activity to uncover exfiltration at the earliest attempt.


Impact

What Are the Goals?

Manipulate, interrupt or destroy systems and data.

Methods

For example, bad actors encrypt the data and require a ransom payment to unlock it.

How Pondurance Helps

Our MDR service monitors, detects and blocks attempts to take actions that impact the availability or integrity of systems. In close partnership with our Incident Response team, we act fast, reducing the damage or loss that can occur from such attacker tactics.