Emerging Threats

Mapping a cyber attack — the Italian case

· frtg · 3 min read

Following the previous post (link), which covered the Incident Response activity for an actual Italian case attributable to the type of activity known as “Big Game Hunting” (BGH), we now focus on the use of the ATT&CK matrix for defensive purposes.

Specifically, the ATT&CK matrix (Adversarial Tactics, Techniques & Common Knowledge) was developed by MITRE to provide a common reference for mapping the tactics and techniques that adversaries use in real intrusions. The matrix can be considered a more comprehensive tool than the Cyber Kill Chain developed by Lockheed Martin.


Below is the result of mapping the Threat Actor’s movements within the IT infrastructure of the company from the previous post. The outcome of the attack was information loss and generalised service disruption affecting the servers and the Backup system, which impacted the Company’s operations.
The criminals compromised the entire Active Directory environment, executing a DCSync to copy user credentials from the directory, and also tampered with the entire Backup flow, deleting the copies from the previous 12 months.

A non-exhaustive portion of the 12 Tactics of the ATT&CK matrix and the mapping of activities performed by the criminals


Initial Access [TA0001]

For initial access to the infrastructure, the Threat Actor used malware delivered via e-mail (Spearphishing Attachment [T1566.001]) to compromise the systems of several Company employees. With control of the first victims’ operating systems, the actor used the credentials available on those hosts to access other services and servers on the corporate LAN (Valid Accounts [T1078]).

Lateral Movement [TA0008]

With the accounts obtained in phase TA0001, the criminals executed Lateral Movement manoeuvres to reach other servers in the company’s infrastructure. For these operations, sessions were established via RDP [T1021.001], SMB [T1021.002] and WinRM [T1021.006].

Privilege Escalation [TA0004]

The criminals, having obtained access to multiple workstations and servers, initiated privilege escalation using the getsystem command. Specifically, getsystem is a command in Meterpreter and Cobalt Strike that performs privilege escalation by creating and starting a Windows service and running in that service’s security context, in this case SYSTEM.
Event ID 7045 (“A service was installed in the system”, logged by the Service Control Manager in the System log), shown on the right, is the Windows Server event that records the service creation during the escalation activity.

Discovery [TA0007]

The Discovery phase consists of the series of technical operations that adversaries execute to acquire information about systems and networks. These activities enable adversaries to better understand the environment in which they operate and direct attention to the most interesting systems. This often allows them to explore what is in the vicinity of their access point. Native operating system tools are frequently used in this post-compromise information-gathering phase.
Specifically, the criminals accessed company servers several times and placed the file netscan.exe at the path “C:\Users\Public\Downloads”, from where it was subsequently used for network scanning activities [T1046]. Our Managed SOC detected this reconnaissance pattern by correlating the file-placement events with the subsequent network enumeration behaviour.
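As an added illustration of the two detections described above (the 7045 service-install event from the escalation phase and the binary staged in C:\Users\Public\Downloads before scanning), the following Python triage script is not part of the original post or the SOC’s tooling. It parses constructed key=value event records (an assumed SIEM export layout; the hostnames, service name and file paths are made up) and maps each suspicious record to the ATT&CK identifier the post assigns to that phase.

```python
import re

# Constructed sample records (not from the incident): one suspicious and one
# benign Service Control Manager 7045 record, plus two Sysmon-style FileCreate
# (Event ID 11) records, flattened to key=value text as a SIEM export might be.
SAMPLE_EVENTS = [
    r'EventID=7045 Host=SRV-FILE01 ServiceName=kdfjgh ImagePath="cmd.exe /c echo kdfjgh > \\.\pipe\kdfjgh" Account=LocalSystem',
    r'EventID=7045 Host=SRV-FILE01 ServiceName=Spooler ImagePath="C:\Windows\System32\spoolsv.exe" Account=LocalSystem',
    r'EventID=11 Host=SRV-FILE01 TargetFilename="C:\Users\Public\Downloads\netscan.exe" Image="C:\Windows\explorer.exe"',
    r'EventID=11 Host=WS-042 TargetFilename="C:\Users\alice\Downloads\report.pdf" Image="C:\Program Files\Mozilla Firefox\firefox.exe"',
]

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Directories any local user can write to; executables staged there deserve a look.
STAGING_DIRS = ("c:\\users\\public\\", "c:\\windows\\temp\\", "c:\\programdata\\")
# A real service binary is almost never a bare command interpreter.
INTERPRETERS = {"cmd.exe", "powershell.exe"}

def parse_event(line: str) -> dict:
    """Turn one key=value record into a dict (quoted values may contain spaces)."""
    return {k: q if q else u for k, q, u in KV_RE.findall(line)}

def classify(ev: dict):
    """Return (ATT&CK id, reason) for records matching the incident's patterns, else None."""
    if ev.get("EventID") == "7045":
        path = ev.get("ImagePath", "").lower()
        exe = path.split()[0].rsplit("\\", 1)[-1] if path else ""
        if exe in INTERPRETERS or path.startswith(STAGING_DIRS):
            # getsystem-style escalation: a throwaway service whose "binary" is a
            # command-interpreter one-liner instead of a genuine service executable.
            return "TA0004", f"service {ev.get('ServiceName')} runs {exe!r}"
    elif ev.get("EventID") == "11":
        target = ev.get("TargetFilename", "").lower()
        if target.startswith(STAGING_DIRS) and target.endswith(".exe"):
            return "T1046", f"executable staged at {ev['TargetFilename']}"
    return None

def triage(lines):
    """Map each suspicious record to (host, ATT&CK id, reason)."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        verdict = classify(ev)
        if verdict:
            hits.append((ev.get("Host"), *verdict))
    return hits

if __name__ == "__main__":
    for host, attack_id, reason in triage(SAMPLE_EVENTS):
        print(f"{host}: [{attack_id}] {reason}")
```

Seeing both hits on the same host within a short window is the correlation the post describes: a service-based escalation followed by a scanner dropped into a world-writable directory.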


The mapping of adversary TTPs against the MITRE ATT&CK framework enables systematic identification of detection gaps and prioritisation of defensive controls across the intrusion lifecycle.
