Although ATT&CK is not laid out in any linear order, Initial Access will be the point at which an attacker gains a foothold in your environment. This tactic is a nice transition point from PRE-ATT&CK to ATT&CK for Enterprise. What is different about the techniques within Initial Access is that they are higher-level than many of the other techniques: an attacker will typically use a lower-level technique from another tactic to carry out an Initial Access technique.

For example, suppose an attacker uses a Spearphishing Attachment. The attachment itself will carry some type of exploit or payload to achieve that level of access, perhaps via PowerShell or another scripting technique. If the execution is successful, it allows them to pivot into other tactics and techniques to achieve their ultimate goal.
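The process chain described above (an Office application spawning a script interpreter after a malicious attachment is opened) is one of the most reliable detection points for this scenario. The following is an added example, not code from the original post: it runs simple detection logic over constructed process-creation events. The event field names (`parent_image`, `image`, `command_line`, `user`) are an assumption loosely modelled on Windows process-creation telemetry, and the sample events are constructed. The technique IDs are the ATT&CK identifiers for Spearphishing Attachment (T1566.001) and Command and Scripting Interpreter / PowerShell (T1059 / T1059.001).

```python
"""Flag an Office application spawning a script interpreter, the chain you
would expect when a Spearphishing Attachment hands off to PowerShell or
another scripting technique. Added example; event field names are assumed
and the sample events below are constructed, not real telemetry."""
from dataclasses import dataclass

# Parent processes that should not normally launch a script interpreter
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Child interpreter -> the ATT&CK Execution technique it maps to
SCRIPT_CHILDREN = {
    "powershell.exe": "T1059.001",
    "pwsh.exe": "T1059.001",
    "wscript.exe": "T1059",
    "cscript.exe": "T1059",
}

# Command-line fragments that raise severity: rare in user-driven
# PowerShell sessions, common in attachment payloads
HIGH_RISK_ARGS = ("-encodedcommand", "-enc ", "-windowstyle hidden", "-noprofile")


@dataclass
class Alert:
    user: str
    parent: str
    child: str
    command_line: str
    severity: str
    techniques: tuple  # (Initial Access technique, Execution technique)


def _basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_attachment_execution(events):
    """Return one Alert per event whose parent is an Office app and whose
    child is a known script interpreter. Everything else is ignored."""
    alerts = []
    for ev in events:
        parent = _basename(ev["parent_image"])
        child = _basename(ev["image"])
        technique = SCRIPT_CHILDREN.get(child)
        if parent not in OFFICE_PARENTS or technique is None:
            continue
        cmd = ev.get("command_line", "")
        hits = [arg for arg in HIGH_RISK_ARGS if arg in cmd.lower()]
        severity = "high" if hits else "medium"
        alerts.append(Alert(ev["user"], parent, child, cmd, severity,
                            ("T1566.001", technique)))
    return alerts


# Constructed sample events (hypothetical user names and paths)
SAMPLE_EVENTS = [
    {   # Word document launching hidden, encoded PowerShell -> high
        "user": "CORP\\j.doe",
        "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
        "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "command_line": "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand <base64-placeholder>",
    },
    {   # Admin running a script from Explorer -> not an attachment chain
        "user": "CORP\\admin.ops",
        "parent_image": "C:\\Windows\\explorer.exe",
        "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "command_line": "powershell.exe -File C:\\ops\\rotate-logs.ps1",
    },
    {   # Outlook spawning wscript on a temp file -> medium
        "user": "CORP\\j.doe",
        "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
        "image": "C:\\Windows\\System32\\wscript.exe",
        "command_line": "wscript.exe \"C:\\Users\\j.doe\\AppData\\Local\\Temp\\invoice.js\"",
    },
    {   # Excel opening a browser link -> benign for this rule
        "user": "CORP\\j.doe",
        "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
        "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
        "command_line": "chrome.exe https://intranet.example/report",
    },
]

if __name__ == "__main__":
    for alert in detect_attachment_execution(SAMPLE_EVENTS):
        print(f"[{alert.severity}] {alert.user}: {alert.parent} -> {alert.child} "
              f"{alert.techniques}")
```

The rule keys on the parent/child relationship rather than on the attachment itself, which is why it maps to both the Initial Access technique and the Execution technique that follows it; tuning the parent and child sets to the applications actually deployed in your environment is what keeps the false-positive rate low.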

Anyone who has been in security for any amount of time will recognize most if not all of these techniques. These are usually what is discussed most often in news reports and the Verizon Data Breach Investigations Report. Fortunately, since these are well known, there are a lot of technologies and processes available to both mitigate and detect abuse of each technique.

While the power of the ATT&CK framework comes partly from the mitigation and detection sections of each technique, I also like to tie in other frameworks to get a wider breadth of knowledge. For this tactic, I see three of the CIS Controls as being useful.

Control 4 is the Controlled Use of Administrative Privileges. This is important because of what happens after one of these techniques succeeds: if an attacker can use a valid account or get an administrator to open a spearphishing attachment, they will be able to pivot to any other technique with relative ease.

Control 7 is the Email and Web Browser