MITRE ATT&CK April 2019 Update

MITRE has released an April 2019 update to its ATT&CK framework. It’s been a year since the last major update featuring a new tactic. There are a number of changes for this year: the most major being the addition of a 12th Tactic, Impact, which contains 14 new Techniques. There are also 7 new Techniques under existing Tactics as well as a number of other minor changes.

Impact

The Impact Tactic covers integrity and availability attacks against enterprise systems. The 14 Techniques included in this update are as follows:

• Data Destruction
• Data Encrypted for Impact
• Defacement
• Disk Content Wipe
• Disk Structure Wipe
• Endpoint Denial of Service
• Firmware Corruption
• Inhibit System Recovery
• Network Denial of Service
• Resource Hijacking
• Runtime Data Manipulation
• Service Stop
• Stored Data Manipulation
• Transmitted Data Manipulation

Of particular significance here are Techniques that describe behavior related to ransomware, DoS/DDoS attacks, and illicit cryptocurrency mining, which, according to Verizon’s 2019 Data Breach Investigations Report, are increasing in prevalence or severity.

T1486: Data Encrypted for Impact

Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.

T1486 describes behavior most commonly associated with ransomware; and, given that 39% of all identified malware in 2018 was classified as ransomware, this Technique is a welcome update.

T1496: Resource Hijacking

Adversaries may leverage the resources of co-opted systems in order to solve resource intensive (Read more...)