The MITRE ATT&CK Framework: Initial Access – Info CCrime

For example, assume an attacker uses a Spearphishing Attachment. The attachment itself carries some kind of exploit or payload to gain that initial level of access, perhaps through PowerShell or another Scripting technique. If execution succeeds, it lets the attacker pivot into other tactics and techniques to reach their ultimate goal.

Anyone who has been in security for any amount of time will recognize most, if not all, of these techniques. They are what is discussed most often in news reports and in the Verizon Data Breach Investigations Report. Fortunately, because they are so well known, there are many technologies and processes available to both mitigate and detect abuse of each technique.

Control 4 is the Controlled Use of Administrative Privileges. This matters because of what happens after one of these techniques succeeds: if an attacker can use a valid account or get an administrator to open a spearphishing attachment, they will be able to pivot to any other technique with relative ease.

Control 7 is Email and Web Browser Protections. Since many of these techniques involve email and/or a web browser, the sub-controls in Control 7 will be very useful.

The final control I see being useful is Control 16, Account Monitoring and Control. I like this control for this tactic because of the Valid Accounts and Trusted Relationship techniques. Having a good understanding of what accounts should be doing and locking down permissions will both limit the potential damage of a breach and unlock the ability to detect abuse of valid accounts within the network.
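As an added example (not from the article), here is how the "understanding of what accounts should be doing" behind Control 16 can be turned into a simple detection: a hypothetical per-account baseline of allowed source hosts and working hours is checked against constructed logon records, and anything outside the baseline is flagged as possible Valid Accounts abuse.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical baseline (constructed): account -> (allowed source hosts, first hour, last hour).
BASELINE: Dict[str, Tuple[Set[str], int, int]] = {
    "svc_backup": ({"backup01"}, 0, 23),           # service account: one host, any hour
    "jdoe":       ({"ws-jdoe", "vpn-gw"}, 7, 19),  # user: business hours only
    "admin_ops":  ({"jump01"}, 8, 18),             # admin: only via the jump host
}

# Constructed sample logon records: "timestamp,account,source_host,result"
SAMPLE_LOG = """\
2024-03-04T08:15:00,jdoe,ws-jdoe,success
2024-03-04T02:41:00,jdoe,vpn-gw,success
2024-03-04T12:03:00,svc_backup,ws-jdoe,success
2024-03-04T09:30:00,admin_ops,jump01,success
2024-03-04T09:31:00,admin_ops,dc01,success
2024-03-04T10:00:00,contractor,vpn-gw,success
"""

@dataclass(frozen=True)
class Alert:
    account: str
    host: str
    reason: str

def check_logon(ts: datetime, account: str, host: str) -> Optional[Alert]:
    """Return an Alert when a successful logon deviates from the account's baseline."""
    if account not in BASELINE:
        return Alert(account, host, "no baseline for account (unknown or new account)")
    hosts, start, end = BASELINE[account]
    if host not in hosts:
        return Alert(account, host, "logon from host outside baseline")
    if not start <= ts.hour <= end:
        return Alert(account, host, f"logon outside expected hours ({start:02d}-{end:02d})")
    return None

def scan(log_text: str) -> List[Alert]:
    """Parse the CSV-style records and collect every baseline deviation."""
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        ts, account, host, result = line.strip().split(",")
        if result != "success":  # failed logons are a separate (brute-force) signal
            continue
        alert = check_logon(datetime.fromisoformat(ts), account, host)
        if alert is not None:
            alerts.append(alert)
    return alerts

for a in scan(SAMPLE_LOG):
    print(f"{a.account}@{a.host}: {a.reason}")
```

In a real deployment the baseline would be derived from an account inventory and the records would come from the domain controller or VPN logs rather than an inline string.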

Take a look at each of the techniques and understand the mitigation and detection aspects of each. Also, read through the CIS controls I mentioned above and get an understanding of how to further mitigate some of these techniques.

Initial Access is the funnel point through which an attacker gains a foothold in your environment. If you want to focus energy on stopping an attack sooner rather than later, Initial Access is a great place to start.


Read more about the MITRE ATT&CK Framework here:

Article Prepared by Ollala Corp
