Understanding the MITRE ATT&CK Tactics:
The MITRE ATT&CK framework categorizes various tactics and techniques used by adversaries to
achieve their objectives.
Tactics represent the objectives of an attack, while techniques represent how those objectives are
achieved.
Analyzing the Incident Report:
Phishing Email Campaign: This tactic is commonly used for gaining initial access to a system.
Malicious Link and RAT Download: Clicking a malicious link and downloading a RAT is indicative of
establishing initial access.
Remote Access Trojan (RAT): Once installed, the RAT allows attackers to maintain access over an
extended period, which is a persistence tactic.
Mapping to MITRE ATT&CK Tactics:
Initial Access:
This tactic covers techniques used to gain an initial foothold within a network.
Techniques include phishing and exploiting external remote services.
The phishing campaign and malicious link click fit this category.
Persistence:
This tactic includes methods that adversaries use to maintain their foothold.
Techniques include installing malware that can survive reboots and persist on the system.
The RAT provides persistent remote access, fitting this tactic.
Exclusions:
Defense Evasion:
This involves techniques to avoid detection and evade defenses.
While potentially relevant in a broader context, the incident report does not specifically describe
actions taken to evade defenses.
Lateral Movement:
This involves moving through the network to other systems.
The report does not indicate actions beyond initial access and maintaining that access.
Conclusion:
The incident report captures the tactics of Initial Access and Persistence.
Reference:
MITRE ATT&CK Framework documentation on Initial Access and Persistence tactics.
Incident analysis and mapping to MITRE ATT&CK tactics.
