The Privilege Escalation tactic in the MITRE ATT&CK framework involves techniques used by attackers

to gain higher-level permissions on a system or network, allowing greater access to internal servers

and sensitive data.

Multiple attack vectors – APTs often use various methods (phishing, malware, lateral movement) to

infiltrate and maintain access to a target.

Repeated pursuit of objective – APTs are known for their persistent nature, involving continuous

efforts over time to achieve their goals, such as data theft or surveillance.

Lateral movement is a key stage where the attacker moves across the network to find valuable

targets.

Privilege escalation involves gaining higher access rights to expand control within the compromised

environment.

Communication with covert channels is a tactic used during persistence or exfiltration, while deletion

of critical data is not a standard APT lifecycle stage — it’s more characteristic of destructive attacks.

SaaS financial botnets are often sold as kits, enabling attackers to license and reuse the malicious

code easily.

These kits allow attackers to build and operate their own botnets, often targeting financial data or

systems.

Financial botnets are typically smaller but more targeted than spamming or DDoS botnets. Botnets

are not a defense mechanism, but rather a threat.

Application allow listing is a security practice that permits only pre-approved (trusted) applications,

files, and processes to run on a system. This approach helps prevent unauthorized or malicious

software from executing, thereby reducing the attack surface.

A TLS handshake occurs after the TCP handshake is complete. The TLS handshake is responsible for

establishing a secure, encrypted session between client and server, including the negotiation of

encryption algorithms and exchange of keys.

Mobile Device Management (MDM) enables firewall administrators to remotely and efficiently

deploy corporate configurations, such as email accounts and VPN settings, to targeted mobile

devices. It ensures consistent policy enforcement and security across all managed devices.

A container-based NGFW is specifically designed to integrate with Kubernetes environments,

providing full application visibility and control within containerized workloads. It operates at the pod

level, making it ideal for securing dynamic microservices architectures.

Serverless architecture is primarily implemented through Function as a Service (FaaS), where

developers write and deploy individual functions without managing the underlying infrastructure.

The cloud provider handles scaling, resource allocation, and execution on demand.

Whaling is a targeted phishing attack aimed at high-profile individuals, such as executives. The

attacker impersonates a trusted entity (e.g., IT department) to trick the executive into revealing

sensitive credentials. This is a form of spear phishing specifically focused on “big fish” targets.