The step-by-step description details a specific implementation of an attack. It names the exact tool used (Cobalt Strike), the specific configuration ("non-default beacon profile"), the delivery method ("unique email...based on extensive research"), and the infrastructure ("compromised website"). This level of specific, operational detail corresponds to the definition of a Procedure within standard cybersecurity frameworks like MITRE ATT&CK. A procedure describes precisely how a specific adversary or piece of malware implements a technique.

A. Tactic: A tactic represents the high-level goal or objective of an attacker, such as 'Initial Access' or 'Command and Control', not the specific steps taken to achieve it.

B. Policy: A policy is a set of guiding principles or rules established by an organization for governance and security, which is irrelevant to an attacker's actions.

D. Technique: A technique is the general method used to achieve a tactical goal (e.g., "Phishing"). The description provided is a specific instance of a technique, making "Procedure" the more precise term.

---

1. MITRE ATT&CK® Documentation: The official ATT&CK documentation defines the relationship between tactics

techniques

and procedures. It states

"Procedures are the specific implementation of a technique or sub-technique by an adversary

" providing examples like the specific malware or tools used. The scenario in the question perfectly aligns with this definition.

Source: MITRE. (n.d.). ATT&CK Basics. MITRE ATT&CK®. Retrieved from https://attack.mitre.org/docs/ATTACKBasics.pdf (Section: "Procedures").

2. Splunk Official Blog: Splunk's own educational materials on the MITRE ATT&CK framework reinforce these definitions. A Splunk blog post clarifies: "Procedures are the specific implementation of a technique. For example

a specific threat group may use a particular phishing email variant to deliver a specific malware payload." This directly mirrors the question's scenario.

Source: Splunk Inc. (2022

August 24). What Is the MITRE ATT&CK Framework?. Splunk.com. (Section: "Tactics

Techniques and Procedures (TTPs)").

3. Carnegie Mellon University

Software Engineering Institute (SEI): Academic and research institutions focused on cybersecurity provide formal definitions. The SEI defines procedures as "the specific steps and tools an actor uses to carry out an attack

" which is precisely what the question describes with Cobalt Strike and a custom beacon.

Source: Prowell

S. J. (2020). A Method for Characterizing Adversary Behavior. Carnegie Mellon University

Software Engineering Institute. CMU/SEI-2020-TR-003

Page 7

Section 2.2.2.