Tactic

Initial Access
Initial Access consists of techniques that use various entry vectors to gain their initial foothold within a network.

Respond’s Approach

The Respond Analyst analyzes events from a variety of technologies, including Network IDS/IPS (NIDPS), Endpoint Protection Platforms (EPP) and Endpoint Detection and Response (EDR), to identify exploitation and determine whether systems or accounts were compromised as a result.

Execution
Execution consists of techniques that result in adversary-controlled code running on a local or remote system.

The Respond Analyst determines if files were written to disk or processes were able to execute leveraging EPP and EDR technologies to determine if the execution phase has been reached during an incident.

Persistence
Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access.

The Respond Analyst determines persistence by analyzing the behavior of systems and accounts to identify malicious processes that run consistently or periodically and accounts that have been compromised to gain continued access to the organization.

Privilege Escalation
Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network.

The Respond Analyst determines Privilege Escalation by analyzing suspicious process behavior attempting to increase account permissions or gain access to a higher-level account via Endpoint Detection and Response solutions.

Defense Evasion
Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise.

The Respond Analyst determines Defense Evasion by analyzing suspicious process behavior of systems and accounts via Endpoint Detection and Response solutions.

Credential Access
Credential Access consists of techniques for stealing credentials like account names and passwords.

The Respond Analyst analyzes events from a variety of technologies, including Network IDS/IPS (NIDPS), Endpoint Protection Platforms (EPP) and Endpoint Detection and Response (EDR), to identify when credentials are accessed in suspicious ways with native tools or malicious software, which is indicative of an attacker attempting to gain further persistence and access.

Discovery
Discovery consists of techniques an adversary may use to gain knowledge about the system and internal network.

The Respond Analyst analyzes events from Network IDS/IPS (NIDPS) and Endpoint Detection and Response (EDR) to identify discovery / reconnaissance activities, such as system and domain account information collection, that are often observed after an attacker initially compromises an organization. These activities are traditionally difficult to differentiate from normal user and administrator activity.

Lateral Movement
Lateral Movement consists of techniques that adversaries use to enter, pivot, and control remote systems on a network.

The Respond Analyst analyzes events from Network IDS/IPS (NIDPS) and Endpoint Detection and Response (EDR) to identify lateral movement activities, such as remote exploitation or credential dumping, that are often observed after an attacker initially compromises an organization. These activities are traditionally difficult to differentiate from normal user and administrator activity.

Collection
Collection consists of techniques adversaries may use to gather information and the sources information is collected from that are relevant to following through on the adversary’s objectives.

The Respond Analyst determines Collection by analyzing suspicious process behavior intending to steal system credentials via Endpoint Detection and Response solutions.

Command and Control
Command and Control consists of techniques that adversaries may use to communicate with systems under their control within a victim network.

The Respond Analyst analyzes events from Network IDS/IPS and Web Filtering logs to identify command and control, understand the beaconing pattern, and evaluate attributes of the external adversary. In addition, the Respond Analyst analyzes events from EPP and EDR solutions to understand the malware and process enabling command and control.
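As an added illustration of the beaconing-pattern analysis described above (example code, not Respond's own logic; the log format, hosts and timestamps are constructed for the example), a small Python check that flags source/destination pairs whose connection intervals are nearly constant:

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed web-filter log lines: "<epoch> <src ip> <dest host> <http status>".
# 10.0.0.5 contacts one host roughly every 60 s; 10.0.0.7 browses irregularly.
SAMPLE_LOG = """\
1700000000 10.0.0.5 updates.example-cdn.test 200
1700000060 10.0.0.5 updates.example-cdn.test 200
1700000121 10.0.0.5 updates.example-cdn.test 200
1700000180 10.0.0.5 updates.example-cdn.test 200
1700000241 10.0.0.5 updates.example-cdn.test 200
1700000003 10.0.0.7 www.example.test 200
1700000410 10.0.0.7 www.example.test 200
1700000422 10.0.0.7 www.example.test 304
1700001900 10.0.0.7 www.example.test 200
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\d{3})$")


def parse(log):
    """Group connection timestamps by (source, destination); skip malformed lines."""
    conns = defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, _status = m.groups()
        conns[(src, dst)].append(int(ts))
    return conns


def beacon_candidates(conns, min_events=4, max_jitter=0.2):
    """Flag pairs with enough events whose inter-arrival gaps vary little.

    Jitter is the coefficient of variation of the gaps (stdev / mean); human
    browsing produces bursty gaps, while a timer-driven beacon keeps it low.
    """
    findings = []
    for (src, dst), times in conns.items():
        times = sorted(times)
        if len(times) < min_events:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            findings.append({"src": src, "dst": dst, "count": len(times),
                             "interval_s": avg, "jitter": jitter})
    return findings
```

Low-jitter pairs are only candidates: scheduled software updaters look the same, so the analyst still evaluates the destination and the originating process before calling it command and control.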

Exfiltration
Exfiltration consists of techniques that adversaries may use to steal data from your network.

The Respond Analyst analyzes events from EDR solutions to identify suspicious behaviors like data compression prior to adversaries exfiltrating data.

Impact
Impact consists of techniques that adversaries use to disrupt availability or compromise integrity by manipulating business and operational processes.

The Respond Analyst specifically identifies Ransomware by evaluating the malware and process information within endpoint protection and endpoint detection alerts.