
MITRE | ATT&CK

Resource Development
Background
• Resource Development is a MITRE PRE-ATT&CK preparation tactic that follows the reconnaissance phase.
• The main purpose of this tactic is to acquire the most suitable "tools" to support the given operation.
• It is comparable to the weaponization phase of the Lockheed Martin Cyber Kill Chain.
The term 'kill chain' originates from the military and defines the steps an enemy uses to attack a target.
In 2011, Lockheed Martin took this military model and used it to define the steps used in today's cyber attacks.
The theory is that by understanding the seven stages an attack progresses through, security teams will have a better chance of stopping them or forcing them to make enough noise to be easily detected.
Resource- A resource is a material or product used to produce a benefit, which requires some effort to achieve. Resources are usually materials, products, services, human capital, or other assets. Utilization of resources may lead to increased wealth, well-being, satisfaction of needs and desires, and the proper functioning of systems and their improvement.
Resource Development- The adversary is trying to establish resources they can use to support operations.
Resource Development consists of techniques that involve adversaries:
• Purchasing resources
• Creating resources
• Compromising/stealing resources
Techniques
Acquire Infrastructure- Adversaries may buy, lease, or rent infrastructure that can be used during targeting.
A wide variety of infrastructure exists for hosting and orchestrating adversary operations.
Infrastructure solutions include physical or cloud servers, domains, and third-party web services.
Virtual Private Server- Adversaries may rent Virtual Private Servers (VPSs) that can be used during targeting.
There exist a variety of cloud service providers that will sell virtual machines/containers as a service. By utilizing a VPS, adversaries can make it difficult to physically tie operations back to them.

Compromise Infrastructure- Adversaries may compromise third-party infrastructure that can be used during targeting.
Instead of buying, leasing, or renting infrastructure, an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle.
Additionally, adversaries may compromise numerous machines to form a botnet they can leverage.
Establish Accounts- Adversaries may create and cultivate accounts with services that can be used during targeting. Adversaries can create accounts that can be used to build a persona to further operations.
Persona development consists of the development of public information, presence, history and appropriate affiliations.

Email Accounts- Adversaries may create email accounts that can be used during targeting. Adversaries can use accounts created with email providers to further their operations, such as leveraging them to conduct Phishing for Information or Phishing. Adversaries may also take steps to cultivate a persona around the email account, such as through use of Social Media Accounts, to increase the chance of success of follow-on behaviors.
Compromise Accounts- Adversaries may compromise accounts with services that can be used during targeting. For operations incorporating social engineering, the utilization of an online persona may be important. Rather than creating and cultivating accounts (i.e. Establish Accounts), adversaries may compromise existing accounts. Utilizing an existing persona may engender a level of trust in a potential victim if they have a relationship with, or knowledge of, the compromised persona.

Adversaries may compromise social media accounts that can be used during targeting. For operations incorporating social engineering.

Develop Capabilities- Adversaries may build capabilities that can be used during targeting. Rather than purchasing, freely downloading, or stealing capabilities, adversaries may develop their own capabilities in-house. This is the process of identifying development requirements and building solutions such as malware, exploits, and self-signed certificates. Adversaries may develop capabilities to support their operations throughout numerous phases of the adversary lifecycle.

Stuxnet- In June 2010, Stuxnet was found lurking in the data-banks of power plants' traffic control systems and factories all over the world.
It was the most complex malware ever discovered at the time.
Its development probably began back in 2005 and used an unprecedented four zero-day attacks.

Obtain Capabilities- Adversaries may buy and/or steal capabilities that can be used during targeting. Rather than developing their own capabilities in-house, adversaries may purchase, freely download, or steal them.

Tool- A tool can be used for malicious purposes by an adversary, but (unlike malware) was not intended to be used for those purposes.

PsExec: https://nvd.nist.gov/vuln/detail/CVE-2021-1733
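Because a tool such as PsExec is also used by legitimate administrators, defenders usually watch for the trace it leaves rather than the binary itself: PsExec installs a temporary service on the remote host, which Windows records in the System log as Event ID 7045 ("A service was installed in the system"). The script below is an added example, not part of the original slides or of MITRE's material; it runs a simple triage over a handful of constructed 7045/7036 records. The field names, the sample records and the assumption that %SystemRoot% expands to C:\Windows are all mine; the medium-severity heuristic (a new LocalSystem service whose binary sits directly in the Windows root, where the ADMIN$ share that PsExec copies to is mapped) is a commonly used approximation for a renamed PsExec service, not a MITRE-defined rule.

```python
"""Triage of Windows 'service installed' events for PsExec-style activity.

Added example. SAMPLE_EVENTS are constructed records in a simplified layout
(not a real event export); SYSTEM_ROOT is an assumed expansion of %SystemRoot%.
"""
from typing import Optional

SYSTEM_ROOT = r"C:\Windows"  # assumed value of %SystemRoot% for normalisation

# Constructed sample records: event_id 7045 = service installed, 7036 = state change.
SAMPLE_EVENTS = [
    {"event_id": 7045, "service_name": "PSEXESVC",
     "image_path": r"%SystemRoot%\PSEXESVC.exe", "account": "LocalSystem"},
    {"event_id": 7045, "service_name": "Spooler",
     "image_path": r"%SystemRoot%\System32\spoolsv.exe", "account": "LocalSystem"},
    # PsExec launched with a renamed service: the name is arbitrary, but the
    # service binary is still copied to the Windows root and runs as LocalSystem.
    {"event_id": 7045, "service_name": "WinUpdateSvc",
     "image_path": r"C:\Windows\WinUpdateSvc.exe", "account": "LocalSystem"},
    {"event_id": 7036, "service_name": "PSEXESVC",
     "image_path": "", "account": ""},
    {"event_id": 7045, "service_name": "Dell Data Vault",
     "image_path": r"C:\Program Files\Dell\DDV\DDVDataCollector.exe",
     "account": "LocalSystem"},
]


def normalise_path(path: str) -> str:
    """Lower-case the path, expand %SystemRoot% and unify separators."""
    p = path.strip().strip('"').lower().replace("/", "\\")
    return p.replace("%systemroot%", SYSTEM_ROOT.lower())


def classify_service_install(event: dict) -> Optional[dict]:
    """Return a finding for a suspicious 7045 event, or None if nothing stands out."""
    if event.get("event_id") != 7045:
        return None  # only service installations are of interest here
    name = event.get("service_name", "").lower()
    path = normalise_path(event.get("image_path", ""))
    parent, _, basename = path.rpartition("\\")
    account = event.get("account", "").lower()

    # High confidence: the default PsExec service name or service binary.
    if name == "psexesvc" or basename == "psexesvc.exe":
        return {"severity": "high", "service": event["service_name"],
                "reason": "default PsExec service name or binary"}

    # Heuristic (assumption, see lead-in): a fresh LocalSystem service whose
    # binary lives directly in the Windows root, which is where ADMIN$ maps.
    if parent == SYSTEM_ROOT.lower() and account == "localsystem":
        return {"severity": "medium", "service": event["service_name"],
                "reason": "LocalSystem service installed directly from the "
                          "Windows root; consistent with a renamed PsExec service"}
    return None


def scan(events: list) -> list:
    """Apply the classifier to every event and keep only the findings."""
    findings = []
    for event in events:
        finding = classify_service_install(event)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding['severity']}] {finding['service']}: {finding['reason']}")
```

A hit on either rule is a prompt to look at context, not a verdict: the source host, the account that initiated the remote logon, and whether that pairing is normal for the environment decide whether this is administration or an adversary using an obtained tool.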
 

Stage Capabilities- Adversaries may upload, install, or otherwise set up capabilities that can be used during targeting. To support their operations, an adversary may need to take capabilities they developed (Develop Capabilities) or obtained (Obtain Capabilities) and stage them on infrastructure under their control. These capabilities may be staged on infrastructure that was previously purchased/rented by the adversary (Acquire Infrastructure) or was otherwise compromised by them (Compromise Infrastructure). Capabilities may also be staged on web services, such as GitHub or Pastebin, or on Platform-as-a-Service (PaaS) offerings that enable users to easily provision applications.

Drive-by Target- Adversaries may prepare an operational environment to infect systems that visit a website over the normal course of browsing. Endpoint systems may be compromised through browsing to adversary-controlled sites, as in Drive-by Compromise. In such cases, the user's web browser is typically targeted for exploitation (often not requiring any extra user interaction once landing on the site).
