Resource Development
Background
• Resource Development is a MITRE PRE-ATT&CK preparation tactic that follows the reconnaissance phase.
• The main purpose of this tactic is to acquire the most suitable "tools" to support the given operation.
• It is comparable to the weaponization phase of the Lockheed Martin Cyber Kill Chain.
The term 'kill chain' originates from the military and defines the steps an enemy uses to
attack a target.
In 2011, Lockheed Martin took this military model and used it to define the steps used in
today's cyber attacks.
The theory is that by understanding the seven stages an attack progresses through,
security teams will have a better chance of stopping them or forcing them to make
enough noise to be easily detected.
Resource- A resource is a material or product used to
produce a benefit, which requires some effort to
achieve. Resources are usually materials, products,
services, human capital, or other assets. Utilization of
resources may lead to increased wealth, well-being,
satisfaction of needs, desires, proper functioning of
systems and their improvement.
Resource Development- The
adversary is trying to establish
resources they can use to support
operations.
Resource Development consists of techniques that
involve adversaries:
Compromise Infrastructure- Adversaries may compromise third-party infrastructure that can be used during
targeting.
Instead of buying, leasing, or renting infrastructure, an adversary may compromise infrastructure and use it during
other phases of the adversary lifecycle.
Additionally, adversaries may compromise numerous machines to form a botnet they can leverage.
Techniques
Establish Accounts- Adversaries may create and
cultivate accounts with services that can be used
during targeting. Adversaries can create accounts that
can be used to build a persona to further operations.
Persona development consists of the development of
public information, presence, history and appropriate
affiliations.
Techniques
Email Accounts- Adversaries may create email accounts that can be used during
targeting. Adversaries can use accounts created with email providers to further their
operations, such as leveraging them to conduct Phishing for
Information or Phishing. Adversaries may also take steps to cultivate a persona
around the email account, such as through use of Social Media Accounts, to increase
the chance of success of follow-on behaviors.
Techniques
Compromise Accounts- Adversaries may compromise accounts with
services that can be used during targeting. For operations incorporating
social engineering, the utilization of an online persona may be
important. Rather than creating and cultivating accounts (i.e. Establish
Accounts), adversaries may compromise existing accounts. Utilizing an
existing persona may engender a level of trust in a potential victim if
they have a relationship with, or knowledge of, the compromised persona.
Develop Capabilities- Adversaries may build capabilities that can be used during
targeting. Rather than purchasing, freely downloading, or stealing capabilities,
adversaries may develop their own capabilities in-house. This is the process of
identifying development requirements and building solutions such as malware,
exploits, and self-signed certificates. Adversaries may develop capabilities to
support their operations throughout numerous phases of the adversary lifecycle.
Stuxnet- In June 2010, Stuxnet was found lurking in the data banks of power plants,
traffic control systems and factories all over the world.
It was the most complex malware ever discovered at the time.
Its development probably began back in 2005, and it used an unprecedented four
zero-day attacks.
Techniques
Obtain Capabilities- Adversaries may buy and/or steal capabilities that can be used during
targeting. Rather than developing their own capabilities in-house, adversaries may purchase,
freely download, or steal them.
PsExec: https://nvd.nist.gov/vuln/detail/CVE-2021-1733
Techniques