Review the following incident report: Attackers leveraged a phishing email campaign targeting your employees. The email likely impersonated a trusted source, such as the IT department, and requested login credentials. An unsuspecting employee clicked a malicious link in the email, leading to the download and execution of a Remote Access Trojan (RAT). The RAT provided the attackers with remote access and a foothold in the compromised system. Which two MITRE ATT&CK tactics does this incident report capture? (Choose two.)
Correct Answer: A,D
* Understanding the MITRE ATT&CK Tactics:
  * The MITRE ATT&CK framework categorizes the tactics and techniques adversaries use to achieve their objectives.
  * Tactics represent the objectives of an attack, while techniques represent how those objectives are achieved.
* Analyzing the Incident Report:
  * Phishing Email Campaign: This tactic is commonly used for gaining initial access to a system.
  * Malicious Link and RAT Download: Clicking a malicious link and downloading a RAT is indicative of establishing initial access.
  * Remote Access Trojan (RAT): Once installed, the RAT allows attackers to maintain access over an extended period, which is a persistence tactic.
* Mapping to MITRE ATT&CK Tactics:
  * Initial Access:
    * This tactic covers techniques used to gain an initial foothold within a network.
    * Techniques include phishing and exploiting external remote services.
    * The phishing campaign and malicious link click fit this category.
  * Persistence:
    * This tactic includes methods that adversaries use to maintain their foothold.
    * Techniques include installing malware that can survive reboots and persist on the system.
    * The RAT provides persistent remote access, fitting this tactic.
* Exclusions:
  * Defense Evasion:
    * This involves techniques to avoid detection and evade defenses.
    * While potentially relevant in a broader context, the incident report does not specifically describe actions taken to evade defenses.
  * Lateral Movement:
    * This involves moving through the network to other systems.
    * The report does not indicate actions beyond initial access and maintaining that access.
* Conclusion:
  * The incident report captures the tactics of Initial Access and Persistence.
* References:
  * MITRE ATT&CK Framework documentation on the Initial Access and Persistence tactics.
  * Incident analysis and mapping to MITRE ATT&CK tactics.