Phishing Attack to Data Exfiltration
Key Points
- The attacker begins with reconnaissance to map the organization’s web, email, database, and file‑sharing systems before launching a phishing email that tricks a user into revealing credentials.
- Captured credentials are reused to access other internal resources, where the attacker discovers stored passwords in an unsecured flat file (e.g., Excel) and uses them to infiltrate the critical database.
- After locating the valuable data, the attacker exfiltrates it and then deletes the original files, leaving the victim with nothing.
- This multi‑step compromise can be categorized using the TTP framework: tactics (the attacker’s goals such as reconnaissance or credential harvesting), techniques (the specific methods like phishing or lateral movement), and procedures (the exact actions taken to execute each technique).
Sections
- 00:00:00 Phishing Attack Anatomy and Lateral Movement - The passage outlines an attacker’s recon, phishing email, credential theft, and subsequent use of those credentials to access email and file servers within a network.
- 00:03:06 Mapping Phishing to MITRE ATT&CK - The speaker explains how to classify a phishing campaign using the MITRE ATT&CK framework by breaking it down into tactics, techniques, and procedures, and demonstrates mapping the scenario’s reconnaissance and initial access steps to the appropriate ATT&CK categories.
- 00:06:15 Mapping Threat Data to Attack Tactics - The speaker explains how security tools such as IBM’s SOAR and SIEM ingest indicators of compromise, map them to a standardized attack framework, and empower organizations to use people, process, and technology (PPT) to counter adversary tactics, techniques, and procedures.
Source: https://www.youtube.com/watch?v=2icKi2q6NS4
Duration: 00:07:42
Full Transcript
A "bad guy" just broke in and stole your data, leaving you empty-handed.
How did he do it?
Let's take a look at the anatomy of an attack.
How would something like this work?
Well, let's say we've got a web server.
And it's connected to a database.
And we also have an email server.
And maybe some file sharing system that's out here.
And now we have, in addition to all of this, a bad guy, an attacker, who's going to try to take advantage of this.
Well, how is he going to do that?
There's a number of things he could do.
He starts his attack with a reconnaissance phase, with a scan, and he looks and discovers what systems are out here.
He realizes there's an email system.
So he sends to that a phishing attack.
Phishing now is going to have an email with a link in it, and it's going to encourage this unsuspecting internal user to log in.
And when they take a look at their email, they're going to see the email, click on the link,
the link is going to tell them to log into this website to verify their details or accept an order or something like that,
some ruse of that sort.
And when he does, he's going to basically give his credentials to the bad guy in the process.
That's how a phishing attack often works.
Now, what happens next?
The bad guy then takes a look at this and says, "okay, I now have access to this email.
I can log in to that and see what happens."
"I also look and see that I discovered that there was this file server and I'm going to see if I can use
the credentials that he provided for me to log in to the file sharing system."
On there, he discovers that this guy has stored his passwords in an unencrypted file, just a flat file,
maybe an Excel spreadsheet, something like that.
Something that's convenient.
He uses these credentials then to log in to the database back here that has the actual critical data.
Up to this point, we haven't really dealt with anything all that sensitive.
This is part of the critical operation of the organization.
Well, once he sees that, he says "I'm going to exfiltrate",
in other words, "I'm going to get a copy of all of that and send it back to myself."
Then, he does the final piece and destroys the data and leaves you empty-handed.
He has your data and you don't.
So that's the way an attack could go.
There are a lot of different variations, but that's one way to look at it.
Well, how do we look at something complex like this?
And this is actually a relatively simple attack scenario, but can we put some sort of common nomenclature,
some common way of understanding that so that we can understand it even better?
Well, it turns out bad guys use things that we think of this way.
It's tactics, techniques and procedures.
Tactics are basically what they're trying to do-- not in the larger scheme of things, but sort of the sub-goal.
I want to do reconnaissance.
I want to do this.
I want to do a phishing type of campaign.
That's the tactic.
The next thing would be the technique.
That's the how.
How am I going to go actually and do this sort of thing?
And then the procedures are the details, the real implementation details that go into the how
and spell out what tools I'm going to use and things like that.
So this is one way of thinking about this and classifying it.
In addition to this, there's a group called MITRE that put together what we call the MITRE ATT&CK framework.
ATT&CK is also an acronym.
It stands for Adversarial Tactics, Techniques & Common Knowledge.
So the MITRE ATT&CK framework is an industry standard that everyone can use.
Think of it as a common language for describing, classifying, therefore, a taxonomy on what attacks look like.
So let's take this MITRE ATT&CK framework and map our scenario to it.
So this is what the framework looks like.
Now you can see there's a lot of stuff here, a lot of detail.
You don't need to know all of these details, but this is how we classify all of these things.
So there's a number of things that are going to happen.
Let's take the scenario we went through and map it to ATT&CK.
The first thing that happened then was a reconnaissance phase, a reconnaissance tactic.
And under that, the technique that was used was active scanning.
Remember, this guy went out and scanned and discovered the environment.
Then he moved on to a different tactic of initial access with the phishing campaign and then using valid accounts to log in, once he had gotten the credentials.
The next thing he did was move to a different tactic with credential access.
And credential access then allowed him to use these unsecured credentials that were down here on this file sharing system
to log in to another system, which is an example of privilege escalation, yet another tactic using a valid account.
Now he's gone from a low-level-- where he was an outsider --to a low level account to now a very sensitive account.
The next thing he's going to do is collection.
That's the tactic next.
Collection is when he takes the data and then he does the next tactic and exfiltrate it, sends it to himself over the network.
And then the final piece he does is the impact tactic.
That's where he destroys the data.
So now, if you think about it this way, we've described what that looks like in a common way.
I could tell you that an attacker went through the following tactics and the following techniques,
and you would understand something about that attack, if you knew what this framework was.
And the beautiful thing about this is, you can actually click in on any one of these and see, for instance, on the phishing one,
if you click through on that, then you'll get another page of detail that comes up and tells you
what are some of the things that go into that procedure. How do you detect it?
How do you mitigate against it?
What are references that give you more information about it?
So it's a nice way of trying to understand this-- classify --and then therefore
get your arms around it when you actually find one of these attacks.
Now, how would this look in the real world?
You're not going to take this big, complicated diagram.
That's going to be a lot.
What you'd like is to have a tool, a threat management tool, that can take the information that's come in, the artifacts,
the indicators of compromise, all the alarms-- map all of those activities to the attack framework,
and then tell you exactly just which ones of those tactics were involved in this case.
And that's what this shows you.
So here's a screenshot that shows you, for example, in IBM's threat management solution, how we would depict this,
in our SOAR-- our security orchestration, automation response capability,
in our SIEM, our security information event management capability.
We've got a number of different ways of depicting this.
But given this now, I can say, I can describe this attack in a way that everyone in the industry will understand.
So if you think about it this way, the bad guys have their TTPs.
What do the good guys have?
Well, we've got just the opposite: PPT.
We've got people, process, and technology.
That's what's working for us.
And if we can understand the problem better, we can contain the problem and respond to it better.
So we're going to use our PPTs to respond to their TTPs.
Thanks for watching.
If you found this video interesting and would like to learn more about cybersecurity,
please remember to hit like and subscribe to this channel.
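The alert-to-ATT&CK mapping that the video describes for a threat management tool, as an added example that is not from the video or from IBM's products: constructed JSON alert lines modelled on the scenario are classified into the tactics and techniques named above, and the summary reports which tactics were observed, which have no evidence yet, and which alerts no rule covers. The alert type names and the RULES table are assumptions made for this example; the technique IDs are from the public ATT&CK Enterprise matrix.

```python
import json

# Enterprise ATT&CK tactics in the order the scenario in the video walks through them.
TACTIC_ORDER = ["Reconnaissance", "Initial Access", "Credential Access",
                "Privilege Escalation", "Collection", "Exfiltration", "Impact"]

# Detection rules: alert type -> (tactic, technique). The alert type names are
# assumptions for this example; the technique IDs come from the public ATT&CK matrix.
RULES = {
    "port_scan":           ("Reconnaissance",       "T1595 Active Scanning"),
    "phishing_link_click": ("Initial Access",       "T1566 Phishing"),
    "login_new_source":    ("Initial Access",       "T1078 Valid Accounts"),
    "cleartext_cred_file": ("Credential Access",    "T1552 Unsecured Credentials"),
    "db_admin_login":      ("Privilege Escalation", "T1078 Valid Accounts"),
    "bulk_db_read":        ("Collection",           "T1213 Data from Information Repositories"),
    "large_outbound_xfer": ("Exfiltration",         "T1048 Exfiltration Over Alternative Protocol"),
    "mass_delete":         ("Impact",               "T1485 Data Destruction"),
}

# Constructed alert lines (not real telemetry) following the video's scenario; the
# attacker's collection step produced no alert here, and one alert is unrelated noise.
SAMPLE_ALERTS = """
{"ts": "2024-05-01T08:00:00Z", "type": "port_scan", "src": "203.0.113.7"}
{"ts": "2024-05-01T09:12:00Z", "type": "phishing_link_click", "user": "jdoe"}
{"ts": "2024-05-01T09:40:00Z", "type": "login_new_source", "user": "jdoe", "host": "mail01"}
{"ts": "2024-05-01T10:05:00Z", "type": "cleartext_cred_file", "user": "jdoe", "host": "files01"}
{"ts": "2024-05-01T10:30:00Z", "type": "db_admin_login", "user": "dba", "host": "db01"}
{"ts": "2024-05-01T10:45:00Z", "type": "large_outbound_xfer", "host": "db01", "bytes": 4200000000}
{"ts": "2024-05-01T11:00:00Z", "type": "mass_delete", "host": "db01"}
{"ts": "2024-05-01T11:01:00Z", "type": "printer_jam", "host": "hq-printer"}
"""

def map_alert(line):
    """Parse one JSON alert line and attach its ATT&CK tactic and technique.
    Alert types with no rule are kept and flagged as Unmapped rather than dropped."""
    alert = json.loads(line)
    tactic, technique = RULES.get(alert.get("type"), ("Unmapped", "Unmapped"))
    return {**alert, "tactic": tactic, "technique": technique}

def summarize(lines):
    """Report which tactics the alerts cover (in framework order), which tactics have
    no evidence yet, which alert types the rule set does not know, and a timeline."""
    mapped = [map_alert(line) for line in lines if line.strip()]
    seen = {m["tactic"] for m in mapped}
    return {
        "observed": [t for t in TACTIC_ORDER if t in seen],
        "missing":  [t for t in TACTIC_ORDER if t not in seen],
        "unmapped": sorted({m.get("type", "?") for m in mapped if m["tactic"] == "Unmapped"}),
        "timeline": [(m.get("ts"), m["tactic"], m["technique"]) for m in mapped],
    }
```

Running `summarize(SAMPLE_ALERTS.splitlines())` shows six of the seven tactics observed, Collection missing (no rule fired for it), and `printer_jam` listed as unmapped so the rule set can be extended.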