Field notes from the SOC - 1 - Not all phishing mails are the same

For a while now, I've wanted to start a mini-series on the interesting topics we encounter in our Security Operations Center (SOC). This post is the first in what I hope will become a series exploring real-world lessons from the front lines of incident response.


Each article will be built on notes from our team discussions, reverse engineering sessions, and active incident responses.

During a recent SOC retrospective, we discussed a common scenario: an attacker sent a phishing mail with a link to a fake login page designed to harvest an unsuspecting user's credentials. At first glance, it looked like a typical spearphishing attempt. But something didn't quite add up when we tried mapping it to MITRE ATT&CK.

The question:

If the goal of the attacker is to steal credentials, does this still fall under Phishing (T1566) for initial access (TA0001)? Or should it be categorised differently?

Spoiler: it's not Initial Access - and the distinction matters.

Phishing for initial access

Broadly speaking, MITRE ATT&CK tactics represent why an attacker is doing something, whereas techniques represent how. This matters because it separates the goal of a threat actor from the actions needed to achieve it. Applied to our question from the introduction: there is no doubt that the phishing mail is the how. But what is the end goal of the attacker?


Is it really to gain initial access to the victim's network? Not really. The mail did not carry a malicious attachment, nor did the phishing link lead to a page that tried to infect the user with some form of malware.


The goal of the attacker is not directly to get a foothold in the network, but rather to collect information which can be used at a later stage in the kill chain. As a result, Initial Access does not correctly reflect the intent of this threat actor.

📌 Finding the correct tactic

Tricking the user into handing over credentials more closely resembles an attacker gathering information that can be used to plan future operations. This is exactly how MITRE ATT&CK defines Reconnaissance (TA0043) [1]. Skimming through the techniques listed under that tactic, we find T1598 - Phishing for Information. Bingo!


MITRE even spells out the distinction we are trying to make: if the goal is not to execute attacker-controlled malicious code, it is not Phishing (T1566). Phishing for Information should be used instead to label the incident:


"Adversaries may send phishing messages to elicit sensitive information that can be used during targeting. Phishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Phishing for information is different from Phishing in that the objective is gathering data from the victim rather than executing malicious code." [2]

Why even bother?

During this discussion, one of the analysts made a valid point: "Why even bother skimming through the 400+ ATT&CK mappings when we can just take action?". It is a fair question, and it touches upon the reasons why ATT&CK was created in the first place.


By correctly using ATT&CK our case could look as follows:


  • Step 1: Reconnaissance - T1598.003 Spearphishing Link. Attacker sends a phishing mail to gather credentials
  • Step 2: Credential Access - T1056.003 Web Portal Capture. Fake login page captures the user's credentials
  • Step 3: Initial Access - T1078 Valid Accounts. Attacker logs into the real service using the stolen credentials
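To make the three-stage mapping concrete, here is an added example (not code from the original post or from Able bv) that correlates constructed mail-gateway, web-proxy and identity-provider events for the same user and emits the chain above, tagging each stage with its ATT&CK tactic and technique. The event field names, the legitimate login host and all sample records are assumptions made up for this example; a mail that carries an attachment is mapped to T1566.001 instead, to show the distinction the post makes.

```python
"""Map a credential-phishing chain onto ATT&CK tactics and techniques.

All telemetry below is constructed for this example. Field names are an
assumption, not the schema of any real mail gateway, proxy or IdP.
"""
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Assumption: the only host where users legitimately type corporate credentials.
LEGIT_LOGIN_HOSTS = {"login.example-corp.com"}

# Constructed sample events: one user who clicks and is compromised (j.doe),
# one who only receives the mail (a.smith), one who gets an attachment (b.lee).
EVENTS = [
    {"ts": "2025-06-10T08:02:11", "src": "mailgw", "user": "j.doe",
     "url": "https://example-corp-sso.login-verify.test/auth", "attachment": None},
    {"ts": "2025-06-10T08:02:12", "src": "mailgw", "user": "a.smith",
     "url": "https://example-corp-sso.login-verify.test/auth", "attachment": None},
    {"ts": "2025-06-10T08:05:40", "src": "proxy", "user": "j.doe", "method": "POST",
     "url": "https://example-corp-sso.login-verify.test/auth"},
    {"ts": "2025-06-10T09:14:03", "src": "idp", "user": "j.doe",
     "result": "success", "ip": "203.0.113.57", "new_device": True},
    {"ts": "2025-06-10T10:30:00", "src": "mailgw", "user": "b.lee",
     "url": None, "attachment": "invoice.exe"},
]


def _t(ev):
    return datetime.fromisoformat(ev["ts"])


def _host(url):
    return urlparse(url).hostname if url else None


def map_chain(events, window=timedelta(hours=24)):
    """Return {user: [(tactic_id, tactic, technique_id, technique), ...]}.

    Stage 1 depends on what the mail carries: an attachment means the
    adversary wants code to run (T1566.001, Initial Access); a link to a
    non-corporate login host means they want data (T1598.003, Reconnaissance).
    Stages 2 and 3 are added only when the same user POSTs to that host and
    a successful sign-in from a new device follows inside the window.
    """
    chains = {}
    for mail in sorted((e for e in events if e["src"] == "mailgw"), key=_t):
        user = mail["user"]
        if user in chains:
            continue  # first mail per user decides the chain
        if mail.get("attachment"):
            chains[user] = [("TA0001", "Initial Access", "T1566.001", "Spearphishing Attachment")]
            continue
        host = _host(mail.get("url"))
        if not host or host in LEGIT_LOGIN_HOSTS:
            continue  # no link, or a link to the real login page: nothing to map
        steps = [("TA0043", "Reconnaissance", "T1598.003", "Spearphishing Link")]
        deadline = _t(mail) + window
        posts = [e for e in events
                 if e["src"] == "proxy" and e["user"] == user
                 and e.get("method") == "POST" and _host(e.get("url")) == host
                 and _t(mail) <= _t(e) <= deadline]
        if posts:
            steps.append(("TA0006", "Credential Access", "T1056.003", "Web Portal Capture"))
            first_post = min(posts, key=_t)
            logins = [e for e in events
                      if e["src"] == "idp" and e["user"] == user
                      and e.get("result") == "success" and e.get("new_device")
                      and _t(first_post) <= _t(e) <= deadline]
            if logins:
                steps.append(("TA0001", "Initial Access", "T1078", "Valid Accounts"))
        chains[user] = steps
    return chains


if __name__ == "__main__":
    for user, steps in map_chain(EVENTS).items():
        print(user)
        for n, (_, tactic, tid, name) in enumerate(steps, 1):
            print(f"  Step {n}: {tactic} - {tid} {name}")
```

Run stand-alone, the script prints the three-step chain for j.doe, a single Reconnaissance step for a.smith (the mail was delivered but never acted on) and an Initial Access mapping for b.lee. The ordering constraint (mail, then POST, then sign-in, all inside one window) is what turns three unrelated alerts into one case with a clear attacker intent at each stage.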


This clearly shows the intent of the attacker through the various stages of a breach, using a shared taxonomy. This uniform language leads to better reporting and communication between teams, or even between parties sharing cyber threat intelligence (CTI). For example, if an actor like APT28 is known to chain recon-phishing into the use of valid accounts [3], we can compare observed behaviour against the documented TTPs of known groups. Furthermore, we are more precise and less ambiguous than simply categorising the case as "phishing".


In addition, tracking ATT&CK mappings over time is a good way to measure SOC detection coverage and maturity. With a precise mapping, we can answer the question:


Are we only catching mails with malicious attachment, or can we also catch credential harvesting?

Conclusion

In a SOC, precision matters. It is not just about what an attacker did, but why they did it. This guides further investigation and incident response, and clarifies any later reporting.


Not all phishing mails are the same - and your ATT&CK mapping should reflect that.

Able bv, Thibault Van Win June 19, 2025
