Impact (MITRE ATT&CK Matrix)

The MITRE ATT&CK Framework defines 13 techniques within the Impact category. These techniques describe how adversaries can disrupt the availability, integrity, or confidentiality of systems and data. Below is a description of each:

Account Access Removal: This technique involves actions taken by a threat actor to effectively lock a user out of their network account. This is typically achieved by changing account credentials or deleting the targeted account.

Data Destruction: This refers to the irreversible erasure or wiping of data, causing the target organization to lose access to it. Depending on the method used, some data might be recoverable with forensic techniques, but overwriting disk contents or disk structures can make recovery without backups impossible.

Data Encrypted for Impact: In this technique, a threat actor encrypts data, rendering it inaccessible to the target organization. This is commonly observed in ransomware attacks, where valuable data is encrypted and held for ransom. Where the threat actor never intends to decrypt the data, this effectively functions as data destruction.

Data Manipulation: This technique involves any alteration of data by a threat actor. It can be used for various purposes, such as influencing reporting by modifying source data to spread disinformation. The core of this technique is the unauthorized modification of information.

Defacement: This technique involves a threat actor modifying data to display a completely different message, most commonly on websites. Examples include altering a website to display warning messages against the target organization or promoting opposing viewpoints, such as defacing a vaccine producer’s website with anti-vaccination content.

Disk Wipe: Similar to Data Destruction, Disk Wipe focuses on erasing the entire contents of a disk rather than specific data sets.

Endpoint Denial of Service: This technique aims to prevent an endpoint (like a workstation or server) from operating. This is often achieved by overwhelming the endpoint with excessive processing demands, rendering it unavailable for legitimate tasks and potentially hindering administrative functions. Alternatively, a threat actor might cause an application to repeatedly crash, preventing its use.

Firmware Corruption: This technique involves compromising the firmware of a device, potentially rendering it inoperable or installing malware within the firmware itself.

Inhibit System Recovery: This technique is typically used in conjunction with other impact techniques to prevent the target organization from reversing or mitigating the damage. An example is destroying accessible backups, which guarantees data loss by eliminating recovery options.

Network Denial of Service: This technique involves overwhelming network devices with more traffic than they can handle, preventing remote users from accessing resources. Threat actors often manipulate network packets to achieve this efficiently. While legitimate traffic could theoretically cause this, attackers often craft specific packets that require disproportionate processing time by the target, making the attack more effective and harder to distinguish from normal traffic.

Resource Hijacking: This occurs when a threat actor takes control of a resource, such as a server or workstation, and uses it for their own purposes instead of its intended function. Installing cryptocurrency miners is a common example, as it steals CPU/GPU resources for the attacker’s benefit at the victim’s expense.

Service Stop: This technique can effectively act as a denial of service by shutting down a service running on a target server or workstation. This typically requires initial access and privilege escalation.

System Shutdown/Reboot: This technique can also serve as a form of Denial of Service by abruptly shutting down or rebooting a server or workstation. This can cause brief service disruptions or longer outages depending on the time required for the target organization to restore the affected system.
