Skip to content

Latest commit

 

History

History
156 lines (102 loc) · 3.29 KB

File metadata and controls

156 lines (102 loc) · 3.29 KB

07 - MITRE ATT&CK Mapping

1. Objective

This document maps the observed suspicious activity to relevant MITRE ATT&CK techniques in order to:

  • Standardize threat classification
  • Align detection logic with global threat intelligence
  • Improve defensive strategy
  • Enhance SOC reporting maturity

2. Threat Summary

Observed Behavior:

  • Successful authentication
  • Wildcard API enumeration
  • Cross-factory data access
  • Sequential machine querying
  • Infrastructure mapping activity

These actions align with reconnaissance and discovery tactics.


3. MITRE ATT&CK Technique Mapping

Tactic: Reconnaissance

Technique: Active Scanning
Technique ID: T1595

Mapping Justification: The repeated wildcard API queries and broad data requests indicate active scanning of application resources to map available infrastructure components.


Tactic: Discovery

Technique: Account Discovery
Technique ID: T1087

Mapping Justification: Authenticated access suggests use of valid credentials, potentially to discover accessible system scope and authorized resource visibility.


Tactic: Discovery

Technique: System Information Discovery
Technique ID: T1082

Mapping Justification: Sequential machine-level API queries indicate attempts to identify system components and operational status.


Tactic: Discovery

Technique: Network Service Discovery
Technique ID: T1046

Mapping Justification: Cross-factory queries resemble internal service mapping and infrastructure visibility probing.


Tactic: Collection

Technique: Data from Information Repositories
Technique ID: T1213

Mapping Justification: Machine status data appears to be retrieved from application data repositories via authorized API calls.


4. Kill Chain Stage Mapping

Kill Chain Phase Observed Activity
Reconnaissance Wildcard API scanning
Discovery Cross-factory enumeration
Collection Machine-level data retrieval
Exfiltration Not observed
Impact Not observed

The activity appears to remain within the Reconnaissance and Discovery phases.


5. Threat Maturity Assessment

Based on observed behavior:

  • No exploitation attempt
  • No privilege escalation
  • No lateral movement detected
  • No destructive behavior observed

Threat Level: Early-Stage Internal Reconnaissance


6. Defensive Recommendations Aligned to MITRE

To counter mapped techniques:

  • Implement anomaly detection for discovery patterns
  • Restrict broad query capabilities
  • Monitor unusual authenticated activity
  • Deploy User and Entity Behavior Analytics (UEBA)
  • Apply least-privilege access enforcement

7. MITRE Coverage Gap Analysis

Current Defensive Gaps:

  • No behavioral monitoring for discovery tactics
  • No detection for enumeration patterns
  • Limited API usage visibility controls

Improvement Priority: High


8. Conclusion

The suspicious API activity aligns with multiple MITRE ATT&CK Discovery and Reconnaissance techniques.

Although no exploitation or impact phase was observed, the behavior represents a precursor to potential escalation.

Mapping to MITRE provides structured threat classification and supports maturity improvement in detection engineering.


Prepared By: Threat Intelligence & SOC Team (Simulation)