ATAGS Tactic: Resource Development
| ID | Name | Description | |
| ATAGS-T1014 | Acquire Access | Threat actors may purchase or otherwise acquire an existing access to a target system or network. A variety of online services and initial access broker networks are available to sell access to previously compromised systems. In some cases, adversary groups may form partnerships to share compromised systems with each other. | |
| ATAGS-T1015 | Acquire or Build Infrastructure | Threat actors may acquire a Ground Segment, a Ground Station service (e.g. Amazon service ), satellite(s), or other infrastructure that can be useful to his attacking plans. Such an infrastructure can be a set of antennas, lasers, Software Defined Radios (SDR) or other equipment able to transmit the desired signals. Such equipment can be fixed on ground, mounted on vehicles like trucks, ships, aircraft, or also installed on board of satellites. | |
| .001 | Acquire Ground-station/ Ground segment | Threat actors may build a new ground station or gaining control of an existing one. | |
| .002 | Acquire jamming equipment | Antennas, lasers, or other equipment able to jam a radio or visible-light frequency can be useful to prevent communication or an image acquisition. These instruments can be fixed on ground, mounted on vehicles like trucks, ships, aircraft, or also installed on board of satellites. | |
| .003 | Acquire Satellite | Launching a new satellite or gaining control of an existing satellite. | |
| .004 | Rent ground segment as a service | Building it, or renting a cloud based Ground Segment (e.g., AWS) | |
| ATAGS-T1016 | Compromise Infrastructure | Threat actors may compromise third-party infrastructure that can be used for future campaigns or to perpetuate other techniques. Infrastructure solutions include physical devices such as antenna, amplifiers, and convertors, as well as software used by satellite communicators. Instead of buying or renting infrastructure, a threat actor may compromise infrastructure and use it during other phases of the campaign's lifecycle. | |
| .001 | 3rd Party Ground System | Threat actors may compromise access to third-party ground systems that can be used for future campaigns or to perpetuate other techniques. These ground systems can be or may have already been configured for communications to the victim. By compromising this infrastructure, threat actors can stage, launch, and execute an operation. | |
| .002 | 3rd-Party Spacecraft | Threat actors may compromise access to third-party ground systems that can be used for future campaigns or to perpetuate other techniques. These ground systems can be or may have already been configured for communications to the victim ground station. By compromising this infrastructure, threat actors can stage, launch, and execute an operation. | |
| .003 | Botnet | Threat actors may buy, lease, or rent a network of compromised systems that can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks. Threat actors may purchase a subscription to use an existing botnet from a booter/stresser service. | |
| .004 | Compromise Ground Segment | If a Ground System is located in a remote area with limited physical security controls, a physical violation of the site is possible. There should be authentication systems implemented that make difficult to use it without a proper authorization. | |
| .005 | Compromise Satellite(s) | Compromised or malicious satellites might be abused by Threat actors to achieve kinetic effects on other satellites in orbit, such as sensor interference or manipulation. | |
| .006 | DNS Server | Threat actors may set up their own Domain Name System (DNS) servers that can be used during targeting. During post-compromise activity, Threat actors may utilize DNS traffic for various tasks, including for Command and Control (ex: Application Layer Protocol). Instead of hijacking existing DNS servers, Threat actors may opt to configure and run their own DNS servers in support of operations. | |
| .007 | Domains | Threat actors may acquire domains that can be used during targeting. Domain names are the human readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free. | |
| .008 | Malvertising | Threat actors may purchase online advertisements that can be abused to distribute malware to victims. Ads can be purchased to plant as well as favorably position artifacts in specific locations online, such as prominently placed within search engine results. These ads may make it more difficult for users to distinguish between actual search results and advertisements. Purchased ads may also target specific audiences using the advertising network’s capabilities, potentially further taking advantage of the trust inherently given to search engines and popular websites. | |
| .009 | Mission-Operated Ground System | Threat actors may compromise mission owned/operated ground systems that can be used for future campaigns or to perpetuate other techniques. These ground systems have already been configured for communications to the victim ground station. By compromising this infrastructure, threat actors can stage, launch, and execute an operation. Threat actors may utilize these systems for various tasks, including Execution and Exfiltration. | |
| .010 | Network Devices | Threat actors may compromise third-party network devices that can be used during targeting. Network devices, such as small office/home office (SOHO) routers, may be compromised where the adversary's ultimate goal is not Initial Access to that environment, but rather to leverage these devices to support additional targeting. | |
| .011 | Server | Threat actors may buy, lease, rent, or obtain physical servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, Threat actors may utilize servers for various tasks, such as watering hole operations in Drive-by Compromise, enabling Phishing operations, or facilitating Command and Control. Instead of compromising a third-party Server or renting a Virtual Private Server, Threat actors may opt to configure and run their own servers in support of operations. Free trial periods of cloud servers may also be abused. | |
| .012 | Serverless | Threat actors may purchase and configure serverless cloud infrastructure, such as Cloudflare Workers, AWS Lambda functions, or Google Apps Scripts, that can be used during targeting. By utilizing serverless infrastructure, Threat actors can make it more difficult to attribute infrastructure used during operations back to them. | |
| .013 | Virtual Private Server | Threat actors may rent Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. By utilizing a VPS, Threat actors can make it difficult to physically tie back operations to them. The use of cloud infrastructure can also make it easier for Threat actors to rapidly provision, modify, and shut down their infrastructure. | |
| .014 | Web Services | Threat actors may register for web services that can be used during targeting. A variety of popular websites exist for Threat actors to register for a web-based service that can be abused during later stages of the adversary lifecycle, such as during Command and Control (Web Service), Exfiltration Over Web Service, or Phishing. Using common services, such as those offered by Google, GitHub, or Twitter, makes it easier for Threat actors to hide in expected noise. By utilizing a web service, Threat actors can make it difficult to physically tie back operations to them. | |
| ATAGS-T1017 | Compromise or Establish Accounts | Threat actors may compromise or establish accounts with services that can be used during targeting. For operations incorporating social engineering, the utilization of an online persona may be important. Threat actors may compromise existing accounts. Utilizing an existing persona may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona. Adversaries may create and cultivate accounts with services that can be used during targeting. Adversaries can create accounts that can be used to build a persona to further operations; while persona development consists of the development of public information, presence, history and appropriate affiliations. This development could be applied to social media, website, or other publicly available information that could be referenced and scrutinized for legitimacy over the course of an operation using that persona or identity. | |
| ATAGS-T1018 | Develop or Obtain Cyber Capabilities | Threat actors may build, buy or steal capabilities that can be used during targeting. Activities may include the acquisition of malware, software (including licenses), exploits, certificates, and information relating to vulnerabilities. | |
| ATAGS-T1019 | Develop or Obtain Non-Cyber Capabilities | Threat actors may obtain non-cyber capabilities, primarily physical weapons or systems. These capabilities vary significantly in the types of effects they create, the level of technological sophistication required, and the level of resources needed to develop and deploy them. These diverse capabilities also differ in how they are employed and how easy they are to detect and attribute and the permanence of the effects they have on their target. | |
| ATAGS-T1020 | Stage Capabilities | Threat actors may upload, install, or otherwise set up capabilities that can be used for future campaigns or to perpetuate other techniques. To support their operations, a threat actor may need to develop their own capabilities or obtain them in some way in order to stage them on infrastructure under their control. These capabilities may be staged on infrastructure that was previously purchased or rented by the threat actor or was otherwise compromised by them. | |
| .001 | Drive-by Target | Threat actors may prepare an operational environment to infect systems that visit a website over the normal course of browsing. Endpoint systems may be compromised through browsing to adversary controlled sites, as in Drive-by Compromise. In such cases, the user's web browser is typically targeted for exploitation (often not requiring any extra user interaction once landing on the site), but Threat actors may also set up websites for non-exploitation behavior such as Application Access Token. Prior to Drive-by Compromise, Threat actors must stage resources needed to deliver that exploit to users who browse to an adversary controlled site. Drive-by content can be staged on adversary controlled infrastructure that has been acquired (Acquire Infrastructure) or previously compromised (Compromise Infrastructure). | |
| .002 | Identify/Select Delivery Mechanism | Threat actors may identify, select, and prepare a delivery mechanism in which to attack the space system (i.e., communicate with the victim ground station, deny the ground, etc.) to achieve their desired impact. This mechanism may be located on infrastructure that was previously purchased or rented by the threat actor or was otherwise compromised by them. The mechanism must include all aspects needed to communicate with the spacecraft, including ground antenna, converters, and amplifiers. | |
| .003 | Install Digital Certificate | Threat actors may install SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are files that can be installed on servers to enable secure communications between systems. Digital certificates include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate securely with its owner. Certificates can be uploaded to a server, then the server can be configured to use the certificate to enable encrypted communication with it. | |
| .004 | Link Target | Threat actors may put in place resources that are referenced by a link that can be used during targeting. An adversary may rely upon a user clicking a malicious link in order to divulge information (including credentials) or to gain execution, as in Malicious Link. Links can be used for spearphishing, such as sending an email accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser. Prior to a phish for information (as in Spearphishing Link) or a phish to gain initial access to a system (as in Spearphishing Link), an adversary must set up the resources for a link target for the spearphishing link. | |
| .005 | SEO Poisoning | Threat actors may poison mechanisms that influence search engine optimization (SEO) to further lure staged capabilities towards potential victims. Search engines typically display results to users based on purchased ads as well as the site’s ranking/score/reputation calculated by their web crawlers and algorithms. | |
| .006 | Upload Exploit/Payload | Threat actors may upload exploits and payloads to a third-party infrastructure that they have purchased or rented or stage it on an otherwise compromised ground station. Exploits and payloads would include files and commands to be uploaded to the victim groundstation in order to conduct the threat actor's attack. | |
| .007 | Upload Malware | Threat actors may upload malware to third-party or adversary controlled infrastructure to make it accessible during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, and a variety of other malicious content. Threat actors may upload malware to support their operations, such as making a payload available to a victim network to enable Ingress Tool Transfer by placing it on an Internet accessible web server. | |
| .008 | Upload Tool | Threat actors may upload tools to third-party or adversary controlled infrastructure to make it accessible during targeting. Tools can be open or closed source, free or commercial. Tools can be used for malicious purposes by an adversary, but (unlike malware) were not intended to be used for those purposes (ex: PsExec). Threat actors may upload tools to support their operations, such as making a tool available to a victim network to enable Ingress Tool Transfer by placing it on an Internet accessible web server. | |