Technical Weakness Identification

Table of Contents

Technical Weakness Identification

  • Technical weakness identification consists of identifying and analyzing weaknesses and vulnerabilities collected during the intelligence gathering phases to determine best approach based on technical complexity and adversary priorities (e.g., expediency, stealthiness).

Analyze application security posture

  • Analyze application security posture- Pre-ATT&CK
    • An adversary can probe a victim's network to determine configurations. The configurations may provide opportunities to route traffic through the network in an undetected or less detectable way.

Analyze architecture and configuration posture

  • Analyze architecture and configuration posture - Pre-ATT&CK
    • An adversary may analyze technical scanning results to identify weaknesses in the configuration or architecture of a victim network. These weaknesses could include architectural flaws, misconfigurations, or improper security controls.

Analyze data collected

  • Analyze data collected- Pre-ATT&CK
    • An adversary will assess collected information such as software/hardware versions, vulnerabilities, patch level, etc. They will analyze technical scanning results to identify weaknesses in the confirmation or architecture.

Analyze hardware/software security defensive capabilities

Analyze organizational skillsets and deficiencies

Identify vulnerabilities in third-party software libraries

  • Identify vulnerabilities in third-party software libraries - Pre-ATT&CK
    • Many applications use third-party software libraries, often without full knowledge of the behavior of the libraries by the application developer. For example, mobile applications often incorporate advertising libraries to generate revenue for the application developer. Vulnerabilities in these third-party libraries could potentially be exploited in any application that uses the library, and even if the vulnerabilities are fixed, many applications may still use older, vulnerable versions of the library.

Research visibility gap of security vendors

Test signature detection

  • Test signature detection - Pre-ATT&CK
    • An adversary can test the detections of malicious emails or files by using publicly available services, such as virus total, to see if their files or emails cause an alert. They can also use similar services that are not openly available and don't publicly publish results or they can test on their own internal infrastructure.

Research relevant vulnerabilities/CVEs

  • Research relevant vulnerabilities/CVEs - Pre-ATT&CK
    • Common Vulnerability Enumeration (CVE) is a dictionary of publicly known information about security vulnerabilities and exposures. An adversary can use this information to target specific software that may be vulnerable.