Info
ID: AT-RD003.001
Technique: Obtain Capabilities
Tactic: Resource Development
Platforms: PRE
Version: 1.0
Vulnerabilities
Within the Resource Development phase, adversaries may acquire vulnerability exploits as a means to Obtain Capabilities for later attack operations. This involves identifying or acquiring code that takes advantage of security weaknesses in systems, applications, or services. Adversaries typically use these vulnerabilities to establish initial access, elevate privileges, or persist within target environments. They may discover vulnerabilities through independent research, purchase exploit code on underground markets, or repurpose publicly disclosed proof-of-concept exploits. These capabilities may target known Common Vulnerabilities and Exposures (CVEs), zero-day vulnerabilities for which no patch is available, or security misconfigurations that create exploitable conditions. Acquiring vulnerability exploits is a critical preparatory step: it gives adversaries a technical advantage before they engage target systems and significantly improves their ability to breach defenses in later attack phases.
Data Sources
- Vulnerability Databases: CVE databases, security advisories, and vulnerability disclosure platforms
- Exploit Marketplaces: Underground exploit sale platforms and vulnerability broker communications
- Application Logs: Vulnerability scanning and exploitation attempt logs
- Threat Intelligence: Intelligence reports documenting adversary exploit acquisition and development
Detection
| ID | Data Source | Detection |
|---|---|---|
| DS0042 | Threat Intelligence | Subscribe to dark-web crawler feeds for exploit sale advertisements containing organisation asset keywords. |
| DS0021 | Code Repository | Detect forks or pull requests that introduce known CVE PoCs into internal testing repos. |
| DS0015 | Application Log | Correlate vulnerability-scanner API tokens running excessive unauthenticated scans against production ranges. |
| DS0029 | Network Traffic Content | Identify outbound traffic to well-known exploit databases (exploit-db, packetstorm) from build/CI environments. |
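The following is an added example, not code from the page or from any detection product, showing how two of the detections in the table above (DS0029 and DS0015) can be expressed as logic over log lines. The proxy and scanner-audit log formats, the CI and production address ranges, the token names and the scan threshold are all assumptions constructed for this example; only the exploit-database domains come from the detection row.

```python
"""Added example: detection logic for two rows of the table above.

  * DS0029: outbound requests from build/CI hosts to well-known exploit databases.
  * DS0015: vulnerability-scanner API tokens issuing an excessive number of
    unauthenticated scans against production ranges.

Log formats, address ranges, token names and the threshold are assumptions
made for this example, not values from the page.
"""
import ipaddress
from collections import Counter

# Assumed address ranges: where build/CI runners live and what counts as production.
CI_RANGES = [ipaddress.ip_network("10.20.0.0/16")]
PROD_RANGES = [ipaddress.ip_network("10.100.0.0/16"),
               ipaddress.ip_network("203.0.113.0/24")]

# Domains named in the DS0029 row; a real deployment would tune and extend this set.
EXPLOIT_DB_DOMAINS = {"exploit-db.com", "packetstormsecurity.com"}

# Assumed tolerance: more unauthenticated production scans than this per token is excessive.
UNAUTH_SCAN_THRESHOLD = 3

# Constructed proxy log: <timestamp> <src_ip> <method> <host> <http_status>
PROXY_LOG = """\
2024-05-01T10:00:01Z 10.20.4.7 GET www.exploit-db.com 200
2024-05-01T10:00:05Z 10.20.4.7 GET packetstormsecurity.com 200
2024-05-01T10:01:10Z 10.50.1.9 GET www.exploit-db.com 200
2024-05-01T10:02:00Z 10.20.4.8 GET pypi.org 200
2024-05-01T10:03:00Z 10.20.4.7 GET www.exploit-db.com 200
"""

# Constructed scanner API audit log: <timestamp> token=<id> target=<cidr> auth=<yes|no>
SCANNER_LOG = """\
2024-05-01T09:00:00Z token=scan-ci-01 target=10.100.3.0/24 auth=no
2024-05-01T09:05:00Z token=scan-ci-01 target=10.100.4.0/24 auth=no
2024-05-01T09:10:00Z token=scan-ci-01 target=203.0.113.0/25 auth=no
2024-05-01T09:15:00Z token=scan-ci-01 target=10.100.5.0/24 auth=no
2024-05-01T09:20:00Z token=scan-prod-sec target=10.100.0.0/16 auth=yes
2024-05-01T09:25:00Z token=scan-lab target=192.168.50.0/24 auth=no
"""


def in_ranges(ip, ranges):
    """True if the address falls inside any of the given networks."""
    return any(ip in net for net in ranges)


def host_in_domains(host, domains):
    """Exact or subdomain match, case-insensitive; 'exploit-db.com.evil.example' does not match."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def parse_proxy_line(line):
    ts, src, method, host, status = line.split()
    return {"ts": ts, "src": ipaddress.ip_address(src), "method": method,
            "host": host, "status": int(status)}


def ci_exploit_db_hits(proxy_lines):
    """DS0029: count requests from CI sources to exploit databases, keyed by (src, host)."""
    hits = Counter()
    for line in proxy_lines:
        if not line.strip():
            continue
        rec = parse_proxy_line(line)
        if in_ranges(rec["src"], CI_RANGES) and host_in_domains(rec["host"], EXPLOIT_DB_DOMAINS):
            hits[(str(rec["src"]), rec["host"].lower())] += 1
    return dict(hits)


def parse_scanner_line(line):
    ts, token, target, auth = line.split()
    return {"ts": ts,
            "token": token.split("=", 1)[1],
            "target": ipaddress.ip_network(target.split("=", 1)[1], strict=False),
            "authenticated": auth.split("=", 1)[1] == "yes"}


def noisy_unauth_scanner_tokens(scanner_lines, threshold=UNAUTH_SCAN_THRESHOLD):
    """DS0015: tokens whose unauthenticated scans of production ranges exceed the threshold."""
    counts = Counter()
    for line in scanner_lines:
        if not line.strip():
            continue
        rec = parse_scanner_line(line)
        if rec["authenticated"]:
            continue  # authenticated scans are the sanctioned pattern (see M1016)
        if any(rec["target"].overlaps(net) for net in PROD_RANGES):
            counts[rec["token"]] += 1
    return {tok: n for tok, n in counts.items() if n > threshold}


if __name__ == "__main__":
    print("CI hosts contacting exploit databases:", ci_exploit_db_hits(PROXY_LOG.splitlines()))
    print("Tokens with excessive unauthenticated production scans:",
          noisy_unauth_scanner_tokens(SCANNER_LOG.splitlines()))
```

Both functions aggregate before alerting: the DS0029 logic reports a (source, domain) pair with a count rather than one alert per request, and the DS0015 logic only fires once a token exceeds the assumed threshold, so a single authenticated or out-of-scope scan produces no noise. The subdomain check in `host_in_domains` is deliberate; a naive substring match would also fire on unrelated hosts that merely contain the domain string.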
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1016 | Vulnerability Scanning | Deploy continuous, authenticated scanning and integrate findings into the risk register with SLA patch timelines. |
| M1051 | Update Software | Automate patch pipelines and virtual-patching WAF rules for zero-day coverage. |
| M1055 | Do Not Mitigate | Adopt a bug-bounty disclosure program with rapid triage and reward to reduce black-market exploit sales. |