Incident Score: Analysis & Impact (ATTIBM1780946436)

Rankiteo's analysis has identified several MITRE ATT&CK tactics and techniques associated with this incident, each with varying levels of confidence based on available evidence. Under the Initial Access tactic, the analysis identified Exploit Public-Facing Application (T1190) with moderate confidence (50%), with evidence including breaches affecting its core network, and aPT 10 may have breached IBM’s systems over 56,000 times and Trusted Relationship (T1199) with moderate to high confidence (70%), with evidence including aT&T managed IBM’s network infrastructure, and breaches extended to at least two IBM subsidiaries. Under the Persistence tactic, the analysis identified Account Manipulation (T1098) with moderate confidence (60%), supported by evidence indicating aPT 10 breached systems over 56,000 times during three-year period and Create Account (T1136) with moderate confidence (50%), supported by evidence indicating poor network design and insufficient logging may have enabled persistence. Under the Credential Access tactic, the analysis identified OS Credential Dumping (T1003) with moderate confidence (60%), supported by evidence indicating neither IBM nor AT&T could confirm what data was accessed or altered and Unsecured Credentials (T1552) with moderate to high confidence (70%), supported by evidence indicating poor network design and insufficient logging. Under the Discovery tactic, the analysis identified Account Discovery (T1087) with moderate confidence (60%), supported by evidence indicating breaches extended to at least two IBM subsidiaries and Network Service Discovery (T1046) with moderate to high confidence (70%), supported by evidence indicating aPT 10 breached IBM’s core network over 56,000 times. Under the Collection tactic, the analysis identified Data from Local System (T1005) with moderate to high confidence (80%), with evidence including data breach involving state-sponsored espionage, and personally identifiable information compromised and Data from Information Repositories (T1213) with moderate to high confidence (70%), supported by evidence indicating breaches affecting IBM’s core network and subsidiaries. Under the Exfiltration tactic, the analysis identified Exfiltration Over C2 Channel (T1041) with high confidence (90%), with evidence including data exfiltration confirmed, and aPT 10 attributed to state-sponsored espionage and Exfiltration Over Web Service (T1567) with moderate confidence (60%), supported by evidence indicating insufficient logging prevented confirmation of exfiltration methods. Under the Command and Control tactic, the analysis identified Application Layer Protocol (T1071) with moderate to high confidence (70%), with evidence including aPT 10 breached systems over 56,000 times, and state-sponsored threat actor and Encrypted Channel (T1573) with moderate confidence (60%), supported by evidence indicating insufficient logging prevented detailed analysis of C2 methods. Under the Defense Evasion tactic, the analysis identified Indicator Removal (T1070) with moderate to high confidence (80%), with evidence including iBM lacked critical logs to determine scope of breaches, and alleged concealment of breaches and Impair Defenses (T1562) with moderate to high confidence (70%), supported by evidence indicating poor network design and insufficient logging. Under the Impact tactic, the analysis identified Data Destruction (T1485) with lower confidence (40%), supported by evidence indicating neither IBM nor AT&T could confirm what data was altered and Defacement (T1491) with lower confidence (30%), supported by evidence indicating brand reputation impact due to alleged cover-up. These correlations help security teams understand the attack chain and develop appropriate defensive measures based on the observed tactics and techniques.