Incident Score: Analysis & Impact (MERIBM1780698286)

Rankiteo's analysis has identified several MITRE ATT&CK tactics and techniques associated with this incident, each with varying levels of confidence based on available evidence. Under the Initial Access tactic, the analysis identified Exploit Public-Facing Application (T1190) with moderate confidence (60%), supported by evidence indicating outdated and vulnerable infrastructure and Valid Accounts (T1078) with high confidence (90%), supported by evidence indicating compromising 400 accounts across 18 countries. Under the Persistence tactic, the analysis identified Valid Accounts (T1078) with high confidence (90%), supported by evidence indicating aPT 10 potentially breached IBM’s network over 56,000 times and External Remote Services (T1133) with moderate to high confidence (70%), supported by evidence indicating hackers moving undetected across its systems. Under the Privilege Escalation tactic, the analysis identified Valid Accounts (T1078) with moderate to high confidence (80%), supported by evidence indicating 400 accounts compromised across multiple business units. Under the Defense Evasion tactic, the analysis identified Indicator Removal (T1070) with high confidence (90%), supported by evidence indicating iBM allegedly did not retain access logs and Impair Defenses: Disable or Modify Tools (T1562.001) with moderate to high confidence (70%), supported by evidence indicating outdated and vulnerable infrastructure. Under the Credential Access tactic, the analysis identified OS Credential Dumping (T1003) with moderate to high confidence (80%), supported by evidence indicating 400 accounts compromised and Adversary-in-the-Middle (T1557) with moderate confidence (60%), supported by evidence indicating hackers moving undetected across its systems. Under the Discovery tactic, the analysis identified Account Discovery (T1087) with moderate to high confidence (80%), supported by evidence indicating 400 accounts compromised across 18 countries and File and Directory Discovery (T1083) with moderate to high confidence (70%), supported by evidence indicating nearly 200 systems compromised. Under the Lateral Movement tactic, the analysis identified Remote Services (T1021) with high confidence (90%), supported by evidence indicating hackers moving undetected across its systems in 18 countries and Valid Accounts (T1078) with high confidence (90%), supported by evidence indicating 400 accounts compromised. Under the Collection tactic, the analysis identified Data from Local System (T1005) with moderate to high confidence (80%), supported by evidence indicating healthcare data, federal client data potentially compromised and Data from Information Repositories (T1213) with moderate to high confidence (70%), supported by evidence indicating truven (healthcare data company) breached post-acquisition. Under the Command and Control tactic, the analysis identified Application Layer Protocol (T1071) with moderate to high confidence (70%), supported by evidence indicating aPT 10 campaign spanning 2013–2016 and Proxy (T1090) with moderate confidence (60%), supported by evidence indicating state-sponsored group operating undetected. Under the Exfiltration tactic, the analysis identified Exfiltration Over C2 Channel (T1041) with high confidence (90%), supported by evidence indicating data exfiltration motivation; 56,000 breaches and Exfiltration Over Web Service (T1567) with moderate confidence (60%), supported by evidence indicating state-sponsored group with espionage motives. Under the Impact tactic, the analysis identified Defacement (T1491) with lower confidence (40%), supported by evidence indicating undisclosed breaches at major tech firm and Data Destruction (T1485) with lower confidence (30%), supported by evidence indicating lack of access log retention. These correlations help security teams understand the attack chain and develop appropriate defensive measures based on the observed tactics and techniques.