Earlier this year, identity threat detection and response (ITDR) software detected suspicious activity in a company's HR/finance platform. Someone had accessed and changed direct deposit bank account data for multiple employees in the payroll system and recipient account data for items in accounts payable.

Had the incident gone undetected, the affected employees would not have received their paychecks, and payments would have gone to threat actors rather than the affected vendors. From there, presumably, the money would have been laundered to eliminate any trace of it. Instead, the ITDR software detected the anomalous behavior, alerted the security operations center (SOC) team, and prevented the theft from occurring.

While this outcome was successful, the security team recognized that a significant breach had taken place. They decided to map the incident to the MITRE ATT&CK threat model to gain a better understanding of the flaws in their security perimeter so that they could secure their application.

What Is MITRE ATT&CK?

In 2013, MITRE Corporation released the first version of its Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) matrix. The goal was to create a common language for cybersecurity professionals to discuss issues, as well as map out the steps threat actors take in an attack. In April 2024, MITRE released version 15.1.

Mapping attacks to this matrix is instructional for security professionals. By analyzing successful infiltrations, they can fine-tune their security roadmaps and better understand where to apply resources.

An HR Platform Comes Under Attack

Here's how the attack described above unfolded.

A threat actor conducted a spear-phishing attack to gain access to the HR platform, then leveraged that initial access to escalate permissions and ensure persistence. The threat actor then infiltrated the actual user account and modified the payroll payment information. The attacker used different proxy servers and randomized user agents to avoid detection.

The following steps and MITRE ATT&CK mapping cover some of the key moments in the breach.

Step 1: Initial Access

The threat actor who changed the bank account information gained initial access following a spear phishing attack. The company had single sign-on (SSO) turned on but the compromised user had local access rights. In the parlance of MITRE, the phishing attack was the technique used for initial access.

Screenshot of the phishing technique in the MITRE ATT&CK Threat Model [https://attack.mitre.org/matrices/enterprise/]

Step 2: Persistence

Once the threat actor had access, their next move was to ensure they would be able to remain within the application (persistence in the MITRE matrix). They modified the authentication process so that they could come and go at will.

Step 3: Defense Evasion

Sitting within the application, the threat actor now had to take steps to prevent getting caught. Called defense evasion in the matrix, they relied on user agent regeneration to impersonate other users for brief moments in time and remain safely within the application.

Step 4: Collection

Using automated processes, the threat actor began to make their move. They used a technique called automated collection to find high-value accounts to compromise. In this attack, that meant finding highly paid employees.

Step 5: Command and Control 

In this type of attack, threat actors don’t want to take full control over the application. If they did, security measures put in place would cancel automated salary payments and the money would not be deposited in their account.

The threat actor used a nonstandard port and hid behind proxy software to make the changes to the target accounts.

At this point, threat-detection software detected the threat. The accounts were reverted back to their original settings, and salaries were paid as usual to employees.

Step 6: Impact

The last piece of the MITRE ATT&CK framework looks at impact. In this case, it was financial theft. Although the theft was averted, knowing threat actors are trying to steal money, intellectual property, or cause some other type of harm is helpful in preparing for the next threat.

Proactive Threat Detection and Mitigation

The successful detection of suspicious activity highlights the critical importance of integrating ITDR with Software-as-a-Service (SaaS) Security Posture Management (SSPM). The insights following the attack, such as the need to update employee training on phishing techniques or the need to monitor for agent regeneration in SaaS applications, came from mapping the attack to the MITRE ATT&CK matrix. As cyber threats evolve, adopting a proactive and adaptive approach is essential.

Leveraging ITDR connected to SSPM ensures the automatic detection of these types of threats. Advanced machine learning and behavioral analytics help identify anomalies swiftly, preventing significant impacts.

Meanwhile, utilizing the MITRE ATT&CK framework fosters a common language for effective collaboration and information sharing within the cybersecurity community.

Integrating ITDR with SSPM for automatic threat detection and aligning with MITRE ATT&CK are vital for proactive security of the entire stack, especially for sensitive applications that contain financial and personal information such as Workday, SAP Success Factors, BambooHR, HiBob, and more. Continuous improvement and collaboration can keep organizations safeguarded against breaches.

By Hananel Livneh, Head of Product Marketing, Adaptive Shield

About the Author

Hananel Livneh is head of product marketing at Adaptive Shield. He joined Adaptive Shield from Vdoo, an embedded cybersecurity company, where he was a senior product analyst. Hananel completed an MBA with honors from the Open University of Israel, and earned a B.A. from Hebrew University in economics, political science, and philosophy (PPE). He loves to go mountain climbing and is an avid Broadway enthusiast.