Use Case 9 - Most Common Mitre ATT&CK Methods - eCommerce-Retail
Note imported from Inbox during bulk consolidation.
Use Case 9 - Most Common MITRE ATT&CK Methods - eCommerce/Retail
Summary
This use case maps the MITRE ATT&CK techniques most commonly observed against the eCommerce and Retail sector. It covers four attack categories: credential phishing/spearphishing, web application attacks, supply chain compromise, and Magecart-style JavaScript skimming. Each category lists the ATT&CK technique IDs, the tactics involved, and a short operational description. The mapping feeds detection rule development, threat hunting hypotheses, and security control prioritization.
Objective
Map and document the most prevalent MITRE ATT&CK techniques targeting the eCommerce/Retail sector to inform detection engineering, threat hunting priorities, and security control investments.
Inputs
- MITRE ATT&CK framework (Enterprise matrix)
- Sector-specific threat intelligence reports
- Historical incident data from eCommerce/Retail breaches
- CTI feed data from use-case-02-cti-feeds
- Vulnerability intelligence for web applications from use-case-03-vulnerability-intelligence
Process / Workflow
Relevant ATT&CK Techniques (Quick Reference)
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment
- T1566.002 - Spearphishing Link
- T1566.003 - Spearphishing via Service
- T1190 - Exploit Public-Facing Application (SQL injection, cross-site scripting and other web vulnerability classes all map here; Enterprise ATT&CK has no separate XSS technique)
- T1195 - Supply Chain Compromise
- T1195.001 - Compromise Software Dependencies and Development Tools
- T1195.002 - Compromise Software Supply Chain
- T1195.003 - Compromise Hardware Supply Chain
- T1189 - Drive-by Compromise
- T1133 - External Remote Services
- T1584 - Compromise Infrastructure
1. Credential Phishing/Spearphishing
- Tactics: Initial Access (the lure then depends on User Execution, T1204, when the recipient opens the attachment or follows the link)
- Techniques:
- Phishing (T1566)
- Spearphishing Attachment (T1566.001)
- Spearphishing Link (T1566.002)
- Spearphishing via Service (T1566.003)
How it Works: Attackers send carefully crafted emails, messages or cloned login pages to employees (store staff, finance, platform administrators) or customers to harvest credentials or deliver malware. Harvested staff credentials are the usual first step toward the admin panels and remote access services that the categories below rely on.
2. Web Application Attacks
- Tactics: Initial Access (T1190); the resulting foothold is then used for Execution, Persistence, Privilege Escalation, Credential Access and Discovery on the web tier
- Techniques:
- Exploit Public-Facing Application (T1190) - exploiting vulnerabilities in the storefront, its commerce platform and plugins, its APIs or exposed admin panels.
- SQL injection (mapped to T1190) - injecting SQL through unvalidated request parameters to read or modify the order and customer database. ATT&CK has no separate technique for SQL injection, XSS or other web vulnerability classes; all of them map to T1190, so detection rules and vulnerability tickets should record the vulnerability class separately (for example CWE-89 for SQL injection, CWE-79 for XSS).
How it Works: Attackers scan the public storefront and its APIs for known vulnerabilities or injectable parameters and exploit them to read data, drop a web shell or modify site content, without needing any credentials.
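The following is an added hunting example for this category, not part of the original note: it parses constructed web access log lines (hypothetical IPs, paths and user agents) and flags requests carrying SQL injection indicators, tagging each finding with T1190. The fourth sample line carries a legitimate apostrophe in a search term and shows why a lone quote character is not enough to raise a finding.

```python
"""Hunt for T1190 (SQL injection against a public-facing web app) in access logs.

Added example, not part of the original note: the log lines are constructed and the
indicator patterns are a starting point for a hunt, not a complete WAF ruleset.
"""
import re
from urllib.parse import unquote_plus

# Constructed sample lines in Apache/Nginx combined log format (hypothetical IPs and paths).
# Line 4 contains a legitimate apostrophe in a search term and must not be flagged.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /product?id=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /product?id=42%27%20OR%201%3D1-- HTTP/1.1" 500 311 "-" "sqlmap/1.7"
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /product?id=42%20UNION%20SELECT%20null,version()-- HTTP/1.1" 200 6010 "-" "sqlmap/1.7"
198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "GET /search?q=o%27neill+jacket HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Indicators evaluated on the URL-decoded request path + query string.
SQLI_PATTERNS = [
    (re.compile(r"['\"]\s*(or|and)\s+[\w'\"]+\s*=\s*[\w'\"]+", re.I), "tautology"),
    (re.compile(r"\bunion\b(\s+all)?\s+select\b", re.I), "union-select"),
    (re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(", re.I), "time-based"),
    (re.compile(r"(--|/\*)\s*$"), "comment-terminator"),
]
SCANNER_UA_MARKERS = ("sqlmap", "havij", "nikto")


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify_request(entry):
    """Return the list of SQLi indicators for a parsed log entry (empty if none)."""
    decoded = unquote_plus(entry["path"])
    hits = [name for pat, name in SQLI_PATTERNS if pat.search(decoded)]
    if any(marker in entry["ua"].lower() for marker in SCANNER_UA_MARKERS):
        hits.append("scanner-user-agent")
    # A 5xx right after an injection attempt often means the payload reached the DB layer.
    if hits and entry["status"].startswith("5"):
        hits.append("server-error-response")
    return hits


def hunt_t1190(log_text):
    """Return one finding per suspicious request, tagged with the ATT&CK technique."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if not entry:
            continue
        hits = classify_request(entry)
        if hits:
            findings.append({
                "technique": "T1190",
                "source_ip": entry["ip"],
                "timestamp": entry["ts"],
                "request": unquote_plus(entry["path"]),
                "status": entry["status"],
                "indicators": hits,
            })
    return findings


def sources_by_hits(findings):
    """Aggregate findings per source IP so repeat offenders surface first."""
    counts = {}
    for f in findings:
        counts[f["source_ip"]] = counts.get(f["source_ip"], 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    for f in hunt_t1190(SAMPLE_LOG):
        print(f"{f['source_ip']} {f['status']} {f['request']} -> {', '.join(f['indicators'])}")
    print(sources_by_hits(hunt_t1190(SAMPLE_LOG)))
```

Run against real logs, the same indicator list is a hunting hypothesis rather than a rule: tune the tautology and comment patterns against the storefront's own parameter names before promoting it to a SIEM alert, and pivot from the per-source aggregation to the WAF and database error logs for the same window.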
3. Supply Chain Attacks
- Tactics: Initial Access (T1195); persistence, privilege escalation and defense evasion follow from the trust already granted to the compromised component
- Techniques:
- Supply Chain Compromise (T1195)
- Compromise Software Dependencies and Development Tools (T1195.001)
- Compromise Software Supply Chain (T1195.002)
- Compromise Hardware Supply Chain (T1195.003)
How it Works: Attackers compromise a third-party service or software component the e-commerce platform depends on (platform plugins and extensions, tag managers, analytics and chat widgets, payment SDKs, build pipelines and package dependencies), gaining an indirect route into the platform that bypasses its own perimeter controls.
4. Magecart-Style Attacks
- Tactics: Initial Access, Collection, Exfiltration (Credential Access as well where the skimmer also captures account logins)
- Techniques:
- Exploit Public-Facing Application (T1190) - exploiting the commerce platform, its plugins or an exposed admin panel to gain write access to the storefront's templates or static JavaScript.
- Compromise Software Supply Chain (T1195.002) - inserting the skimmer into a legitimate third-party script (analytics, chat, tag manager, review widget) so that every storefront loading it is affected.
- Compromise Infrastructure (T1584) - taking over the hosting, CDN or storage bucket that serves a third-party script, so the storefront keeps loading attacker-modified code from an origin it already trusts.
- External Remote Services (T1133) - logging into exposed admin panels, FTP/SFTP or hosting control panels with stolen or weak credentials to edit site files directly.
- Drive-by Compromise (T1189) - listed for completeness: strictly, T1189 covers exploiting the visitor's browser from a compromised site, whereas a skimmer runs as ordinary page JavaScript, so this mapping is a loose fit and the technique that describes how the page was modified should be preferred.
How it Works: Attackers inject malicious JavaScript into e-commerce checkout pages, directly or through a script the page already loads, that reads payment card fields as the customer types or submits the form and sends the data to attacker-controlled infrastructure, typically behind a hostname that imitates a legitimate analytics or CDN provider. Because the script runs in the customer's browser under the site's own origin, server-side controls never see the theft; detection depends on monitoring which scripts the page loads and where it connects (CSP violation reporting, subresource integrity, periodic content diffing of the checkout page).
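The following is an added detection example for this category, not part of the original note: it triages constructed CSP violation reports (the JSON body a browser POSTs to a report-uri endpoint) for a hypothetical storefront at shop.example, with hypothetical script and connection allowlists. It separates the three signals a skimmer leaves, an unexpected or lookalike script origin, an inline script on the checkout page, and a connection or image beacon from checkout to an unknown host, from benign violations and from policy drift.

```python
"""Triage CSP violation reports for Magecart-style skimmer injection on checkout pages.

Added example, not part of the original note. The storefront hostnames, the allowlists and
the reports themselves are constructed; the report shape is the JSON body that browsers
POST to a CSP report-uri endpoint ({"csp-report": {...}}).
"""
from urllib.parse import urlparse

# Hypothetical allowlists: the only origins the storefront is expected to load scripts
# from, and the only origins the checkout page is expected to talk to.
ALLOWED_SCRIPT_HOSTS = {"shop.example", "cdn.shop.example", "js.payments-provider.example"}
ALLOWED_CONNECT_HOSTS = {"shop.example", "api.payments-provider.example"}
CHECKOUT_PATHS = ("/checkout", "/cart", "/payment")
CSP_KEYWORD_SOURCES = {"inline", "eval", "data", "blob", "self", ""}

# Constructed reports: a lookalike script host, an injected inline script, a beacon to an
# unknown host from the checkout page, a benign image block on a blog page, and a block
# of an allowlisted host (policy drift, not an attack).
SAMPLE_REPORTS = [
    {"csp-report": {"document-uri": "https://shop.example/checkout",
                    "violated-directive": "script-src 'self' https://cdn.shop.example",
                    "effective-directive": "script-src",
                    "blocked-uri": "https://cdn.shop.example.attacker-cdn.example/jquery.min.js"}},
    {"csp-report": {"document-uri": "https://shop.example/checkout/payment",
                    "violated-directive": "script-src 'self'",
                    "blocked-uri": "inline",
                    "script-sample": "document.querySelector('#card-number').addEventListener("}},
    {"csp-report": {"document-uri": "https://shop.example/checkout",
                    "violated-directive": "connect-src 'self'",
                    "blocked-uri": "https://stats.collect-metrics.example/i.gif"}},
    {"csp-report": {"document-uri": "https://shop.example/blog/spring-sale",
                    "violated-directive": "img-src 'self'",
                    "blocked-uri": "https://images.partner.example/banner.png"}},
    {"csp-report": {"document-uri": "https://shop.example/checkout",
                    "violated-directive": "script-src 'self'",
                    "blocked-uri": "https://js.payments-provider.example/v3/"}},
]


def blocked_host(blocked_uri):
    """Hostname of blocked-uri, or None when the value is a CSP keyword such as 'inline'."""
    if blocked_uri in CSP_KEYWORD_SOURCES:
        return None
    return urlparse(blocked_uri).hostname


def looks_like(host, allowed):
    """True when an allowlisted hostname is embedded in host (e.g. cdn.shop.example.evil.tld)."""
    return any(a in host for a in allowed)


def triage_report(report):
    """Classify one report; severity is 'critical', 'high', 'medium' or 'low'."""
    r = report.get("csp-report", report)
    doc = urlparse(r["document-uri"])
    on_checkout = doc.path.startswith(CHECKOUT_PATHS)
    directive = r.get("effective-directive") or r["violated-directive"].split()[0]
    blocked = r.get("blocked-uri", "")
    host = blocked_host(blocked)
    verdict, severity = "informational", "low"

    if directive == "script-src":
        if host is None:
            # Skimmers are commonly injected as inline <script> into the checkout template.
            verdict = "inline-script-on-checkout" if on_checkout else "inline-script"
            severity = "high" if on_checkout else "medium"
        elif host in ALLOWED_SCRIPT_HOSTS:
            verdict, severity = "policy-mismatch", "low"
        elif looks_like(host, ALLOWED_SCRIPT_HOSTS):
            verdict = "lookalike-script-host"
            severity = "critical" if on_checkout else "high"
        else:
            verdict = "unexpected-script-host"
            severity = "high" if on_checkout else "medium"
    elif (directive in ("connect-src", "img-src") and on_checkout
          and host and host not in ALLOWED_CONNECT_HOSTS):
        # Captured card data usually leaves via fetch/XHR or an image beacon to a host the
        # checkout page has no business contacting.
        verdict, severity = "possible-exfiltration", "high"

    return {"document": r["document-uri"], "directive": directive, "blocked": blocked,
            "host": host, "on_checkout": on_checkout, "verdict": verdict,
            "severity": severity, "script_sample": r.get("script-sample", "")}


def triage(reports):
    """Triage a batch, most severe first (stable, so input order is kept within a level)."""
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    return sorted((triage_report(rep) for rep in reports), key=lambda f: order[f["severity"]])


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORTS):
        print(f"[{f['severity']:8}] {f['verdict']:26} {f['directive']:12} {f['blocked']}")
```

The allowlists are the whole value of this check: they have to be generated from the checkout page's actual tag inventory and re-validated whenever the front-end team adds a vendor, otherwise every legitimate change lands as a high-severity finding and the queue is ignored by the time a real skimmer appears. The "time to detect Magecart-style injection attempts" metric below can be measured directly as the delay between a report's arrival and its triage.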
Outputs / Deliverables
- Sector-specific ATT&CK technique mapping (documented above)
- SIEM detection rules aligned to mapped techniques
- Threat hunting hypotheses per attack category
- Security control gap analysis against mapped techniques
- Prioritized detection engineering roadmap
Intelligence Sources
- MITRE ATT&CK framework (https://attack.mitre.org/)
- Sector-specific threat reports (Retail/eCommerce)
- Magecart group tracking reports
- Web application security research
- Incident response case studies
Tools
- MITRE ATT&CK Navigator
- SIEM (for detection rule implementation)
- WAF (Web Application Firewall)
- CSP (Content Security Policy) monitoring
Success Metrics
- Percentage of mapped techniques with active detection rules
- Number of hunting hypotheses generated from technique mapping
- Detection rate for each mapped attack category
- Time to detect Magecart-style injection attempts
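The following is an added example, not part of the original note, of how the first metric above and the Navigator deliverable can be produced from the same mapping: it takes the technique IDs from this use case, joins them against a hypothetical SIEM rule inventory, computes the percentage of mapped techniques with an active rule, and emits an ATT&CK Navigator layer that colours covered and uncovered techniques. The rule names are invented, and the ATT&CK, Navigator and layer-format version numbers in the layer header are assumptions to be set to the versions actually deployed.

```python
"""Build an ATT&CK Navigator layer from the sector mapping and compute detection coverage.

Added example, not part of the original note. The mapping follows the technique list in
this use case; the detection-rule inventory is hypothetical, and the Navigator version
numbers are assumptions that must match the deployed Navigator instance.
"""
import json

# Technique IDs per attack category, as mapped in this use case.
SECTOR_MAPPING = {
    "Credential phishing/spearphishing": ["T1566", "T1566.001", "T1566.002", "T1566.003"],
    "Web application attacks": ["T1190"],
    "Supply chain attacks": ["T1195", "T1195.001", "T1195.002", "T1195.003"],
    "Magecart-style skimming": ["T1189", "T1133", "T1584"],
}

# Hypothetical SIEM rule inventory: technique ID -> names of rules that are enabled.
ACTIVE_DETECTIONS = {
    "T1566.001": ["email-macro-attachment-to-retail-staff"],
    "T1566.002": ["url-click-to-newly-registered-domain"],
    "T1190": ["waf-sqli-block-burst", "webshell-drop-on-docroot"],
    "T1133": ["vpn-login-from-new-geo-admin"],
}


def coverage(mapping=SECTOR_MAPPING, detections=ACTIVE_DETECTIONS):
    """Return (covered_ids, uncovered_ids, percent) over the distinct mapped technique IDs."""
    mapped = sorted({tid for ids in mapping.values() for tid in ids})
    covered = [t for t in mapped if detections.get(t)]
    uncovered = [t for t in mapped if not detections.get(t)]
    percent = round(100.0 * len(covered) / len(mapped), 1) if mapped else 0.0
    return covered, uncovered, percent


def navigator_layer(mapping=SECTOR_MAPPING, detections=ACTIVE_DETECTIONS,
                    name="Retail/eCommerce TTPs - detection coverage"):
    """Build a Navigator layer dict: score 1 = active detection, 0 = mapped but undetected."""
    techniques = []
    for category, ids in mapping.items():
        for tid in ids:
            rules = detections.get(tid, [])
            techniques.append({
                "techniqueID": tid,
                "score": 1 if rules else 0,
                "color": "#8ec843" if rules else "#ff6666",
                "comment": f"{category}; rules: {', '.join(rules) or 'none'}",
                "enabled": True,
            })
    return {
        "name": name,
        # Assumed versions: set to the ATT&CK release and Navigator build in use.
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": "Techniques mapped for the retail/eCommerce sector; score 1 = active detection rule",
        "techniques": techniques,
        "gradient": {"colors": ["#ff6666", "#8ec843"], "minValue": 0, "maxValue": 1},
        "legendItems": [
            {"label": "Active detection", "color": "#8ec843"},
            {"label": "Mapped, no detection", "color": "#ff6666"},
        ],
    }


if __name__ == "__main__":
    covered, uncovered, pct = coverage()
    print(f"coverage: {pct}% ({len(covered)}/{len(covered) + len(uncovered)} mapped techniques)")
    print("no active detection:", ", ".join(uncovered))
    with open("retail-ttp-coverage.json", "w") as fh:
        json.dump(navigator_layer(), fh, indent=2)
```

The uncovered list is the input to the prioritized detection engineering roadmap listed under Outputs; re-running the script after each rule deployment gives the trend for the first success metric.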
Integration with Other Use Cases
| Use Case | Relationship |
|---|---|
| use-case-02-cti-feeds | TTP mappings inform feed filtering and enrichment |
| use-case-03-vulnerability-intelligence | Web application vulnerabilities map to T1190 exploitation |
| use-case-06-phishing-intelligence | T1566 techniques directly overlap with phishing intel |
| use-case-07-threat-hunting | Sector TTP map guides hunting priorities and hypotheses |
| use-case-08-strategic-intel-report | Sector attack patterns inform strategic risk assessment |
| use-case-10-threat-intel-sharing | Sector-specific TTPs shared with industry peers |
References
- corporate CTI program (logistics-sector client)
- threat-actor-search
- ems-stride-mitre-attack
- detection-mitigation-common-attacks
- Intelligence Summary - Threats to the Retail and eCommerce Sector - Template