Overview of MITRE ATT&CK Tactic: TA0040 - Impact
Introduction
This article focuses on the Impact tactic and the techniques adversaries use to disrupt, degrade, or destroy an organization’s systems, data, and operations. Their goal is to break system availability, corrupt information, or interfere with normal business functions, causing financial loss, downtime, and damage to the organization’s reputation. Adversaries may also seek financial or strategic gain, for example by demanding a ransom in exchange for restoring access to critical data and services. This tactic typically appears in the final stages of an attack chain.
Let us now walk through the various techniques and sub-techniques, understand them in detail, and see how F5 can help mitigate some of these threats effectively.
Techniques and Sub-Techniques
T1531 - Account Access Removal
In this technique, adversaries prevent legitimate users from accessing their systems or network resources by tampering with valid user accounts. They manipulate accounts in multiple ways, such as changing passwords, disabling accounts, or revoking user permissions.
T1485 - Data Destruction
Adversaries deliberately destroy data or files on target systems to disrupt the availability of services and resources. Unlike simple file deletion, they overwrite file content with random or specially crafted data to ensure it cannot be recovered.
- T1485.001 - Lifecycle-Triggered Deletion
Adversaries modify the lifecycle policies of cloud storage buckets so that the data in the bucket is partially or completely removed automatically.
T1486 - Data Encrypted for Impact
Attackers encrypt files, databases, or entire systems to make them inaccessible to the organization’s users. This behavior is commonly seen in ransomware attacks, where the adversary demands payment in exchange for decryption keys.
T1565 - Data Manipulation
Attackers may modify, remove, or add data to disrupt business processes or mislead an organization. At times, attackers manipulate data within critical services to disrupt operations or produce harmful consequences.
- T1565.001 - Stored Data Manipulation
Here, adversaries tamper with or manipulate data that is stored in systems or databases.
- T1565.002 - Transmitted Data Manipulation
Adversaries may intercept and alter data while it is being transmitted between systems or storage.
- T1565.003 - Runtime Data Manipulation
Adversaries modify application binaries responsible for presenting data, enabling them to manipulate information in real time as it is accessed or displayed to users.
T1491 - Defacement
In this technique, the adversary modifies the visual content of a system to deliver messages, intimidate users, or display disturbing content in order to pressure them into following accompanying instructions.
- T1491.001 - Internal Defacement
Attackers alter visible content within the organization’s network, such as internal applications, web servers, or even user desktop backgrounds, with disturbing images or messages that create discomfort for users.
- T1491.002 - External Defacement
Attackers modify content on public-facing websites or applications by altering login pages, replacing legitimate content with warnings, propaganda, or malicious messages. By defacing externally visible systems, adversaries mislead users or damage the organization’s public reputation.
T1561 - Disk Wipe
Adversaries wipe or corrupt disk data in specific or multiple systems in a network. They can overwrite specific disk areas or critical structures like the MBR, or even erase the entire disk.
- T1561.001 - Disk Content Wipe
Adversaries will wipe or overwrite parts of a storage device in specific or multiple systems on a network to make data permanently unrecoverable. Instead of targeting individual files or destroying the complete disk structure, they erase sections of the disk itself.
- T1561.002 - Disk Structure Wipe
Adversaries try to wipe entire disk structures on a hard drive, such as the Master Boot Record (MBR), partition tables, or file system metadata, instead of individual files. Destroying these structures makes the system unbootable.
T1667 - Email Bombing
In this technique, attackers use automated bots to send a high volume of emails to the targeted email addresses. This flood of emails will overload the inbox so that legitimate emails related to security events or help desk tickets will be overlooked or delayed.
T1499 - Endpoint Denial of Service
Endpoint Denial of Service (DoS) attacks occur when adversaries target a system to exhaust its resources or exploit vulnerabilities, making hosted services unavailable to users. Rather than saturating the network, they exhaust the system resources that host services like websites, email, DNS, or web applications.
- T1499.001 - OS Exhaustion Flood
Adversaries target a system’s OS to exhaust its resource limits and prevent services from functioning. These attacks exploit the OS’s mechanisms for managing finite resources rather than exhausting the system entirely. TCP state-exhaustion attacks such as SYN floods, which send excessive SYN packets without completing handshakes, and ACK floods are common examples.
- T1499.002 - Service Exhaustion Flood
Adversaries target network services such as DNS and web servers to conduct Denial of Service (DoS) attacks. They use HTTP floods, which send massive numbers of HTTP requests to exhaust server resources.
- T1499.003 - Application Exhaustion Flood
Adversaries target resource-intensive features of applications, such as those that need a lot of memory, CPU, or storage, to exhaust system resources.
- T1499.004 - Application or System Exploitation
Adversaries exploit software vulnerabilities in applications that cause the system or application to be unavailable to users. Zero-day vulnerabilities are commonly exploited.
T1657 - Financial Theft
Adversaries target financial assets and sources of value to obtain money. They perform activities such as demanding ransom payments, compromising business email accounts to defraud trusted parties, using compromised accounts to perform unauthorized money transfers, or exploiting vulnerabilities in cryptocurrency networks and banking systems for financial gain.
T1495 - Firmware Corruption
Adversaries tamper with or damage the flash memory holding the system BIOS or other devices’ firmware, causing the hardware to fail to boot or function properly.
T1490 - Inhibit System Recovery
Adversaries deliberately tamper with or delete OS features or services used for system recovery, such as deleting volume shadow copies and Windows backup catalogs, disabling automatic recovery features by modifying boot configuration data, and deleting backups or snapshots. These actions prevent the system from being restored after corruption.
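As an added detection example (not part of the original article), the following Python scans process-creation records for the recovery-inhibiting actions described above: shadow copy deletion, backup catalog deletion, and boot configuration changes that disable recovery. The log records are constructed samples; field names are assumptions.

```python
import re

# Constructed sample of process-creation records (as a SIEM might normalise
# Sysmon Event ID 1 or Windows Security 4688); not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "alice", "cmd": "vssadmin list shadows"},
    {"host": "ws01", "user": "alice", "cmd": "vssadmin delete shadows /all /quiet"},
    {"host": "srv02", "user": "SYSTEM", "cmd": "wbadmin delete catalog -quiet"},
    {"host": "srv02", "user": "SYSTEM", "cmd": "bcdedit /set {default} recoveryenabled No"},
    {"host": "srv02", "user": "SYSTEM", "cmd": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"host": "ws03", "user": "bob", "cmd": "wmic shadowcopy delete"},
    {"host": "ws03", "user": "bob", "cmd": "notepad.exe report.txt"},
]

# Each rule is (name, case-insensitive regex over the full command line).
# Listing shadow copies is not matched: only destructive actions should alert.
RULES = [
    ("shadow_copy_delete", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow_copy_delete", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("backup_catalog_delete", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("recovery_disabled", re.compile(r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I)),
    ("recovery_disabled", re.compile(r"bcdedit(\.exe)?\s+.*bootstatuspolicy\s+ignoreallfailures", re.I)),
]


def match_rules(cmd):
    """Return the names of rules that fire on a single command line."""
    return [name for name, rx in RULES if rx.search(cmd)]


def detect_inhibit_recovery(events):
    """Return (host, user, rule, cmd) alerts for every event matching a rule."""
    alerts = []
    for ev in events:
        for name in match_rules(ev["cmd"]):
            alerts.append((ev["host"], ev["user"], name, ev["cmd"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_inhibit_recovery(SAMPLE_EVENTS):
        print(alert)
```

In practice these alerts are most useful when correlated per host: several of them from one host within minutes is the pattern that typically precedes encryption or wiping.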
T1498 - Network Denial of Service
Adversaries perform Network Denial of Service (DoS) attacks to exhaust an organization’s network bandwidth, which makes the services or applications inaccessible. They often use botnets to generate large volumes of traffic and use IP spoofing to hide their identity and make attacks harder to block.
- T1498.001 - Direct Network Flood
Adversaries send massive volumes of network traffic to disrupt the services and availability of systems. Any network protocol can be used to generate network floods. Botnets are used to generate these floods either from one system or from multiple systems (DDoS).
- T1498.002 - Reflection Amplification
Reflection Amplification attacks exploit third-party servers or protocols that generate a much larger response than the initial request. The adversary spoofs the victim’s IP address and sends small requests to amplifiers. These servers then send large, amplified responses to the victim, exhausting their network. This method hides the attacker’s identity and significantly increases the volume of the attack.
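Because the victim’s address is spoofed, the victim receives reflector responses it never requested. The following added example (not from the original article) applies that observation to constructed UDP flow records: it flags reflector-port traffic that is either unsolicited or far larger than the matching outbound request. The record layout and the reflector port set are assumptions.

```python
from collections import defaultdict

# UDP services commonly abused as reflectors, keyed by the source port of the
# reflected response: DNS, NTP, SSDP, memcached, CLDAP (assumed set).
REFLECTOR_PORTS = {53, 123, 1900, 11211, 389}

# Constructed flow records, direction relative to the protected network:
# (direction, remote_ip, remote_port, local_ip, local_port, proto, bytes)
SAMPLE_FLOWS = [
    ("out", "198.51.100.5", 53, "203.0.113.10", 40001, "udp", 60),
    ("in", "198.51.100.5", 53, "203.0.113.10", 40001, "udp", 180),      # normal DNS reply
    ("in", "198.51.100.7", 123, "203.0.113.10", 52000, "udp", 4480),    # reply with no request
    ("in", "198.51.100.8", 11211, "203.0.113.10", 52001, "udp", 65000), # reply with no request
    ("out", "198.51.100.9", 1900, "203.0.113.10", 42000, "udp", 90),
    ("in", "198.51.100.9", 1900, "203.0.113.10", 42000, "udp", 2000),   # ~22x the request
    ("in", "198.51.100.11", 443, "203.0.113.10", 51000, "tcp", 9000),   # ignored: not UDP
]


def reflection_suspects(flows, max_ratio=10.0):
    """Aggregate bytes per (remote_ip, remote_port) for UDP reflector ports and
    return {key: (in_bytes, out_bytes, reason)} for suspicious sources.
    reason is "unsolicited" when nothing was sent to that reflector, or
    "amplified" when inbound bytes exceed max_ratio times outbound bytes."""
    in_bytes = defaultdict(int)
    out_bytes = defaultdict(int)
    for direction, rip, rport, _lip, _lport, proto, nbytes in flows:
        if proto != "udp" or rport not in REFLECTOR_PORTS:
            continue
        (in_bytes if direction == "in" else out_bytes)[(rip, rport)] += nbytes
    suspects = {}
    for key, inb in in_bytes.items():
        outb = out_bytes.get(key, 0)
        if outb == 0:
            suspects[key] = (inb, outb, "unsolicited")
        elif inb / outb > max_ratio:
            suspects[key] = (inb, outb, "amplified")
    return suspects


if __name__ == "__main__":
    for key, (inb, outb, reason) in reflection_suspects(SAMPLE_FLOWS).items():
        print(key, inb, outb, reason)
```

Legitimate large DNS answers will occasionally exceed a fixed ratio, so the threshold and the reflector port list should be tuned to the environment.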
T1496 - Resource Hijacking
In this technique, adversaries do not directly damage the system; instead, they utilize system resources like CPU, bandwidth, storage, or cloud services to perform malicious or unauthorized operations.
- T1496.001 - Compute Hijacking
The attacker uses the CPU, GPU and other computing resources of compromised systems to run unauthorized workloads such as cryptocurrency mining and automated bot activity. This utilization will cause systems to slow down and degrade overall service availability for users.
- T1496.002 - Bandwidth Hijacking
Adversaries misuse the network bandwidth of co-opted systems by performing malicious activities such as launching DDoS bot attacks. They may also engage in proxyjacking, where the victim’s network bandwidth and IP addresses are sold to proxyware services, allowing others to route traffic through the compromised system.
- T1496.003 - SMS Pumping
The attacker exploits messaging services on co-opted systems to generate a huge volume of SMS traffic to a specific set of phone numbers obtained from telecommunication providers. By doing so, they gain financial benefit from the telecommunication provider, and these actions disrupt the organization’s normal communication services.
- T1496.004 - Cloud Service Hijacking
Adversaries exploit SaaS applications on co-opted systems, for example by leveraging email and SMS services provided by various cloud providers to send phishing emails or SMS messages.
T1489 - Service Stop
Adversaries stop all or some critical services to make them unavailable to users. By disabling critical components such as logging, antivirus, or backup services, the adversary makes the system weaker and easier to damage. In many cases, data-related services must be stopped before destructive actions such as corrupting, encrypting, or deleting data can be performed.
T1529 - System Shutdown/Reboot
Adversaries intentionally shut down or reboot systems to disrupt normal operations for legitimate users. They often perform this action after carrying out other malicious activities such as corrupting disk data or modifying boot settings to prevent recovery.
How can F5 help?
By using the advanced capabilities of F5’s Web Application Firewall (WAF), DDoS Mitigation, and Bot Defense features, organizations can proactively detect destructive system command executions and Distributed Denial-of-Service (DDoS) attacks and mitigate them.
The F5 WAF provides robust protection by identifying and blocking unsafe system command executions that could compromise application and system integrity.
The DDoS Mitigation feature ensures application availability by analyzing high-volume traffic patterns and blocking sophisticated DDoS attempts before they impact performance.
For more information, please contact your local F5 sales team.
Conclusion
It is essential for individuals and organizations to understand the severe consequences a well-planned attack can cause, and the various forms of impact adversaries can inflict, such as data destruction, service disruption, financial loss, and reputational damage. To reduce these risks, organizations should implement layered defenses, maintain reliable backups and high-availability setups, and enforce strong security controls across systems. Taking these proactive measures can significantly limit the damage an attacker can cause.