Adversary Tactics


In the domain of cybersecurity and attack path intelligence, Adversary Tactics represent the high-level strategic goals or objectives a threat actor intends to achieve during a cyberattack. While a "technique" describes the specific method used to act, the tactic answers the "why"—it defines the underlying motivation for each phase of an adversarial movement.

In the context of attack path analysis, adversary tactics serve as the primary stages of an adversarial narrative, allowing organizations to map a sequence of actions from initial reconnaissance to a final business-impacting event.

What are Adversary Tactics?

Adversary tactics categorize an attacker's intent at each stage of a potential breach. In intelligence frameworks like MITRE ATT&CK, tactics represent the columns of a matrix, providing a visual structure for understanding the various goals an attacker must achieve to fulfill their mission.

By identifying these tactical goals, security teams can move from a reactive posture—focusing on static signatures—to an adversary-informed defense that anticipates an attacker’s next move based on their current objective.

The Role of Tactics in Attack Path Intelligence

Attack path intelligence uses adversary tactics to build a cohesive threat model that explains the logical progression of a threat.

  • Mapping the Kill Chain: Tactics allow for the linear sequencing of a cyberattack. This helps defenders understand the necessary steps an adversary must complete, such as moving from Initial Access to Persistence and eventually to Exfiltration.

  • Contextual Clarity: Rather than managing isolated vulnerabilities, security analysts use tactics to understand the context of an alert. For example, knowing that a credential-harvesting event is part of a "Privilege Escalation" tactic enables a more focused, prioritized response.

  • Predictive Defense: Understanding an adversary’s tactical goal enables teams to predict likely next steps. If an attacker has achieved a foothold (Initial Access) and is now performing "Discovery," the defender can proactively fortify "Lateral Movement" routes.

Common Categories of Adversary Tactics

Security frameworks typically identify several core tactics used by adversaries to navigate an attack path:

1. Initial Access

The objective is to gain an entry point into the target network.

  • Methods: Phishing, exploiting public-facing applications, or using compromised credentials.

2. Execution and Persistence

Once inside, the attacker’s goals are to run malicious code and maintain access even if the system is rebooted or credentials are changed.

  • Methods: User execution of malicious files or the establishment of backdoor implants.

3. Lateral Movement and Privilege Escalation

These tactics involve navigating the internal environment to identify high-value targets and gain greater system access.

  • Methods: Harvesting passwords from memory or exploiting trust relationships between systems.

4. Collection and Exfiltration

The final tactical goals are to gather the desired information and steal it from the organization.

  • Methods: Compressing data for stealthy transfer over Command and Control (C2) channels.

Benefits of Tactical Prioritization

Focusing on tactics enables organizations to optimize their limited security resources for maximum impact.

  • Identifying Choke Points: By analyzing attack paths, security teams can find "choke points", vulnerabilities where multiple tactical paths converge. Breaking the path at a choke point disrupts the largest number of potential adversarial movements.

  • Justifying Security Spend: Tactics translate technical gaps into a business-risk language. This helps security leaders justify investments to the board by explaining how a specific control disrupts a high-level adversarial objective.

Common Questions About Adversary Tactics

What is the difference between a tactic and a technique?

A tactic is the high-level goal or "why" (e.g., Credential Access). A technique is the specific method or "how" used to achieve that goal (e.g., Brute Force Attack).

How do adversary tactics help with incident response?

Tactics inform incident response plans by providing a detailed understanding of how attackers typically operate. This preparedness allows teams to react more quickly and effectively, minimizing the damage of an active breach.

Can adversary tactics be automated?

Yes, many modern security tools use automated threat emulation to execute real-world tactics and techniques safely. This allows organizations to validate their defenses and identify exploitable paths without manual effort.

ThreatNG provides a unified platform for External Attack Surface Management (EASM), Digital Risk Protection, and Security Ratings, designed to identify and disrupt Adversary Tactics from an "outside-in" perspective. By automating the discovery and analysis of an organization's digital footprint, ThreatNG transforms raw technical data into a strategic narrative of adversary behavior.

The following sections detail how ThreatNG secures your environment against modern adversarial strategies.

External Discovery of Tactical Entry Points

The first stage of disrupting an attack path is identifying every possible starting node. ThreatNG performs purely external, unauthenticated discovery to map an organization's internet-facing assets without requiring internal agents or connectors.

  • Shadow IT Identification: ThreatNG uncovers unmanaged cloud instances, forgotten subdomains, and temporary development environments that lack corporate oversight and often serve as the initial tactical foothold.

  • Domain and Brand Footprinting: The platform discovers official and fraudulent domain permutations (typosquatting) and Web3 domains (e.g., .eth or .crypto), which adversaries use for phishing and brand impersonation tactics.

  • Asset Correlation: It identifies domains, IPs, and cloud buckets associated with an organization, establishing the foundation for mapping potential adversarial movement.

External Assessment and DarChain Contextual Intelligence

ThreatNG moves beyond isolated scanning by using DarChain (Digital Attack Risk Contextual Hyper-Analysis Insights Narrative) to perform hyper-analysis on technical, social, and regulatory exposures. This chains disparate findings into a structured threat model, revealing the precise "chained relationships" an adversary would exploit.

Detailed Examples of DarChain Assessment

  • The Phishing-to-Credential Theft Path: ThreatNG might discover a registered lookalike domain with an active mail record (MX). DarChain chains this with leaked executive profiles found on LinkedIn and a subdomain missing a Content Security Policy (CSP). This reveals a tactic in which an attacker uses a believable HR-themed persona to trick an employee into providing credentials, which are then harvested through the vulnerable subdomain.

  • Initial Access to Cloud Resources: ThreatNG identifies files in publicly accessible cloud buckets. DarChain maps this to configuration data needed to move deeper into the environment. It chains this with hardcoded code secrets found in those files to show how an attacker pivots from a public file to a private database.

  • The Regulatory Disclosure Vector: The platform mines SEC 8-K filings and correlates disclosed risks with technical vulnerabilities. If a company discloses a specific risk but has an unpatched critical vulnerability in that area, DarChain highlights this as a "Governance Gap Exploitation" path, where attackers use corporate transparency to validate the value of their target.

Investigation Modules for Deep-Dive Analysis

ThreatNG includes specialized investigation modules that allow security analysts to pivot from a high-level alert to a granular investigation of specific "Step Actions" and identify the "Step Tools" an adversary is likely to use.

Detailed Examples of Investigation Modules

  • Sensitive Code Exposure: This module scans public repositories, such as GitHub, for leaked "Non-Human Identities" (NHIs), including AWS Secret Access Keys and Jenkins passwords. Finding a hardcoded secret provides a validated step for an "Unauthorized Access" narrative.

  • Dark Web Presence (DarCache Rupture): This module monitors hacker forums for mentions of the brand and compromised credentials. An investigation might reveal attackers discussing an unpatched vulnerability in the organization's tech stack, which would mark that path as a high priority.

  • Reddit Discovery: This module turns "conversational risk" from Reddit or LinkedIn into intelligence. If an employee asks for online technical help with server configuration, an attacker can use that information to build a technical blueprint for a targeted social engineering tactic.

Intelligence Repositories (DarCache)

The DarCache suite of intelligence repositories provides the real-world context needed to prioritize adversary tactics. It integrates data from the NVD for technical details, the KEV catalog to confirm active exploitation, and EPSS to predict future likelihood. ThreatNG also tracks over 70 ransomware gangs, allowing organizations to prioritize the tactics currently being weaponized by active threat actors.

Reporting and Continuous Monitoring

To maintain a proactive defense, ThreatNG provides:

  • Continuous Monitoring: The platform constantly rescans the external attack surface and digital risks to ensure tactical maps stay current as the landscape shifts.

  • Actionable Reporting: ThreatNG delivers technical workbooks and executive reports that pinpoint "Attack Path Choke Points"—critical vulnerabilities where multiple potential attack chains intersect. Fixing a choke point collapses multiple adversarial narratives simultaneously.

Cooperation with Complementary Solutions

ThreatNG provides the external "outside-in" intelligence that triggers and enriches the workflows of internal security tools, allowing organizations to disrupt adversary tactics at multiple stages.

  • Identity and Access Management (IAM): When ThreatNG uncovers leaked API keys or credentials in public code, it feeds this data to IAM platforms to trigger immediate key rotation or password resets, effectively ending an "Unauthorized Access" tactic.

  • Security Orchestration, Automation, and Response (SOAR): High-priority alerts from a "Subdomain Takeover" narrative can trigger automated SOAR playbooks to delete dangling DNS records or block malicious IP addresses at the perimeter firewall.

  • Vulnerability Management and EDR: ThreatNG identifies the specific "Tech Stack" and external assets an attacker is targeting. This allows internal scanners to prioritize those assets and enables Endpoint Detection and Response (EDR) tools to increase monitoring sensitivity on the servers identified in a potential attack path.

Common Questions About Adversary Tactics and ThreatNG

How does ThreatNG define an adversary tactic differently from a vulnerability?

A vulnerability is a single technical flaw, such as an open port. An adversary tactic is the high-level goal, or "why," behind an attacker's movement, often achieved by chaining multiple vulnerabilities into a narrative.

What is an "Attack Path Choke Point"?

A choke point is a critical vulnerability or asset that appears in multiple different attack paths. Securing a choke point is the most efficient use of resources because it disrupts the largest number of potential adversarial narratives at once.
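The choke-point idea in this answer, and under "Identifying Choke Points" earlier on the page, can be made concrete. The following is an added example, not ThreatNG code: it builds a small constructed attack-path graph whose nodes are tagged with the tactic they serve, enumerates every entry-to-impact path, ranks intermediate nodes by how many paths they sit on, and re-enumerates after one node is fixed to show how many narratives collapse. All node names, tactics and edges are constructed for illustration.

```python
from collections import Counter
# Constructed attack-path graph (illustrative data, not ThreatNG output). Each
# node is an asset or weakness tagged with the tactic it serves; an edge A -> B
# means "holding A lets the attacker attempt B".
TACTIC = {
    "lookalike-domain-mx": "Initial Access", "public-bucket-file": "Initial Access",
    "exposed-rdp": "Initial Access", "phished-user-creds": "Credential Access",
    "hardcoded-db-secret": "Credential Access", "jump-host": "Lateral Movement",
    "domain-admin": "Privilege Escalation", "customer-db": "Collection",
}
EDGES = {
    "lookalike-domain-mx": ["phished-user-creds"],
    "public-bucket-file": ["hardcoded-db-secret"],
    "exposed-rdp": ["jump-host"],
    "phished-user-creds": ["jump-host"],
    "hardcoded-db-secret": ["jump-host", "customer-db"],
    "jump-host": ["domain-admin", "customer-db"],
    "domain-admin": ["customer-db"],
}
ENTRIES = ["lookalike-domain-mx", "public-bucket-file", "exposed-rdp"]
IMPACT = "customer-db"  # the business-impacting end node

def enumerate_paths(edges, entries, impact):
    """Every simple path from an entry node to the impact node, depth-first."""
    paths = []
    def walk(node, path):
        if node == impact:
            paths.append(path)
            return
        for nxt in edges.get(node, []):
            if nxt not in path:  # simple paths only, so a cycle cannot recurse forever
                walk(nxt, path + [nxt])
    for entry in entries:
        walk(entry, [entry])
    return paths

def narrative(path):
    """One path as its tactic sequence: the kill-chain view of the narrative."""
    return " -> ".join(TACTIC[n] for n in path)

def choke_points(paths, entries, impact):
    """Rank intermediate nodes by the number of paths they sit on; the top one is the choke point."""
    counts = Counter(n for p in paths for n in p if n not in entries and n != impact)
    return counts.most_common()

def paths_after_fix(edges, entries, impact, fixed):
    """Remove the fixed node and re-enumerate; the drop in path count is what that one fix buys."""
    pruned = {k: [v for v in vs if v != fixed] for k, vs in edges.items() if k != fixed}
    return enumerate_paths(pruned, entries, impact)
```

On this graph the jump host sits on six of the seven paths, so fixing it leaves a single path, whereas fixing the leaked database secret still leaves four.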

Can non-technical information be used as a tactical starting point?

Yes. ThreatNG treats organizational instability—such as layoff chatter or lawsuits—as a tactical starting point, recognizing that these events provide the psychological "hook" used for technical breaches like Business Email Compromise.
