Resource Development
What is "Resource Development"?
Resource Development is one of the tactics defined in the MITRE ATT&CK framework, a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. The tactic covers the activities adversaries carry out to prepare for operations. These preparations happen before an attack is launched and typically involve acquiring or developing network infrastructure, accounts, and tools that will support the operation. The resources developed can later be used for initial access, execution, persistence, or command and control.
How Do Adversaries Engage?
Adversaries develop resources by:
- Acquiring Infrastructure: Purchasing or compromising domains, IP addresses, and servers that can be used to host malicious content or command and control servers.
- Obtaining Capabilities: Developing or acquiring malware, ransomware, or other tools needed for the attack.
- Establishing Accounts: Creating or stealing accounts that can be used to further reconnaissance or lateral movement within a network. These might include social media accounts for spear-phishing campaigns or cloud service accounts for hosting malicious services.
- Compromising Resources: This involves altering legitimate third-party software or creating malicious versions of software (supply chain compromise) that will later be distributed to target environments.
Where Do These Activities Take Place?
Resource development activities generally take place outside the target network:
- Online Services: Purchasing domains and infrastructure from web hosting providers.
- Dark Web: Acquiring stolen credentials, exploit kits, or malware from darknet markets.
- Third-party Services: Utilizing legitimate services (like cloud storage) to stage or launch attacks.
- Development Environments: Locally within the adversary's own systems where tools and capabilities are developed and tested.
Why Do Adversaries Engage in "Resource Development"?
The primary reasons include:
- Stealth and Efficacy: By preparing robust resources such as bespoke malware tailored to exploit specific vulnerabilities of a target system, adversaries increase their chances of successful exploitation while reducing detection risks.
- Operational Security (OpSec): Using purchased or compromised infrastructure helps mask their true identity and location from defenders and law enforcement agencies.
- Sustainability and Scalability: Developing versatile tools (like modular malware) enables reuse across multiple campaigns with minimal adjustment costs, thereby scaling operations efficiently.
In conclusion, resource development is a critical phase in which adversaries set up the tools, infrastructure, and access required for the subsequent phases of the attack lifecycle. Understanding this tactic allows cybersecurity professionals to better anticipate potential threats by monitoring related preparatory activities, such as unusual domain registrations or spikes in phishing attempts using newly created email accounts.
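As an added, defender-side example (not part of the original page and not MITRE's own tooling), the script below turns the "unusual domain registrations" signal from the conclusion into a concrete check: it reads resolver log lines, looks up each registrable domain's registration date, and flags domains that were registered within the last few weeks and whose second-level label resembles the organisation's brand (substring match or small edit distance). The log format, the brand name `examplecorp`, and the `REGISTRATION_DATES` table standing in for a live WHOIS/RDAP lookup are all constructed assumptions; the two-label "registrable domain" rule is a deliberate simplification of the public suffix list.

```python
"""Flag DNS lookups for newly registered domains that resemble our brand.

All inputs are constructed for the example: the log format is hypothetical,
and REGISTRATION_DATES stands in for a WHOIS/RDAP lookup so it runs offline.
"""
from __future__ import annotations

import re
from datetime import datetime, timezone

# Constructed resolver log lines (hypothetical format: ts, client, qname, rcode).
SAMPLE_DNS_LOG = """\
2024-05-01T09:12:03Z client=10.0.0.5 qname=mail.examplecorp.com rcode=NOERROR
2024-05-01T09:12:09Z client=10.0.0.5 qname=examplecorp-login.com rcode=NOERROR
2024-05-01T09:13:44Z client=10.0.0.7 qname=examp1ecorp.com rcode=NOERROR
2024-05-01T09:14:10Z client=10.0.0.9 qname=cdn.wikipedia.org rcode=NOERROR
2024-05-01T09:15:30Z client=10.0.0.9 qname=oldpartner.net rcode=NOERROR
"""

# Constructed stand-in for a registration-date lookup (WHOIS/RDAP creation date).
REGISTRATION_DATES = {
    "examplecorp.com": "2012-03-01",
    "examplecorp-login.com": "2024-04-28",
    "examp1ecorp.com": "2024-04-30",
    "wikipedia.org": "2001-01-13",
    "oldpartner.net": "2024-04-29",
}

LOG_RE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) qname=(?P<qname>\S+)")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance via a rolling-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(qname: str) -> str:
    """Simplification: treat the last two labels as the registrable domain.
    A production check would consult the public suffix list instead."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def looks_like_brand(label: str, brand: str, max_distance: int = 2) -> bool:
    """True if the label embeds the brand or is within a few edits of it."""
    return brand in label or levenshtein(label, brand) <= max_distance


def find_suspicious_domains(log_text: str, brand: str, max_age_days: int = 30,
                            now: datetime | None = None,
                            registry: dict[str, str] = REGISTRATION_DATES) -> list[dict]:
    """Return lookups of recently registered, brand-like domains, in log order."""
    now = now or datetime.now(timezone.utc)
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; skip rather than crash the pipeline
        qname = m["qname"]
        reg = registrable_domain(qname)
        reg_date_str = registry.get(reg)
        if reg_date_str is None:
            continue  # unknown registration date: a real pipeline would queue an RDAP lookup
        reg_date = datetime.strptime(reg_date_str, "%Y-%m-%d").replace(tzinfo=timezone.utc)
        age_days = (now - reg_date).days
        if age_days > max_age_days:
            continue  # old domain: not a "new registration" signal
        label = reg.split(".")[0]
        if not looks_like_brand(label, brand):
            continue  # new but unrelated to our brand; out of scope for this rule
        hits.append({
            "ts": m["ts"],
            "client": m["client"],
            "qname": qname,
            "registrable": reg,
            "age_days": age_days,
        })
    return hits


if __name__ == "__main__":
    fixed_now = datetime(2024, 5, 1, tzinfo=timezone.utc)
    for hit in find_suspicious_domains(SAMPLE_DNS_LOG, "examplecorp", now=fixed_now):
        print(f"{hit['ts']} {hit['client']} -> {hit['qname']} "
              f"(registered {hit['age_days']} days ago)")
```

Run as-is it reports the two look-alike domains (`examplecorp-login.com`, `examp1ecorp.com`) and ignores the long-established brand domain and the newly registered but unrelated `oldpartner.net`. Feeding it a real resolver export and a cached RDAP lookup in place of the table gives a cheap first-pass alert on the preparatory activity the text describes; the edit-distance threshold is the knob to tune against false positives.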