⚠ Breach Attack Simulation · MITRE ATT&CK v14 · SABSA · MoST/NIST CSF
ASSUME BREACH SABSA × MITRE ATT&CK × MoST
Multi-Cloud Kill Chain · Lateral Movement · WAF · NGFW · Endpoint · Supply Chain · Hybrid · SABSA SC-1–6 · MoST Functions
SIM ACTIVE | Simulated TTPs: T1566 Phishing · T1190 Public App · T1078 Valid Accts · T1021 Remote Svc · T1550 Alt Auth · T1484 Domain Policy · T1059 Scripting · T1071 App Layer · T1486 Ransomware · T1003 Cred Dump · T1558 Kerberoasting · T1210 Remote Exploit · T1530 Cloud Storage · T1611 Container Escape
SABSA layers: SC-1 Contextual Risk · SC-2 Conceptual/Policy · SC-3 Logical/Design · SC-4 Physical/Tech · SC-5 Component · SC-6 Operational
MoST/NIST CSF functions: Identify · Protect · Detect · Respond · Recover

Legend: T1xxx = MITRE ATT&CK TTP · SC-x.x = SABSA control · IDENTIFY/PROTECT/DETECT/RESPOND/RECOVER = MoST (NIST CSF) function
MITRE ATT&CK v14: 14-Tactic Timeline
Recon (TA0043) → Rsrc Dev (TA0042) → Init. Access (TA0001) → Execution (TA0002) → Persistence (TA0003) → Priv. Esc. (TA0004) → Def. Evasion (TA0005) → Cred. Access (TA0006) → Discovery (TA0007) → Lateral Mvmt (TA0008) → Collection (TA0009) → C2 (TA0011) → Exfiltration (TA0010) → Impact (TA0040)
① ENTRY VECTORS: INITIAL ACCESS | TA0001 · TA0043 | SABSA: SC-1 Contextual · SC-6 Operational | MoST: IDENTIFY

End Users
Corporate Workstation | Drive-by / phishing | T1566 · T1204 · SC-6.1
📧 Email Spear-Phishing | Attachment / link | T1566.001 · T1566.002
🪪 Identity / SSO | Credential stuffing | T1078 · SC-5.3

VPN / Remote Access
🔓 SSL-VPN Gateway | CVE exploit / auth bypass | T1133 · T1190 · SC-4.2
🛡 MFA / ZTNA Control | FIDO2 phish-resistant | SC-5.3 · PROTECT
👤 Split Tunnel Abuse | Bypass inspection | T1572

Supply Chain
📦 3rd-Party Software | Trojanised update | T1195.002 · SC-6.5
🔗 Managed Svc Provider | Trusted access pivot | T1199 · T1195
📜 OSS Dependency | Dependency confusion | T1195.001 · SC-6.5

Internet Exposure
🌐 Public Web App | SQLi / RCE / SSRF | T1190 · T1059 · SC-4.1
🔌 Exposed API | Auth bypass / BOLA | T1190 · T1552.007
📡 Shadow IT / IoT | Unmanaged endpoint | T1078.001 · SC-2.1

Insider / Physical
🕵 Malicious Insider | Privilege abuse | T1078.002 · SC-6.2
🔑 Leaked Credentials | Paste site / dark web | T1589.001
💾 USB Drop | Physical delivery | T1091 · SC-4.3
🔴 Kill Chain | MITRE ATT&CK × SABSA Operational (SC-6) × MoST
🎯 Recon (TA0043) → ⚡ Init. Access (TA0001 · T1190) → 💻 Execution (TA0002 · T1059) → 🔒 Persistence (TA0003 · T1547) → 📈 Priv. Esc. (TA0004 · T1548) → 🕶 Def. Evasion (TA0005 · T1562) → 🔐 Cred. Access (TA0006 · T1003) → 🗺 Discovery (TA0007 · T1018) → ↔️ Lateral Mvmt (TA0008 · T1021) → 📤 Exfil/Impact (TA0010/TA0040 · T1486)
② PERIMETER CONTROLS: PREVENTION / DETECTION | TA0001 · TA0005 | SABSA: SC-4 Physical · SC-5 Component | MoST: PROTECT · DETECT

Next-Gen Firewall (NGFW)
🔥 Deep Packet Inspection | L7 app awareness, IPS | SC-4.1 · SC-5.1 · PROTECT
🧠 TLS Inspection | Decrypt & re-encrypt | SC-5.2 · T1573
📋 URL / DNS Filtering | C2 sinkhole | T1071.004 · SC-5.1
⚠️ Evasion: Fragmented Pkts | Encoded / chunked bypass | T1001.003 · T1562.004

WAF (Web Application Firewall)
🔵 Azure Front Door WAF | DRS ruleset · Bot manager | AZURE · SC-4.1 · T1190
🟠 AWS WAF + Shield Adv. | Managed rules · DDoS | AWS · SC-4.1 · T1498
🛡 OWASP Top-10 Rules | SQLi, XSS, CSRF, SSRF | SC-5.1 · PROTECT
🎭 WAF Bypass Technique | Encoding / chunked req. | T1027 · T1190

Cloud Firewall / SDN
🔵 Azure Firewall Premium | IDPS · TLS · FQDN rules | AZURE · SC-4.2
🟠 AWS Network Firewall | Suricata IPS engine | AWS · SC-4.2
🗂 NSG / Security Groups | Micro-segment enforcement | SC-5.4 · PROTECT
🌀 IMDS / Metadata Abuse | Cloud cred theft via SSRF | T1552.005 · T1078.004
③ HYBRID CONNECTIVITY | T1021 · T1572 · T1599 | SABSA: SC-3 Logical · SC-4 Physical | MoST: PROTECT

🔵 Azure Hybrid: Azure Connectivity
🔵 ExpressRoute | Private dedicated circuit | SC-4.2
🔵 Azure VPN Gateway | S2S / P2S IPSec | T1133 · SC-4.2
🔵 Azure Arc | On-prem to cloud bridge | SC-3.1
↔️ Trusted Link Pivot | Lateral to on-prem | T1021.006 · T1563

On-Premises Datacenter
🏢 Active Directory / LDAP | Kerberoasting / DCSync | T1558.003 · T1003.006 · SC-5.3
🛡 PAM / Privileged Access | CyberArk / BeyondTrust | SC-6.2 · PROTECT
💻 Jump Server / Bastion | Session recording | SC-4.3 · T1021.004
🔑 Pass-the-Hash / Ticket | Credential relay attack | T1550.002 · T1550.003

🟠 AWS Hybrid: AWS Connectivity
🟠 AWS Direct Connect | Dedicated private link | SC-4.2
🟠 Transit Gateway | Hub-and-spoke routing | SC-4.2 · T1599
🟠 AWS Site-to-Site VPN | IPSec / BGP failover | T1133 · SC-4.2
📡 Route Table Hijack | BGP poisoning | T1599.001
④ LANDING ZONE: INITIAL FOOTHOLD | TA0002 · TA0003 · TA0004 · TA0005 · TA0006 | SABSA: SC-6 Operational | MoST: DETECT · RESPOND

🎯 Landing Zone COMPROMISED | C2 established · Beaconing · Persistence · Recon begins · SABSA SC-6 Operational controls applied
🐚 Reverse Shell / Beacon | C2 channel established | T1071 · T1105
🕸 C2 Framework | Cobalt Strike / Sliver | T1219 · T1571
🔏 LSASS Dump | Mimikatz / ProcDump | T1003.001 · SC-6.3
🪝 Persistence | Sched task / WMI sub. | T1053 · T1547
🌐 Internal Recon | BloodHound / LDAP | T1018 · T1069 · T1087
📊 EDR Telemetry | SOC triage triggered | SC-6.4 · DETECT
🔍 SIEM / XDR Correlation | Behavioural anomaly | SC-6.4 · DETECT
🥷 Living off the Land | LOLBins · Fileless | T1218 · T1562.001
⑤ EAST-WEST TRAFFIC: LATERAL MOVEMENT | TA0008 · T1021 · T1550 · T1563 | SABSA: SC-5 Component · SC-6 Operational | MoST: DETECT · PROTECT

Endpoint Protection
🛡 EDR / XDR Agent | CrowdStrike / Defender | SC-5.5 · DETECT
🔬 Memory Scanning | Injection detection | T1055 · SC-5.5
🔒 Application Control | Allow-list enforcement | SC-5.6 · T1059
🩺 Device Compliance | Patch posture / risk score | SC-6.1
💉 Process Injection | Bypass EDR hooks | T1055.001 · T1055.012
🎭 Token Impersonation | RunAs / token theft | T1134.001 · T1134.002

↔ East-West / Lateral Movement Techniques (TA0008)
🔑 Pass-the-Hash | T1550.002 · SC-5.3
🎫 Pass-the-Ticket | T1550.003 · T1558
🖥 RDP / WMI / PsExec | T1021.001 · T1047
📂 SMB Share Traversal | T1021.002 · SC-5.4
🕸 WMI Subscription | T1047 · T1546.003
🧬 BloodHound AD Paths | T1069 · T1087
📦 Container Escape | T1611 · SC-5.4
☁️ Cloud Metadata Pivot | T1552.005
🔄 AWS AssumeRole | T1078.004 · AWS
🔵 Managed Identity Abuse | T1078.004 · AZ
🔗 Svc Principal Hijack | T1098.001
🌐 DNS/LLMNR Poisoning | T1557.001 · SC-5.1
🪝 Sched Task Abuse | T1053.005

🔄 MICRO-SEGMENTATION CONTROL POINT | NSG · Calico · GuardDuty · Defender for Cloud | SC-5.4 · DETECT

Network Segmentation
🔀 Micro-segmentation | Illumio / NSX | SC-5.4 · PROTECT
🔵 Azure NSG + ASG | App security groups | AZURE · SC-4.2
🟠 AWS Security Groups | Stateful E-W control | AWS · SC-4.2
🏷 Zero Trust Segmentation | Identity-based access | SC-3.2 · PROTECT
📝 VPC / NSG Flow Logs | Anomalous traffic detect. | SC-6.4 · T1021
🌀 Covert Channel | DNS tunnelling / ICMP | T1071.004 · T1001
⑥ CLOUD ENVIRONMENTS: AWS & AZURE | T1530 · T1537 · T1078.004 · T1611 | SABSA: SC-5 Component · SC-6 Operational | MoST: DETECT · RESPOND

🟠 Amazon Web Services: AWS Landing Zone Targets
🪣 S3 Bucket | Data exfil / misconfig | T1530 · SC-5.7
⚡ Lambda Function | Serverless pivot | T1648 · T1059
🖥 EC2 / ECS | Instance compromise | T1059 · T1496
🔑 IAM Role Abuse | Privilege escalation | T1078.004 · T1548
🗄 RDS / DynamoDB | Data store exfil | T1530 · SC-5.7
☸ EKS (Kubernetes) | Container escape | T1611 · T1610
👁 GuardDuty | Threat detection | SC-6.4 · DETECT
🔍 CloudTrail / SIEM | Audit & correlation | SC-6.4
🔒 AWS Security Hub | Posture management | SC-2.2
🌐 VPC Flow Logs | E-W traffic audit | SC-6.4

🔵 Microsoft Azure: Azure Landing Zone Targets
📦 Blob Storage | SAS token abuse | T1530 · SC-5.7
⚡ Azure Functions | Serverless pivot | T1648 · T1059
🖥 VM / VMSS | Instance compromise | T1059 · T1496
🔑 Entra ID / App Reg. | OAuth token theft | T1528 · T1098.001
🗄 SQL / Cosmos DB | Exfil / ransomware | T1530 · SC-5.7
☸ AKS (Kubernetes) | Container escape | T1611 · T1610
🛡 Defender for Cloud | CSPM / CWPP | SC-2.2 · DETECT
📊 Sentinel SIEM/SOAR | Analytics / playbook | SC-6.4 · RESPOND
🔑 Key Vault | Secret protect / audit | SC-5.7
📋 Activity / NSG Logs | E-W traffic audit | SC-6.4
⑦ TARGET SYSTEMS: IMPACT & OBJECTIVES | TA0009 · TA0010 · TA0040 | SABSA: SC-6 Operational · SC-1 Business | MoST: RESPOND · RECOVER

Data / IP Exfiltration
💰 PII / PCI Data Store | Structured data exfil | T1041 · T1537
📁 Source Code Repos | GitHub / ADO / Bitbucket | T1213.003
🔐 Secrets / Key Stores | Vault / Parameter Store | T1552 · SC-5.7
🕵 DLP / CASB | Exfil detection | SC-6.5 · DETECT

Ransomware / Disruption
💣 Ransomware Payload | Encrypt / wipe data | T1486 · T1490
🔁 Backup Destruction | Shadow copy deletion | T1490 · T1485
⚡ DoS / API Flood | Availability impact | T1498 · T1499
💾 Immutable Backups | Air-gap recovery | SC-6.6 · RECOVER

Identity & Credential
👑 Domain Admin Takeover | DCSync / Golden Ticket | T1003.006 · T1558.001
🔓 Cloud Root / GA Hijack | Entra Global Admin | T1098 · T1078.004
🛡 PIM / Conditional Access | JIT privilege | SC-6.2 · PROTECT
📲 MFA / FIDO2 | Phish-resistant auth | SC-5.3 · PROTECT

Detection & Response
🚨 SOC / MDR Alert | Triage & escalation | SC-6.4 · DETECT
🤖 SOAR Playbook | Auto-isolation / block | SC-6.7 · RESPOND
🧪 Threat Hunting | Proactive TI sweep | SC-6.4 · DETECT
📋 IR / Forensics | Evidence & containment | SC-6.7 · RESPOND
🏛 SABSA Security Architecture Control Matrix | Sherwood Applied Business Security Architecture | 6 Architecture Layers × Security Controls

SC-1 Contextual (Business Layer · WHY)
SC-1.1 Business risk assessment aligned to crown jewels
SC-1.2 Security policy driven by business objectives
SC-1.3 Threat & risk appetite definition
SC-1.4 Regulatory mapping (GDPR, PCI DSS, SOC 2, ISO 27001)

SC-2 Conceptual (Architecture Layer · WHAT)
SC-2.1 Asset classification & value framework
SC-2.2 Security domain model (Zero Trust architecture)
SC-2.3 Trust model & boundary definition
SC-2.4 Security attribute taxonomy

SC-3 Logical (Design Layer · HOW)
SC-3.1 Logical security policy enforcement
SC-3.2 IAM & access management architecture
SC-3.3 Encryption & key management design
SC-3.4 Security service architecture (SSE / SASE)

SC-4 Physical (Technology Layer · WITH WHAT)
SC-4.1 WAF · NGFW · IPS/IDS deployment
SC-4.2 Network perimeter & hybrid connectivity controls
SC-4.3 Physical access control & bastion hosts
SC-4.4 Cloud-native firewall & NSG services

SC-5 Component (Solution Layer · WHERE / WHEN)
SC-5.1 Security rule & policy configuration
SC-5.2 TLS/mTLS & certificate management
SC-5.3 MFA · FIDO2 · PAM controls
SC-5.4 Micro-segmentation & VLAN isolation
SC-5.5 EDR/XDR agent deployment
SC-5.6 Application allow-listing
SC-5.7 Data encryption at rest & in transit

SC-6 Operational (Management Layer · WHO)
SC-6.1 Vulnerability & patch management
SC-6.2 Privileged access governance (JIT / JEA)
SC-6.3 Credential hygiene & rotation policy
SC-6.4 SIEM · SOC · threat detection ops
SC-6.5 Supply chain & 3rd-party risk management
SC-6.6 Business continuity & DR (air-gap backups)
SC-6.7 Incident response & forensics (SOAR)
⑧ BREACH & ATTACK SIMULATION (BAS) OUTPUTS | ATT&CK Coverage | SABSA SC-1 · SC-6 | MoST: All Functions

Attack Coverage
📊 MITRE ATT&CK Coverage | % TTPs validated | IDENTIFY
🔢 Attack Path Count | Routes to crown jewels | SC-1.3
🎯 Critical Asset Exposure | Reachable crown jewels | SC-1.1

Control Validation
✅ Prevention Rate | Controls that blocked | PROTECT · SC-4/5
🔔 Detection Rate | Alerts triggered | DETECT · SC-6.4
❌ Control Gaps | Bypassed / failed | SC-2.2

Risk Metrics
🌡 Risk Score (0-100) | Weighted by criticality | SC-1.3
⏱ MTTD | Mean time to detect | DETECT
⏩ MTTR | Mean time to respond | RESPOND

Remediation
🔧 Prioritised Fix List | CVSS + exploitability | SC-6.1
📈 Trend & Regression | Continuous simulation | SC-6.1
📑 Board / Exec Report | Risk posture narrative | SC-1.2