Resource Development in MITRE ATT&CK — Detailed Explanation

Resource Development is a tactic in the MITRE ATT&CK framework describing how adversaries acquire, build, or compromise resources that will support their operations. These resources prepare the attacker before carrying out actual malicious actions such as initial access, command and control, data theft, or persistence.

Think of Resource Development as the “setup phase” of an attack.
Adversaries invest time and effort here to establish assets that appear legitimate, make detection harder, and improve the effectiveness of later attack steps.


🔍 Why Resource Development Matters

Security teams often focus on detecting attacks during exploitation.
However, many signals appear before the attack even starts.

Monitoring and detecting Resource Development activities can:

  • Identify attackers during their planning stage
  • Prevent them from obtaining infrastructure used for attacks
  • Reduce the attack surface
  • Enable faster threat attribution

🧩 Key Techniques Under Resource Development

Here are the major components of Resource Development (ATT&CK ID: TA0042):

1. Acquire Infrastructure

Adversaries obtain servers, domains, cloud accounts, VPS instances, etc. These are used for:

  • Hosting malicious content
  • Command and control (C2)
  • Delivering malware

Examples:

  • Buying a domain for phishing
  • Renting a VPS for C2
  • Using bulletproof hosting providers
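
A defender-side check for the "buying a domain for phishing" case above, added here as an illustration and not part of the original article: it scans a feed of newly observed domains for names that imitate a protected brand. The brand `examplebank.com`, the feed entries, the homoglyph table and the distance threshold are constructed assumptions.

```python
# Added example: names, feed entries and threshold are constructed assumptions.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]
BRAND = "examplebank.com"                       # hypothetical protected domain
FEED = [                                        # constructed newly observed domains
    "examp1ebank.com", "examplebank-login.com", "exmplebank.com",
    "examplebank.net", "examplebank.com.cdn-host.net",
    "weather-report.org", "www.examplebank.com",
]

def label(domain):
    """Registrable label, assuming a single-label TLD such as .com."""
    parts = domain.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def normalize(text):
    """Fold common look-alike characters and drop hyphens."""
    for fake, real in HOMOGLYPHS:
        text = text.replace(fake, real)
    return text.replace("-", "")

def edit_distance(a, b):
    """Levenshtein distance with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_reason(candidate, brand, max_dist=1):
    """Return why candidate resembles brand, or None if it does not."""
    cand, brand = candidate.lower().rstrip("."), brand.lower().rstrip(".")
    if cand == brand or cand.endswith("." + brand):
        return None                             # the organization's own name
    c, b = label(cand), label(brand)
    nc, nb = normalize(c), normalize(b)
    if c == b:
        return "same label, different TLD"
    if nc == nb:
        return "homoglyph or hyphen variant"
    if nb in normalize(cand.rsplit(".", 1)[0]):
        return "brand embedded in name"
    if edit_distance(nc, nb) <= max_dist:
        return "within edit distance"
    return None

def scan(feed, brand):
    """Map each feed entry that resembles brand to the reason it was flagged."""
    return {d: r for d in feed if (r := lookalike_reason(d, brand))}
```

Calling `scan(FEED, BRAND)` returns the flagged domains with the reason each matched; in practice the feed would come from a new-registration or certificate transparency source, and multi-label suffixes such as `.co.uk` need a public-suffix-aware `label()`.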

2. Compromise Infrastructure

Instead of buying infrastructure, attackers may take over legitimate systems because they provide:

  • Built-in trust
  • Established reputation
  • Lower suspicion

Examples:

  • Compromising a web server and using it to host malware
  • Using hacked email accounts to send phishing messages

3. Develop Capabilities

Adversaries create malware, exploits, tools, scripts, or modify publicly available ones.

Examples:

  • Building a custom Remote Access Trojan (RAT)
  • Developing zero-day exploits
  • Creating a PowerShell script for lateral movement

4. Obtain Capabilities

Attackers may not want to build things themselves; instead, they acquire them externally.

Examples:

  • Buying malware from dark web markets
  • Using open-source offensive security tools
  • Purchasing stolen credentials

5. Establish Accounts

Adversaries create accounts they control to support attack execution.

Examples:

  • Registering an email account for phishing
  • Creating cloud accounts (AWS/Azure)
  • Creating social media profiles to impersonate legitimate users

6. Stage Capabilities

Attackers prepare malware, payloads, or tools in accessible locations.

Examples:

  • Uploading a payload to GitHub, Pastebin, or cloud storage
  • Storing malware inside an ISO or ZIP file for delivery

Resource Development – Summary Table

📘 In Summary

Resource Development is all about preparation. It includes acquiring or creating everything needed to conduct a cyberattack effectively and stealthily. By monitoring these early-stage behaviors, organizations can detect attackers before they strike.