Tactics of leading cybercriminal groups against the MITRE ATT&CK framework


Cybercriminal groups continue to refine their tactics, techniques, and procedures (TTPs), many of which align with the MITRE ATT&CK framework—a globally recognised model for understanding adversary behaviour. To counter these evolving threats, organisations need to implement targeted defences like the Essential 8 maturity model.

This blog explores the tactics of leading cybercriminal groups mapped to the MITRE ATT&CK framework and highlights how achieving Essential 8 maturity level 2 disrupts their attacks.

Understanding cybercriminal tactics and the MITRE ATT&CK framework

The MITRE ATT&CK framework catalogues adversary behaviours across all stages of a cyber attack. Cybercriminal groups exploit these tactics to achieve their objectives, such as exfiltrating data, deploying ransomware, or maintaining persistence in networks.

Common tactics used by leading groups include:

  • Initial Access (T1190): Exploiting public-facing applications or using phishing campaigns to gain access.
  • Privilege Escalation (T1134): Exploiting vulnerabilities to increase privileges and access sensitive data.
  • Lateral Movement (T1021): Using tools like Mimikatz or PsExec to navigate the network.
  • Exfiltration (T1041): Stealing data via cloud services, email, or encrypted channels.

The ransomware group LockBit relies on spear-phishing emails (T1566) for initial access, combined with credential dumping (T1003) to escalate privileges.

Conti, another notorious group, frequently employs Cobalt Strike (T1219) for command and control, aligning with multiple ATT&CK techniques.

The breadth of tactics underscores the importance of proactive defence mechanisms aligned with frameworks like the Essential 8.

How Essential 8 maturity level 2 disrupts these attacks

The Essential 8 maturity model, developed by the Australian Cyber Security Centre (ACSC), is a practical framework for mitigating common cyber threats. At maturity level 2, organisations adopt advanced controls designed to minimise the impact of adversary tactics.

| MITRE ATT&CK Technique | Description | Essential 8 Control | Impact |
| --- | --- | --- | --- |
| Initial Access (T1190) | Exploiting public-facing applications or phishing campaigns to gain access. | Patching applications; User application hardening | Prevents exploitation of unpatched vulnerabilities; disables risky features like macros in Office files, reducing phishing risks. |
| Privilege Escalation (T1134) | Exploiting vulnerabilities to increase privileges and access sensitive data. | Restricting administrative privileges; Multi-factor authentication | Limits attackers' ability to escalate privileges; blocks unauthorised credential use with second authentication factors. |
| Lateral Movement (T1021) | Using tools like Mimikatz or PsExec to navigate the network. | Multi-factor authentication; Application control | Prevents lateral movement with restricted credentials; blocks execution of unauthorised tools like PsExec. |
| Exfiltration (T1041) | Stealing data via cloud services, email, or encrypted channels. | Application whitelisting; Backups | Blocks unauthorised file transfer tools; ensures secure backups, reducing operational impact of data loss. |

An Australian small business implemented Essential 8 maturity level 2 and successfully thwarted a ransomware attack. Application whitelisting blocked unauthorised tools, and multi-factor authentication stopped credential-based lateral movement.
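As an added example (not code from this post or from Flame Tree Cyber), the Python helper below turns the mapping table above into a threat-informed prioritisation: given the technique IDs observed for a group, it ranks the Essential 8 controls by how many of those techniques they mitigate and flags techniques the mapping does not cover at all. The table's own four rows are transcribed as-is; the mappings for T1566, T1003 and T1219, and the control names "Application control" and "Regular backups", are assumptions drawn from the post's descriptions rather than from the table.

```python
from collections import Counter

# Technique -> Essential 8 controls, transcribed from the table in this post.
# "Application whitelisting" in the table is treated as the same control as application control.
E8_MAPPING = {
    "T1190": {"Patch applications", "User application hardening"},
    "T1134": {"Restrict administrative privileges", "Multi-factor authentication"},
    "T1021": {"Multi-factor authentication", "Application control"},
    "T1041": {"Application control", "Regular backups"},
}

# Assumed extension (not in the post's table): the group techniques the post
# names, mapped to the control whose described effect addresses them.
E8_MAPPING_EXTENDED = {
    **E8_MAPPING,
    "T1566": {"User application hardening"},         # phishing attachments, macros
    "T1003": {"Restrict administrative privileges"},  # credential dumping needs admin rights
    "T1219": {"Application control"},                 # remote access tools such as Cobalt Strike
}

# Constructed sample: the technique IDs this post attributes to each group.
GROUP_TTPS = {"LockBit": ["T1566", "T1003"], "Conti": ["T1219"]}


def prioritise_controls(observed, mapping):
    """Rank controls by how many observed techniques they mitigate.

    Returns (ranked, uncovered): ranked is a list of (control, count) sorted by
    count descending then name; uncovered lists technique IDs with no mapping."""
    hits, uncovered = Counter(), []
    for tid in observed:
        controls = mapping.get(tid)
        if not controls:
            uncovered.append(tid)
        else:
            hits.update(controls)
    ranked = sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))
    return ranked, uncovered


def gap_report(group_ttps, mapping):
    """For each group, return the technique IDs the mapping leaves uncovered."""
    return {g: prioritise_controls(ttps, mapping)[1] for g, ttps in group_ttps.items()}


if __name__ == "__main__":
    all_ttps = [t for ttps in GROUP_TTPS.values() for t in ttps]
    for name, mapping in (("table only", E8_MAPPING), ("extended", E8_MAPPING_EXTENDED)):
        ranked, gaps = prioritise_controls(all_ttps, mapping)
        print(f"[{name}] ranked controls: {ranked}")
        print(f"[{name}] uncovered techniques: {gaps}")
```

Run against the table alone, every technique the post attributes to LockBit and Conti comes back as uncovered, which is the gap an analyst would close by extending the mapping before relying on it.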

Why aligning defence with both frameworks matters

Combining the MITRE ATT&CK framework and Essential 8 maturity level 2 allows organisations to:

  • Understand adversary behaviour: Leverage ATT&CK to map and predict likely tactics.

  • Disrupt attack chains: Implement Essential 8 controls to neutralise adversary objectives.

  • Strengthen cyber resilience: Create a proactive defence posture that minimises operational impact.

Organisations using this dual approach gain a comprehensive view of the threat landscape while employing actionable controls to mitigate risks.

Leading cybercriminal groups rely on sophisticated tactics outlined in the MITRE ATT&CK framework. Implementing Essential 8 maturity level 2 effectively disrupts these attack chains by restricting access, strengthening credentials, and mitigating ransomware impact. By aligning defence strategies with these frameworks, organisations can significantly improve their cyber resilience.

Protect your organisation, your data, and your reputation today.


Kat McCrabb


4 Mar 2025
