Mapping attack objectives with an Extract/Disrupt/Influence Model
James Gimbi
Cyber attacks follow surprisingly consistent patterns, and many of those patterns are already described by existing frameworks. Existing frameworks…
- Focus on attack tactics and milestones (MITRE ATT&CK, Mandiant Attack Lifecycle, Lockheed Kill Chain),
- Categorize threats (Microsoft STRIDE, RAND operational capacities),
- Outline defender objectives (CIA Triad),
- Analyze business impacts (OCTAVE)
Attacks may also be examined through the lens of how the attacker intends to impact the victim. At the highest level, there are three fundamental objectives for an attacker to achieve against their victim: Extract, Disrupt, and Influence (EDI).
- Extract: Collect information assets; typically sensitive material such as intellectual property, credentials, or regulated data
- Disrupt: Impact operations; including malicious encryption, deletion, or covert modification
- Influence: Cause involuntary behavior; often ransom or operational change
EDI impact objectives are not mutually exclusive. Notice that combining objectives yields familiar attack patterns:

| Extract | Disrupt | Influence | Exemplar attack |
|---|---|---|---|
| ✅ | | | Classic APT |
| | ✅ | | Cyber-kinetic |
| | | ✅ | Phantom ransom¹ |
| ✅ | ✅ | | Warfare |
| | ✅ | ✅ | Classic ransomware |
| ✅ | | ✅ | Data ransom |
| ✅ | ✅ | ✅ | Ransomware 2.0 |
The EDI impact model may help security teams focus their defensive strategy. When building security roadmaps or justifying investments, understanding an attack’s objectives provides a lens for prioritizing controls and contextualizing risk to senior leadership. This view zooms out to consider the fundamental question: what are we defending against?
I may revisit this topic to:
- Detail examples of EDI attack patterns
- Frame how EDI can support prioritization and contextualization
- Discuss relationships between EDI objectives, including tensions between them and how attackers prioritize their activities
Originally raised January 2024