Scenario R2ATT&CK v19Enterprise ATT&CKScenario-Based Cyber Risk

R2 – Ransomware via Unpatched Software

Baseline ATT&CK-informed attack path supporting Booz Allen Scenario R2. Used for governance discussions, exposure visibility, and remediation prioritization.

Unique Techniques

Selected from ATT&CK

Tactics Covered

Across attack chain

Critical Path Techniques

Score = 5

Domain

enterprise-attack

MITRE ATT&CK

Platforms in Scope

Windows, IaaS, Linux…

Executive Summary

A scenario lens on ransomware exposure

This page translates the R2 cyber risk scenario into a curated attacker progression path. It helps explain how unpatched or exposed systems may lead to ransomware deployment, data exfiltration, business disruption, and recovery impairment. The objective is to identify where controls can break the path and where residual exposure may remain.

Attack Path

Curated ATT&CK techniques mapped to the R2 progression, not the full matrix.

Path Enablers

Operational weaknesses that allow the scenario to materialize.

Path Breakers

Controls and capabilities that interrupt the attack progression.

Attack Path

How the scenario operationally materializes

Left-to-right progression aligned to ATT&CK tactics. Each stage shows the selected technique, its business-readable interpretation, and severity from the layer score.

Stage 1
Initial Access
T1133High
External Remote Services
Alternative entry vector through exposed VPN, RDP, Citrix, or remote access infrastructure.
T1190Critical
Exploit Public-Facing Application
Primary entry point where internet-facing systems have patching gaps, unsupported software, or delayed remediation.
T1078Medium
Valid Accounts
Attackers leverage compromised or reused credentials to expand access after initial compromise.
Stage 2
Execution
T1059Medium
Command and Scripting Interpreter
Common execution method for ransomware payload deployment and attacker tooling.
T1072Medium
Software Deployment Tools
Enterprise deployment tooling may be abused to distribute ransomware payloads at scale.
Stage 3
Persistence
T1133High
External Remote Services
Alternative entry vector through exposed VPN, RDP, Citrix, or remote access infrastructure.
T1078Medium
Valid Accounts
Attackers leverage compromised or reused credentials to expand access after initial compromise.
Stage 4
Privilege Escalation
T1078Medium
Valid Accounts
Attackers leverage compromised or reused credentials to expand access after initial compromise.
Stage 5
Defense Evasion
T1078Medium
Valid Accounts
Attackers leverage compromised or reused credentials to expand access after initial compromise.
Stage 6
Discovery
T1087Low
Account Discovery
Used to identify privileged accounts and lateral movement opportunities.
T1046Low
Network Service Discovery
Supports identification of high-value systems and reachable internal services.
Stage 7
Lateral Movement
T1021High
Remote Services
Enables propagation across enterprise systems and business-critical infrastructure.
T1072Medium
Software Deployment Tools
Enterprise deployment tooling may be abused to distribute ransomware payloads at scale.
Stage 8
Exfiltration
T1567Medium
Exfiltration Over Web Service
Sensitive data may be exfiltrated prior to encryption to increase extortion pressure.
Stage 9
Impact
T1486Critical
Data Encrypted for Impact
Primary ransomware impact event causing operational disruption and potential MTPD breaches.
T1490Critical
Inhibit System Recovery
Attackers disable recovery capabilities to prolong operational disruption and increase business impact.

Attack Path Matrix

Techniques grouped by tactic

Filter by severity or tactic. Each card includes the ATT&CK comment and a placeholder for the responsible mitigating control.

Severity

Tactic

Persistence

2 techniques

T1133

External Remote Services

High

PersistenceInitial Access

Alternative entry vector through exposed VPN, RDP, Citrix, or remote access infrastructure.

Mitigating control / path breaker — see Controls section

T1078

Valid Accounts

Medium

Defense EvasionPersistencePrivilege EscalationInitial Access

Attackers leverage compromised or reused credentials to expand access after initial compromise.

Mitigating control / path breaker — see Controls section

Initial Access

3 techniques

T1133

External Remote Services

High

PersistenceInitial Access

Alternative entry vector through exposed VPN, RDP, Citrix, or remote access infrastructure.

Mitigating control / path breaker — see Controls section

T1190

Exploit Public-Facing Application

Critical

Primary entry point where internet-facing systems have patching gaps, unsupported software, or delayed remediation.

Mitigating control / path breaker — see Controls section

T1078

Valid Accounts

Medium

Defense EvasionPersistencePrivilege EscalationInitial Access

Attackers leverage compromised or reused credentials to expand access after initial compromise.

Mitigating control / path breaker — see Controls section

Exfiltration

1 technique

T1567

Exfiltration Over Web Service

Medium

Sensitive data may be exfiltrated prior to encryption to increase extortion pressure.

Mitigating control / path breaker — see Controls section

Lateral Movement

2 techniques

T1021

Remote Services

High

Enables propagation across enterprise systems and business-critical infrastructure.

Mitigating control / path breaker — see Controls section

T1072

Software Deployment Tools

Medium

ExecutionLateral Movement

Enterprise deployment tooling may be abused to distribute ransomware payloads at scale.

Mitigating control / path breaker — see Controls section

Discovery

2 techniques

T1087

Account Discovery

Low

Used to identify privileged accounts and lateral movement opportunities.

Mitigating control / path breaker — see Controls section

T1046

Network Service Discovery

Low

Supports identification of high-value systems and reachable internal services.

Mitigating control / path breaker — see Controls section

Execution

2 techniques

T1059

Command and Scripting Interpreter

Medium

Common execution method for ransomware payload deployment and attacker tooling.

Mitigating control / path breaker — see Controls section

T1072

Software Deployment Tools

Medium

ExecutionLateral Movement

Enterprise deployment tooling may be abused to distribute ransomware payloads at scale.

Mitigating control / path breaker — see Controls section

Defense Evasion

1 technique

T1078

Valid Accounts

Medium

Defense EvasionPersistencePrivilege EscalationInitial Access

Attackers leverage compromised or reused credentials to expand access after initial compromise.

Mitigating control / path breaker — see Controls section

Privilege Escalation

1 technique

T1078

Valid Accounts

Medium

Defense EvasionPersistencePrivilege EscalationInitial Access

Attackers leverage compromised or reused credentials to expand access after initial compromise.

Mitigating control / path breaker — see Controls section

Impact

2 techniques

T1486

Data Encrypted for Impact

Critical

Primary ransomware impact event causing operational disruption and potential MTPD breaches.

Mitigating control / path breaker — see Controls section

T1490

Inhibit System Recovery

Critical

Attackers disable recovery capabilities to prolong operational disruption and increase business impact.

Mitigating control / path breaker — see Controls section

Mitigating Controls

Path breakers, owners and exposure indicators

Operational mapping between ATT&CK techniques and the controls that interrupt the R2 progression.

Attack Stage	ATT&CK Technique	Path Enabler / Control Weakness	Mitigating Control / Path Breaker	Control Owner	Exposure Indicator	Residual Exposure
Initial Access	T1190 Exploit Public-Facing Application	Internet-facing patch gaps, unsupported software, delayed remediation	Vulnerability management, patch SLA enforcement, external attack surface management	Infrastructure / Security Engineering	Number of internet-facing patch exceptions	Open / To be assessed
Initial Access	T1133 External Remote Services	Exposed VPN, RDP, Citrix, weak remote access hardening	MFA, conditional access, remote access hardening, privileged access controls	IAM / Infrastructure	Number of remote access exceptions or MFA gaps	Open / To be assessed
Execution	T1059 Command and Scripting Interpreter	Unrestricted script execution, weak endpoint controls	EDR, application control, PowerShell hardening, script logging	Cyber Defense / Endpoint Security	EDR coverage and script execution alerts	Open / To be assessed
Execution / Lateral Movement	T1072 Software Deployment Tools	Excessive administrative rights or misuse of enterprise deployment tooling	Admin tiering, restricted deployment rights, change control, monitoring of deployment tools	Infrastructure / Endpoint Management	Number of privileged deployment tool users	Open / To be assessed
Credential Abuse	T1078 Valid Accounts	Compromised, reused, or over-privileged accounts	MFA, PAM, access recertification, privileged account monitoring	IAM / PAM Team	Privileged account exceptions and MFA gaps	Open / To be assessed
Discovery	T1087 Account Discovery	Poor monitoring of account enumeration activity	Detection engineering, SIEM alerting, identity monitoring	Cyber Defense	Account discovery detections / alert coverage	Open / To be assessed
Discovery	T1046 Network Service Discovery	Weak internal visibility, broad network reachability	Network monitoring, segmentation validation, scanning detection	Network Security / Cyber Defense	Internal scan detections and segmentation exceptions	Open / To be assessed
Lateral Movement	T1021 Remote Services	Flat network, excessive remote service access	Network segmentation, privileged access restrictions, remote service hardening	Network Security / Infrastructure	Segmentation exceptions and remote access paths	Open / To be assessed
Exfiltration	T1567 Exfiltration Over Web Service	Weak egress monitoring, weak DLP, unsanctioned cloud channels	DLP, CASB, egress filtering, proxy monitoring	Data Security / Cyber Defense	DLP alerts and unsanctioned cloud upload events	Open / To be assessed
Impact	T1486 Data Encrypted for Impact	Weak ransomware containment and insufficient endpoint protection	EDR prevention, ransomware containment, incident response playbooks	Cyber Defense / Endpoint Security	Ransomware prevention coverage and IR readiness	Open / To be assessed
Impact	T1490 Inhibit System Recovery	Weak backup isolation, poor recovery testing, backup deletion exposure	Immutable backups, backup isolation, recovery testing, DR exercises	IT Operations / BCM / DR	Backup immutability gaps and failed recovery tests	Open / To be assessed

Path Enablers

What lets the scenario materialize

Patching exceptions

Unsupported software

Exposed remote services

Weak MFA coverage

Excessive privileged access

Weak network segmentation

Incomplete EDR coverage

Weak egress monitoring

Weak backup immutability

Incomplete recovery testing

Path Breakers

Controls that interrupt the path

Patch SLA enforcement

External attack surface management

MFA and conditional access

PAM and least privilege

EDR coverage and response

Application control

Network segmentation

DLP / CASB / egress monitoring

Immutable backups

Recovery testing and DR validation

Governance Integration

From exceptions to scenario exposure

This model allows exceptions and control weaknesses to be understood as path enablers within a business risk scenario, rather than as isolated technical issues.

Step 1

Archer Exceptions

Step 2

Security Standards

Step 3

Booz Allen Risk Scenario

Step 4

ATT&CK-Informed Attack Path

Step 5

Exposure Indicators

Step 6

Mitigation Actions

Step 7

Residual Risk

Step 8

Scenario Exposure Dashboard

Operational Use

Artifacts produced from this scenario

Navigator JSON

Portable attack-path model — re-importable into MITRE ATT&CK Navigator.

Excel / CSV

Structured control and exposure mapping for risk and governance teams.

PDF / Web Page

Management-readable governance artifact for steering committees and reviews.

Scope

Platforms in the layer

WindowsIaaSLinuxmacOSSaaSESXiNetwork DevicesPREContainersOffice SuiteIdentity Provider