# Resource Development (MITRE ATT&CK TA0042)
Definition
Resource development is the pre-attack phase of an adversary operation. In MITRE ATT&CK, it is catalogued as Tactic TA0042, and it represents everything an attacker builds, acquires, or compromises before their campaign begins against the primary target. Domains are registered. Servers are provisioned. Malware is compiled. Personas are created. Certificates are obtained. All of this happens entirely outside the victim environment, in digital spaces the victim has no visibility into.
This makes resource development the most defensively challenging tactic in the ATT&CK matrix. The victim organization cannot observe it directly. There are no alerts, no endpoint events, no firewall logs. The attacker operates with complete freedom, limited only by cost, time, and the risk of being detected by external threat intelligence collection.
The intelligence value of resource development detection is enormous precisely because it is pre-attack. An organization that learns an attacker has registered a look-alike domain for their brand, obtained a TLS certificate for a phishing page targeting their employees, or stood up C2 infrastructure that matches the profile of a known threat actor has actionable warning before any attack begins. This is the core proposition of Predictive Defense Intelligence: detect the threat before it arrives.
Understanding resource development forces defenders to think beyond their own environment. The attack does not start when the first phishing email lands. It starts weeks or months earlier, when the attacker begins assembling what they need. Mature threat intelligence programs monitor for adversary preparation activity as a first-line warning system.
How It Works
Acquire Infrastructure (T1583)
Infrastructure acquisition covers every asset the attacker buys, leases, or rents to conduct their operation. The fundamental goal is establishing internet-reachable resources the attacker controls: places to host payloads, receive communications from implants, and route traffic through jurisdictions hostile to law enforcement cooperation.
Domains (T1583.001) are the most frequently acquired infrastructure component. Attackers register domains that impersonate the target organization (typosquatting: adding, removing, or transposing characters in the legitimate domain), impersonate trusted third parties (banks, cloud providers, software vendors, government agencies), or are entirely generic and used purely for C2 infrastructure unrelated to social engineering. A threat actor preparing a spearphishing campaign against a specific company will commonly register domains that combine the company name with plausible-looking suffixes or prefixes: "company-security-alert.com," "company-support-portal.net," or "login-company.io."
Domain registration patterns are one of the most monitored resource development signals. Registrar data, Passive DNS (pDNS) databases, and certificate transparency logs all expose newly registered domains. Threat intelligence providers correlate these against known attacker infrastructure fingerprints, registration behavior patterns (bulk registration, specific registrar combinations, WHOIS privacy service selection), and semantic analysis of the domain name itself.
DNS Server (T1583.002) covers attacker-controlled name servers used to manage resolution for acquired domains. Attackers who control their own authoritative DNS infrastructure can modify records rapidly to redirect traffic, change C2 endpoints, or abandon infrastructure that has been flagged.
Virtual Private Server (T1583.003) is the most common hosting choice for C2 infrastructure. VPS providers offer near-instant provisioning, cryptocurrency payment options (reducing attribution), and bulletproof hosting services that explicitly market their resistance to law enforcement takedown requests and abuse complaints. Bulletproof hosting providers are a critical enabler for persistent threat actors because they maintain infrastructure continuity even after takedown requests from defenders.
Web Services (T1583.006) is a particularly sophisticated infrastructure choice: using legitimate, highly reputable cloud services as command and control channels. AWS S3 buckets, GitHub repositories, OneDrive files, Google Drive documents, and Dropbox folders have all been used as C2 staging points. Traffic to these services blends invisibly with normal organizational traffic. Many organizations do not decrypt TLS to AWS or Google endpoints. Even when they do, blocking these services entirely is operationally impossible. This technique, sometimes called "living off trusted sites" (LOTS), is a direct extension of the living-off-the-land philosophy to infrastructure.
Compromise Infrastructure (T1584)
Rather than acquiring new infrastructure, sophisticated attackers compromise existing legitimate infrastructure and use it as a relay or C2 node. This provides geographic diversity, inherited reputation, and reduced cost compared to acquiring dedicated infrastructure.
Domains (T1584.001) obtained through compromise rather than registration include domains hijacked through DNS provider account compromise, domains acquired through expired domain registration (a domain with a history of legitimate traffic retains better reputation with security filtering systems than a newly registered domain), and subdomains of legitimate organizations compromised through subdomain takeover vulnerabilities.
Servers (T1584.004) are compromised legitimate systems used as C2 relay nodes. An attacker who compromises a legitimate web server in a neutral country and routes their C2 traffic through it benefits from the server's existing reputation and geographic location. Network defenders who block traffic to the C2 IP address are blocking a legitimate server, which may trigger review before the block is implemented. This introduces operational friction on the defender side.
Compromised infrastructure is harder to track than acquired infrastructure because threat intelligence fingerprinting relies on patterns in how attackers configure their infrastructure. When the infrastructure is someone else's server, the configuration fingerprint belongs to the legitimate owner, not the attacker.
Develop Capabilities (T1587)
Developed capabilities are assets the attacker builds themselves, rather than purchasing or stealing. Custom development indicates a higher level of sophistication and resources.
Malware (T1587.001) at the custom development level means purpose-built implants, backdoors, and tooling written specifically for the campaign. Nation-state actors are the primary practitioners: the SUNBURST backdoor attributed to APT29 (tracked elsewhere as UNC2452 and Nobelium) was not a modification of SolarWinds' build pipeline itself but a custom implant that a separate tool, SUNSPOT, injected into Orion builds by tampering with that pipeline. Lazarus Group maintains an extensive portfolio of custom tools. Custom malware does not match signatures for known families, which degrades signature-based detection; behavioral detection becomes the primary countermeasure.
Code Signing Certificates (T1587.002) are among the most valuable assets an attacker can hold. Code signing is the mechanism by which operating systems and security software establish that an executable was produced by a known entity and has not been modified since. A binary signed with a certificate that chains to a trusted CA receives elevated trust from Windows SmartScreen, antivirus products, and application control policies. Strictly, T1587.002 covers certificates the attacker creates (self-signed, useful mainly against controls that only check that some signature is present); certificates obtained from a CA under a fraudulent identity, stolen from an organization that holds one, or abused through compromise of a legitimate vendor's signing infrastructure are catalogued under Obtain Capabilities (T1588.003). In either case the defender's control is the same: validate the full chain and revocation status, not merely the presence of a signature.
Digital Certificates (T1587.003 when self-signed, T1588.004 when issued by a CA) for TLS are nearly universally obtained from publicly trusted certificate authorities like Let's Encrypt, which provides free, automated issuance. A phishing page with a valid TLS certificate displays the padlock icon in the browser, and many users have been trained to treat this as a trust indicator. It is not: the padlock means the connection is encrypted, not that the site is legitimate. Certificate transparency logs expose every publicly trusted TLS certificate issued, making this one of the most monitored resource development signals in the threat intelligence community. Self-signed certificates never appear in CT, which is one reason TLS server fingerprinting complements CT monitoring rather than duplicating it.
Obtain Capabilities (T1588)
Where T1587 covers building, T1588 covers buying or stealing.
Malware (T1588.001) covers the commodity end of the market: remote access trojans (RATs), information stealers, and ransomware-as-a-service (RaaS) toolkits available for purchase or rental on criminal marketplaces and forums. The commoditization of malware capability has dramatically lowered the barrier to entry for cybercriminal operations. An actor with no technical sophistication can purchase a fully featured stealer like RedLine or Raccoon, obtain the initial access through a phishing kit, and run an effective credential theft campaign.
Tool (T1588.002) at the high end of the market includes commercial offensive security tools whose licenses or cracked copies are sold to criminal actors. Cobalt Strike, a legitimate penetration testing framework, has been the most widely abused commercial offensive tool for years. Its Beacon implant provides sophisticated C2 capability, malleable profiles to disguise network traffic, and extensive post-exploitation functionality. Brute Ratel C4 emerged as an alternative specifically marketed on its evasion of leading EDR products.
Code Signing Certificates (T1588.003) and Digital Certificates (T1588.004) cover certificates that are bought, fraudulently requested, or stolen rather than generated. A code signing certificate taken from a legitimate organization during a network intrusion lets the attacker sign malware as a real, trusted company; a CA-issued TLS certificate gives a phishing page a valid padlock.
Establish Accounts (T1585)
Account establishment covers the creation of personas and communication infrastructure the attacker will use for social engineering and operation security.
Social Media (T1585.001) persona creation is standard practice for advanced social engineering campaigns. LinkedIn personas are particularly valuable: a realistic-looking profile with 200 connections, a plausible employment history, and a few months of activity on the platform is sufficient to send connection requests and messages to targets with significantly higher acceptance rates than cold email. APT groups linked to North Korea have used elaborate LinkedIn personas posing as recruiters to deliver malware-laced interview documents to security researchers and cryptocurrency developers.
Email Accounts (T1585.002) established through free providers (Gmail, Outlook, ProtonMail, Tutanota) serve as communication infrastructure for spearphishing campaigns, registration of additional accounts and services, and communication with initial access brokers. Free email accounts are trivially obtained, support anonymous registration, and are accessible from anonymizing infrastructure.
Why It Matters
The Detection Window That Most Organizations Miss
The conventional security model is reactive: detect an attack when it arrives and respond. Resource development intelligence shifts this to a detection model that operates before the attack arrives. The time between resource development and attack launch varies from days to months depending on the threat actor's operational tempo and the complexity of the campaign. Nation-state groups typically spend weeks to months in preparation. Ransomware affiliates may move within days of buying access from an initial access broker. In both cases, the resource development phase represents a detection opportunity that most organizations lack the visibility to exploit.
The practical consequence: organizations with no threat intelligence capability will always be reactive. They detect attacks during execution, after the attacker is inside. Organizations with external threat intelligence monitoring detect attacks during preparation, before the attacker arrives.
Infrastructure Fingerprinting and Threat Actor Tracking
Resource development leaves fingerprints. Attackers who reuse infrastructure components, registration patterns, certificate configurations, or hosting provider combinations across campaigns can be tracked through those fingerprints even when their malware changes. This is the foundation of threat actor attribution and tracking.
JARM fingerprinting (a method for fingerprinting TLS server configurations from their responses to a fixed set of client hellos), Censys and Shodan scanning for specific service configurations, and Passive DNS correlation are all used to identify when new attacker infrastructure matches the fingerprint of previously known attacker infrastructure. A server stood up today whose JARM fingerprint matches yesterday's known Cobalt Strike C2 server is immediately suspect, regardless of whether its IP address has appeared in any prior intelligence reporting. The caveat is that JARM identifies a TLS stack configuration, not an actor: the default Cobalt Strike fingerprint is also produced by some Java-based servers, so a JARM match is a pivot to corroborate with a second attribute (ASN, name server, certificate, registration pattern) rather than a verdict on its own.
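To make the fingerprint pivot concrete, here is an added example (not code from the page, and not any vendor's tool) that walks outward from one known C2 server across a constructed set of merged pDNS, scan and WHOIS observations. The field names, fingerprint tokens, IPs, ASNs and name servers are all assumptions, and real JARM values are 62 hex characters. Two rules carry the logic: an attribute value present on more than half of the dataset is too common to pivot on (a popular registrar, or Let's Encrypt as issuer, would link everything to everything), and a candidate is linked only when it shares at least two remaining attributes with an already-linked host, which is what keeps the JARM-only collision with the legitimate Java server in the sample out of the cluster.

```python
"""Pivot from one known C2 server to related infrastructure via shared fingerprints."""
from collections import Counter, deque

# Attributes worth pivoting on. Assumed column names for a merged export.
PIVOT_FIELDS = ("jarm", "asn", "ns", "registrar", "cert_issuer")

# Placeholder fingerprint tokens, not real JARM hashes.
J1, J2, J3, J4, J5 = "jarm-1", "jarm-2", "jarm-3", "jarm-4", "jarm-5"

# Constructed observations: documentation-range IPs, made-up domains and ASNs.
# 192.0.2.50 is the deliberate trap: a legitimate Java server whose TLS stack
# happens to share the seed's JARM and nothing else.
OBSERVATIONS = [
    {"ip": "203.0.113.10", "domain": "update-cdn-sync.com",    "jarm": J1, "asn": "AS64500", "ns": "ns1.dnsprov.example", "registrar": "RegistrarA", "cert_issuer": "Let's Encrypt"},
    {"ip": "203.0.113.11", "domain": "cdn-update-sync.net",    "jarm": J1, "asn": "AS64500", "ns": "ns1.dnsprov.example", "registrar": "RegistrarA", "cert_issuer": "Let's Encrypt"},
    {"ip": "198.51.100.5", "domain": "mail-secure-portal.com", "jarm": J1, "asn": "AS64510", "ns": "ns1.dnsprov.example", "registrar": "RegistrarA", "cert_issuer": "Let's Encrypt"},
    {"ip": "198.51.100.6", "domain": "files-share-sync.com",   "jarm": J2, "asn": "AS64510", "ns": "ns1.dnsprov.example", "registrar": "RegistrarA", "cert_issuer": "Let's Encrypt"},
    {"ip": "192.0.2.50",   "domain": "intranet.example.org",   "jarm": J1, "asn": "AS64520", "ns": "ns1.cloud.example",   "registrar": "RegistrarB", "cert_issuer": "DigiCert"},
    {"ip": "192.0.2.51",   "domain": "shop.example.org",       "jarm": J3, "asn": "AS64520", "ns": "ns1.cloud.example",   "registrar": "RegistrarA", "cert_issuer": "Let's Encrypt"},
    {"ip": "192.0.2.52",   "domain": "blog.example.net",       "jarm": J4, "asn": "AS64520", "ns": "ns1.cloud.example",   "registrar": "RegistrarA", "cert_issuer": "Let's Encrypt"},
    {"ip": "192.0.2.53",   "domain": "docs.example.net",       "jarm": J4, "asn": "AS64520", "ns": "ns1.cloud.example",   "registrar": "RegistrarA", "cert_issuer": "Let's Encrypt"},
    {"ip": "192.0.2.54",   "domain": "api.example.com",        "jarm": J5, "asn": "AS64530", "ns": "ns1.other.example",   "registrar": "RegistrarB", "cert_issuer": "DigiCert"},
]


def common_values(observations, fields=PIVOT_FIELDS, max_share=0.5):
    """(field, value) pairs seen on more than max_share of hosts: useless as pivots."""
    counts = Counter((f, o[f]) for o in observations for f in fields)
    return {key for key, c in counts.items() if c > max_share * len(observations)}


def shared_attributes(a, b, too_common, fields=PIVOT_FIELDS):
    """Fields on which two hosts agree, ignoring values that are too common to matter."""
    return [f for f in fields if a[f] == b[f] and (f, a[f]) not in too_common]


def pivot(observations, seed_ip, min_shared=2, max_depth=2):
    """Breadth-first expansion from seed_ip. Returns {ip: {via, shared, depth, domain}}.
    A host joins the cluster only if it shares at least min_shared discriminating
    attributes with a host already in it, so a lone JARM collision is not enough."""
    by_ip = {o["ip"]: o for o in observations}
    too_common = common_values(observations)
    linked, visited = {}, {seed_ip}
    queue = deque([(seed_ip, 0)])
    while queue:
        ip, depth = queue.popleft()
        if depth >= max_depth:
            continue
        for cand in observations:
            if cand["ip"] in visited:
                continue
            shared = shared_attributes(by_ip[ip], cand, too_common)
            if len(shared) >= min_shared:
                visited.add(cand["ip"])
                linked[cand["ip"]] = {"via": ip, "shared": shared,
                                      "depth": depth + 1, "domain": cand["domain"]}
                queue.append((cand["ip"], depth + 1))
    return linked


if __name__ == "__main__":
    dropped = sorted(common_values(OBSERVATIONS))
    print("ignored as too common:", dropped)
    for ip, info in pivot(OBSERVATIONS, "203.0.113.10").items():
        print(f"{ip:14} {info['domain']:24} via {info['via']:14} shared={info['shared']}")
```

Run stand-alone, the script reports that registrar and issuer are dropped as pivots, links 203.0.113.11 and 198.51.100.5 directly to the seed, reaches 198.51.100.6 only through 198.51.100.5 (shared ASN and name server), and leaves 192.0.2.50 out despite its matching JARM. Tune `min_shared` and `max_share` against your own dataset size; with a few hundred thousand observations the common-value threshold should be far lower than one half.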
The Economics of Pre-Attack Disruption
Disrupting resource development is operationally high-leverage because the cost to the attacker is significantly higher than the cost to the defender. Registering a domain costs approximately $10 to $15. Obtaining a TLS certificate is free. Standing up a VPS costs $20 to $50 per month. None of these are significant costs. But the operational cost of being forced to rebuild infrastructure, establish new personas, and replace compromised tools is measured in days to weeks of work. Infrastructure takedowns and pre-attack blocks shift the cost-benefit calculation meaningfully against the attacker, particularly for opportunistic actors.
Technical Details
Certificate Transparency Monitoring
Since 2018, browsers (Chrome first, then Safari) have required publicly trusted TLS certificates to be logged to certificate transparency (CT) logs, the append-only logs specified in RFC 6962 (updated by RFC 9162), so in practice every such certificate is publicly visible at issuance, including certificates for phishing domains. Organizations can monitor CT logs for certificates issued to domains that match their brand name, domain variations, or naming patterns associated with spoofed services. Tools including crt.sh, Facebook's CT monitoring tool, and commercial threat intelligence platforms offer CT log monitoring with alerting.
A certificate for "company-login-portal.com" issued 48 hours ago, on a newly registered .com domain, from Let's Encrypt, is a pre-attack signal available in CT logs before the phishing campaign launches. One caveat: certificates are logged at issuance, often as precertificates, so the domain may not resolve or serve anything yet when the alert fires. Treat the hit as a domain to watch and block preemptively, not as proof of a live page.
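As an added example (not code from the page or from any of the tools named above), the following stdlib-only Python scans a batch of CT records in the JSON shape crt.sh returns and flags registrable domains that imitate a brand by the patterns described under Domains (T1583.001): a brand keyword embedded in a longer name, a small edit distance (typosquat), a changed TLD, and confusable characters including a punycode-encoded Cyrillic letter (homoglyph). The brand "company", the owned-domain allow-list and every record are constructed; the confusables table is deliberately tiny, and the registrable-domain logic ignores the Public Suffix List.

```python
"""Flag brand look-alike domains in a batch of certificate transparency records."""
import json

# Protected brand and the domains it legitimately owns. Hypothetical values.
BRAND = "company"
OWNED_DOMAINS = {"company.com"}

# Tiny confusables table mapping look-alike characters to an ASCII skeleton.
# Multi-character entries come first. Production tooling uses the full Unicode
# confusables data; this list only covers the sample.
CONFUSABLES = [
    ("rn", "m"), ("vv", "w"),
    ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"),
    ("\u0430", "a"), ("\u0435", "e"), ("\u043e", "o"), ("\u0440", "p"), ("\u0441", "c"),
]

# Constructed sample. The shape mirrors crt.sh's JSON output (one object per
# certificate, SANs newline-separated in name_value); every record is made up.
SAMPLE_CT_JSON = """[
 {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "not_before": "2024-05-01T10:00:00",
  "name_value": "company-login-portal.com\\nwww.company-login-portal.com"},
 {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "not_before": "2024-05-01T11:30:00",
  "name_value": "c0mpany.com"},
 {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "not_before": "2024-05-01T12:15:00",
  "name_value": "xn--cmpany-wqf.com"},
 {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
  "not_before": "2024-05-01T09:00:00", "name_value": "www.company.com"},
 {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "not_before": "2024-05-01T13:00:00",
  "name_value": "compnay.com"},
 {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "not_before": "2024-05-01T14:00:00",
  "name_value": "weather-example.org"}
]"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance with insert/delete/substitute; a transposition costs 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(name: str) -> str:
    """Lower-case, drop a wildcard or www prefix, decode punycode, keep the last
    two labels. Assumption: no Public Suffix List, so a name under co.uk would
    reduce wrongly; a real monitor uses the PSL here."""
    name = name.lower().lstrip("*.")
    if name.startswith("www."):
        name = name[4:]
    try:
        name = name.encode("ascii").decode("idna")  # xn-- labels -> Unicode
    except UnicodeError:
        pass  # already Unicode or not valid punycode: keep as-is
    return ".".join(name.split(".")[-2:])


def skeleton(label: str) -> str:
    """Collapse confusables so c0mpany and a Cyrillic-o company both read as company."""
    for src, dst in CONFUSABLES:
        label = label.replace(src, dst)
    return label


def classify(domain: str, brand: str = BRAND, owned=OWNED_DOMAINS):
    """Return why a registrable domain imitates the brand, or None if it does not."""
    if domain in owned:
        return None
    label = domain.split(".")[0]
    if label == brand:
        return "tld swap"
    skel = skeleton(label)
    if skel == brand:
        return "homoglyph"
    if levenshtein(skel, brand) <= 2:
        return "typosquat"
    if brand in skel:
        return "brand keyword"
    return None


def scan_ct_records(ct_json: str, brand: str = BRAND, owned=OWNED_DOMAINS) -> list:
    """Parse a crt.sh-style batch; return one alert per suspicious registrable domain."""
    alerts, seen = [], set()
    for rec in json.loads(ct_json):
        for san in rec["name_value"].split("\n"):
            dom = registrable_domain(san)
            if dom in seen:
                continue
            seen.add(dom)
            reason = classify(dom, brand, owned)
            if reason:
                alerts.append({"domain": dom.encode("idna").decode("ascii"),  # wire form
                               "unicode": dom, "reason": reason,
                               "issuer": rec["issuer_name"], "not_before": rec["not_before"]})
    return alerts


if __name__ == "__main__":
    for a in scan_ct_records(SAMPLE_CT_JSON):
        print(f"{a['not_before']}  {a['domain']:26} {a['reason']:14} {a['issuer']}")
```

Against the sample the scan reports four domains (brand keyword, two homoglyphs, one typosquat) and stays silent on the organization's own www.company.com and on the unrelated weather-example.org. Feeding it live data means paging crt.sh or a CT log's get-entries endpoint and parsing the leaf certificates, but the matching logic is the same; the part that needs real investment is the confusables table and the allow-list of domains you actually own.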
Domain Infrastructure Analysis Techniques
| Signal | Source | Intelligence Value |
|--------|--------|--------------------|
| Newly registered domains | Registrar feeds, WhoisXML API | Brand spoofing, campaign preparation |
| Passive DNS | Farsight DNSDB, VirusTotal | C2 infrastructure linking, actor tracking |
| Certificate transparency | crt.sh, Sectigo and DigiCert CT logs | Phishing infrastructure detection |
| JARM fingerprinting | Censys, Shodan | C2 server fingerprinting |
| Autonomous system data | BGP routing tables | Bulletproof hosting identification |
| WHOIS history | DomainTools, WhoisXML | Infrastructure pattern matching |
Malware Capability Markets
The criminal ecosystem supporting resource development has matured into a structured market. Malware-as-a-Service (MaaS) providers operate subscription businesses with customer support, feature updates, and refund policies. The market segments broadly into:
- Stealers: collect credentials, cookies, cryptocurrency wallets, and browser data. RedLine, Raccoon, Vidar, and MetaStealer are current leading products.
- RATs (Remote Access Trojans): provide persistent remote control capability. AsyncRAT, NjRAT, and Quasar are widely deployed.
- Loaders: download and execute additional payloads. SmokeLoader, IcedID, and Bumblebee are commonly observed in the wild.
- Ransomware affiliates: RaaS operators provide the ransomware binary, payment infrastructure, and negotiation support in exchange for a percentage of ransom payments, typically 20 to 30 percent.
CDA Perspective
PDI as a Pre-Attack Intelligence System
CDA's Predictive Defense Intelligence (PDI) methodology is summarized by the line "See the threat before it sees you." This is not marketing language. It is a description of an intelligence collection posture that monitors pre-attack activity as its primary detection layer.
CDA TID missions that address resource development operate externally to the client environment. Attack surface reconnaissance (VSD-R01) discovers internet-facing assets. Brand monitoring and lookalike domain detection identifies preparation activity targeting the client's identity. Threat actor profiling identifies which groups have historically targeted the client's industry vertical and what their resource development patterns look like.
The intelligence product from this work is a pre-attack risk picture: here are the domains registered in the last 30 days that spoof your brand, here is infrastructure that matches the fingerprint of the threat actors most likely to target you, here are the credentials from your organization currently being sold on criminal forums. This picture is available before any attack begins.
Orbital Alliance Framework and Vendor Infrastructure
The Orbital Alliance Framework (OAF) is CDA's cross-domain protocol for supply chain and third-party risk. Resource development targeting the supply chain (T1584, compromising vendor infrastructure) is an OAF threat scenario. An attacker who compromises a software vendor's build infrastructure to insert malicious code in a customer-delivered update (the SolarWinds pattern) exploits trust relationships that extend beyond the victim organization's control plane.
OAF governs how CDA evaluates the security posture of third parties whose infrastructure or access is trusted by client organizations. A vendor with weak build pipeline security, inadequate code signing controls, or poor software supply chain hygiene represents a pre-attack exposure that client-side controls cannot remediate. The only defense is either not trusting the vendor or requiring the vendor to demonstrate adequate controls.
Key Takeaways
- Resource development (MITRE ATT&CK TA0042) is the pre-attack tactic that occurs entirely outside the victim environment. Most organizations have zero direct visibility into it, making external threat intelligence the only detection mechanism.
- The major resource development categories are: acquiring infrastructure (T1583), compromising existing infrastructure (T1584), developing capabilities (T1587), obtaining capabilities from criminal markets (T1588), and establishing personas and accounts (T1585).
- Certificate transparency logs, Passive DNS, and domain registration monitoring provide real-time visibility into attacker infrastructure preparation, often days to weeks before a campaign launches.
- Living-off-trusted-sites (LOTS) infrastructure (using AWS S3, GitHub, OneDrive as C2 channels) is the hardest resource development pattern to defend against because blocking these services is operationally impossible for most organizations.
- Custom malware development (T1587.001) and stolen or fraudulently obtained code signing certificates (T1588.003) indicate higher-sophistication threat actors and require behavioral detection and full chain validation rather than signature-based approaches.
- CDA's PDI methodology monitors pre-attack infrastructure patterns as a primary warning signal, producing actionable intelligence before attacks reach the victim environment.
Related Articles
- Initial Access Techniques [TID-IA-001]
- Execution Techniques [TID-TA0002-001]
- Living Off the Land Techniques [TID-LOTL-001]
- Threat Intelligence Platforms [TID-TIP-001]
- STIX and TAXII Standards [TID-STIX-001]
- Supply Chain Security and SBOM [VSD-SC-001]
Sources
MITRE Corporation. "Resource Development (TA0042)." MITRE ATT&CK, 2024. https://attack.mitre.org/tactics/TA0042/
MITRE Corporation. "Acquire Infrastructure (T1583)." MITRE ATT&CK, 2024. https://attack.mitre.org/techniques/T1583/
Sectigo. "Certificate Transparency: An Overview." Sectigo Resource Library, 2024. https://www.sectigo.com/resource-library/certificate-transparency
Recorded Future. "Adversary Infrastructure Report 2024." Recorded Future Intelligence, 2024. https://www.recordedfuture.com/
Mandiant. "M-Trends 2024 Special Report." Google Cloud, 2024. https://www.mandiant.com/m-trends
CrowdStrike. "2024 Global Threat Report." CrowdStrike, 2024. https://www.crowdstrike.com/global-threat-report/
Palo Alto Networks Unit 42. "Ransomware and Extortion Report 2024." Palo Alto Networks, 2024. https://www.paloaltonetworks.com/unit42/
Antonakakis, M. et al. "Understanding the Mirai Botnet." USENIX Security Symposium, 2017. https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/antonakakis
CDA, LLC. "Predictive Defense Intelligence (PDI) Methodology Reference." CDA Canon, 2026.
CDA, LLC. "Orbital Alliance Framework (OAF) Protocol Reference." CDA Canon, 2026.