tiered persistence

0001-01-01

Tiered persistence is a technique in which the adversary gains or places several independent forms of persistence on a compromised host or network.

I am not aware of any formalized tier structure for this concept, but an example scenario I have employed and seen used in CTF and red team operations looks something like this:

  • Tier 1: compromised user accounts, compromised keys, easy-to-exploit software bugs and misconfigurations, etc. These let the operator log on to the system as if they were an authorized user, or run arbitrary commands via an exploit tool. If the system owner or user disables the account, changes the password, or removes the key, this access is lost.

  • Tier 2: a somewhat obvious process/implant. This may be something like Cobalt Strike, Meterpreter or Sliver. These are often discovered once analysts or incident response teams decide to analyze a system, but sometimes they are missed altogether, offering a mid- to long-term form of persistence. Using tier 2 persistence is usually the preferred method of conducting operations, as these tools offer robust quality-of-life features such as multiplayer support, logging and auditing functionality, and extensibility via custom or third-party modules, and they are generally well understood by red teams.

  • Tier 3: a custom-made or uncommon implant, or a rootkit with backdoor access functionality. Care is taken to hide these well, and they are used sparingly. They exist to re-install tier 2 implants if those are removed, or to be used when blue teams are aware of the tier 2 implants and are observing the adversary for intelligence purposes rather than removing them. Often, these are only installed on a handful of key systems and only used as a last resort, to reduce the chances of discovery.

  • Tier 4: similar in concept to tier 3, but reserved for last-resort cases where tier 1, 2, and 3 access has been lost. This may be an in-memory/fileless implant on a system with a ridiculously high uptime, or one placed into routing/switching hardware, printers, phones, or other such appliances that EDR software and forensics tools cannot run on. Often, tier 4 access is placed in spots that analysts are highly unlikely to look at or are unable to analyze, or it uses techniques that are not well known or not necessarily mapped to the ATT&CK Matrix.
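The consequence for responders is that an eradication plan has to be checked against every tier, not just the one that was noticed. The following is an added example, not code from the original page: a small model of which footholds survive a given set of response actions, with constructed hosts and footholds, where surviving tier 3/4 footholds are treated as able to re-install tier 2 as described above.

```python
"""Added example (not part of the original page): check an eradication
plan against all four persistence tiers. Hosts and footholds are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Foothold:
    tier: int        # 1..4, as described in the tier list above
    host: str        # system or appliance where the foothold lives
    kind: str        # free-text description
    survives_reimage: bool = False  # e.g. firmware or an appliance EDR cannot run on


@dataclass(frozen=True)
class Action:
    # scope: "credentials" = reset/disable accounts and keys (tier 1, any host)
    #        "kill"        = remove a known implant process on one host (tier 2)
    #        "reimage"     = rebuild one host; firmware/appliance footholds survive
    #        "replace"     = swap hardware / reflash an appliance (everything on it)
    scope: str
    host: str = "*"  # "*" applies to every host


def removes(action: Action, f: Foothold) -> bool:
    """True if this single action eradicates this single foothold."""
    on_host = action.host in ("*", f.host)
    if action.scope == "credentials":
        return f.tier == 1
    if action.scope == "kill":
        return on_host and f.tier == 2
    if action.scope == "reimage":
        return on_host and not f.survives_reimage
    if action.scope == "replace":
        return on_host
    raise ValueError(f"unknown action scope: {action.scope}")


def remaining(footholds, actions):
    """Footholds that no action in the plan removes."""
    return [f for f in footholds if not any(removes(a, f) for a in actions)]


def can_regain_tier2(footholds, actions) -> bool:
    """A surviving tier 3 or 4 foothold can re-install tier 2, so the
    adversary's access is not really gone even if the C2 implant was killed."""
    return any(f.tier >= 3 for f in remaining(footholds, actions))


def uncovered_tiers(footholds, actions):
    """Sorted tiers the plan leaves in place; empty means full eradication."""
    return sorted({f.tier for f in remaining(footholds, actions)})
```

Running a plan that only resets passwords and kills the beacon reports tiers 3 and 4 as uncovered; only a plan that also reimages or replaces the hosts and appliances carrying those tiers comes back empty.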