BEAR Framework | Tactical Reference

BEAR Framework

Break → Expand → Ascend → Rule

What is BEAR?

A practitioner's model for when speed matters

The Problem

MITRE ATT&CK is excellent for building detections. The Lockheed Martin Cyber Kill Chain is good for campaign analysis. But in the heat of an engagement or incident they are overhead, not guidance: too many boxes, not enough focus.

The Solution

BEAR cuts through the noise with four questions that matter:

B Did they get in?
E How far did they move?
A Did they get real power?
R What can they do now?

When to Use

🔴 Active Incident: quickly assess where the attacker is and what is at risk
🟡 Red Team Debrief: structure findings by impact, not just technique
🟢 Control Validation: test defenses at each phase and find the gaps
🔵 Executive Briefing: translate technical status into business risk
How to Use This Tool

The interactive version has three view modes, selected by role: Tactical (attacker objectives, what they are trying to do), Defensive (the full picture: objectives, controls and detections) and Executive (the business lens: controls and the questions to ask). Framework overlays map each phase to MITRE ATT&CK, NIST CSF 2.0, ISO 27001:2022 and CIS Controls v8. The phase cards below list every layer.
01 BREAK (B)
Outside → Inside

The moment "outside" becomes "inside". No Break = No Penetration.

Key Question
Did we get in?

Attacker Objectives
→ Exploit web/API vulnerabilities
→ Abuse broken auth flows
→ Leverage misconfigured edges
→ Compromise forgotten VPNs
→ Achieve initial execution

Controls (priority)
MFA Everywhere: CRITICAL
Patch Management: CRITICAL
WAF/API Gateway: HIGH
Attack Surface Monitoring: HIGH
Auth Anomaly Detection: HIGH
Email Security: MEDIUM

Detections
• Failed auth spike by source
• Impossible travel alerts
• WAF exploit signatures
• Anomalous API patterns
• New external services
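Two of the detections above, failed-auth spike by source and impossible travel, as an added example in Python (not code from the original tool). The authentication events, IP addresses, coordinates and the thresholds (20 failures in five minutes; 900 km/h, roughly airliner speed, over at least 50 km) are constructed for illustration and should be tuned against your own logs:

```python
"""Break-phase detections: failed-auth spike per source and impossible travel.
Added example for this page; the events and thresholds are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

T0 = datetime(2024, 5, 1, 8, 0, 0)
LONDON, SYDNEY, PARIS = (51.5074, -0.1278), (-33.8688, 151.2093), (48.8566, 2.3522)


def _ev(offset_s, user, src, result, geo):
    """Build one constructed auth event (timestamp, user, source IP, outcome, GeoIP point)."""
    return {"ts": T0 + timedelta(seconds=offset_s), "user": user, "src": src,
            "result": result, "lat": geo[0], "lon": geo[1]}


# Constructed sample: 25 failures from one IP in four minutes (a spray across
# seven users), two stray failures elsewhere, and a few successful logins,
# one pair of which is London then Sydney nine minutes apart.
SAMPLE_EVENTS = (
    [_ev(10 * i, f"user{i % 7}", "203.0.113.9", "fail", LONDON) for i in range(25)]
    + [_ev(3600, "alice", "198.51.100.4", "fail", PARIS),
       _ev(5400, "alice", "198.51.100.4", "fail", PARIS),
       _ev(1800, "bob", "198.51.100.20", "success", LONDON),
       _ev(1800 + 9 * 60, "bob", "192.0.2.77", "success", SYDNEY),
       _ev(3600, "carol", "198.51.100.21", "success", LONDON),
       _ev(3600 + 3 * 3600, "carol", "198.51.100.22", "success", PARIS)]
)


def failed_auth_spikes(events, window=timedelta(minutes=5), threshold=20):
    """Return {source_ip: peak failure count} for sources whose failures
    within any sliding `window` reach `threshold`. Keyed on source, not user,
    so a spray across many accounts is counted as one attack."""
    by_src = defaultdict(list)
    for e in events:
        if e["result"] == "fail":
            by_src[e["src"]].append(e["ts"])
    spikes = {}
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                spikes[src] = max(spikes.get(src, 0), count)
    return spikes


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two WGS84 points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    a = (sin(radians(lat2 - lat1) / 2) ** 2
         + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(events, max_kmh=900.0, min_km=50.0):
    """Return (user, src_a, src_b, km) for consecutive successful logins by the
    same user that would need faster-than-airliner travel. `min_km` ignores
    GeoIP jitter between nearby points."""
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "success":
            by_user[e["user"]].append(e)
    hits = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for a, b in zip(evs, evs[1:]):
            km = haversine_km(a["lat"], a["lon"], b["lat"], b["lon"])
            hours = (b["ts"] - a["ts"]).total_seconds() / 3600.0
            speed = km / hours if hours > 0 else float("inf")
            if km >= min_km and speed > max_kmh:
                hits.append((user, a["src"], b["src"], round(km)))
    return hits


if __name__ == "__main__":
    print("failed-auth spikes:", failed_auth_spikes(SAMPLE_EVENTS))
    print("impossible travel:", impossible_travel(SAMPLE_EVENTS))
```

The sliding window is per source IP, which catches a password spray across many users as well as brute force against one account; the 50 km floor keeps GeoIP jitter between neighbouring cities from firing the travel rule, and the 900 km/h ceiling still lets a three-hour London to Paris hop through.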
Questions to Ask
"Where are you in BEAR right now?"
"What was the entry vector?"

MITRE ATT&CK
Initial Access (TA0001) • Execution (TA0002)
T1190 Exploit Public-Facing Application • T1133 External Remote Services • T1078 Valid Accounts • T1566 Phishing

NIST CSF 2.0
ID.AM-01/02 Asset Inventory • ID.RA-01 Vulnerability Identification • PR.AA-03 Authentication (MFA) • PR.PS-02 Patching • PR.IR-01 Network Protection (edge/WAF)

ISO 27001:2022
A.5.9 Asset Inventory • A.8.8 Vulnerability Management • A.8.5 Secure Authentication • A.8.20 Network Security

CIS Controls v8
1.1 Asset Inventory • 7.1-7.5 Vulnerability Management • 6.3-6.5 MFA • 13.10 Application Layer Filtering (WAF)
02 EXPAND (E)
One → Many

Turn one foothold into many options. How far before segmentation stops you?

Key Question
How far can we move?

Attacker Objectives
→ Move to internal apps
→ Access file shares
→ Pivot to cloud (Azure/AWS/GCP)
→ Compromise K8s clusters
→ Access SaaS admin panels
→ Establish persistence

Controls (priority)
Network Segmentation: CRITICAL
EDR Deployment: CRITICAL
Behavior Drift Detection: CRITICAL
Zero Trust / ZTNA: HIGH
Cloud Security Posture (CSPM): HIGH
Least Privilege: MEDIUM

Detections
• Lateral movement (SMB/RDP/WinRM)
• Internal recon (LDAP enumeration)
• New persistence mechanisms
• Unusual cloud API calls
• Bulk file share access
• Behavioral baseline deviation
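The lateral-movement and baseline-deviation detections above, combined in an added Python example (not part of the original tool). Connection records, host names, the admin-port set and the seven-day history are constructed; the point is that a host's fan-out over SMB/RDP/WinRM is judged against its own baseline rather than a global number that a busy file server would trip every day:

```python
"""Expand-phase detection: lateral-movement fan-out versus a per-host baseline.
Added example for this page; connection records and baselines are constructed."""
from collections import defaultdict
from statistics import mean, pstdev

# Ports the detection list singles out: SMB, RDP, WinRM (HTTP/HTTPS), plus the RPC endpoint mapper.
ADMIN_PORTS = {445, 3389, 5985, 5986, 135}

# Constructed connection records for one day: (src_host, dst_host, dst_port).
CONNECTIONS = (
    [("WS-042", f"WS-{100 + i:03d}", 445 if i % 2 else 3389) for i in range(25)]   # workstation sweeping peers
    + [("SRV-FILE01", f"WS-{200 + i:03d}", 445) for i in range(40)]              # file server, its normal volume
    + [("WS-077", "SRV-APP01", 5985), ("WS-077", "SRV-APP02", 5985)]             # jump host, small fan-out
    + [("WS-042", "proxy.corp.local", 443)] * 50                                  # web traffic, not an admin port
)

# Constructed seven-day history of distinct admin-port destinations per source host.
HISTORY = {
    "WS-042": [2, 3, 3, 2, 4, 3, 2],
    "SRV-FILE01": [40, 42, 38, 45, 41, 39, 44],
}


def distinct_targets(conns, ports=ADMIN_PORTS):
    """Count distinct destination hosts reached over admin ports, per source host."""
    targets = defaultdict(set)
    for src, dst, port in conns:
        if port in ports:
            targets[src].add(dst)
    return {src: len(dsts) for src, dsts in targets.items()}


def fanout_threshold(history, min_targets=8, sigmas=3.0):
    """Alert floor for one host: mean plus `sigmas` standard deviations of its
    own history (with at least one target of slack), never below `min_targets`
    so that a flat baseline of two or three peers does not alert on five."""
    if not history:                       # unseen host: fall back to the absolute floor
        return float(min_targets)
    return max(float(min_targets), mean(history) + sigmas * max(pstdev(history), 1.0))


def lateral_fanout(conns, history):
    """Return {src_host: distinct_target_count} for hosts whose admin-port
    fan-out today exceeds their own baseline (behavioural drift)."""
    flagged = {}
    for src, count in distinct_targets(conns).items():
        if count >= fanout_threshold(history.get(src, [])):
            flagged[src] = count
    return flagged


if __name__ == "__main__":
    for host, n in lateral_fanout(CONNECTIONS, HISTORY).items():
        print(f"{host}: {n} distinct admin-port targets today, baseline {HISTORY.get(host)}")
```

With these numbers the workstation that touched 25 peers is flagged while the file server that talks to 40 hosts every day is not; a host with no history gets only the absolute floor, which is the right default for a freshly imaged machine but means the baseline store must be kept current.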
Questions to Ask
"Did you only Break, or also Expand?"
"What systems were reached?"

MITRE ATT&CK
Discovery (TA0007) • Lateral Movement (TA0008) • Persistence (TA0003)
T1021 Remote Services • T1018 Remote System Discovery • T1083 File and Directory Discovery • T1053 Scheduled Task/Job

NIST CSF 2.0
PR.IR-01 Network Segmentation • PR.AA-05 Least Privilege • DE.CM-01 Network Monitoring • DE.CM-09 Host and Runtime Monitoring (EDR)

ISO 27001:2022
A.8.22 Segregation of Networks • A.8.16 Monitoring Activities • A.8.7 Protection Against Malware

CIS Controls v8
12.2 Secure Network Architecture (Segmentation) • 13.4 Traffic Filtering Between Segments • 10.1/10.7 Anti-Malware incl. Behavior-Based (EDR) • 8.5 Detailed Audit Logs
03 ASCEND (A)
User → Admin

Get real power. Controls shift from blocking access to limiting what admin can do.

Key Question
Did we get real power?

Attacker Objectives
→ LPE to root/SYSTEM
→ Domain Admin compromise
→ K8s cluster-admin
→ Cloud IAM escalation
→ CI/CD pipeline control
→ Certificate authority access

Controls (priority)
Privileged Access Management (PAM): CRITICAL
AD Tiering Model: CRITICAL
Privileged Behavior Analytics: HIGH
Credential Guard / LAPS: HIGH
Just-in-Time Access: HIGH
Protected Users Group: MEDIUM

Detections
• Privilege escalation attempts
• Sensitive group modifications
• Kerberoasting activity
• DCSync indicators
• Cloud admin role changes
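Kerberoasting and DCSync indicators from the list above, as an added Python example (not from the original tool). The events are constructed to carry the fields of Windows Security events 4769 and 4662; the replication-right GUIDs and the RC4 encryption type value are the real ones, while account names, IP addresses and the set of domain controller accounts are assumptions:

```python
"""Ascend-phase detections from Windows Security events: Kerberoasting (4769)
and DCSync (4662). Added example for this page; the events are constructed
to mirror the fields the real events carry."""
import re
from collections import defaultdict

# Control-access rights on the domain object that replication (and DCSync) requires.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcaf",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcaf",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}
RC4_HMAC = "0x17"                           # TicketEncryptionType for RC4; AES is 0x11/0x12
GUID_RE = re.compile(r"([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})")
DOMAIN_DNS = "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}"   # ObjectType of the domain object
DC_ACCOUNTS = {"DC01$", "DC02$"}             # assumed: your domain controllers' machine accounts

# Constructed sample events (field names follow the Security log XML).
SAMPLE_EVENTS = (
    # jdoe pulls RC4 service tickets for six different SPN-bearing accounts in a burst
    [{"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": svc,
      "TicketEncryptionType": RC4_HMAC, "IpAddress": "10.0.5.23"}
     for svc in ("svc_sql", "svc_web", "svc_backup", "svc_sccm", "svc_adfs", "svc_exchange")]
    # ordinary traffic: an AES ticket, a machine-account service, and the TGS itself
    + [{"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "svc_sql",
        "TicketEncryptionType": "0x12", "IpAddress": "10.0.5.40"},
       {"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "SRV-FILE01$",
        "TicketEncryptionType": RC4_HMAC, "IpAddress": "10.0.5.40"},
       {"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "krbtgt",
        "TicketEncryptionType": RC4_HMAC, "IpAddress": "10.0.5.40"}]
    # 4662 on the domain object: a real DC replicating, a service account doing the same,
    # and an unrelated 4662 on a user object
    + [{"EventID": 4662, "SubjectUserName": "DC02$", "ObjectType": DOMAIN_DNS,
        "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcaf} {1131f6ad-9c07-11d1-f79f-00c04fc2dcaf}"},
       {"EventID": 4662, "SubjectUserName": "svc_backup", "ObjectType": DOMAIN_DNS,
        "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcaf} {1131f6ad-9c07-11d1-f79f-00c04fc2dcaf}"},
       {"EventID": 4662, "SubjectUserName": "jdoe", "ObjectType": "%{bf967aba-0de6-11d0-a285-00aa003049e2}",
        "Properties": "%%7688 {bf967a86-0de6-11d0-a285-00aa003049e2}"}]
)


def kerberoast_candidates(events, min_services=5):
    """Requesters of RC4 service tickets for many distinct service accounts.
    Machine accounts (name ends with $) and krbtgt are skipped: their keys are
    long and random, so they are not what an attacker cracks offline."""
    services = defaultdict(set)
    for e in events:
        if e.get("EventID") != 4769 or e.get("TicketEncryptionType") != RC4_HMAC:
            continue
        svc = e["ServiceName"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        services[e["TargetUserName"]].add(svc)
    return {user: len(s) for user, s in services.items() if len(s) >= min_services}


def dcsync_candidates(events, dc_accounts=DC_ACCOUNTS):
    """Principals other than domain controllers that exercised replication
    rights on the domain object; returns sorted unique account names."""
    hits = set()
    for e in events:
        if e.get("EventID") != 4662:
            continue
        guids = set(GUID_RE.findall(e.get("Properties", "").lower()))
        if guids & REPLICATION_RIGHTS and e["SubjectUserName"] not in dc_accounts:
            hits.add(e["SubjectUserName"])
    return sorted(hits)


if __name__ == "__main__":
    print("kerberoast:", kerberoast_candidates(SAMPLE_EVENTS))
    print("dcsync:", dcsync_candidates(SAMPLE_EVENTS))
```

Kerberoasting tooling can request AES tickets, so the RC4 filter is a strong signal rather than a complete one; the distinct-service count per requester is what carries the detection. For 4662 to exist at all, the domain object needs a SACL that audits control access, and domain controllers (and any legitimate replication accounts such as Azure AD Connect) must be excluded or the rule fires on every replication cycle.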
Questions to Ask
"Did you reach any real Admin positions?"
"Which privileged accounts were compromised?"

MITRE ATT&CK
Privilege Escalation (TA0004) • Credential Access (TA0006)
T1068 Exploitation for Privilege Escalation • T1548 Abuse Elevation Control Mechanism • T1003 OS Credential Dumping • T1558 Steal or Forge Kerberos Tickets

NIST CSF 2.0
PR.AA-01 Identity and Credential Management • PR.AA-05 Access Permissions / Least Privilege • DE.CM-03 Personnel Activity Monitoring

ISO 27001:2022
A.8.2 Privileged Access Rights • A.5.17 Authentication Information • A.5.18 Access Rights

CIS Controls v8
5.4 Restrict Administrator Privileges to Dedicated Accounts • 6.1 Access Granting Process • 5.2 Unique Passwords
04 RULE (R)
Access → Impact

Use that power to shape reality. The phase that should keep you up at night.

Key Question
What can we actually do?

Attacker Objectives
→ Quiet persistence (survive remediation)
→ Own production environments
→ Stage future extortion
→ Exfiltrate data
→ Deploy ransomware/wiper
→ Supply chain compromise

Controls (priority)
Immutable Backups: CRITICAL
Data Loss Prevention (DLP): CRITICAL
Data Access Analytics: HIGH
Incident Response Plan: HIGH
Egress Filtering: HIGH
Tested DR / BCP: MEDIUM

Detections
• Large external data transfers
• DNS tunneling patterns
• Shadow admin accounts
• Backup deletion/modification
• Unexpected certificate issuance
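Backup deletion/modification and DNS tunnelling from the detection list above, as an added Python example (not from the original tool). The recovery-tampering patterns are the commonly abused vssadmin, wmic, wbadmin and bcdedit invocations; the process events, host and user names, the query log and every threshold are constructed:

```python
"""Rule-phase detections: recovery tampering (ATT&CK T1490) in process command
lines, and a DNS-tunnelling heuristic over query logs. Added example for this
page; the events, names and thresholds are constructed."""
import hashlib
import re
from collections import defaultdict
from math import log2
from statistics import mean

# Command lines that remove or disable recovery; matched case-insensitively.
RECOVERY_TAMPER = {
    "vssadmin delete shadows":       re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "vssadmin resize shadowstorage": re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I),
    "wmic shadowcopy delete":        re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "wbadmin delete catalog":        re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I),
    "bcdedit disable recovery":      re.compile(
        r"bcdedit(\.exe)?.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I),
}

# Constructed process-creation events (Sysmon event 1 / Security 4688 shape).
PROC_EVENTS = [
    {"host": "WS-042", "user": "CORP\\jdoe", "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS-042", "user": "CORP\\jdoe", "cmd": "bcdedit /set {default} recoveryenabled No"},
    {"host": "SRV-FILE01", "user": "NT AUTHORITY\\SYSTEM", "cmd": "wbadmin delete catalog -quiet"},
    {"host": "SRV-FILE01", "user": "CORP\\backupadmin", "cmd": "vssadmin list shadows"},   # benign
]


def backup_tampering(events):
    """Return (host, user, rule_name) for every command line matching a tamper pattern."""
    hits = []
    for e in events:
        for name, pattern in RECOVERY_TAMPER.items():
            if pattern.search(e["cmd"]):
                hits.append((e["host"], e["user"], name))
    return hits


def shannon_entropy(s):
    """Bits per character: hex payload labels sit near 4, dictionary words far lower."""
    if not s:
        return 0.0
    freq = defaultdict(int)
    for ch in s:
        freq[ch] += 1
    return -sum(n / len(s) * log2(n / len(s)) for n in freq.values())


def dns_tunnel_candidates(queries, min_unique=30, min_label_len=20, min_entropy=3.0):
    """Return base domains (last two labels; public-suffix-aware code would do
    better) whose leftmost labels are numerous, long and high-entropy, the
    signature of data being chunked into subdomains."""
    by_base = defaultdict(list)
    for q in queries:
        labels = q.lower().rstrip(".").split(".")
        if len(labels) < 3:
            continue                       # no subdomain label to carry data
        by_base[".".join(labels[-2:])].append(labels[0])
    flagged = []
    for base, labels in by_base.items():
        unique = set(labels)
        if (len(unique) >= min_unique
                and mean(len(l) for l in unique) >= min_label_len
                and mean(shannon_entropy(l) for l in unique) >= min_entropy):
            flagged.append(base)
    return sorted(flagged)


# Constructed query log: ordinary lookups plus 40 encoded-chunk lookups under one domain
# (labels cut to 48 characters to stay under the 63-octet DNS label limit).
DNS_QUERIES = (
    ["www.example.com", "mail.corp.local", "sso.corp.local", "cdn.example.com"] * 20
    + [hashlib.sha256(str(i).encode()).hexdigest()[:48] + ".exfil.example" for i in range(40)]
)


if __name__ == "__main__":
    print("recovery tampering:", backup_tampering(PROC_EVENTS))
    print("dns tunnel candidates:", dns_tunnel_candidates(DNS_QUERIES))
```

Grouping on the last two labels is a simplification; a public-suffix list is needed for names such as example.co.uk. Entropy alone is not enough because CDN and cloud hostnames are long and random too, which is why the unique-label count and label length are combined with it. On the tampering side, `vssadmin list shadows` is deliberately not matched: enumerating snapshots is routine administration, deleting them is not.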
Questions to Ask
"If you chose to Rule today, what could you change or destroy?"
"What is the demonstrated business impact?"

MITRE ATT&CK
Collection (TA0009) • Exfiltration (TA0010) • Impact (TA0040)
T1486 Data Encrypted for Impact • T1490 Inhibit System Recovery • T1567 Exfiltration Over Web Service • T1495 Firmware Corruption

NIST CSF 2.0
PR.DS-01/02 Data at Rest / in Transit • PR.DS-11 Backups • RS.MA-01 Incident Response Plan Execution • RC.RP-01 Recovery Plan Execution

ISO 27001:2022
A.8.13 Information Backup • A.5.30 ICT Readiness for Business Continuity • A.8.12 Data Leakage Prevention

CIS Controls v8
11.2-11.4 Data Recovery (automated, protected, isolated backups) • 3.13 Data Loss Prevention • 17.1-17.9 Incident Response
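The roll-up the key questions ask for, "where are you in BEAR right now?", implemented as an added Python example (not part of the original tool) using exactly the tactic-to-phase mapping the four cards give. The alert set is constructed. Tactics the cards do not place (Reconnaissance, Resource Development, Defense Evasion, Command and Control) are reported as unmapped rather than forced into a phase, and phases earlier than the furthest one reached that have no evidence are reported as visibility gaps, since an attacker in Ascend must have Broken and Expanded whether or not the telemetry saw it:

```python
"""Roll an alert set up to the BEAR phase an intrusion has reached, using the
ATT&CK tactic-to-phase mapping from the four cards. Added example for this
page; the alerts are constructed."""

PHASES = ["B", "E", "A", "R"]
PHASE_NAMES = {"B": "Break", "E": "Expand", "A": "Ascend", "R": "Rule"}
QUESTIONS = {"B": "Did they get in?", "E": "How far did they move?",
             "A": "Did they get real power?", "R": "What can they do now?"}

# Tactic -> phase, as the cards map them. Anything else is reported as unmapped.
TACTIC_TO_PHASE = {
    "TA0001": "B", "TA0002": "B",
    "TA0007": "E", "TA0008": "E", "TA0003": "E",
    "TA0004": "A", "TA0006": "A",
    "TA0009": "R", "TA0010": "R", "TA0040": "R",
}

# Constructed alert set: external exploit, lateral movement, credential dump,
# and a C2 beacon (Command and Control, TA0011, which the cards do not place).
ALERTS = [
    {"id": "a1", "host": "WEB01", "tactic": "TA0001", "technique": "T1190"},
    {"id": "a2", "host": "WEB01", "tactic": "TA0008", "technique": "T1021"},
    {"id": "a3", "host": "SRV-FILE01", "tactic": "TA0006", "technique": "T1003"},
    {"id": "a4", "host": "WEB01", "tactic": "TA0011", "technique": "T1071"},
]


def bear_status(alerts):
    """Return the furthest phase reached, per-phase evidence (alert ids),
    earlier phases with no evidence (visibility gaps), unmapped alerts, and
    an answer to each of the four questions."""
    evidence = {p: [] for p in PHASES}
    unmapped = []
    for a in alerts:
        phase = TACTIC_TO_PHASE.get(a["tactic"])
        if phase is None:
            unmapped.append(a["id"])
        else:
            evidence[phase].append(a["id"])
    reached = [p for p in PHASES if evidence[p]]
    furthest = max(reached, key=PHASES.index) if reached else None
    gaps = [] if furthest is None else [p for p in PHASES[:PHASES.index(furthest)] if not evidence[p]]

    def answer(p):
        if evidence[p]:
            return "observed"
        if furthest is not None and PHASES.index(p) < PHASES.index(furthest):
            return "inferred (no evidence)"    # later phase seen, so this one happened unseen
        return "no evidence"

    return {"furthest": furthest, "evidence": evidence, "gaps": gaps,
            "unmapped": unmapped, "answers": {QUESTIONS[p]: answer(p) for p in PHASES}}


if __name__ == "__main__":
    status = bear_status(ALERTS)
    print("Furthest phase:", PHASE_NAMES.get(status["furthest"], "none"))
    for q, a in status["answers"].items():
        print(f"  {q} {a}")
    print("gaps:", status["gaps"], "unmapped:", status["unmapped"])
```

The gap list is the useful output for an incident lead: a single Impact alert with nothing before it does not mean the attacker skipped Break, Expand and Ascend, it means those phases were not seen, and the entry vector question on the Break card is still open.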
BEAR Framework concept by Ivan Novikov (Wallarm). Interactive tool built by Christopher Six.