Understanding Attack Frameworks
What is an Attack Framework?
Simply put, an attack framework is a model of how cyberattacks are planned and carried out: a structured description of the steps an adversary takes against computer systems and networks.
Attack frameworks outline and standardize the tactics, techniques, and procedures (TTPs) that adversaries use. The goal is to understand how attackers operate so that defenders can spot an intrusion earlier and reduce the impact of future attacks. In this post, I've included some popular attack frameworks and terms that come up often when discussing threats and threat actors.
What is a Cyber Kill Chain?
The term kill chain comes from the military, where it describes the structure of an attack from target selection through to the target's destruction. The cyber kill chain borrows this format because an intrusion follows a similar sequence of stages.
A military kill chain usually runs:
- Identification of a target
- Dispatching forces or resources to the target
- The decision to attack and the order to engage
- Destruction of the target
The cyber kill chain was first developed by Lockheed Martin and follows a similar order from start to finish:
- Reconnaissance: researching, identifying, and selecting targets
- Weaponization: malware, such as a remote access trojan (RAT), is embedded in a deliverable payload such as a Microsoft Office document
- Delivery: the payload is transmitted to the target; malware is often delivered as an attachment to a phishing email
- Exploitation: after the weapon is delivered, it activates and triggers the exploit. Exploits often target a vulnerability in an application or the operating system
- Installation: the exploit installs a RAT or a backdoor on the attacked system, which allows the attacker to maintain persistence inside the exploited environment
- Command and Control (C2): the infected system sends a beacon to an Internet-facing server controlled by the attacker. This establishes the C2 channel, giving the attacker hands-on access to the infected system
- Actions on Objectives: the attacker begins taking action to achieve their ultimate goals. This could be deploying ransomware, or collecting, encrypting, and exfiltrating data from the infected environment
The defensive value of the model is that every phase is an opportunity to detect or disrupt the attack: breaking any one link stops the intrusion, and the earlier the link is broken, the less damage there is to clean up.
What is the Diamond Model of Intrusion Analysis?
The Diamond Model of Intrusion Analysis is a framework that focuses on understanding the attacker by analyzing four key components (the vertices of the diamond) of every intrusion event.
These four components are:
- Adversary: the person or group behind the intrusion, identified by email addresses, handles used on online forums, membership in a known advanced persistent threat (APT) group, and other identifiers
- Capability: the malware, exploits, and other tools used in the intrusion
- Infrastructure: the Internet domain names, email addresses, and IP addresses the adversary uses to deliver and control the capability
- Victim: identified by name, email address, or network identifiers such as hostnames and IP addresses
The model's core axiom is that every intrusion event has an adversary that uses a capability over some infrastructure against a victim.
These components can be mapped onto the phases of the cyber kill chain: the same adversary performs reconnaissance, delivers a weapon, exploits a vulnerability, and so on through the chain.
The capability, infrastructure, and victim may change from phase to phase, but the adversary remains the same. Analyzing these components across multiple intrusions reveals the overlaps (shared infrastructure, reused tooling) that let analysts link separate incidents to one adversary.
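To make the kill chain and Diamond vocabulary concrete, here is an added example (my own illustration, not code from the Diamond Model paper or from any tool). Each intrusion event is stored as its four vertices plus the kill chain phase it sits in; one victim's events are ordered into an activity thread, and events are pivoted on shared infrastructure or capability so that an incident logged with an unknown adversary can be tied to a known one. All group names, domains, addresses and tool names are constructed sample data, not real threat intelligence.

```python
"""Diamond-model event records pivoted across intrusions (added example).

Every intrusion event is recorded as the four Diamond vertices plus the
kill chain phase, and a pivot over shared infrastructure or capability
links events whose adversary was not known at collection time.  All
indicators below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass
from itertools import combinations

KILL_CHAIN = [
    "reconnaissance", "weaponization", "delivery", "exploitation",
    "installation", "command_and_control", "actions_on_objectives",
]


@dataclass(frozen=True)
class DiamondEvent:
    event_id: str
    phase: str            # one of KILL_CHAIN
    adversary: str        # "unknown" when only the other vertices were observed
    capability: str       # malware family, exploit or tool (constructed names)
    infrastructure: str   # domain, IP or mail address used by the adversary
    victim: str           # targeted organisation or host

    def __post_init__(self):
        if self.phase not in KILL_CHAIN:
            raise ValueError(f"unknown kill chain phase: {self.phase}")


# Constructed events from three incidents.  Incident B was reported with an
# unknown adversary; it shares a dropper and a C2 host with incident A.
EVENTS = [
    DiamondEvent("A-1", "delivery", "GROUP-X", "maldoc-dropper", "mail.example-lure.test", "victim-alpha"),
    DiamondEvent("A-2", "installation", "GROUP-X", "rat-family-1", "198.51.100.7", "victim-alpha"),
    DiamondEvent("A-3", "command_and_control", "GROUP-X", "rat-family-1", "cdn.example-c2.test", "victim-alpha"),
    DiamondEvent("B-1", "delivery", "unknown", "maldoc-dropper", "mail.other-lure.test", "victim-bravo"),
    DiamondEvent("B-2", "command_and_control", "unknown", "rat-family-1", "cdn.example-c2.test", "victim-bravo"),
    DiamondEvent("C-1", "exploitation", "unknown", "cve-exploit-kit", "203.0.113.9", "victim-charlie"),
]


def activity_thread(events, victim):
    """Return one victim's events ordered by kill chain phase."""
    return sorted((e for e in events if e.victim == victim),
                  key=lambda e: KILL_CHAIN.index(e.phase))


def pivot_links(events, vertices=("infrastructure", "capability")):
    """Link pairs of events sharing a value on any given vertex.

    Returns {(event_id_a, event_id_b): {vertex: shared_value, ...}}.
    """
    index = defaultdict(set)
    for e in events:
        for v in vertices:
            index[(v, getattr(e, v))].add(e.event_id)
    links = defaultdict(dict)
    for (v, value), ids in index.items():
        for a, b in combinations(sorted(ids), 2):
            links[(a, b)][v] = value
    return dict(links)


def attribute_unknowns(events):
    """Propagate a known adversary onto 'unknown' events linked by a pivot.

    Shared infrastructure is treated as strong evidence; a shared capability
    alone is only a lead, because tools are bought, stolen and reused.
    """
    by_id = {e.event_id: e for e in events}
    result = {}
    for (a, b), shared in pivot_links(events).items():
        ea, eb = by_id[a], by_id[b]
        known, unknown = (ea, eb) if ea.adversary != "unknown" else (eb, ea)
        if known.adversary == "unknown" or unknown.adversary != "unknown":
            continue
        confidence = "high" if "infrastructure" in shared else "lead"
        prev = result.get(unknown.event_id)
        if prev is None or (confidence == "high" and prev[1] != "high"):
            result[unknown.event_id] = (known.adversary, confidence)
    return result


if __name__ == "__main__":
    for e in activity_thread(EVENTS, "victim-alpha"):
        print(f"{e.phase:<22} {e.capability:<16} {e.infrastructure}")
    for ev, (adv, conf) in sorted(attribute_unknowns(EVENTS).items()):
        print(f"{ev}: likely {adv} ({conf})")
```

Phase is one of the meta-features the Diamond Model attaches to an event, which is what lets one model serve both sections above. The confidence split in attribute_unknowns is deliberate: a shared C2 host is hard for an adversary to fake, while a shared dropper family may simply mean two groups bought the same tool, so it is reported as a lead rather than an attribution.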
What is MITRE ATT&CK?
The MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework is a knowledge base of adversary tactics and techniques based on real-world observations.
Tactics represent the adversary's tactical objective, the reason for performing an action (the "why").
Techniques describe how an adversary achieves a tactical objective by performing an action (the "how"); many techniques are further broken down into sub-techniques.
MITRE ATT&CK is complementary to Lockheed Martin's cyber kill chain, but it isn't an ordered set of steps like the kill chain.
Instead, it's a matrix of tactics and techniques used by attackers at different stages of an attack. The tactic columns are laid out roughly in attack order, but an adversary need not use every column or visit them in sequence.
The tactics in the current Enterprise matrix are:
- Reconnaissance
- Resource development
- Initial access
- Execution
- Persistence
- Privilege escalation
- Defense evasion
- Credential access
- Discovery
- Lateral movement
- Collection
- Command and control
- Exfiltration
- Impact
The matrix lists the tactics along the top; each tactic column lists the techniques that can be used to achieve that tactic. A single technique can appear under more than one tactic when it serves more than one objective.
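As an added example (not MITRE's code and not from the original post), the script below builds a small slice of the Enterprise matrix, runs a handful of detection rules over process-creation log lines, and reports per tactic column which techniques have a rule, which were actually observed, and which are blind spots. The technique IDs and tactic assignments are MITRE's; the rules, regexes and log lines are assumptions constructed for illustration, and a real deployment would load the full matrix from the STIX data MITRE publishes.

```python
"""Mapping detections onto ATT&CK tactic columns (added example).

The technique table is a hand-picked subset of the Enterprise matrix using
MITRE's own IDs and tactic assignments.  The detection rules and the log
lines are constructed for this example and are not real telemetry.
"""
import re

# Tactic columns in the order the Enterprise matrix shows them.
TACTICS = [
    "reconnaissance", "resource-development", "initial-access", "execution",
    "persistence", "privilege-escalation", "defense-evasion", "credential-access",
    "discovery", "lateral-movement", "collection", "command-and-control",
    "exfiltration", "impact",
]

# Subset of techniques; a technique may sit in more than one column.
TECHNIQUES = {
    "T1566": ("Phishing", ["initial-access"]),
    "T1059": ("Command and Scripting Interpreter", ["execution"]),
    "T1547": ("Boot or Logon Autostart Execution", ["persistence", "privilege-escalation"]),
    "T1548": ("Abuse Elevation Control Mechanism", ["privilege-escalation", "defense-evasion"]),
    "T1070": ("Indicator Removal", ["defense-evasion"]),
    "T1003": ("OS Credential Dumping", ["credential-access"]),
    "T1082": ("System Information Discovery", ["discovery"]),
    "T1021": ("Remote Services", ["lateral-movement"]),
    "T1560": ("Archive Collected Data", ["collection"]),
    "T1071": ("Application Layer Protocol", ["command-and-control"]),
    "T1041": ("Exfiltration Over C2 Channel", ["exfiltration"]),
    "T1486": ("Data Encrypted for Impact", ["impact"]),
}

# Constructed detection rules: regex over a command line -> technique ID.
RULES = [
    (re.compile(r"powershell(\.exe)?\s+.*-(enc|encodedcommand)\b", re.I), "T1059"),
    (re.compile(r"reg(\.exe)?\s+add\s+.*\\CurrentVersion\\Run\b", re.I), "T1547"),
    (re.compile(r"wevtutil(\.exe)?\s+cl\b", re.I), "T1070"),
    (re.compile(r"(procdump.*lsass|comsvcs\.dll.*MiniDump)", re.I), "T1003"),
    (re.compile(r"\bsysteminfo(\.exe)?\b", re.I), "T1082"),
    (re.compile(r"psexec(\.exe)?\s+\\\\", re.I), "T1021"),
]

# Constructed process-creation events (not real telemetry).
SAMPLE_LOG = """\
host1 CommandLine: powershell.exe -nop -w hidden -enc SQBFAFgAIAAo
host1 CommandLine: systeminfo
host1 CommandLine: reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v upd /t REG_SZ /d C:\\Users\\Public\\u.exe
host1 CommandLine: rundll32.exe C:\\Windows\\System32\\comsvcs.dll, MiniDump 624 C:\\Temp\\l.dmp full
host2 CommandLine: psexec.exe \\\\host3 -s cmd.exe
host3 CommandLine: wevtutil cl Security
host1 CommandLine: notepad.exe C:\\Users\\alice\\notes.txt
"""


def build_matrix(techniques=TECHNIQUES):
    """Return {tactic: [technique_id, ...]} with columns in matrix order."""
    matrix = {t: [] for t in TACTICS}
    for tid, (_, tactics) in techniques.items():
        for t in tactics:
            matrix[t].append(tid)
    return matrix


def map_log(log_text, rules=RULES):
    """Apply every rule to every line; return [(line_no, technique_id), ...]."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        for pattern, tid in rules:
            if pattern.search(line):
                hits.append((n, tid))
    return hits


def tactic_summary(hits, rules=RULES, techniques=TECHNIQUES):
    """Per tactic column: techniques with a rule, techniques observed, blind spots."""
    covered = {tid for _, tid in rules}
    observed = {tid for _, tid in hits}
    summary = {}
    for tactic, tids in build_matrix(techniques).items():
        summary[tactic] = {
            "rules": sorted(t for t in tids if t in covered),
            "observed": sorted(t for t in tids if t in observed),
            "blind": sorted(t for t in tids if t not in covered),
        }
    return summary


if __name__ == "__main__":
    hits = map_log(SAMPLE_LOG)
    for n, tid in hits:
        print(f"line {n}: {tid} {TECHNIQUES[tid][0]}")
    for tactic, s in tactic_summary(hits).items():
        print(f"{tactic:<22} rules={s['rules']} observed={s['observed']} blind={s['blind']}")
```

Two things the output makes visible that the prose does not: T1547 shows up under both persistence and privilege escalation from a single rule, because the matrix places it in both columns, and the initial-access and command-and-control columns come back with no rule at all, which is exactly the kind of coverage gap this mapping exercise is meant to surface.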
MITRE is a not-for-profit organization that operates federally funded research and development centers, including work in cybersecurity.
They also maintain the Common Vulnerabilities and Exposures (CVE) system and the Common Weakness Enumeration (CWE) project.
- CVE has become the standard for naming publicly known vulnerabilities and exposures, and is the identifier the Security Content Automation Protocol (SCAP) uses when referring to vulnerabilities.
- The CWE project catalogs hundreds of categories of software and hardware weaknesses, and security tooling such as static analyzers maps its findings to CWE identifiers to help identify, fix, and prevent each class of issue.