Keep saying, the data is a greatest asset of any institution. What is data, why is it so important to keep your data away from bad actors? Data is information that can be stored, transferred or transformed to any machine or human readable form. This contains all of information related to company assets, processes and mechanisms, clients and employees, history and finance. Keeping some kinds of data safe, unreachable for a competitor or bad actor is a vital for company to exists and to be functional. Saying about security means protecting information on rest, while stored inside datacenters, and on transit between any location. To do so, it is important to understand the way how an attacker may compromise your information and stole it. Security specialists leverage cyberattack frameworks to protect and eliminate threads.
Looking for comprehensive way to describe and mitigate cyberattack, the three most common frameworks comes to mind.
Kill Chain
First and the most known one is Kill Chain. It’s been around for a long time. A model developed by Lockheed Martin that describes the stages by which a threat actor progresses a network intrusion:
- Reconnaissance. The attacker determines what methods to use to complete the phases of the attack
- Weaponization. The attacker couples payload code that will enable access with exploit code that will use a vulnerability to execute on the target system
- Delivery. The attacker identifies a vector by which to transmit the weaponized code to the target environment
- Exploitation. The weaponized code is executed on the target system by this mechanism
- Installation. This mechanism enables the weaponized code to run a remote access tool and achieve persistence on the target system
- Command & Control (C2). The weaponized code establishes an outbound channel to a remote server that can then be used to control the remote access tool and possibly download additional tools to progress the attack
- Actions on Objectives
- The attacker typically uses the access he has achieved to covertly collect information from target systems and transfer it to a remote system (data exfiltration) or achieve other goals and motives
- Kill chain analysis can be used to identify a defensive course-of-action matrix to counter the progress of an attack at each stage.
The Kill Chain mostly describes an sequence of actions to get into victim’s infrastructure. The approach most likely describes what point of kill chain the attacker is and how far did he actually (might) go. Using the approach it might be possible to qualify what stage the attack is and define the best approach to prevent the thread spreading across the infrastructure.
MITRE ATT&CK Framework
ATT&CK framework is more about specific techniques and methods. A knowledge base maintained by the MITRE Corporation for listing and explaining specific adversary tactics, techniques, and common knowledge or procedures. The pre-ATT&CK tactics matrix aligns to the reconnaissance and weaponization phases of the kill chain.
The model presented by ATT&CK contains the following components:
- Tactics and tactical adversary goals during an attack (the columns)
- Techniques describing the means by which adversaries achieve tactical goals (the individual cells)
- Documented adversary procedures and usage of techniques (linked to techniques).
| Tactics | Techniques | Behavior |
| Reconnaissance | Active scanning, phishing, social media, open-source intelligence. | The adversary is trying to gather information they can use to plan future operations. |
| Resource Development | Botnet, web service, malware, tooling, etc. | The adversary is trying to establish resources they can use to support operations. |
| Initial Access | Exploit public-facing apps, default accounts, ports exposed, etc. | The adversary is trying to get into your network. |
| Execution | Payload, command interpreter, PowerShell, python, native api, malicious links, payload, etc. | The adversary is trying to run malicious code. |
| Persistence | Local account, registry and start-up, launch agent, etc. | The adversary is trying to maintain their foothold. |
| Privilege Escalation | Bypass user account, elevated execution, token manipulation and etc. | The adversary is trying to gain higher-level permissions. |
| Defense Evasion | Token impersonation, hijack execution flow and others | The adversary is trying to avoid being detected. |
| Credential Access | Brute force, password cracking and spraying, wed cookies, input capture and etc. | The adversary is trying to steal account names and passwords. |
| Discovery | Locate account, email, database, cloud storage discovery, system owner/user discovery and so on | The adversary is trying to figure out your environment. |
| Lateral Movement | Exploitation, lateral tool transfer, SSH, DRP, remote control, pass and hash | The adversary is trying to move through your environment. |
| Collection | MITM, ARP poisoning, archive collected data, automation, dumps, input capture, api hooking and etc. | The adversary is trying to gather data of interest to their goal. |
| Command $ Control (C2) | App layer protocols, removable media, encoding, ingress tool transfer, proxy, sockets, web services and others | The adversary is trying to communicate with compromised systems to control them. |
| Exfiltration | Automated exfiltration; exfiltration over network, C2, non-C2 protocols, Bluetooth; transfer data to cloud | The adversary is trying to steal data. |
| Impact | Account access removal, data encrypted, data manipulation, disk wipe, endpoint denial, service stop and others | The adversary is trying to manipulate, interrupt, or destroy your systems and data. |
Unlike Kill Chain, MITRE ATT&CK goes into much more depth on how each stage is conducted through ATT&CK tactics and techniques. The framework bases on real tactics and metrics done by hundreds of cybersecurity group all over the world. This is regularly updated with industry input to keep up with the latest techniques so defenders update their own practices and attack modeling regularly.
Diamond Model of Intrusion Analysis
Despite of previous two, The Diamon Model is method of thread intelligence. A framework for analyzing cybersecurity incidents and intrusions by exploring the relationships between four core features: adversary (criminal), victim, capability (malware, payload, stolen data) and infrastructure (victim’s machine, IP address, DNS). More like manner of forensics of real crime, where the adversary is a criminal and capability is an instrument of crime, infrastructure is place where the action done.
The main goal of intrusion analysis is establishing of relationship between all of components of the model. It makes possible to predict attack vector and prevent the attack from spreading. And finally, locate and isolate the bad actor.
Summarizing
Threat hunting relies on the usage of the tools developed for regular security monitoring and incident response like analyze network traffic, analyze the executable process list and investigation of other infected host, identify how the malicious process was executed.
Threat hunting consumes a lot of resources and time to conduct, but can yield a lot of benefits:
- improve detection capabilities
- integrate intelligence
- reduces attack surface
- block attack vectors
- identify critical assets.
All of these three models described above are incredibly important while mitigating cyber security risks, preventing an attack spreading across workloads, predicting the next steps of an adversary and most likely neutralize a thread.
Be an ethical,
save your privacy!