578.2 Flashcards
Kill Chain phases
1: Reconnaissance and Precursors
2: Weaponization
3: Delivery
4: Exploitation
5: Installation
6: Command and Control (C2)
7: Actions on Objectives
What is the Kill Chain
- Deterministic process
- Describes stages of a single intrusion
- “Compromise” is successful completion
- Seven stages to defend
KC - 1: Recon / Precursors
- Tasking
- Acquisition of tools
- Acquisition of infrastructure
- Identification of targets
- Organizational research
KC - 2: Weaponization
- Configuring (Backdoors, Droppers)
- Packaging (Container, Exploit, First-stage binary)
KC - 3: Delivery
- Mechanism by which the payload gets to the target
- Protocol-based (SMTP, HTTP)
- Media-based (USB, CD / DVD)
KC - 4: Exploitation
Disposition / Execution of exploit
KC - 5: Installation
- Associated with persistence and invocation
- Droppers
KC - 6: Command and Control (C2)
Associated with establishing communications
KC - 7: Actions on Objectives
- Commands executed
- Additional tools transferred to the victim to facilitate on-system or on-network objectives
- Files exfiltrated
- Files modified
Four vertices of the Diamond Model
Adversary
Capability / TTP
Victim
Infrastructure
DM - Adversary
Any data related to perpetrators such as:
- Online presence
- Accounts
- Intent
- Human Choices
Individual or group behind an event. Two types:
- Adversary Operator (executing the action)
- Adversary Customer (benefits from the action)
DM - Capability / TTP
Tools employed, techniques demonstrated:
- Exploits
- Backdoors
- Methods for staging data
- Situational awareness
DM - Infrastructure
Any vehicle for delivering capabilities
DM - Victim
The victim is the recipient of the capabilities, deployed across infrastructure by the adversary. It can be:
- Networks
- Systems
- People
- Organizations
CoA
Course of Action. It helps answer:
- What is “action” in actionable indicators
- What options are available?
- How resilient am I?
- What capabilities do I lack?
- Where do I focus investment? Research?
The CoA is the network defender's complement to the KC: the actions available to defenders at each phase.