(9) Frameworks Of Attack Flashcards
What is the MITRE ATT&CK Framework?
MITRE ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge: a knowledge base of adversary tactics and techniques.
It is a set of matrices that includes descriptions, definitions, the complete threat life cycle, and more.
It lists techniques and their components, so threat assessment and modeling can draw on common descriptions and information.
What do the ATT&CK matrices include?
The ATT&CK matrices include a pre-attack matrix and enterprise matrices covering Windows, macOS, Linux, cloud computing, networking, and containers.
There are also matrices for mobile devices and industrial control systems.
Each matrix includes details of mitigations, threat actor groups, software, and a host of other useful information.
What is the Diamond Model of Intrusion Analysis?
The Diamond Model of Intrusion Analysis describes a sequence in which an adversary deploys a capability over an infrastructure against a victim.
Activities are called events, and analysts label the vertices of each event as they find or discover them.
The model is meant to help analysts uncover more information by focusing on the relationships between elements, following the edges between events.
Within the Diamond Model, describe the Core Features term
The Core Features of an event are the adversary, capability, infrastructure, and victim.
Within the Diamond Model, describe the Meta-Features
The Meta-Features are start and end timestamps, phase, result, direction, methodology, and resources. They are used to create an activity thread and to group events based on their features.
Within the Diamond Model, what is the confidence value?
The confidence value is not formally defined; analysts determine it based on their own work.
What does the Diamond Model focus on?
The Diamond Model focuses heavily on understanding the bad actor and their motivations, and then uses the relationships between these items to enable security analysts to understand the threat and consider what other data or information they may need to obtain or already have at their disposal.
What is the Lockheed Martin Cyber Kill Chain?
The cyber kill chain is a seven-stage process made up of these steps:
- Reconnaissance
- Weaponization
- Delivery
- Exploitation
- Installation
- Command-and-Control (C2)
- Actions on Objectives
Within the Cyber Kill Chain, describe stage 1: Reconnaissance
Reconnaissance is about identifying targets. Adversaries plan their attacks and gather information about the target, both from open source intelligence and by obtaining information directly, such as data that comes from scanning.
Defenders need to prioritize their defenses based on the information they gather.
Within the Lockheed Martin Cyber Kill Chain, describe stage 2, weaponization
Weaponization is about building or acquiring a weaponizer that combines malware and an exploit into a payload that can be delivered to a target.
Defenders need to conduct a full analysis of the malware to determine what payload is dropped and how the weaponized exploit was built.
Defenders should also put together detections for weaponizers, check the difference between when malware was created and when it was used, and collect files and metadata to help them see whether the tools are widely shared or closely held and narrowly targeted.
Within the Lockheed Martin Cyber Kill Chain, describe the third stage, Delivery
Delivery is about the adversary deploying their tool directly against the target, or releasing it in a way that relies on staff at the target interacting with it, such as via e-mail, USB media, or websites.
Defenders have to observe how the attack was delivered and what was targeted, and then determine what the adversary intended to accomplish. Retaining logs is important, as defenders need them to reconstruct what happened.
Within the Lockheed Martin Cyber Kill Chain, describe the fourth stage, exploitation
Exploitation is about exploiting a software, hardware, or human vulnerability to gain access. Zero-day exploits can be involved here, and exploits can be triggered either by the adversary or by the target's own staff.
Defense is about user awareness of the threat, secure coding, vulnerability scanning, pentesting, endpoint hardening, and similar measures to make sure the organization has a strong security posture and a small attack surface.
Within the Lockheed Martin Cyber Kill Chain, describe the 5th stage, installation
Installation is about establishing persistent backdoor access for the attacker. Defenders need to look for artifacts such as persistent remote shells and other remote access methods.
Within the Lockheed Martin Cyber Kill Chain, describe the 6th stage, Command and Control (C2)
Command and Control (C2) is about two-way communication with, and continued control of, the compromised system.
Defenders aim to detect C2 infrastructure by hardening the network, deploying detection capabilities, and conducting ongoing research to stay aware of new methods.
Within the Lockheed Martin Cyber Kill Chain, describe the 7th stage, Actions on Objectives
This is where the adversary achieves what they set out to do. They collect credentials, escalate privileges, move laterally through the environment, and take data. They may also tamper with or damage the data.
To defend against this, incident response playbooks have to be prepared, data has to be captured, alerts have to be responded to, and the damage caused by the attackers has to be assessed.