Professional Documents
Culture Documents
CHAIN
KELVIN AGAJE
INTRODUCTION
• The cyber kill chain helps understand and predict different stages of a cyberattack. Knowing how
hackers work enables a company to select the right tools and strategies to limit breaches, respond to in-
progress attacks, and minimize risks.
• The cyber kill chain (CKC) is a classic cybersecurity model developed by the computer security incident
response (CSIRT) team at Lockheed Martin. The purpose of the model is to better understand the stages
an attack must go through to conduct an attack, and help security teams stop an attack at each stage.
• The kill chain model describes an attack by an external attacker attempting to gain access to data or
assets inside the security perimeter. The attacker performs reconnaissance, intrusion of the security
perimeter, exploitation of vulnerabilities, gaining and escalating privileges, lateral movement to gain
access to more valuable targets, attempts to obfuscate their activity, and finally exfiltrate data from the
organization.
MITRE ATT&CK®
KILL CHAIN
WHAT IS MITRE ATT&CK® ?
• The MITRE ATT&CK™ framework is a comprehensive matrix of tactics and techniques used by threat
hunters, red teamers, and defenders to better classify attacks and assess an organization's risk.
• The aim of the framework is to improve post-compromise detection of adversaries in enterprises by
illustrating the actions an attacker may have taken. How did the attacker get in? How are they moving
around? The knowledge base is designed to help answer those questions that while contributing to the
awareness of an organization’s security posture at the perimeter and beyond. Organizations can use the
framework to identify holes in defenses, and prioritize them based on risk.
• MITRE ATT&CK was created in 2013 as a result of MITRE's Fort Meade Experiment (FMX) where
researchers emulated both adversary and defender behavior in an effort to improve post-compromise
detection of threats through telemetry sensing and behavioral analysis. The key question for the
researchers was "How well are we doing at detecting documented adversary behavior?" To answer that
question, the researchers developed ATT&CK, which was used as a tool to categorize adversary
behavior.
WHAT IS IN THE MITRE ATT&CK MATRIX?
• The MITRE ATT&CK matrix contains a set of techniques used by adversaries to accomplish a specific objective. Those
objectives are categorized as tactics in the ATT&CK Matrix. The objectives are presented linearly from the point of
reconnaissance to the final goal of exfiltration or "impact". Looking at the broadest version of ATT&CK for
Enterprise, which includes Windows, MacOS, Linux, AWS, GCP, Azure, Azure AD, Office 365, SaaS, and Network
environments, the following adversary tactics are categorized:
• The adversary is trying to gather information they can use to plan future operations. Reconnaissance
consists of techniques that involve adversaries actively or passively gathering information that can
be used to support targeting. Such information may include details of the victim organization,
infrastructure, or staff/personnel. This information can be leveraged by the adversary to aid in other
phases of the adversary lifecycle, such as using gathered information to plan and execute Initial
Access, to scope and prioritize post-compromise objectives, or to drive and lead further
Reconnaissance efforts.
Reconnaissance Techniques
• Active Scanning • Gather Victim Host Information • Gather Victim Identity
Information
• Gather Victim Network • Phishing for Information • Gather Victim Org Information
Information
RESOURCE DEVELOPMENT
• The adversary is trying to establish resources they can use to support operations.
• Resource Development consists of techniques that involve adversaries creating, purchasing, or
compromising/stealing resources that can be used to support targeting. Such resources include
infrastructure, accounts, or capabilities. These resources can be leveraged by the adversary to aid in
other phases of the adversary lifecycle, such as using purchased domains to support Command and
Control, email accounts for phishing as a part of Initial Access, or stealing code signing certificates to
help with Defense Evasion.
Execution Techniques
• Exploitation for Client • Scheduled Task/Job • Command and Scripting
Execution Interpreter
PERSISTENCE
Persistence Techniques
• Browser Extensions • Boot or Logon Autostart • Account Manipulation
Execution
PRIVILEGE ESCALATION
Exfiltration Techniques
• Automated Exfiltration • Transfer Data to Cloud • Data Transfer Size Limits
Account
IMPACT
• The adversary is trying to manipulate, interrupt, or destroy your systems and data.
• Impact consists of techniques that adversaries use to disrupt availability or compromise integrity by
manipulating business and operational processes. Techniques used for impact can include
destroying or tampering with data. In some cases, business processes can look fine, but may have
been altered to benefit the adversaries’ goals. These techniques might be used by adversaries to
follow through on their end goal or to provide cover for a confidentiality breach.