Security Operations
Cyber Security Operations
Learning objectives
Understand the technical details of threats and threat actors.
Be familiar with the well-known attack frameworks: the Cyber Kill Chain and MITRE ATT&CK.
Be able to apply the cyber kill chain to analyze threats or incidents.
The Cyber Kill Chain
https://www.lockheedmartin.com/content/dam/lockheed-martin/rms/documents/cyber/LM-White-Paper-Intel-Driven-Defense.pdf
Steps of the Cyber Kill Chain®
Developed by Lockheed Martin to identify and prevent cyber intrusions.
The steps of the Cyber Kill Chain help analysts understand the tactics, techniques, and procedures of threat actors.
The threat actor gains more access to the target as they progress through the steps.
The defender's goal is to stop them as early in the chain as possible to limit the damage done.
The Cyber Kill Chain: Reconnaissance
Reconnaissance is when the threat actor performs research, gathers intelligence, and selects targets.
Organizations expose useful information through their websites, public-facing network devices, news articles, conference proceedings, and social media outlets.
The Cyber Kill Chain: Weaponization
Weaponization uses the vulnerability information gathered during reconnaissance to select or develop a weapon against specific targeted systems in the organization, typically by coupling an exploit with a backdoor (such as a remote access trojan) into a deliverable payload.
The Cyber Kill Chain: Delivery
Delivery is when the threat actor transmits the weapon to the target environment, for example through a website, removable USB media, or an email attachment.
The Cyber Kill Chain: Exploitation
Exploitation is when the weapon is triggered: the exploit code executes against the vulnerability (in an application, the operating system, or the user) and the threat actor gains control of the target.
The Cyber Kill Chain: Installation
Installation is when the threat actor establishes a backdoor on the system (for example a persistence mechanism or a remote access trojan) to allow continued access to the target.
The Cyber Kill Chain: Command and Control
Command and Control (CnC or C2) is when the threat actor uses a channel to an outside server to manipulate the target by issuing commands to the software they installed on it.
The Cyber Kill Chain: Actions on Objectives
Actions on Objectives is the final step of the kill chain, when the attacker achieves the objective of the attack.
Objectives include data theft, launching a DDoS attack, or using the compromised network to generate and send spam.
By this point the threat actor is deeply rooted in the organization's systems and may be extremely difficult to remove from the network.
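The following is an added example (not part of these slides or the Lockheed Martin paper) of applying the kill chain to an incident: a constructed timeline of SOC events is mapped onto the seven phases through an assumed category-to-phase table, ordered by the chain, and summarized as the earliest phase at which the defender had visibility plus the earlier phases for which no evidence has been found yet (the analyst's hunting leads). The event categories, hosts, timestamps and addresses are constructed for illustration.

```python
"""Map a constructed incident timeline onto the seven Cyber Kill Chain phases.

Added example: not from the slides or the Lockheed Martin paper. The event
categories are labels a SOC might assign (assumed), and the timeline itself is
constructed for illustration.
"""
from dataclasses import dataclass

# The seven phases, in chain order (Lockheed Martin's model).
PHASES = [
    "Reconnaissance",
    "Weaponization",
    "Delivery",
    "Exploitation",
    "Installation",
    "Command and Control",
    "Actions on Objectives",
]

# Weaponization happens on the adversary's side; a defender sees it only through
# artifacts of the delivered weapon, so its absence from a timeline is expected
# and is not reported as an evidence gap.
NOT_DIRECTLY_OBSERVABLE = {"Weaponization"}

# Assumed mapping from a SOC event category to a kill chain phase.
CATEGORY_TO_PHASE = {
    "web_scrape_of_staff_page": "Reconnaissance",
    "port_scan_from_external": "Reconnaissance",
    "phishing_email_received": "Delivery",
    "usb_inserted": "Delivery",
    "macro_spawned_process": "Exploitation",
    "exploit_triggered": "Exploitation",
    "run_key_created": "Installation",
    "service_installed": "Installation",
    "beacon_to_external_host": "Command and Control",
    "bulk_data_upload": "Actions on Objectives",
}


@dataclass
class Event:
    ts: str        # timestamp string, constructed
    host: str
    category: str
    detail: str


def phase_of(event):
    """Kill chain phase for one event, or None when no rule matches."""
    return CATEGORY_TO_PHASE.get(event.category)


def analyze(events):
    """Group events by phase and summarize where the defender had visibility.

    Returns a dict with
      by_phase:          phase -> events, keys in chain order, observed only
      earliest_observed: first phase (in chain order) with any evidence; the
                         earlier the defender sees the chain, the less damage
      gaps:              phases before the last observed one with no evidence
                         (Weaponization excluded); these are hunting leads
      unmapped:          events no rule classified, for manual review
    """
    by_phase = {}
    unmapped = []
    for ev in sorted(events, key=lambda e: e.ts):
        phase = phase_of(ev)
        if phase is None:
            unmapped.append(ev)
        else:
            by_phase.setdefault(phase, []).append(ev)

    observed = [p for p in PHASES if p in by_phase]
    if not observed:
        return {"by_phase": {}, "earliest_observed": None,
                "gaps": [], "unmapped": unmapped}

    last_idx = PHASES.index(observed[-1])
    gaps = [p for p in PHASES[:last_idx]
            if p not in by_phase and p not in NOT_DIRECTLY_OBSERVABLE]
    return {
        "by_phase": {p: by_phase[p] for p in observed},
        "earliest_observed": observed[0],
        "gaps": gaps,
        "unmapped": unmapped,
    }


# Constructed timeline: a macro-laden attachment leading to persistence,
# beaconing and exfiltration. The address is from the documentation range.
SAMPLE_EVENTS = [
    Event("2024-01-10T09:02", "mail-gw", "phishing_email_received", "invoice.docm to j.doe"),
    Event("2024-01-10T09:15", "ws-042", "macro_spawned_process", "WINWORD.EXE -> powershell.exe"),
    Event("2024-01-10T09:16", "ws-042", "run_key_created", "HKCU\\...\\CurrentVersion\\Run\\adobeUpdater"),
    Event("2024-01-10T09:17", "ws-042", "beacon_to_external_host", "203.0.113.10:443 every 60 s"),
    Event("2024-01-11T02:40", "ws-042", "bulk_data_upload", "1.2 GB to 203.0.113.10"),
    Event("2024-01-11T02:45", "ws-042", "screensaver_changed", "unrelated noise"),
]

if __name__ == "__main__":
    result = analyze(SAMPLE_EVENTS)
    for phase, evs in result["by_phase"].items():
        for ev in evs:
            print(f"{ev.ts}  {phase:<22} {ev.host:<8} {ev.detail}")
    print("earliest phase with evidence:", result["earliest_observed"])
    print("phases to hunt for evidence :", result["gaps"])
    print("unclassified events         :", [e.category for e in result["unmapped"]])
```

For the constructed timeline the first visible phase is Delivery: the mail gateway saw the attachment, but nothing earlier was logged, so Reconnaissance is reported as a gap to look for (web server logs, scans against the perimeter) while Weaponization is not, since it is never directly visible to the defender.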
More examples
Stuxnet: https://mwi.usma.edu/stuxnet-digital-staff-ride/
BlackEnergy: BlackEnergy.pdf on Canvas
MITRE ATT&CK Framework
MITRE ATT&CK
A knowledge base of adversary behavior
Based on real-world observations
Free, open and globally accessible
A common language
Community-driven
Use cases
  Determine threats and build defenses
  Monitor attack trends
  Assess and close gaps
  Get familiar with adversary groups
Pyramid of Pain
David Bianco's Pyramid of Pain ranks indicator types by how much it costs the adversary when defenders act on them: hash values at the base (trivial to change), then IP addresses, domain names, network and host artifacts, tools, and TTPs at the apex, which are the hardest for an adversary to change. ATT&CK describes adversary behaviour at that top level.
http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
ATT&CK
TTP: Tactics, Techniques, and Procedures. In ATT&CK a tactic is the adversary's objective (e.g. Persistence), a technique is how that objective is achieved (e.g. T1547 Boot or Logon Autostart Execution, with sub-technique T1547.001), and procedures are the specific implementations observed in the wild.
Threat intelligence use cases
Compare behaviours
  Compare groups to each other
  Compare over time
Communicate in a common language
  Communicate to defenders
  Communicate across organizations
CTI analyst: "This is what the adversary is doing. The run key is adobeUpdater."
Defender: "Oh, we have Registry data, we can detect that."
Both are talking about Registry Run Keys / Startup Folder (T1547.001).
Company A: "APT1337 is using autorun."
Company B: "FUZZYSNUGGLYDUCK used a Run key."
Both are describing Registry Run Keys / Startup Folder (T1547.001).
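As an added example (not from the slides or from MITRE), the exchange above turned into detection logic: constructed registry-write log lines, loosely modelled on Sysmon Event ID 13 ("Registry value set") rendered as key=value pairs, are checked for writes under the Run-family keys or the Startup folder and tagged with T1547.001; a second function maps differently worded CTI statements ("autorun", "Run key") to that same technique ID so that Company A's and Company B's observations can be compared. The log format, the baseline allowlist and the synonym list are assumptions made for this example.

```python
"""Detect Registry Run key / Startup folder persistence (ATT&CK T1547.001) in
constructed registry-write log lines, and map differently worded CTI reports to
the same technique ID.

Added example: not from the slides or from MITRE. The log format below is an
assumption (loosely modelled on Sysmon Event ID 13, "Registry value set",
rendered as key=value pairs), and the sample lines are constructed.
"""
import re

TECHNIQUE_ID = "T1547.001"
TECHNIQUE_NAME = "Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"

# Constructed sample log. Line 1 is the adobeUpdater run key from the slide;
# line 2 is a Windows-default Run value; line 3 is a RunOnce entry; line 4 is a
# benign registry write elsewhere; line 5 is not a registry event at all.
SAMPLE_LOG = """\
EventID=13 Image=C:\\Windows\\explorer.exe TargetObject=HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\adobeUpdater Details=C:\\Users\\jdoe\\AppData\\Roaming\\adobeUpdater.exe
EventID=13 Image=C:\\Windows\\System32\\svchost.exe TargetObject=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\SecurityHealth Details=%windir%\\system32\\SecurityHealthSystray.exe
EventID=13 Image=C:\\Windows\\System32\\cmd.exe TargetObject=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\cleanup Details=C:\\Temp\\x.bat
EventID=13 Image=C:\\Program Files\\App\\app.exe TargetObject=HKCU\\Software\\App\\Settings\\Theme Details=dark
EventID=1 Image=C:\\Windows\\System32\\notepad.exe TargetObject=- Details=-
"""

# Autostart locations covered by T1547.001: the Run-family keys under
# CurrentVersion (HKLM, HKCU or HKU) and the Startup folder.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\"
    r"(Run|RunOnce|RunServices|RunServicesOnce)\\",
    re.IGNORECASE,
)
STARTUP_FOLDER_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)

# Assumed allowlist of value names the organization has baselined as expected.
KNOWN_BASELINE_VALUES = {"securityhealth"}

# key=value pairs; values may contain spaces, so a pair ends where the next
# "<word>=" begins or at end of line.
PAIR_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|\s*$)")


def parse_line(line):
    return {m.group(1): m.group(2) for m in PAIR_RE.finditer(line)}


def detect(log_text):
    """One finding per registry value written to an autostart location."""
    findings = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev.get("EventID") != "13":      # only registry value-set events
            continue
        target = ev.get("TargetObject", "")
        if not (RUN_KEY_RE.search(target) or STARTUP_FOLDER_RE.search(target)):
            continue
        value_name = target.rsplit("\\", 1)[-1]
        findings.append({
            "technique": TECHNIQUE_ID,
            "key": target,
            "value_data": ev.get("Details", ""),
            "writer": ev.get("Image", ""),
            # Baselined entries are still recorded (an adversary can hijack
            # them) but flagged so triage can prioritize the unexpected ones.
            "baseline": value_name.lower() in KNOWN_BASELINE_VALUES,
        })
    return findings


# Assumed phrase list: how analysts and vendors describe this behaviour in
# prose, mapped to the one technique ID that makes their reports comparable.
SYNONYMS = {
    "autorun": TECHNIQUE_ID,
    "run key": TECHNIQUE_ID,
    "runonce": TECHNIQUE_ID,
    "startup folder": TECHNIQUE_ID,
    "currentversion\\run": TECHNIQUE_ID,
}


def normalize_report(text):
    """Technique IDs mentioned (via a synonym) in a free-text CTI statement."""
    lowered = text.lower()
    return sorted({tid for phrase, tid in SYNONYMS.items() if phrase in lowered})


def shared_techniques(report_a, report_b):
    """Techniques two reports have in common once both use ATT&CK's vocabulary."""
    return sorted(set(normalize_report(report_a)) & set(normalize_report(report_b)))


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        flag = "baseline" if f["baseline"] else "REVIEW"
        print(f"{f['technique']} [{flag}] {f['key']} -> {f['value_data']} (by {f['writer']})")
    a = "APT1337 is using autorun"
    b = "FUZZYSNUGGLYDUCK used a Run key"
    print("Company A:", normalize_report(a), "Company B:", normalize_report(b))
    print("shared:", shared_techniques(a, b))
```

On the constructed log the detector flags three writes: the adobeUpdater value and the RunOnce entry for review, and the Windows-default SecurityHealth value as a known baseline entry; the two companies' differently worded statements both normalize to T1547.001, which is the "common language" point of the slide.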