Discuss attack frameworks or exploitation frameworks that serve as models of the thinking and actions of today’s threat actors. Explain that just as a cybersecurity framework, or a series of documented processes, can be used to define policies and procedures for implementing and managing security controls in an enterprise environment, frameworks of how attacks occur can also be studied. Provide examples in your discussion.
Example: A threat actor's attack might follow a path on the ATT&CK matrix. The initial tactic could be Initial Access, using a technique like Phishing. Once inside, they move to Execution, using a technique like a PowerShell script. They then proceed to Credential Access via OS Credential Dumping to gain higher privileges. The framework helps an organization understand that a phishing email is just one part of a larger, multi-stage attack and that defenses are needed at every step.
Lockheed Martin Cyber Kill Chain
The Lockheed Martin Cyber Kill Chain is another foundational attack framework that models a cyberattack from the attacker's perspective. It breaks down an attack into seven distinct phases, providing a linear, step-by-step model of an intrusion.
Example: An attack on an organization would be described in these phases:
Reconnaissance: The attacker gathers information on the target.
Weaponization: They create a malware payload.
Delivery: They send the malware via email.
Exploitation: The victim opens the email, and the malware exploits a vulnerability.
Installation: The malware installs itself on the system.
Command and Control (C2): The malware communicates with the attacker's server.
Actions on Objectives: The attacker achieves their goal, such as stealing data.
The Unified Kill Chain (UKC)
The Unified Kill Chain (UKC) is an evolution that combines the linear nature of the Cyber Kill Chain with the detailed, tactical view of MITRE ATT&CK. It provides a more comprehensive model, acknowledging that modern attacks are not always strictly linear. The UKC is organized into 18 phases, from reconnaissance to post-compromise activity, incorporating a broader range of attacker behaviors and allowing for more nuanced analysis.
Sample Answer
Attack frameworks, also known as exploitation frameworks, serve as structured models of the thinking and actions of today's threat actors. Just as cybersecurity frameworks provide a roadmap for defense, attack frameworks offer a way to understand and simulate offensive operations. By studying these models, security professionals can better anticipate threats and build more robust defenses.
MITRE ATT&CK
MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is one of the most widely used and comprehensive attack frameworks. It is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. The framework is organized as a matrix: each column is a tactic, the adversary's goal at one stage of the attack lifecycle, and the entries beneath each column are the specific techniques attackers use to achieve that goal.
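To show how a defender uses the matrix described here and the Phishing → PowerShell → Credential Dumping path given in the example above, the following added script (not part of the original page) correlates a few constructed alerts into a per-host attack path, labels each step with its ATT&CK tactic and a Cyber Kill Chain phase, and reports tactics where no detection fired. The alerts and the tactic-to-Kill-Chain crosswalk are constructed assumptions for illustration, not an official MITRE mapping.

```python
from collections import defaultdict

# Constructed alerts for illustration: (time, host, ATT&CK technique ID, detail).
ALERTS = [
    ("09:02", "ws-17", "T1566", "mail gateway: macro-laden attachment delivered"),
    ("09:05", "ws-17", "T1059.001", "powershell.exe spawned by WINWORD.EXE"),
    ("09:11", "ws-17", "T1003", "lsass.exe memory read by unsigned process"),
]

# Small slice of the ATT&CK matrix: technique ID -> (name, tactic). Tactics are the columns.
TECHNIQUES = {
    "T1566": ("Phishing", "Initial Access"),
    "T1059.001": ("PowerShell", "Execution"),
    "T1003": ("OS Credential Dumping", "Credential Access"),
    "T1071": ("Application Layer Protocol", "Command and Control"),
}

# Assumed crosswalk from ATT&CK tactics to Cyber Kill Chain phases (hypothetical, for this example).
TACTIC_TO_KILL_CHAIN = {
    "Initial Access": "Delivery",
    "Execution": "Exploitation",
    "Persistence": "Installation",
    "Command and Control": "Command and Control (C2)",
    "Credential Access": "Actions on Objectives",
}

def build_attack_path(alerts, techniques=TECHNIQUES):
    """Order alerts per host and tag each with its tactic and Kill Chain phase.
    Returns {host: [(time, technique_id, tactic, kill_chain_phase), ...]}."""
    paths = defaultdict(list)
    for ts, host, tid, _detail in sorted(alerts):
        _name, tactic = techniques.get(tid, ("Unknown", "Unknown"))
        paths[host].append((ts, tid, tactic, TACTIC_TO_KILL_CHAIN.get(tactic, "Unmapped")))
    return dict(paths)

def coverage_gaps(alerts, tactics_of_interest, techniques=TECHNIQUES):
    """Tactics (matrix columns) with no alert at all: stages where the defence is blind."""
    seen = {techniques[tid][1] for _, _, tid, _ in alerts if tid in techniques}
    return [t for t in tactics_of_interest if t not in seen]

if __name__ == "__main__":
    for host, steps in build_attack_path(ALERTS).items():
        print(host)
        for ts, tid, tactic, phase in steps:
            print(f"  {ts} {tid:<10} {tactic:<18} -> Kill Chain: {phase}")
    watch = ["Initial Access", "Execution", "Persistence", "Credential Access", "Command and Control"]
    print("no detections for:", coverage_gaps(ALERTS, watch))
```

The gap list is the practical output: a phishing detection alone is not enough if the Persistence and Command and Control columns have no visibility.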