Attack Frameworks and The Cyber Kill Chain

  • Attack Frameworks describe the attack and the attacker

  • The Cyber Kill Chain

    • Introduced by Lockheed Martin

    • Defines attack phases

    • Mainly related to APTs

    • Indicators of Compromise (IoCs) and Tactics, Techniques and Procedures (TTPs)

    • Cyber Kill Chain® mitigation methods (one set of defences per phase)

  • AT&T Internal Cyber Kill Chain Model

    • Applies the kill chain phases to insider threats

    • Focus: exfiltration of data by insiders

  • Defending at each phase in the cyber kill chain

    • Recon

      • Reduce attack surface

      • Don’t overshare information

    • Weaponization

      • Update, Patch, fix

      • Install technical controls

    • Delivery

      • Mass storage restrictions

      • User training

    • Exploitation

      • Update, patch, fix (again)

    • Installation

      • Endpoint security

      • User awareness

    • Command and Control

      • Endpoint security

      • Filtering outbound traffic

    • Action on Objectives

      • Access control systems

      • Good luck…
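Two of the defences listed above (filtering outbound traffic, and watching endpoints for Command and Control behaviour) can be checked mechanically. The following is an added example, not material from the original notes: it parses a constructed set of outbound connection records, flags flows that leave the internal network on a port the egress policy does not allow, and separately flags source/destination pairs that connect at regular intervals, the kind of periodic "beacon" a C2 implant produces. The address ranges, port allowlist and log format are assumptions made for the example.

```python
"""Egress-policy and beacon check for the Command-and-Control phase (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev
from collections import defaultdict

# Constructed sample of outbound connection records: "<epoch> <src> <dst> <dst_port>".
# Not real traffic; the 10.0.0.15 -> 198.51.100.7:8443 flows are spaced exactly 60 s apart.
SAMPLE_FLOWS = """
1700000000 10.0.0.15 93.184.216.34 443
1700000060 10.0.0.15 198.51.100.7 8443
1700000120 10.0.0.15 198.51.100.7 8443
1700000180 10.0.0.15 198.51.100.7 8443
1700000240 10.0.0.15 198.51.100.7 8443
1700000005 10.0.0.22 93.184.216.34 443
1700000017 10.0.0.22 10.0.0.5 445
1700000300 10.0.0.31 203.0.113.9 25
"""

# Assumed egress policy: only web ports may leave the internal range directly.
INTERNAL_NETWORKS = [ip_network("10.0.0.0/8")]
ALLOWED_EGRESS_PORTS = {80, 443}


@dataclass(frozen=True)
class Flow:
    ts: int
    src: str
    dst: str
    port: int


def parse_flows(text: str) -> list[Flow]:
    """Parse the whitespace-separated record format used by SAMPLE_FLOWS."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, port = line.split()
        flows.append(Flow(int(ts), src, dst, int(port)))
    return flows


def is_internal(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETWORKS)


def policy_violations(flows: list[Flow]) -> list[Flow]:
    """Flows that leave the internal network on a port outside the allowlist.

    Internal-to-internal traffic is out of scope for egress filtering, so it is
    never flagged here (it belongs to lateral-movement detection instead).
    """
    return [
        f for f in flows
        if is_internal(f.src) and not is_internal(f.dst)
        and f.port not in ALLOWED_EGRESS_PORTS
    ]


def beacon_candidates(flows: list[Flow], min_count: int = 4,
                      max_jitter: float = 0.1) -> list[tuple[str, str, int]]:
    """(src, dst, port) tuples whose outbound connections recur at regular intervals.

    A pair is flagged when it has at least `min_count` connections and the
    relative spread of the gaps between them (pstdev / mean) is at most `max_jitter`.
    """
    by_pair: dict[tuple[str, str, int], list[int]] = defaultdict(list)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            by_pair[(f.src, f.dst, f.port)].append(f.ts)

    flagged = []
    for pair, stamps in by_pair.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            flagged.append(pair)
    return sorted(flagged)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for v in policy_violations(flows):
        print(f"egress policy violation: {v.src} -> {v.dst}:{v.port}")
    for src, dst, port in beacon_candidates(flows):
        print(f"possible beacon: {src} -> {dst}:{port}")
```

Run as a script it prints five policy violations (the four 8443 flows and the single SMTP flow) and one beacon candidate. The two checks are deliberately independent: an allowed port can still carry a beacon, and a blocked port is worth alerting on even if it fires only once.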

  • MITRE ATT&CK framework

    • More detailed than the Cyber Kill Chain: catalogues tactics and techniques rather than only phases

  • The Diamond Model of Intrusion Analysis

    • Describes a single intrusion event

    • Relationships between

      • Adversary

      • Capabilities

      • Victim

      • Infrastructure

    • Assumes additional information

    • Meta-features

      • Timestamp

      • Phase

      • Result

      • Direction

      • Method

      • Resources

      • Confidence

    • Activity threads show how an attacker behaves during an attack

    • Multiple threads possible

      • For multiple attackers

      • For multiple victims

    • Best for describing pivoting

      • Moving from one target to the next
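The Diamond Model's four core features, its meta-features and the idea of an activity thread map directly onto a small data model. The following is an added example, not part of the original notes: it records constructed intrusion events as diamonds, orders them into one activity thread per adversary, reports where a thread moves from one victim to the next (the pivoting point above), and shows how a shared infrastructure node links the threads of two different adversaries. The actor names, hosts and addresses are constructed placeholders; the phase list follows the Cyber Kill Chain phases used earlier on this page.

```python
"""Diamond Model events and activity threads (added example)."""
from dataclasses import dataclass
from collections import defaultdict
from enum import Enum


class Phase(Enum):
    """Kill chain phases, in order, used as the Diamond 'phase' meta-feature."""
    RECON = 1
    WEAPONIZATION = 2
    DELIVERY = 3
    EXPLOITATION = 4
    INSTALLATION = 5
    COMMAND_AND_CONTROL = 6
    ACTIONS_ON_OBJECTIVES = 7


@dataclass(frozen=True)
class DiamondEvent:
    # Core features (the four corners of the diamond)
    adversary: str
    capability: str
    victim: str
    infrastructure: str
    # Meta-features
    timestamp: int
    phase: Phase
    result: str        # "success", "failure" or "unknown"
    direction: str     # e.g. "infrastructure-to-victim", "victim-to-infrastructure"
    method: str
    resources: tuple[str, ...]
    confidence: float  # analyst confidence in the event, 0.0 to 1.0

    def __post_init__(self):
        if not 0.0 <= self.confidence <= 1.0:
            raise ValueError("confidence must be between 0 and 1")


# Constructed events for two hypothetical adversaries. Note that in event 4 the
# first victim (host-a) becomes the adversary's infrastructure for reaching host-b.
EVENTS = [
    DiamondEvent("ACTOR-X", "phishing mail with macro document", "host-a",
                 "mail-relay.example", 100, Phase.DELIVERY, "success",
                 "infrastructure-to-victim", "email", ("macro.doc",), 0.8),
    DiamondEvent("ACTOR-X", "macro dropper", "host-a", "198.51.100.7", 200,
                 Phase.INSTALLATION, "success", "infrastructure-to-victim",
                 "https download", ("dropper.exe",), 0.7),
    DiamondEvent("ACTOR-X", "beacon implant", "host-a", "198.51.100.7", 300,
                 Phase.COMMAND_AND_CONTROL, "success", "victim-to-infrastructure",
                 "https beacon", ("implant",), 0.9),
    DiamondEvent("ACTOR-X", "credential reuse", "host-b", "host-a", 400,
                 Phase.ACTIONS_ON_OBJECTIVES, "success", "infrastructure-to-victim",
                 "smb logon", ("stolen credentials",), 0.6),
    DiamondEvent("ACTOR-Y", "port scanner", "host-c", "198.51.100.7", 50,
                 Phase.RECON, "unknown", "infrastructure-to-victim",
                 "tcp scan", (), 0.5),
]


def activity_threads(events: list[DiamondEvent]) -> dict[str, list[DiamondEvent]]:
    """One thread per adversary, ordered by timestamp (then by kill chain phase)."""
    threads: dict[str, list[DiamondEvent]] = defaultdict(list)
    for e in events:
        threads[e.adversary].append(e)
    for adv in threads:
        threads[adv].sort(key=lambda e: (e.timestamp, e.phase.value))
    return dict(threads)


def pivots(thread: list[DiamondEvent]) -> list[tuple[str, str, Phase]]:
    """Points where a thread moves from one victim to the next: (from, to, phase)."""
    return [
        (a.victim, b.victim, b.phase)
        for a, b in zip(thread, thread[1:])
        if a.victim != b.victim
    ]


def shared_infrastructure(events: list[DiamondEvent]) -> dict[str, list[str]]:
    """Infrastructure used by more than one adversary, a lead for linking threads."""
    users: dict[str, set[str]] = defaultdict(set)
    for e in events:
        users[e.infrastructure].add(e.adversary)
    return {infra: sorted(advs) for infra, advs in users.items() if len(advs) > 1}


if __name__ == "__main__":
    for adversary, thread in activity_threads(EVENTS).items():
        print(adversary, "->", [f"{e.phase.name}@{e.victim}" for e in thread])
        for src, dst, phase in pivots(thread):
            print(f"  pivot {src} -> {dst} during {phase.name}")
    print("shared infrastructure:", shared_infrastructure(EVENTS))
```

The pivot in ACTOR-X's thread is visible only because host-a appears as a victim in one event and as infrastructure in the next; recording compromised hosts in the infrastructure corner, not only the victim corner, is what lets the model describe movement from one target to the next.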
