# Attack Frameworks and The Cyber Kill Chain

* Attack Frameworks describe the attack and the attacker
* The Cyber Kill Chain
  * Introduced by Lockheed Martin
  * Defines attack phases
  * Mainly related to APTs
  * IoC, TTPs
  * ![the Cyber Kill Chain®](https://668119349-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F9XZuLZlYbpZMSIHcIPdL%2Fuploads%2FjSrIR2zGEsaOvQjL6lqS%2F0.png?alt=media)
  * Mitigation methods
* AT&T Internal Cyber Kill Chain Model
  * ![insider threats and cyber kill chain](https://668119349-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F9XZuLZlYbpZMSIHcIPdL%2Fuploads%2FyyAo5AEGg0pBhnRSzR9a%2F1.jpeg?alt=media)
  * ![exfiltration of insider data](https://668119349-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F9XZuLZlYbpZMSIHcIPdL%2Fuploads%2FN59gYefZPazuAiZDdXcd%2F2.jpeg?alt=media)
* Defending at each phase in the cyber kill chain
  * Recon
    * Reduce attack surface
    * Don’t overshare information
  * Weaponization
    * Update, Patch, fix
    * Install technical controls
  * Delivery
    * Mass storage restrictions
    * User training
  * Exploitation
    * Update, patch, fix, again..
  * Installation
    * Endpoint security
    * User awareness
  * Command and Control
    * Endpoint security
    * Filtering outbound traffic
  * Action on Objectives
    * Access control systems
    * Good luck…
* [MITRE ATT\&CK framework](https://attack.mitre.org/)
  * More detailed than cyber kill chains
* The Diamond Model of Intrusion Analysis
  * Describes a single intrusion event
  * Relationships between
    * Adversary
    * Capabilities
    * Victim
    * Infrastructure
  * Assumes additional information
  * Meta-features
    * Timestamp
    * Phase
    * Result
    * Direction
    * Method
    * Resources
    * Confidence
    * ![Diagram of the Diamond Model](https://668119349-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F9XZuLZlYbpZMSIHcIPdL%2Fuploads%2FyWXWunZrm3XFNZrLdDCa%2F3.png?alt=media)
    * Activity threads show how an attacker behaves during an attack
    * Multiple threads possible
      * For multiple attackers
      * For multiple victims
    * Best for describing pivoting
      * ![Chart, line chart: activity threads across victims](https://668119349-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F9XZuLZlYbpZMSIHcIPdL%2Fuploads%2FhVnyPwDhhOWMRwfq3Sw0%2F4.png?alt=media)
      * Moving from one target to the next
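
As an added example (not part of the original notes), the Diamond Model event with its four core features and the meta-features listed above, ordered into an activity thread and searched for pivoting, i.e. a compromised victim that later shows up as the attacker's infrastructure against the next target. Hostnames, adversary labels and events are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Tuple


@dataclass
class DiamondEvent:
    """One intrusion event: adversary/capability/victim/infrastructure plus meta-features."""
    adversary: str
    capability: str
    victim: str
    infrastructure: str
    timestamp: datetime
    phase: str            # kill chain phase this event belongs to
    result: str           # success / failure / unknown
    direction: str        # e.g. infrastructure-to-victim, victim-to-infrastructure
    method: str
    resources: List[str] = field(default_factory=list)
    confidence: str = "medium"


def activity_thread(events: List[DiamondEvent], adversary: str) -> List[DiamondEvent]:
    """One adversary's events in time order: the thread shows how they behaved."""
    return sorted((e for e in events if e.adversary == adversary), key=lambda e: e.timestamp)


def find_pivots(thread: List[DiamondEvent]) -> List[Tuple[str, str, str]]:
    """Pivot = a successfully compromised victim later used as infrastructure
    against another victim in the same thread. Returns (from, to, phase) triples."""
    pivots: List[Tuple[str, str, str]] = []
    for i, earlier in enumerate(thread):
        if earlier.result != "success":
            continue
        for later in thread[i + 1:]:
            if later.infrastructure == earlier.victim and later.victim != earlier.victim:
                hop = (earlier.victim, later.victim, later.phase)
                if hop not in pivots:      # same hop can be supported by several events
                    pivots.append(hop)
    return pivots


# Constructed sample events (hypothetical hosts; not from any real incident).
SAMPLE = [
    DiamondEvent("actor-x", "phishing document", "ws-101", "mail.example.net",
                 datetime(2024, 1, 1, 9, 0), "delivery", "success",
                 "infrastructure-to-victim", "email", ["macro loader"], "high"),
    DiamondEvent("actor-x", "implant beaconing", "ws-101", "c2.example.net",
                 datetime(2024, 1, 1, 9, 30), "command and control", "success",
                 "victim-to-infrastructure", "https", [], "high"),
    DiamondEvent("actor-x", "remote service execution", "fs-02", "ws-101",
                 datetime(2024, 1, 1, 11, 0), "action on objectives", "success",
                 "infrastructure-to-victim", "smb", [], "medium"),
    DiamondEvent("actor-y", "port scanner", "fs-02", "scan.example.net",
                 datetime(2024, 1, 1, 8, 0), "recon", "unknown",
                 "infrastructure-to-victim", "tcp", [], "low"),
]
```

Running `find_pivots(activity_thread(SAMPLE, "actor-x"))` yields the single hop from ws-101 to fs-02, which is the "moving from one target to the next" the threads diagram illustrates.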