The Cyber Kill Chain and MITRE ATT&CK Framework
Hi everyone! Today, as part of my learning journey, I wanted to share with you a high-level overview of the Cyber Kill Chain® Framework, and go into a little more detail about the MITRE ATT&CK® Framework. The two frameworks are complementary: the Kill Chain describes the phases of an intrusion at a high level, while ATT&CK catalogs the attacker’s tactics, techniques, and procedures (TTPs) in much finer detail. Now, let’s get into it.
CYBER KILL CHAIN® FRAMEWORK OVERVIEW
First, let’s talk about the Cyber Kill Chain® Framework developed by Lockheed Martin. It models an intrusion as a sequence of stages, from reconnaissance through to the attacker’s end goal. Intrusions by APT groups (“attack groups”) typically have to progress through every stage to succeed, and that is the defensive point of the model: an attacker who is detected and stopped at any stage cannot complete the chain, and the earlier the chain is broken, the smaller the impact.
The stages are listed below:
1. Reconnaissance — Attacker selects a target, gathers information about it (e.g. email addresses, employees, exposed services), and identifies vulnerabilities to exploit
2. Weaponization — Attacker couples an exploit with a payload (e.g. a backdoor, virus, or worm) into a deliverable form such as a malicious document
3. Delivery — Attacker transmits the weapon to the selected target, using various methods (e.g. phishing emails, social engineering, malicious websites, USB media, compromised accounts)
4. Exploitation — The exploit runs on the target and triggers a weakness in an application, the operating system, or the user
5. Installation — Attacker installs a backdoor or implant to keep access to the victim system (e.g. a remote access trojan, a malicious service or scheduled task, or a logic bomb set to fire later)
6. Command & Control — The implant opens a channel back to attacker-controlled infrastructure, so the attacker can remotely control and manipulate the target
7. Actions On Objectives — Attacker carries out their actual goal (e.g. data exfiltration/theft, data encryption for ransom, or data destruction)
MITRE ATT&CK® FRAMEWORK OVERVIEW
Now, let’s visit the ATT&CK® Framework developed by MITRE. ATT&CK stands for Adversarial Tactics, Techniques, & Common Knowledge. It is a knowledge base of adversary behavior built from real-world observations, presented as a matrix of attack techniques grouped by the tactic (the adversary’s goal) each technique serves, and it covers the whole intrusion from initial access to exfiltration and impact.
To put it simply…
· Tactics → WHY: the goal an adversary is trying to accomplish at that point of the intrusion (e.g. get initial access, escalate privileges)
· Techniques → HOW an adversary achieves a tactical objective; many techniques have sub-techniques, and the specific way a given group implements one is its procedure (the P in TTP)
Below is the list of the 14 tactics of the Enterprise matrix, in the order they appear, each with one example technique and how organizations can mitigate it and disrupt attackers from achieving their goals:
1. Reconnaissance: Attacker gathers information to utilize and plan future operations
Gather Victim Identity Information — This happens before any contact with your network, so it cannot be blocked by technical controls. Organizations should instead minimize the amount and sensitivity of data about employees and infrastructure available to external entities, and watch for its misuse later (e.g. in phishing).
2. Resource Development: Attacker tries to establish resources to support operations
Acquire Infrastructure / Develop Capabilities — ATT&CK lists only the “Pre-compromise” mitigation for this tactic: these techniques cannot be easily prevented because they are actions the attackers perform entirely outside the scope of the organization’s defenses and controls. Detection effort is better spent on the later use of that infrastructure (e.g. look-alike domains showing up in email, or C2 traffic).
3. Initial Access: Attacker tries to get into your network
Phishing — Organizations should deploy antivirus/antimalware and mail-filtering controls (e.g. sandboxing attachments, blocking dangerous file types, and enforcing SPF, DKIM, and DMARC to flag spoofed senders). They should also train employees to recognize and report malicious emails from phishing campaigns and other social engineering techniques.
4. Execution: Attacker tries to run a malicious code
User Execution — This technique relies on a user opening a malicious file or link, so its mitigations overlap with phishing: network intrusion prevention systems and mail gateways that scan and strip malicious attachments and links, application control so unapproved executables do not run, and, again, training employees to identify and report potentially malicious events.
5. Persistence: Attacker tries to maintain their access into your system
Account Manipulation — Orgs should require Multi-Factor Authentication (MFA) on employee accounts and closely manage privileged accounts, so that an attacker who has compromised an account cannot quietly preserve that access by adding credentials, SSH keys, or group memberships to it.
6. Privilege Escalation: Attacker tries to gain higher-level permissions
Valid Accounts — Orgs should ensure that they have strong privileged account management: carefully control the creation, modification, and use of privileged accounts, audit their permissions regularly, and avoid shared or overly broad privileges, so that a stolen account does not hand the attacker more access than its owner needs.
7. Defense Evasion: Attacker tries to avoid being detected
Impair Defenses — Orgs should restrict file, directory, and registry permissions on security tooling and its configuration, have strong user account management, and alert when security or logging services are stopped, reconfigured, or have their logs cleared, so that attackers cannot silently disable the controls that would catch them.
8. Credential Access: Attacker tries to steal account names and passwords
Brute Force — Orgs should follow best practices for account use policies (e.g. lockout after repeated failures), password policies, and user account management, and monitor for bursts of failed logins followed by a success. Again, MFA is essential, since it makes a guessed password alone insufficient.
9. Discovery: Attacker tries to figure out your environment
Account Discovery — Orgs should harden their operating system configurations so that account lists are not disclosed to unprivileged users (e.g. preventing administrator accounts from being enumerated), and monitor for account-enumeration commands such as net user and net group, which attackers use to pick their next targets.
10. Lateral Movement: Attacker tries to move through your environment
Exploitation of Remote Services — Orgs should segment their networks so that critical systems and services are reachable only from where they need to be, reducing what an attacker can reach remotely. They should also keep software patched and run frequent vulnerability scans, so that the services that are reachable are not exploitable.
11. Collection: Attacker tries to inconspicuously gather data of interest based on their goals
Archive Collected Data — Attackers usually compress and encrypt data before exfiltrating it, so orgs should audit their systems to identify unauthorized archival utilities, and monitor for unusual use of archiving tools or for large archives being created.
12. Command and Control: Attacker tries to communicate with compromised systems to control them
Web Service — Orgs should restrict web-based content so that employees cannot reach external services they do not need. This is crucial because attackers hide their command-and-control traffic inside popular social media sites and web services, where it blends in with normal traffic.
13. Exfiltration: Attacker tries to steal gathered data
Exfiltration Over Web Service — Again, orgs should restrict web-based content, since popular web services give the attacker cover: data leaving toward a well-known cloud or social-media domain looks like ordinary traffic. Data loss prevention tooling can additionally detect sensitive data being uploaded.
14. Impact: Attacker tries to manipulate, interrupt, destroy your systems and data
Data Destruction — Orgs should have a tested data backup and recovery plan, with backups kept offline or otherwise immutable, so that attackers cannot destroy the backups along with the live data.
If you are interested, take a look at the full matrix: each tactic has many more techniques (and sub-techniques) than the single example given here.
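To make the tactic/technique labels a bit more concrete, here is an added example (my own illustration, not part of either framework or of MITRE’s tooling) of what “mapping detections to ATT&CK” looks like in practice: three toy detections for the Brute Force, Account Discovery, and Impair Defenses techniques from the list above, run over constructed log lines and keyed by tactic / technique. The log format, hostnames, users, thresholds, and the list of security services are assumptions made for the example.

```python
"""Toy ATT&CK-mapped detections run over constructed log lines (added example)."""
import re
from collections import defaultdict

# Constructed sample telemetry (not real data), one event per line in the form:
#   <timestamp> <host> <event_type> key=value key="quoted value" ...
SAMPLE_LOGS = """\
2024-03-01T09:00:01 ws01 auth_fail user=alice src=10.0.0.7
2024-03-01T09:00:02 ws01 auth_fail user=alice src=10.0.0.7
2024-03-01T09:00:03 ws01 auth_fail user=alice src=10.0.0.7
2024-03-01T09:00:04 ws01 auth_fail user=alice src=10.0.0.7
2024-03-01T09:00:05 ws01 auth_fail user=alice src=10.0.0.7
2024-03-01T09:00:06 ws01 auth_ok user=alice src=10.0.0.7
2024-03-01T09:00:07 ws01 auth_fail user=bob src=10.0.0.9
2024-03-01T09:00:08 ws01 auth_ok user=bob src=10.0.0.9
2024-03-01T09:05:00 ws01 process user=alice cmd="net user /domain"
2024-03-01T09:05:10 ws01 process user=alice cmd="net group Domain Admins /domain"
2024-03-01T09:05:20 ws01 process user=alice cmd="notepad.exe report.txt"
2024-03-01T09:10:00 ws01 process user=alice cmd="wevtutil cl Security"
2024-03-01T09:10:05 ws01 service_stop user=alice name=Sysmon64
"""

HEADER_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<event>\S+)(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one log line into a dict: ts, host, event, plus its key=value fields."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    event = {"ts": m["ts"], "host": m["host"], "event": m["event"]}
    for key, quoted, bare in KV_RE.findall(m["rest"]):
        event[key] = bare or quoted
    return event


def parse_logs(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


# Credential Access / Brute Force: a run of failed logons from one source that
# ends in a success. The threshold (5) is an assumed tuning value.
def detect_brute_force(events, threshold=5):
    failures = defaultdict(int)
    hits = []
    for e in events:
        if e["event"] == "auth_fail":
            failures[e.get("src", "?")] += 1
        elif e["event"] == "auth_ok":
            src = e.get("src", "?")
            if failures[src] >= threshold:
                hits.append({"technique": "Brute Force", "src": src, "user": e.get("user"),
                             "failures": failures[src], "ts": e["ts"]})
            failures[src] = 0  # a success resets the counter for that source
    return hits


# Discovery / Account Discovery: built-in account-enumeration commands.
ACCOUNT_ENUM_RE = re.compile(r"\bnet1?\s+(user|group|localgroup)\b|\bwhoami\b|\bdsquery\b", re.I)


def detect_account_discovery(events):
    return [{"technique": "Account Discovery", "user": e.get("user"), "cmd": e["cmd"], "ts": e["ts"]}
            for e in events
            if e["event"] == "process" and ACCOUNT_ENUM_RE.search(e.get("cmd", ""))]


# Defense Evasion / Impair Defenses: clearing event logs or stopping security tooling.
LOG_CLEAR_RE = re.compile(r"\bwevtutil\s+cl\b|\bauditpol\b.*/clear|Clear-EventLog", re.I)
SECURITY_SERVICES = {"Sysmon", "Sysmon64", "WinDefend", "EventLog"}  # assumed watch list


def detect_impair_defenses(events):
    hits = []
    for e in events:
        if e["event"] == "process" and LOG_CLEAR_RE.search(e.get("cmd", "")):
            hits.append({"technique": "Impair Defenses", "detail": e["cmd"],
                         "user": e.get("user"), "ts": e["ts"]})
        elif e["event"] == "service_stop" and e.get("name") in SECURITY_SERVICES:
            hits.append({"technique": "Impair Defenses", "detail": f"stopped {e['name']}",
                         "user": e.get("user"), "ts": e["ts"]})
    return hits


def run_detections(text):
    """Run every detection and key the findings by ATT&CK tactic / technique."""
    events = parse_logs(text)
    return {
        "Credential Access / Brute Force": detect_brute_force(events),
        "Discovery / Account Discovery": detect_account_discovery(events),
        "Defense Evasion / Impair Defenses": detect_impair_defenses(events),
    }


if __name__ == "__main__":
    for label, findings in run_detections(SAMPLE_LOGS).items():
        print(f"{label}: {len(findings)} finding(s)")
        for finding in findings:
            print("   ", finding)
```

Run as-is, it reports one brute-force finding (five failures from 10.0.0.7 before alice’s successful login, while bob’s single failure stays below the threshold), two account-discovery findings, and two impair-defenses findings (the Security log being cleared and Sysmon being stopped). The value of the ATT&CK labels is in the keys of that result: once every detection is tagged with the tactic and technique it covers, the tactics that come back with no detections at all are your coverage gaps.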
In a nutshell, the ATT&CK® Framework is built on real-world observations of adversary behavior and is updated regularly to help organizations “understand their enemies”. It provides insight into how attackers can get in, avoid being caught, and manipulate, interrupt, or destroy critical organization assets/resources, and it gives defenders a shared vocabulary for mapping their detections and mitigations to those behaviors and spotting the gaps. More importantly, it helps organizations build more effective defenses.
Thank you for reading this write-up! I hope that it was meaningful in some way. I have some links below for you to check out if you wish to dig deeper and learn more about the frameworks. With that said, until next time!
Sources & Relevant Links:
· Cyber Kill Chain® Framework
· MITRE ATT&CK® Framework
· Keep up with MITRE ATT&CK’s Medium blog