- Framework for identification and prevention of cyber intrusions activity.
- Developed by Lockheed Martin
- Identifies what the adversaries must complete in order to achieve their objective.
- 🤗 Based on military kill chains, a concept consisting of • target identification • force dispatch to target decision • order to attack the target • the destruction of the target
- 🤗 Critiques states it only defends "perimeter" and isn't suitable model to insider threats.
- E.g. A "Kill Chain" Analysis of the 2013 Target Data Breach
- ❗ Not same in every organization as different organizations have constructed their own kill chains to try to model different threats
- Reconnaissance
- Collecting as much as information about the target.
- E.g. harvesting email addresses, conferece information etc.
- See also footprinting
- Weaponization
- Analyzing collected data to identify and vulnerabilities to exploit to gain access
- E.g. creating a phishing campaign based on collected data
- Delivery
- Weaponized bundle to the victim via email, web, USB, etc.
- Key to measure the effectiveness of the defense strategies implemented by the target.
- E.g. sending phishing emails
- Exploitation
- Execute code on victim's system.
- E.g. arbitrary code execution, authentication and authorization attacks
- Installation
- Installing malware on the asset
- E.g. backdoor to gain remote access and maintain access in the network
- Command and control
- Allows remote manipulation/exploation of victim
- Done by establishing two-way communication between the victim and the attacker.
- Evidence is usually hidden using encryption techniques
- Actions on objectives
- With hands-on access, intruders accomplish their original goals.
- E.g. • distrupting network • gaining access to confidential data
- Detect: determine whether an attacker is poking around
- Deny: prevent information disclosure and unauthorized access
- Disrupt: stop or change outbound traffic (to attacker)
- Degrade: counter-attack command and control
- Deceive: interfere with command and control
- Contain: network segmentation changes
- Concept in terrorism and cyber security studies
- Identifies patterns of behavior of the threat actors (= bad guys)
- Aids in
- counterintelligence for threat prediction and detection
- implementing defenses
- profiling threat actors e.g. APT groups
- E.g. In 2020 United States federal government data breach, used TTP were stealing SAML tokens to attack SSO infrastructure according to TTP analysis from NSA.
- Read more at NIST Special Publication 800-159
- Also called tools in the acronym
- Highest-level description of the behavior
- Describes ways attacker attacks from start to end
- E.g.
- Way of gathering information e.g. open-source intelligence, social engineering.
- Way of initial compromise e.g. tools, zero-day vulnerabilities, obfuscation methods
- Technical methods used by an attacker
- Gives a more detailed description of behavior in the context of a tactic.
- E.g.
- social engineering techniques in early stages
- exploit tools at middle stages
- and software tools to clear logs to cover tracks at later stages.
- Lower-level, highly detailed description in the context of a technique.
- Sequence of actions done by attackers
- E.g. an actor collects business e-mails of target company then launches a spear phishing campaign
- Method or techniques used by attacker to penetrate victim network.
- E.g. using PowerShell, DNS Tunneling, Web Shell etc.
- Artifacts observed that indicates computer intrusion with high confidence.
- 4 categories:
- Email indicators
- E.g. sender's email address, subject, attachment, links.
- Network indicators
- E.g. URLs, domain names, IP addresses, unusual DNS requests
- Host-based indicators
- E.g. filenames, file hashes, registry keys, DDLs, mutex
- Behavioral indicators
- E.g. memory code injection, remote command execution, document execution PowerShell script.
- Email indicators