Attack Frameworks – SY0-601 CompTIA Security+ : 4.2

An attack framework can help prepare, understand, and react to cyber attacks. In this video, you’ll learn about the MITRE ATT&CK framework, the Diamond Model of Intrusion Analysis, and the cyber kill chain.


If you’re an IT security professional responsible for protecting your network, you may find that the attacks are many and varied. It’s difficult to keep track of exactly what types of attacks may be out there and how you can protect yourself against all of them. And if an attack is occurring, it’s important to know what your response should be and what you can do in the future to mitigate these kinds of attacks. One of the challenges is that there are so many different methods attackers can use, and so many different ways they can gain access to information. It’s important to know whether your organization may be at risk, and if you are at risk, what you can do to help mitigate that risk.

One place to begin gathering this type of information is the MITRE ATT&CK framework. This comes from the MITRE Corporation, which is based in the northeastern United States and primarily supports US government agencies. The entire framework is available for you to view online at attack.mitre.org. Using this framework, you can identify broad categories of attacks, find the exact intrusions that could be occurring, understand how those intrusions happen and how attackers move around after the initial compromise, and then identify security techniques that can help you block future attacks.

Here is the MITRE ATT&CK framework. It includes reconnaissance, resource development, initial access, and so on. You can see many different categories are available. Let’s look at one of these and go through the reconnaissance process. Let’s say we’ve discovered that there is some scanning going on against our network, so I want to click the Active Scanning option here. This covers scanning IP blocks and vulnerability scanning, and you can learn more about what those could be. We can also learn how we might mitigate this. This is a pre-compromise mitigation, because normally the scanning takes place prior to an actual attack.

The framework also includes detection techniques and references you can use to understand more about this particular attack type. Let’s go back to our main list and look at brute force attacks. There are four different kinds of brute force attacks listed: password guessing, password cracking, password spraying, and credential stuffing. Let’s pick credential stuffing. Here we get information about how the attacker performs the credential stuffing; ways to mitigate it, which are account use policies, multifactor authentication, password policies, and user account management; how you would detect this particular brute force attack; and references to help you understand more. This is an extensive amount of information, and if you’re trying to learn more about all of these different attacks and ways you can prevent them, this framework can give you a wealth of information.
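As an added example (this is not code from the video, from Professor Messer, or from MITRE), here is a small Python classifier that reads a constructed authentication log, maps the failed-login pattern it finds to the ATT&CK brute force sub-techniques discussed above, and reports the mitigations the credential stuffing entry lists. The log format, the thresholds, and the account names and source addresses are all assumptions; the technique and mitigation IDs are the public ATT&CK catalog IDs for the names used in the video.

```python
import re
from collections import defaultdict

# ATT&CK Brute Force (T1110) sub-techniques named in the video, with their
# public catalog IDs. Password cracking (T1110.002) is offline work against
# stolen hashes and never appears in an authentication log, so there is no
# rule for it here.
TECHNIQUES = {
    "T1110.001": "Password Guessing",
    "T1110.003": "Password Spraying",
    "T1110.004": "Credential Stuffing",
}
# The four mitigations the video reads off the credential-stuffing entry
# (catalog IDs added here).
MITIGATIONS = {
    "M1036": "Account Use Policies",
    "M1032": "Multi-factor Authentication",
    "M1027": "Password Policies",
    "M1018": "User Account Management",
}

# Constructed sample log in a hypothetical one-line-per-attempt format;
# addresses are from the documentation ranges, not real traffic.
SAMPLE_LOG = """\
2024-01-10T09:00:01 auth FAILED user=alice src=203.0.113.7
2024-01-10T09:00:02 auth FAILED user=alice src=203.0.113.7
2024-01-10T09:00:03 auth FAILED user=alice src=203.0.113.7
2024-01-10T09:00:04 auth FAILED user=alice src=203.0.113.7
2024-01-10T09:00:05 auth OK user=alice src=203.0.113.7
2024-01-10T09:05:00 auth FAILED user=bob src=198.51.100.9
2024-01-10T09:05:01 auth FAILED user=carol src=198.51.100.9
2024-01-10T09:05:02 auth FAILED user=dave src=198.51.100.9
2024-01-10T09:05:03 auth FAILED user=erin src=198.51.100.9
2024-01-10T09:10:00 auth FAILED user=gina src=192.0.2.10
2024-01-10T09:10:07 auth FAILED user=hal src=192.0.2.11
2024-01-10T09:10:15 auth FAILED user=ivan src=192.0.2.12
this line is malformed and is skipped by the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>FAILED|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_auth_log(text):
    """One dict per well-formed line; anything else is skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def classify_brute_force(events, min_failures=4, hammer_threshold=3):
    """Map failed-login patterns to ATT&CK Brute Force sub-techniques.

    Thresholds are assumptions to tune per environment:
      one source, >= hammer_threshold failures on one account     -> guessing
      one source, many accounts, one or two tries each            -> spraying
      several low-volume sources, each trying a different account -> stuffing
    """
    failures = defaultdict(lambda: defaultdict(int))  # src -> user -> count
    successes = defaultdict(set)                      # src -> users with OK
    for e in events:
        if e["result"] == "FAILED":
            failures[e["src"]][e["user"]] += 1
        else:
            successes[e["src"]].add(e["user"])

    findings = []
    low_volume = defaultdict(set)  # user -> sources, for sources under min_failures
    for src, users in failures.items():
        if sum(users.values()) < min_failures:
            for user in users:
                low_volume[user].add(src)
            continue
        tech = "T1110.001" if max(users.values()) >= hammer_threshold else "T1110.003"
        findings.append({
            "technique": tech, "name": TECHNIQUES[tech],
            "sources": {src}, "users": set(users),
            # An OK for an account that was also failing from this source is
            # the first thing to chase (event order is not checked here).
            "later_success": set(users) & successes[src],
        })

    # Low-and-slow across many sources, each hitting a different account, is
    # what credential stuffing from a breached list tends to look like.
    if len(low_volume) >= 3 and len(set().union(*low_volume.values())) >= 3:
        findings.append({
            "technique": "T1110.004", "name": TECHNIQUES["T1110.004"],
            "sources": set().union(*low_volume.values()), "users": set(low_volume),
            "later_success": {u for u in low_volume
                              if any(u in successes[s] for s in low_volume[u])},
        })
    return findings


if __name__ == "__main__":
    for f in classify_brute_force(parse_auth_log(SAMPLE_LOG)):
        print(f["technique"], f["name"], "accounts:", sorted(f["users"]),
              "sources:", sorted(f["sources"]), "succeeded:", sorted(f["later_success"]))
    print("Mitigations:", ", ".join(f"{k} {v}" for k, v in MITIGATIONS.items()))
```

The three rules are deliberately simple so the mapping to the ATT&CK entries stays visible; in a real deployment the thresholds would be tied to your normal failure rate, and the `later_success` field is the one that should turn a finding into an incident.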

Another useful framework that’s commonly used when an intrusion occurs is the Diamond Model. This is the Diamond Model of Intrusion Analysis, which was designed by the intelligence community of the US federal government. You can get more information on it from this link at dtic.mil. This guide is focused on helping you understand the intrusions that have occurred in your environment. The Diamond Model takes scientific principles, measurement, testability, and repeatability, and applies them to intrusion analysis so you can focus on understanding more about these intrusions. Although it appears very simple from the outside, when you start going through the process of filling in all the blanks around the diamond, you begin to see how complex this process can really be.

As a broad example of how you would apply this model, let’s take a scenario where an adversary has deployed a capability over some infrastructure against a victim. You can use the Diamond Model to understand the relationships between all of those pieces and gather details and documentation to fill in the blanks regarding this intrusion. This is the Diamond Model, and you can see there are four corners to the diamond: adversary, capability, victim, and infrastructure. The adversary is obviously the attacker. The capability is what the attacker uses; this could be malware, a hacker tool, or some other type of exploit used against your systems. The infrastructure describes what was used to gain access, so this could be IP addresses, domain names, email addresses, or other parts of your infrastructure. And lastly is the victim, which could be a person, an asset on the network, or a set of email addresses that were used.

There is a relationship between each pair of points on the diamond. An adversary uses the infrastructure, and the adversary also develops a capability. The victim is exploited by that capability, and the victim, of course, connects to the infrastructure. So you can see there are relationships between the points on this diamond. If you suffer an intrusion, you’ll begin filling in documentation at each of these points to help understand who the adversary was, what infrastructure they used, who the specific victim was, and what capabilities they used to gain access. As you fill in those blanks, you’ll have a much better idea of how this attack occurred, and then you can go back later and find ways to prevent it from occurring in the future.
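To make the four corners and the four relationships concrete, here is an added Python example that is not part of the video. It records each intrusion as a diamond event, lists the relationships that can already be stated for it, and goes one step beyond the single-intrusion description above by linking several events that share a capability or infrastructure value into one thread, so that an adversary known from one event can be carried over to the others. Event IDs, tool names, addresses, and the adversary label are all constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# The four vertices of the diamond and the relationships described in the
# video: adversary uses infrastructure, adversary develops capability,
# capability exploits victim, victim connects to infrastructure.
EDGES = (
    ("adversary", "uses", "infrastructure"),
    ("adversary", "develops", "capability"),
    ("capability", "exploits", "victim"),
    ("victim", "connects to", "infrastructure"),
)


@dataclass(frozen=True)
class DiamondEvent:
    """One intrusion event. Any corner may be None while it is still unknown."""
    event_id: str
    adversary: Optional[str]
    capability: Optional[str]
    infrastructure: Optional[str]
    victim: Optional[str]

    def corner(self, name):
        return getattr(self, name)

    def describe(self):
        """The relationship sentences this event supports so far."""
        out = []
        for src, verb, dst in EDGES:
            a, b = self.corner(src), self.corner(dst)
            if a is not None and b is not None:
                out.append(f"{src} '{a}' {verb} {dst} '{b}'")
        return out


def link_events(events):
    """Group events that share a capability or infrastructure value.

    Returns a sorted list of threads, each a sorted list of event ids.
    Union-find over the shared values. Adversary and victim are not used for
    linking: the same victim can be hit by unrelated actors, and the
    adversary is usually the blank you are trying to fill.
    """
    parent = {e.event_id: e.event_id for e in events}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    seen = {}  # (corner, value) -> first event id carrying that value
    for e in events:
        for corner in ("capability", "infrastructure"):
            value = e.corner(corner)
            if value is None:
                continue
            key = (corner, value)
            if key in seen:
                union(e.event_id, seen[key])
            else:
                seen[key] = e.event_id

    threads: Dict[str, List[str]] = {}
    for e in events:
        threads.setdefault(find(e.event_id), []).append(e.event_id)
    return sorted(sorted(t) for t in threads.values())


def infer_adversary(thread_ids, events):
    """Fill the adversary corner across a thread from any event where it is known."""
    by_id = {e.event_id: e for e in events}
    known = {by_id[i].adversary for i in thread_ids if by_id[i].adversary}
    if len(known) == 1:
        return known.pop()
    return None  # still unknown, or conflicting attributions that need a human


# Constructed events: ids, tool labels, addresses and the group name are made up.
EVENTS = [
    DiamondEvent("E1", None, "LoaderX", "mail-relay.example.net", "alice@corp.example"),
    DiamondEvent("E2", None, "LoaderX", "198.51.100.23", "host-fin-07"),
    DiamondEvent("E3", "Group A (constructed)", "RAT-Y", "198.51.100.23", "host-hr-02"),
    DiamondEvent("E4", None, "Tool-Z", "203.0.113.50", "host-dev-11"),
]

if __name__ == "__main__":
    for thread in link_events(EVENTS):
        print(thread, "adversary:", infer_adversary(thread, EVENTS))
    for line in EVENTS[0].describe():
        print(line)
```

In the constructed data E1 and E2 share a capability and E2 and E3 share infrastructure, so the three form one thread and the adversary documented for E3 becomes the working attribution for all of them, while E4 stays separate. That is the same blank-filling the video describes, applied across events instead of within one.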

And the last model we’ll look at is one that is often referenced in IT security materials: the cyber kill chain. This is a concept that was brought to us by the military, and we’ve applied it to the cybersecurity world. It starts with the first phase, reconnaissance. Reconnaissance is where the attacker gathers intel, using many different sources to get intelligence about the target.

Weaponization is the next phase, where the attacker needs some way to build a payload that can take advantage of a vulnerability. The attacker then delivers that payload; for example, they may send an executable over email to the intended victim. The attacker is hoping the victim runs that code from their email, which is the exploitation phase, where the code executes on the victim’s device. Once that code is executing, the next phase is installation of software such as malware to create back doors and additional channels. This brings us to command and control, where the attacker creates a channel they can use to access that system. And lastly is actions on objectives, where the attacker begins carrying out their goals.
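The kill chain is useful to a defender because its phases are ordered, so here is an added Python example (not from the video) that takes constructed observations from one incident, each tagged with the phase it belongs to, and reports how far the chain progressed, which earlier phases left no evidence, which observations fall back to an earlier phase (typically a new iteration of the chain starting from a foothold), and the earliest observed phase at which an existing control could have broken it. The timeline, sensor names, and control list are all made up.

```python
from dataclasses import dataclass

# The seven phases in the order the video walks through them.
KILL_CHAIN = [
    "reconnaissance",
    "weaponization",
    "delivery",
    "exploitation",
    "installation",
    "command_and_control",
    "actions_on_objectives",
]
PHASE_INDEX = {p: i for i, p in enumerate(KILL_CHAIN)}


@dataclass(frozen=True)
class Observation:
    when: str     # ISO timestamp, sortable as a string
    phase: str    # one of KILL_CHAIN
    source: str   # which log or sensor produced it
    detail: str


def assess_chain(observations):
    """Summarise how far along the kill chain an incident has been observed.

    Returns a dict with:
      furthest     - the latest phase for which there is evidence
      missing      - earlier phases with no evidence (detection gaps, or phases
                     such as weaponization that happen off your network)
      out_of_order - observations that fall back to an earlier phase after a
                     later one was already seen; usually a second pass through
                     the chain (e.g. internal recon after a foothold)
    """
    if not observations:
        return {"furthest": None, "missing": [], "out_of_order": []}
    ordered = sorted(observations, key=lambda o: o.when)
    high_water = -1
    in_order, out_of_order = [], []
    for o in ordered:
        idx = PHASE_INDEX[o.phase]  # KeyError on an unknown phase name
        if idx < high_water:
            out_of_order.append(o)
        else:
            in_order.append(o)
            high_water = idx
    seen = {o.phase for o in in_order}
    return {
        "furthest": KILL_CHAIN[high_water],
        "missing": [p for p in KILL_CHAIN[:high_water] if p not in seen],
        "out_of_order": out_of_order,
    }


def earliest_break_point(observations, controls):
    """Earliest observed phase that has a listed control: the cheapest place
    this chain could have been stopped. `controls` maps phase -> control name."""
    phases = sorted({o.phase for o in observations}, key=PHASE_INDEX.__getitem__)
    for p in phases:
        if p in controls:
            return p, controls[p]
    return None


# Constructed timeline for one incident (hosts, addresses and details made up).
TIMELINE = [
    Observation("2024-02-01T08:12:00", "delivery", "mail gateway",
                "attachment invoice.xlsm from an external sender"),
    Observation("2024-02-01T08:15:30", "exploitation", "EDR",
                "excel.exe spawned cmd.exe on host-fin-07"),
    Observation("2024-02-01T08:16:10", "installation", "EDR",
                "new scheduled task created on host-fin-07"),
    Observation("2024-02-01T08:17:45", "command_and_control", "proxy",
                "periodic beacon to 198.51.100.23"),
    Observation("2024-02-01T09:40:00", "reconnaissance", "NetFlow",
                "host-fin-07 sweeping TCP/445 across the finance VLAN"),
]

# Constructed view of which controls this defender actually has per phase.
CONTROLS = {
    "delivery": "attachment sandboxing at the mail gateway",
    "exploitation": "macro execution blocked by policy",
    "command_and_control": "egress proxy with domain/IP reputation",
}

if __name__ == "__main__":
    summary = assess_chain(TIMELINE)
    print("furthest:", summary["furthest"])
    print("missing:", summary["missing"])
    print("out of order:", [(o.when, o.phase) for o in summary["out_of_order"]])
    print("break point:", earliest_break_point(TIMELINE, CONTROLS))
```

On the constructed timeline the chain is observed up to command and control, reconnaissance and weaponization left no evidence (both normally happen before anything touches your network), and the late internal scan is flagged as out of order rather than counted as the attacker's initial reconnaissance. The break-point function then points at delivery, the earliest observed phase with a control, which is where the post-incident review should start.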

Each of these models gives us a different perspective on IT security. Some are created so we can gather information and learn more before an attack occurs, and others are designed to help us understand the results of an attack. Either way, we can take advantage of these frameworks to make our network safer and prepare for the next round of attacks against our systems.