
Overview of Cybersecurity Attack Frameworks

Feb 6, 2025

Lecture Notes: Cybersecurity Frameworks and Models

Introduction to Attack Frameworks

  • Definition: A standardized way to describe the sequence of events in a cyber attack, from pre-attack preparation through the intrusion itself to post-attack actions.
  • Purpose: Supports threat modeling by breaking an attack into stages, so that defenses and detections can be assigned to each stage.
  • Diversity: No single model fits every attack scenario; several frameworks exist and are often used together.

The Cyber Kill Chain

  • Origin: Defined by Lockheed Martin to describe the common phases of an intrusion, derived primarily from analysis of APT (Advanced Persistent Threat) campaigns.
  • Phases:
    1. Reconnaissance: Gathering information about the target, usually covertly (public records, employee profiles, exposed services).
    2. Weaponization: Coupling an exploit with a payload into a deliverable object such as a malicious document. This happens on the attacker's side and is not directly observable by the defender.
    3. Delivery: Transmitting the weapon to the target (e.g., email attachment, web link, USB drive).
    4. Exploitation: Triggering the exploit code on the victim system, often through a user action such as opening the attachment, and in some cases with insider help.
    5. Installation: Installing malware (a backdoor or other persistence mechanism) to maintain access.
    6. Command and Control (C2): Establishing a communication channel between the compromised system and attacker-controlled infrastructure.
    7. Actions on Objectives: Achieving the attacker's goals (e.g., data theft, sabotage, lateral movement to further targets).
  • Criticism: Focused on external, malware-based intrusions; it models insider threats and cloud environments poorly and assumes the phases occur in a fixed, linear order.

Defense Strategies

  • Reconnaissance Phase: Reduce the attack surface, limit what is published about the organization and its staff, and train users to recognize social engineering.
  • Weaponization Phase: The defender cannot observe this phase directly; prepare for it by scanning for vulnerabilities, patching systems, and applying technical hardening so that common weapons fail on arrival.
  • Delivery Phase: Restrict removable storage, filter email and web traffic, and train users not to open unexpected attachments or links.
  • Exploitation and Installation Phases: Patch systems, use endpoint security tools (anti-malware, EDR, application allowlisting), and detect new persistence mechanisms.
  • Command and Control Phase: Monitor and filter outbound connections (proxy, DNS, and firewall logs) for beaconing patterns and known C2 infrastructure; perimeter controls can block the channel once it is identified.
  • Actions on Objectives Phase: Implement access controls, data loss prevention, network segmentation, and tested backups to limit what the attacker can reach and recover from what they do.
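The Command and Control entry above says to monitor outbound connections; in practice that means running a detection over proxy, DNS or firewall logs. The script below is an added example, not code from the lecture or from any product. It looks for beaconing, the near-constant check-in interval many implants produce. The log format (ISO timestamp, source host, destination, bytes), the log lines themselves, the five-connection minimum and the 15% jitter threshold are all constructed assumptions for the example.

```python
"""Beacon detection for the Command and Control phase.

Added example, not part of the lecture notes: groups outbound proxy
connections by (source, destination) and flags pairs whose check-in
intervals are nearly constant, the pattern that many C2 implants produce.
The log format (ISO timestamp, source host, destination, bytes) and the
log lines themselves are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: one outbound connection per line.
# A 60-second beacon to api.update-check.example is hidden among normal browsing.
SAMPLE_LOG = """\
2025-02-06T09:00:00 ws-17 api.update-check.example 4210
2025-02-06T09:00:04 ws-17 cdn.example.net 88301
2025-02-06T09:01:00 ws-17 api.update-check.example 4198
2025-02-06T09:02:00 ws-17 api.update-check.example 4225
2025-02-06T09:02:37 ws-17 mail.example.org 1302
2025-02-06T09:03:00 ws-17 api.update-check.example 4203
2025-02-06T09:04:00 ws-17 api.update-check.example 4211
2025-02-06T09:05:01 ws-17 api.update-check.example 4199
2025-02-06T09:06:13 ws-17 cdn.example.net 120077
2025-02-06T09:09:48 ws-17 cdn.example.net 9930
2025-02-06T09:11:02 ws-17 cdn.example.net 54410
2025-02-06T09:14:30 ws-17 cdn.example.net 7781
"""


def parse_log(text):
    """Parse log lines into (timestamp, src, dst, bytes) tuples; skip blank or malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, nbytes = parts
        events.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return events


def find_beacons(events, min_connections=5, max_jitter=0.15):
    """Return (src, dst) pairs that check in at near-constant intervals.

    Jitter is the coefficient of variation (stdev / mean) of the gaps between
    consecutive connections. Real implants randomise their sleep a little, so
    the 15% threshold is a tunable assumption, not a universal constant; raise
    it to catch jittery beacons at the cost of more false positives.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _ in events:
        by_pair[(src, dst)].append(ts)

    findings = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue  # too few samples to judge periodicity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # everything in the same second: a burst, not a beacon
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            findings.append({
                "src": src,
                "dst": dst,
                "connections": len(stamps),
                "interval_s": round(avg, 1),
                "jitter": round(jitter, 3),
                "kill_chain_phase": "Command and Control",
            })
    return findings


if __name__ == "__main__":
    for f in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{f['src']} -> {f['dst']}: {f['connections']} connections every "
              f"{f['interval_s']}s (jitter {f['jitter']}), phase {f['kill_chain_phase']}")
```

On the sample log this flags only ws-17 -> api.update-check.example (six connections, 60.2 s apart, jitter under 1%); the irregular cdn.example.net traffic has enough connections but far too much variance. Legitimate software updaters and monitoring agents beacon too, so a finding like this is a lead to enrich with destination reputation and process context, not a verdict on its own.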

Alternative Models

MITRE ATT&CK Framework

  • Nature: A knowledge base of adversary TTPs (Tactics, Techniques, and Procedures) documented from real-world intrusions.
  • Structure: Presented as a matrix whose columns are tactics (the adversary's goal at that point, e.g. Initial Access, Persistence, Exfiltration) and whose cells are techniques. Unlike the kill chain, the techniques are not required to occur in a fixed sequence.
  • Usage: Analysts select the techniques that apply to a given incident and map detections, mitigations, and threat intelligence to them.

Diamond Model of Intrusion Analysis

  • Focus: Models each intrusion event as the relationship between four core features: adversary, capability, victim, and infrastructure.
  • Meta Features: Each event also carries a timestamp, kill chain phase, result, direction, methodology, and resources.
  • Usage: Events that share a feature can be linked (pivoting, e.g. from one C2 server to every victim that contacted it) and chained into activity threads; the fixed structure makes it well suited to automated correlation and threat modeling.
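The two analyses the Diamond Model is built for, pivoting on a shared feature and ordering events into an activity thread, are easier to see with data in the model's shape. The following is an added example, not code from the lecture or from the model's authors: every event, hostname, and indicator in it is constructed for illustration (IP addresses come from the TEST-NET ranges reserved for documentation), and the field names are one reasonable encoding of the model, not a standard.

```python
"""Diamond Model events, pivoting and activity threads.

Added example, not part of the lecture notes: represents each intrusion
event with the Diamond Model's four core features and its meta-features,
then does the two analyses the model is designed for: pivoting from one
known feature to every related event, and ordering one victim's events
into an activity thread by kill chain phase. All events, hostnames and
indicators below are constructed for illustration (IPs are from the
TEST-NET ranges reserved for documentation).
"""
from dataclasses import dataclass

KILL_CHAIN = [
    "Reconnaissance", "Weaponization", "Delivery", "Exploitation",
    "Installation", "Command and Control", "Actions on Objectives",
]


@dataclass(frozen=True)
class DiamondEvent:
    # Core features: the four vertices of the diamond.
    adversary: str
    capability: str
    infrastructure: str
    victim: str
    # Meta-features attached to every event.
    timestamp: str         # ISO-8601 string so events sort chronologically
    phase: str             # kill chain phase, validated below
    result: str            # success / failure / unknown
    direction: str         # e.g. infrastructure-to-victim, victim-to-infrastructure
    methodology: str       # general class of activity, e.g. phishing, beaconing
    resources: tuple = ()  # what the event needed: accounts, hosts, tools

    def __post_init__(self):
        if self.phase not in KILL_CHAIN:
            raise ValueError(f"unknown kill chain phase: {self.phase!r}")


# Constructed events, deliberately out of order, as they might arrive from logs.
EVENTS = [
    DiamondEvent("UNKNOWN-1", "beacon implant", "198.51.100.23", "finance-ws-04",
                 "2025-02-03T08:20", "Command and Control", "success",
                 "victim-to-infrastructure", "HTTPS beaconing", ("C2 server",)),
    DiamondEvent("UNKNOWN-1", "invoice.doc with VBA macro", "192.0.2.10", "finance-ws-04",
                 "2025-02-03T08:12", "Delivery", "success",
                 "infrastructure-to-victim", "phishing email", ("mail relay",)),
    DiamondEvent("UNKNOWN-1", "beacon implant", "198.51.100.23", "hr-ws-11",
                 "2025-02-04T10:02", "Command and Control", "success",
                 "victim-to-infrastructure", "HTTPS beaconing", ("C2 server",)),
    DiamondEvent("UNKNOWN-1", "VBA macro dropper", "192.0.2.10", "finance-ws-04",
                 "2025-02-03T08:15", "Exploitation", "success",
                 "infrastructure-to-victim", "user opened attachment", ()),
    DiamondEvent("UNKNOWN-1", "beacon implant", "198.51.100.23", "finance-ws-04",
                 "2025-02-03T08:16", "Installation", "success",
                 "infrastructure-to-victim", "Run-key persistence", ("local user account",)),
]


def pivot(events, feature, value):
    """Analytic pivoting: every event that shares one core feature value.

    Pivoting on infrastructure "198.51.100.23" turns one C2 sighting into a
    list of all victims that talked to it; pivoting on a capability does the
    same for every host where that tool was seen.
    """
    if feature not in ("adversary", "capability", "infrastructure", "victim"):
        raise ValueError(f"not a core feature: {feature!r}")
    return [e for e in events if getattr(e, feature) == value]


def activity_thread(events, victim):
    """One victim's events ordered by kill chain phase, then by time."""
    return sorted((e for e in events if e.victim == victim),
                  key=lambda e: (KILL_CHAIN.index(e.phase), e.timestamp))


def missing_phases(thread):
    """Kill chain phases with no observed event: where to hunt for evidence next."""
    seen = {e.phase for e in thread}
    return [p for p in KILL_CHAIN if p not in seen]


if __name__ == "__main__":
    for e in pivot(EVENTS, "infrastructure", "198.51.100.23"):
        print(f"{e.timestamp} {e.victim} <-> {e.infrastructure} ({e.phase})")
    thread = activity_thread(EVENTS, "finance-ws-04")
    print([e.phase for e in thread])
    print("not yet observed:", missing_phases(thread))
```

Pivoting on the C2 address surfaces hr-ws-11 as a second victim that no alert had mentioned, and the finance-ws-04 thread shows Reconnaissance, Weaponization and Actions on Objectives with no evidence yet, which is exactly the gap list an incident responder uses to decide where to look next. Because the meta-feature phase is validated against the kill chain list, the two frameworks compose: the Diamond Model structures each event and the kill chain orders them.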

Conclusion

  • Exam Focus: Know the seven phases of the Lockheed Martin Cyber Kill Chain in order, and how MITRE ATT&CK differs from it (unordered techniques grouped under tactics).
  • Additional Tools: Explore the ThreatConnect app for Splunk for practical threat modeling.

Note: This session also humorously referenced movies like "The Matrix" and "Star Wars" to explain concepts.