Attack Framework, the cyber kill chain, the single most awesome movie you've ever seen, The Matrix, The Avengers, Last and the Furious ain't got nothing on us. Now before going deeper, let's spend just a minute describing what exactly is an attack framework. Well, an attack framework is just a standardized way of describing what's happening before, during, and after an attack.
Starting with who is the attacker, what kind of resources are being attacked, and how is the attack actually being conducted. So, how does this help us? Well, it helps us with threat modeling, because basically, at the end of the day, an attack framework is a way of describing... an attack.
And because there's just so much diversity in cyber attacks, there's no one single description that fits every scenario. We're gonna have to take one attack and try to split it into specific stages, which are going to match more or less to pretty much all the attacks out there. Well, newsflash, we're not the first ones who thought about describing attacks this way. So we can learn from what Lockheed Martin defined as the cyber kill chain, or the intrusion kill chain, in this white paper right here.
This kill chain defines the phases for common attacks, but applies mainly to those conducted by APT groups. The same document also talks in detail about IOCs, mitigation methods, ways to reconstruct an attack after it has already happened, and campaign analysis in order to determine those TTPs that we already covered in a previous video. Now, I honestly believe that this right here is a much better visual representation of the attack phases.
And this one actually looks so good that I'm going to use this instead of a slide. All right, so we should be able to identify in this cyber kill chain for the exam exactly what is going on in each of these phases, starting with reconnaissance, right? This is where the attacker gets to know you as a target. They won't ask you out. They won't buy you dinner.
They will stalk you and they will be the creepiest stalker you've ever encountered. They're going to look for what defenses you have in place, what security weaknesses you might have, not only in technology, but also in things like business processes and people. Ideally, this is going to be done in a stealthy manner. You know, it's not called stalking unless you get caught doing it, right?
So the attacker doesn't want you to discover that reconnaissance is taking place, at least not until he really knows what he's up against. So in this phase, the attacker actually decides how he is going to ruin your day. The second step is weaponization. If the reconnaissance phase was successful from the attacker's perspective, which means that a weakness has been discovered, and if this weakness can be exploited, this is where the attacker chooses the exploit, or even starts developing his own tools, crafted requests, compiling malicious code, whatever, injecting apples with poison, spitting in your coffee, stuff like that.
Then comes the delivery phase. After selecting the exploit, the attacker chooses and prepares a delivery method. So this is where the hacker thinks about how can that weakness actually be exploited. How can they reach you or your systems and how can they deliver that malicious code.
Now it might be possible to do it directly over the internet, but it also might require some inside help. Like sending a malicious email attachment or a link with cat videos to an employee who thinks that cat videos should come with the EXE extension. It also works with forgotten USB sticks left in a meeting room or in a parking lot, just waiting for someone to plug it into a company computer.
You would be amazed how often people are happy to consider themselves lucky for finding a USB stick, so happy that they plug it into the first computer they see, just to check how big the prize is, how much capacity, or what interesting files it has. Now, the exploitation phase means actually executing the exploit code. Depending also on the delivery method, this might happen automatically or remotely controlled by the attacker, or it, again, might require some inside human intervention.
Remember that the execution of some malicious code can be done by some unaware employee, but also by an insider threat, right, like an employee who works with the attacker, or even an employee who is the actual attacker. Nevertheless, attackers rely on someone on the inside. During the installation phase, we need to remember that the purpose of exploitation is to gain access to a system, usually with the intent of installing an additional piece of software on it that gives the hacker direct access to that system. So the installation phase covers any backdoor along with any configuration changes that might be required, like creating a new user for the attacker and new firewall rules to allow the attacker to reconnect to the compromised host anytime in the future.
Think of the installation phase just like you would get installed into a new home. You arrange the furniture. You leave some personal things behind so that the next time you come back, you feel, well, at home. The C2 phase, or the command and control phase, is relevant because, of course, for the attacker to gain access to his newly compromised system, a data channel has to be established to some of the attacker's central control software. Basically, this means that the malware calls back home, right to the attacker, and lets him know that the system is all good, healthy, and still perfectly compromised.
This channel is called command and control because it allows the attacker to send commands and remotely control the compromised systems. Usually, command and control connections are initiated from the inside of the company, so from the compromised host, because connections initiated from inside of the company network are in most cases allowed by the firewalls and any proxies you might have, but not vice versa. You cannot connect from the outside so easily. So in many documented attacks, identifying the command and control channel in firewall or DNS logs was actually the first proof that indicated the presence of compromised systems. And it's still one of the first methods of detecting APTs in your network.
For the actions on objectives phase, finally, with persistent access to the desired system, the attacker can complete his original goal. Well, it might be any number of goals, actually. It might be the intention to exfiltrate, to steal data, to corrupt some data, to destroy a database, some files, some important files, to alter some records, to change something, cover a desk with toilet paper, I don't know, simply snoop on some users, for example, or activities of interest. Well, does this sound right?
Believable? Well, yeah, but myself and others like me don't really like this model because it's too focused on securing against outside threats and kind of ignores insider threats in cloud environments too.
Also, it would be hard to determine in which phase of the attack you're currently in if you're facing an attacker who erases his or her tracks, right? What if the entire exploitation and action on objectives takes less than one minute and then the attacker immediately erases all traces? So it's not one solution fits all, but it's still a pretty good abstraction of most APT attacks out there.
But just in case this doesn't satisfy you, there are other models out there. One example would be the Cyber Kill Chain model from AlienVault that has a slightly different approach, addressing and paying close attention to insider threats too.
Now, AlienVault's model does this first by distinctly separating a classic kill chain, this one here, from an internally initiated one, this one right here. Secondly, it defines steps that apply to external attacks and steps that apply to both external and internal attacks. Well, let's also talk about defense for just a minute. Now, these models tell a nice story, but their main purpose is to allow you to prepare your defenses.
So you can counter attacks before, during, and we'll even gather some information after the attack has happened to allow you to understand what happened and how you can avoid a similar attack in the future. So let's see how you can use these models to defend yourself. Well, the main method for defense is the installation of security controls.
So we have some controls and actions that we can implement to help us on every step. For example, during the reconnaissance phase, well, we should always aim to reduce our attack surface, to give as little information as possible to anyone, attacker or no attacker. So we try to communicate only what is strictly necessary on the company's website or on job postings, right?
Some outside penetration testing services would be recommended as well to get a better image of what you look like from the attacker's point of view. Also, educate your users, train your users against sharing too much of their personal and professional lives on social media and teach them how to identify and reject phishing attempts.
Now, against weaponization, this is where you should scan for vulnerabilities. Now, patch known vulnerabilities, scan for new ones from time to time, install some technical controls in there that could detect and even prevent attacks before they happen. For the delivery phase, well, it depends on the delivery method. We could think about restricting the use of external storage devices like USB drives. And we can filter internet traffic, for example.
But mostly, we should think about training those users that constantly send funny links to each other or click random links without a second thought. Against exploitation, well, again, we have the same solution. Patch, patch, and then update some more, and try to minimize the attack surface by disabling any unnecessary services, especially if they are accessible from the outside.
Against the installation of malware, endpoint security tools can detect any abnormal activity, foreign files, especially executable ones, processes, network connections. This is also where you can rely on signature scanning. But don't forget that a well-educated user can also help by noticing and reporting unfamiliar behavior on their workstation, right?
So try to motivate users to work alongside the security team and help out when they can. At the command and control phase, again, endpoint security solutions would be able to scan, look for, monitor for outbound connections from unexpected processes. Perimeter security can help as well, as you can block those outbound connections at the perimeter firewall, or you can detect when they try to resolve suspicious-looking domain names to reach those command and control servers, like randomly generated DNS names.
Finally, for the actions on objectives phase, well, if the attacker has reached this phase, unfortunately, chances are there is not so much you can do because most likely you failed to detect the attack, unless you happen to have some security solution in place that matches precisely the attacker's intent. For example, you might have a strong access control system to allow access to confidential files on a central file server, or a DLP, that's data loss prevention or data leak prevention, solution against exfiltrating internal documents. You know, read-only access to data files, read-only access to databases against tampering, corruption, deletion. Generally, against data loss you can protect yourself using off-site backup, so backups that are not stored in the same location as your main data. But generally, if an attacker has already reached this phase, there isn't much you can do against a data breach.
It has already happened, unfortunately. Now, remember we mentioned that the Lockheed Martin model isn't the only one out there, and it kind of has some downsides. One of them being the fact that it's too simple. An alternative to this Lockheed Martin model is the ATT&CK framework from MITRE.
Now, this framework is a database of known TTPs, which are mapped in a matrix, right, to a larger number of attack phases. Now, of course, not all these phases are going to apply to each attack, just like not all the techniques described within a phase will be found in a specific attack. But with this ATT&CK framework, you get to pick and choose.
So the purpose of this framework is to analyze the attack and then check what applies to your specific case, right, from each column. Notice there is no specific order in which these TTPs must, should or are expected to happen, which is much more like real-life scenarios. Treat this model as something like a restaurant menu rather than an instruction manual. Okay, so let's pretend for a minute that we want to know more about a specific type of attack. Let's say an attack that performs...
What's the first thing that comes into your mind? Let's see. Let's say pivoting.
Right? Lateral movement. Right here. You did think about pivoting, right?
My mental skills are out of this world. So, pivoting, or attacks that try to infect additional systems. We can see that under lateral movement here, we can find techniques like exploitation of remote services, or internal spear phishing, attacking shared content, or transmission through removable media. Under such an example, we can see multiple malware versions that rely on this technique, and also some ways to mitigate them, right?
To fight against these techniques. And as we can probably guess, against USB malware, we can disable Autorun or limit access to unnecessary external USB devices. And again, I would add here, train your users to be suspicious of random USB devices found around the office. My recommendation is to have a look over the ATT&CK framework.
Don't learn it by heart, of course, but try to understand the different types of techniques presented here. It is truly probably the single most comprehensive collection of cyber attacks and information about cyber attacks. It's a great learning tool for... covering, understanding how cyber attacks look nowadays. And also, this entire database is based on real observations.
So everything in here was observed, documented, and used as an attack technique at some point in time in real life. Finally, one last model is the jewel. No, wait, the diamond of intrusion analysis.
Not exactly my favorite one, because it can prove to be a bit difficult to follow, even though at first sight it actually looks kind of simple. And well, this model is focused on a single intrusion event by describing the relationships between four core features. And those features are an adversary, a capability, a victim, and the infrastructure.
Now, the lines in this model are the relationships between these concepts, and they tell us that it is possible for an analyst to reach the other connected points, given enough information. For example, if we analyze a victim, we can see the capabilities used by the attacker against that victim. So we can see how the victim was attacked. If we have infrastructure visibility over the network or the logs, then we draw even more conclusions about how the capability used the infrastructure to compromise the victim.
Well, coming from the ATT&CK framework and even the cyber kill chain, this sounds terribly oversimplified, right? Well, it is, but that's not all. Each event actually has additional meta-features as well, like an event timestamp: when did the event happen? A phase: was this during reconnaissance, weaponization and so on? A result: was it successful or not, did it compromise any part of the CIA triad, or was it just a failed attempt? Direction: was it initiated by the victim or from the outside, or even bi-directional? A method: what exactly was the attack?
Was it phishing? Was it an exploit? Was it a denial of service? And finally, the resources required to complete the event, you know, like reconnaissance information that might be required, any password hashes that the attacker might need to have access to, the presence of a vulnerability, anything that the attacker needs to assume or gather before conducting the attack. And each of these features is then assigned a confidence level, which of course is based on an assumption.
So remember we said that one such diamond focuses on a single event. So if you think about it, we're going to need at least two events for a malicious outcome. We need at least an initial reconnaissance phase and then we need an actual attack or exploit phase.
So the diamond model is actually used to describe so-called activity threads during an attack, which are made up of multiple such phases or diamonds. And as you can probably see, this is becoming very similar to the cyber kill chain that we saw at the beginning of the video. Now, these events can be linked and they can tell you how an attacker could behave when an attack is in progress.
So how exactly is the attacker progressing from one phase to the next, right? What information it needs in between and so on. An attack might have multiple threads, but also might address multiple targets.
So describing phases, like in this example, can also show when an attacker pivots within the network and tries to compromise additional targets in the same environment. All right, so we kind of went from oversimplification to overcomplication, right? Seems a bit hard to follow now?
It kind of is. And that's because this model was actually designed for automatic processing. So this kind of a description of an attack that somehow resembles a state machine is actually used by machines, or by appliances, security appliances, software security solutions designed for threat modeling. One such solution is this ThreatConnect app from Splunk, which is actually designed to model threats using this diamond model. They actually give you a very nice example here about how the destruction of the Death Star in Star Wars would look if we were to model this threat using the diamond model. So have fun with this one. Told you we're talking about movies in this video. All right, so for the exam, make sure you remember that Attack Framework, the Cyber Kill Chain, is the single most awesome expression from this training.
I'm kidding. Make sure you understand the phases of an attack, both in the Kill Chain from Lockheed Martin and in the MITRE ATT&CK framework. Don't forget to subscribe to Certified Breakfast. Thanks for watching and see you on the next video.
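
Added example, not part of the original video and not code from any product it mentions: a minimal Python model of the Diamond Model events described above (four core features plus meta-features), grouped into per-victim activity threads, with a check for kill chain phases that have no observed event and for pivoting between victims. The field names, the pivot rule, and every host, actor and value in the sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
# Kill chain phases in the order the video walks through them.
PHASES = ["reconnaissance", "weaponization", "delivery", "exploitation",
          "installation", "c2", "actions_on_objectives"]

@dataclass(frozen=True)
class DiamondEvent:
    adversary: str            # the four core features
    capability: str
    infrastructure: str
    victim: str
    timestamp: int            # meta-features; minutes since first sighting
    phase: str
    result: str               # "success" or "failure"
    direction: str
    method: str
    confidence: float         # analyst's confidence, 0.0 to 1.0
    resources: tuple = ()     # what the attacker needed beforehand

def activity_threads(events):
    """Group events into one time-ordered thread per victim."""
    threads = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.timestamp):
        threads[ev.victim].append(ev)
    return dict(threads)

def missing_phases(thread):
    """Phases up to the latest observed one with no event: visibility gaps."""
    seen = {PHASES.index(ev.phase) for ev in thread}  # ValueError on unknown phase
    return [p for i, p in enumerate(PHASES[:max(seen) + 1]) if i not in seen]

def pivots(events):
    """(source, target) pairs where an already compromised victim serves as
    infrastructure against another victim, i.e. lateral movement."""
    compromised, found = set(), []
    for ev in sorted(events, key=lambda e: e.timestamp):
        pair = (ev.infrastructure, ev.victim)
        if pair[0] in compromised and pair[0] != pair[1] and pair not in found:
            found.append(pair)
        if ev.result == "success" and PHASES.index(ev.phase) >= PHASES.index("exploitation"):
            compromised.add(ev.victim)
    return found

# Constructed sample events; every name and value is made up for illustration.
E = DiamondEvent
EVENTS = [
    E("actor-A", "port scan", "scanner.example", "ws-17", 0, "reconnaissance", "success", "infrastructure-to-victim", "scan", 0.6),
    E("actor-A", "malicious attachment", "mail.example", "ws-17", 60, "delivery", "success", "infrastructure-to-victim", "phishing", 0.8),
    E("actor-A", "macro dropper", "mail.example", "ws-17", 65, "exploitation", "success", "infrastructure-to-victim", "exploit", 0.7),
    E("actor-A", "backdoor beacon", "c2.example", "ws-17", 70, "c2", "success", "victim-to-infrastructure", "dns callback", 0.9),
    E("actor-A", "remote service exploit", "ws-17", "fs-01", 120, "exploitation", "success", "infrastructure-to-victim", "exploit", 0.7, ("password hashes",)),
    E("actor-A", "archive upload", "c2.example", "fs-01", 130, "actions_on_objectives", "failure", "victim-to-infrastructure", "exfiltration", 0.5),
]
```

The phases reported as missing for a thread are not proof that nothing happened there; they mark where the defender had no visibility, which is the gap the kill chain section says to close with controls and logging.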