# Threat intelligence and forensics

## Cyber kill chain

Framework for identification and prevention of cyber intrusion activity.

- Developed by Lockheed Martin
- Identifies what the adversaries must complete in order to achieve their objective.
- 🤗 Based on military kill chains, a concept consisting of
  - target identification
  - force dispatch to target
  - decision and order to attack the target
  - the destruction of the target
- 🤗 Critics state it only defends the "perimeter" and is not a suitable model for insider threats. E.g. A "Kill Chain" Analysis of the 2013 Target Data Breach

### Cyber kill chain steps

❗ Not the same in every organization: different organizations have constructed their own kill chains to try to model different threats.

#### Reconnaissance

- Collecting as much information about the target as possible.
- E.g. harvesting email addresses, conference information, etc.
- See also footprinting

#### Weaponization

- Analyzing collected data to identify vulnerabilities to exploit in order to gain access.
- E.g. creating a phishing campaign based on collected data

#### Delivery

- Transmitting the weaponized bundle to the victim via email, web, USB, etc.
- Key to measuring the effectiveness of the defense strategies implemented by the target.
- E.g. sending phishing emails

#### Exploitation

- Executing code on the victim's system.
- E.g. arbitrary code execution, authentication and authorization attacks

#### Installation

- Installing malware on the asset.
- E.g. a backdoor to gain remote access and maintain access in the network

#### Command and control

- Allows remote manipulation/exploitation of the victim.
- Done by establishing two-way communication between the victim and the attacker.
- Evidence is usually hidden using encryption techniques.

#### Actions on objectives

- With hands-on access, intruders accomplish their original goals.
- E.g.
  - disrupting the network
  - gaining access to confidential data

### Defensive courses of action

- Detect: determine whether an attacker is poking around
- Deny: prevent information disclosure and unauthorized access
- Disrupt: stop or change outbound traffic (to attacker)
- Degrade: counter-attack command and control
- Deceive: interfere with command and control
- Contain: network segmentation changes

## Threat identification

### Tactics, Techniques, and Procedures (TTPs)

#### Tactics

- Also called tools in the acronym
- Highest-level description of the behavior
- Describes the ways an attacker attacks from start to end
- E.g.

#### Techniques

- Technical methods used by an attacker
- Gives a more detailed description of behavior in the context of a tactic.
- E.g.

#### Procedures

- Lower-level, highly detailed description in the context of a technique.
- Sequence of actions done by attackers
- E.g. an actor collects business e-mails of the target company, then launches a spear phishing campaign

### Adversary behaviors

- Methods or techniques used by an attacker to penetrate the victim's network.
- E.g. using PowerShell, DNS tunneling, web shells, etc.

### Indicators of Compromise (IoCs)

- Artifacts observed that indicate a computer intrusion with high confidence.
- 4 categories:
  - Email indicators: e.g. sender's email address, subject, attachment, links
  - Network indicators: e.g. URLs, domain names, IP addresses, unusual DNS requests
  - Host-based indicators: e.g. filenames, file hashes, registry keys, DLLs, mutexes
  - Behavioral indicators: e.g. memory code injection, remote command execution, a document executing a PowerShell script
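The four IoC categories above in practice, as an added example that is not part of the original notes: a small triage routine that normalises defanged feed values (`hxxp`, `[.]`), matches email, network and host indicators against constructed log events, and applies one behavioral rule (a document handler spawning PowerShell with an encoded command). All indicator values, event records and the `IOCS`/`EVENTS` names are constructed for illustration, not real intelligence.

```python
import re

# Constructed IoC set for three of the page's categories (hypothetical values, not real indicators).
IOCS = {
    "email":   {"sender": "billing@invoice-example.test"},
    "network": {"domain": "cdn-update[.]example", "ip": "198.51.100.23"},
    "host":    {"sha256": "a1" * 32, "mutex": "Global\\ExampleMutex"},
}

def refang(value):
    """Normalise defanged indicators (hxxp, [.], (dot), [:]) so feed and log values compare equal."""
    v = value.strip().lower()
    v = re.sub(r"^hxxp", "http", v)
    return v.replace("[.]", ".").replace("(dot)", ".").replace("[:]", ":")

def match_iocs(event):
    """Return a sorted list of (category, field) pairs for every IoC the event contains."""
    hits = []
    for category, indicators in IOCS.items():
        for field, ioc in indicators.items():
            observed = event.get(field)
            if observed is not None and refang(observed) == refang(ioc):
                hits.append((category, field))
    return sorted(hits)

def behavioural_hit(event):
    """Behavioral indicator: an Office document handler spawning PowerShell with an encoded command."""
    parent = event.get("parent", "").lower()
    cmd = event.get("cmd", "").lower()
    doc_apps = ("winword.exe", "excel.exe", "powerpnt.exe")
    return parent in doc_apps and "powershell" in cmd and ("-enc" in cmd or "-encodedcommand" in cmd)

# Constructed sample events: a mail log, a DNS/proxy log, a host scan, two process-creation logs.
EVENTS = [
    {"id": 1, "sender": "Billing@Invoice-Example.test", "subject": "Overdue invoice"},
    {"id": 2, "domain": "cdn-update.example", "ip": "198.51.100.23"},
    {"id": 3, "sha256": "a1" * 32, "mutex": "global\\examplemutex"},
    {"id": 4, "parent": "WINWORD.EXE", "cmd": "powershell.exe -enc <base64-placeholder>"},
    {"id": 5, "domain": "docs.example", "parent": "explorer.exe", "cmd": "notepad.exe"},
]

def triage(events):
    """Map event id -> list of matched indicator categories (empty list when nothing matched)."""
    report = {}
    for ev in events:
        cats = sorted({c for c, _ in match_iocs(ev)})
        if behavioural_hit(ev):
            cats.append("behavioral")
        report[ev["id"]] = cats
    return report

if __name__ == "__main__":
    for eid, cats in triage(EVENTS).items():
        print(eid, cats or "clean")
```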