Version: 1.0.2

Threat intelligence and forensics

Cyber kill chain

  • Framework for identification and prevention of cyber intrusions activity.
  • Developed by Lockheed Martin
  • Identifies what the adversaries must complete in order to achieve their objective.
  • 🤗 Based on military kill chains, a concept consisting of • target identification • force dispatch to target decision • order to attack the target • the destruction of the target
  • 🤗 Critics say it only defends the "perimeter" and is not a suitable model for insider threats.
  • E.g. A "Kill Chain" Analysis of the 2013 Target Data Breach

Cyber kill chain steps

  • ❗ Not the same in every organization: different organizations have constructed their own kill chains to model the threats they face
  1. Reconnaissance
    • Collecting as much as information about the target.
    • E.g. harvesting email addresses, conference information etc.
    • See also footprinting
  2. Weaponization
    • Analyzing the collected data to identify vulnerabilities to exploit, then coupling an exploit with a payload (e.g. a backdoor) into a deliverable package
    • E.g. creating a phishing campaign based on collected data
  3. Delivery
    • Weaponized bundle to the victim via email, web, USB, etc.
    • First phase where defenders can measure the effectiveness of their controls, since delivery is the first adversary action the target can observe and block.
    • E.g. sending phishing emails
  4. Exploitation
    • Execute code on victim's system.
    • E.g. arbitrary code execution, authentication and authorization attacks
  5. Installation
    • Installing malware on the asset
    • E.g. backdoor to gain remote access and maintain access in the network
  6. Command and control
    • Allows remote manipulation/exploitation of the victim
    • Done by establishing two-way communication between the victim and the attacker.
    • Evidence is usually hidden using encryption techniques
  7. Actions on objectives
    • With hands-on access, intruders accomplish their original goals.
    • E.g. • disrupting the network • gaining access to confidential data

Defensive courses of action

  1. Detect: determine whether an attacker is poking around
  2. Deny: prevent information disclosure and unauthorized access
  3. Disrupt: stop or change outbound traffic (to attacker)
  4. Degrade: slow down or throttle the attacker's command and control (e.g. tarpitting connections)
  5. Deceive: interfere with command and control by feeding the attacker false information (e.g. DNS redirection to a honeypot)
  6. Contain: network segmentation changes

Threat identification

Tactics, Techniques, and Procedures (TTPs)

Tactics

  • Sometimes expanded as "tools" instead of "tactics" in the acronym
  • Highest-level description of the behavior
  • Describes what the attacker is trying to achieve at each stage, from the start of the attack to the end
  • E.g.

Techniques

  • Technical methods used by an attacker
  • Gives a more detailed description of behavior in the context of a tactic.
  • E.g.

Procedures

  • Lower-level, highly detailed description in the context of a technique.
  • Sequence of actions done by attackers
  • E.g. an actor collects business e-mails of target company then launches a spear phishing campaign

Adversary behaviors

  • Methods or techniques used by an attacker to penetrate the victim network.
  • E.g. using PowerShell, DNS Tunneling, Web Shell etc.
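DNS tunneling is listed above as an adversary behavior, and it is also the usual source of the "unusual DNS requests" that later appear as network indicators. The following is an added example, not code from the original page: it flags tunneling candidates in constructed resolver log lines by grouping queries per (client, base domain) and looking for many unique, long, high-entropy subdomains. The log format, the sample lines and the thresholds are all assumptions made for the example; the base-domain split is a naive last-two-labels rule, where production code would use the Public Suffix List.

```python
"""Flag DNS tunneling candidates in constructed resolver log lines.

A tunnel encodes data in the query name, so for each (client, base domain)
pair we measure how many distinct subdomains were queried, how long the
labels are and how random they look. Thresholds are starting points to
tune per environment, not published constants (assumption for this example).
"""
import math
from collections import defaultdict

# Constructed sample log, format "<timestamp> <client_ip> <qtype> <qname>".
# 10.0.0.5 sends hex-encoded chunks to example.net; the others are benign.
SAMPLE_LOG = """\
2024-05-01T10:00:01 10.0.0.5 TXT 0123456789abcdeffedcba9876543210.example.net
2024-05-01T10:00:02 10.0.0.5 TXT fedcba98765432100123456789abcdef.example.net
2024-05-01T10:00:03 10.0.0.5 TXT 02468ace13579bdf02468ace13579bdf.example.net
2024-05-01T10:00:04 10.0.0.5 TXT 13579bdf02468ace13579bdf02468ace.example.net
2024-05-01T10:00:05 10.0.0.5 TXT 0f1e2d3c4b5a69780f1e2d3c4b5a6978.example.net
2024-05-01T10:00:06 10.0.0.5 TXT 8796a5b4c3d2e1f08796a5b4c3d2e1f0.example.net
2024-05-01T10:00:07 10.0.0.7 A www.example.com
2024-05-01T10:00:08 10.0.0.7 A mail.example.com
2024-05-01T10:00:09 10.0.0.7 A www.example.com
2024-05-01T10:00:10 10.0.0.7 A www.example.com
2024-05-01T10:00:11 10.0.0.7 A mail.example.com
2024-05-01T10:00:12 10.0.0.7 A www.example.com
2024-05-01T10:00:13 10.0.0.7 A login.example.org
2024-05-01T10:00:14 10.0.0.9 A host1.example.org
2024-05-01T10:00:15 10.0.0.9 A host2.example.org
2024-05-01T10:00:16 10.0.0.9 A host3.example.org
2024-05-01T10:00:17 10.0.0.9 A host4.example.org
2024-05-01T10:00:18 10.0.0.9 A host5.example.org
"""


def shannon_entropy(s):
    """Bits per character; hex-encoded data approaches 4.0, hostnames stay low."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def base_domain(qname):
    """Naive registered-domain split: last two labels (real code: Public Suffix List)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def subdomain(qname, base):
    """Everything left of the base domain, or '' when the query is the base itself."""
    q = qname.rstrip(".").lower()
    return q[:-len(base) - 1] if len(q) > len(base) else ""


def parse_line(line):
    ts, client, qtype, qname = line.split()
    return {"ts": ts, "client": client, "qtype": qtype, "qname": qname}


def find_tunnel_candidates(lines, min_queries=5, min_unique_ratio=0.8,
                           min_entropy=3.5, min_label_len=20):
    """Return one finding per (client, base domain) that looks like a tunnel."""
    groups = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        base = base_domain(rec["qname"])
        groups[(rec["client"], base)].append(subdomain(rec["qname"], base))

    findings = []
    for (client, base), subs in groups.items():
        if len(subs) < min_queries:          # too little data to judge
            continue
        unique_ratio = len(set(subs)) / len(subs)      # tunnels rarely repeat a name
        avg_entropy = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        max_label = max((len(l) for s in subs for l in s.split(".")), default=0)
        if (unique_ratio >= min_unique_ratio and avg_entropy >= min_entropy
                and max_label >= min_label_len):
            findings.append({"client": client, "domain": base, "queries": len(subs),
                             "unique_ratio": unique_ratio, "avg_entropy": avg_entropy,
                             "max_label": max_label})
    return sorted(findings, key=lambda f: -f["queries"])


if __name__ == "__main__":
    for f in find_tunnel_candidates(SAMPLE_LOG.splitlines()):
        print(f"{f['client']} -> {f['domain']}: {f['queries']} queries, "
              f"entropy {f['avg_entropy']:.2f}, longest label {f['max_label']}")
```

The host1..host5 client shows why entropy and label length are checked together with the unique-name ratio: it queries five distinct names, but short, low-entropy labels are ordinary fleet naming, not encoded data. Each check alone produces false positives; the combination is what separates a tunnel from a CDN or a busy workstation.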

Indicators of Compromise (IoCs)

  • Observed artifacts that indicate a computer intrusion with high confidence.
  • 4 categories:
    • Email indicators
      • E.g. sender's email address, subject, attachment, links.
    • Network indicators
      • E.g. URLs, domain names, IP addresses, unusual DNS requests
    • Host-based indicators
      • E.g. filenames, file hashes, registry keys, DLLs, mutexes
    • Behavioral indicators
      • E.g. memory code injection, remote command execution, a document launching a PowerShell script.
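The four IoC categories and the kill-chain steps are usually worked together: each category tends to surface at a particular phase (email indicators at Delivery, behavioral indicators at Exploitation, host indicators at Installation, network indicators at Command and control), and the earliest phase with a hit tells the defender where the chain can still be cut. The following is an added example, not code from the original page: it matches a small constructed IoC set against constructed email, proxy and endpoint events, handles the normalization practitioners trip over (defanged indicators such as `hxxp://` and `[.]`, mixed-case hashes, subdomains of a listed domain), and tags every hit with its kill-chain phase. The indicators, events, field names and the phase mapping are assumptions made for the example, not real threat data.

```python
"""Match constructed events against a small IoC set and map hits to kill-chain phases."""
import re

KILL_CHAIN = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
              "Installation", "Command and control", "Actions on objectives"]

# Phase where each indicator category is typically observed (assumption for this example).
PHASE = {"email": "Delivery", "behavioral": "Exploitation",
         "host": "Installation", "network": "Command and control"}

# Constructed IoC set, written defanged (hxxp, [.]) as shared indicators usually are.
IOCS = {
    "email":   {"senders": {"invoice@acme-billing[.]example"},
                "subjects": {"Overdue invoice #4471"}},
    "network": {"domains": {"update-cdn[.]example"},
                "ips": {"203.0.113.45"},
                "urls": {"hxxp://cdn.update-cdn[.]example/beacon.php"}},
    "host":    {"hashes": {"E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"},
                "filenames": {"svchost_update.dll"},
                "mutexes": {"Global\\mtx_upd_01"}},
}
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}


def refang(value):
    """Turn a defanged indicator back into its real form so it can be compared."""
    return value.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")


def norm_hash(h):
    return re.sub(r"\s+", "", h).lower()


def domain_hit(host, ioc_domain):
    """True for the listed domain and any subdomain of it, not for look-alike suffixes."""
    host, d = host.lower().rstrip("."), refang(ioc_domain).lower()
    return host == d or host.endswith("." + d)


def match_email(ev):
    hits = []
    if ev.get("from", "").lower() in {refang(s).lower() for s in IOCS["email"]["senders"]}:
        hits.append(("email", "sender", ev["from"]))
    if ev.get("subject") in IOCS["email"]["subjects"]:
        hits.append(("email", "subject", ev["subject"]))
    return hits


def match_network(ev):
    hits = []
    for d in IOCS["network"]["domains"]:
        if domain_hit(ev.get("host", ""), d):
            hits.append(("network", "domain", ev["host"]))
    if ev.get("dst_ip") in IOCS["network"]["ips"]:
        hits.append(("network", "ip", ev["dst_ip"]))
    if ev.get("url") in {refang(u) for u in IOCS["network"]["urls"]}:
        hits.append(("network", "url", ev["url"]))
    return hits


def match_host(ev):
    hits = []
    if norm_hash(ev.get("sha256", "")) in {norm_hash(h) for h in IOCS["host"]["hashes"]}:
        hits.append(("host", "hash", ev["sha256"]))
    name = ev.get("image", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
    if name in {f.lower() for f in IOCS["host"]["filenames"]}:
        hits.append(("host", "filename", name))
    if ev.get("mutex") in IOCS["host"]["mutexes"]:
        hits.append(("host", "mutex", ev["mutex"]))
    return hits


def match_behavior(ev):
    """Behavioral indicator: an Office process spawning PowerShell."""
    parent, child = ev.get("parent", "").lower(), ev.get("process", "").lower()
    if parent in OFFICE and child == "powershell.exe":
        return [("behavioral", "office-spawns-powershell", f"{parent} -> {child}")]
    return []


MATCHERS = {"mail": [match_email], "proxy": [match_network],
            "process": [match_host, match_behavior]}


def triage(events):
    """Return (phase, indicator type, detail) per hit, ordered along the kill chain."""
    hits = []
    for ev in events:
        for matcher in MATCHERS.get(ev["kind"], []):
            for category, what, detail in matcher(ev):
                hits.append((PHASE[category], what, detail))
    return sorted(hits, key=lambda h: KILL_CHAIN.index(h[0]))


def earliest_phase(hits):
    return hits[0][0] if hits else None


# Constructed events: one intrusion across mail, endpoint and proxy logs, plus benign noise.
EVENTS = [
    {"kind": "mail", "from": "Invoice@acme-billing.example",
     "subject": "Overdue invoice #4471", "attachment": "invoice.docm"},
    {"kind": "process", "parent": "WINWORD.EXE", "process": "powershell.exe"},
    {"kind": "process", "process": "rundll32.exe", "image": "C:\\Windows\\Temp\\SVCHOST_UPDATE.dll",
     "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
     "mutex": "Global\\mtx_upd_01"},
    {"kind": "proxy", "host": "cdn.update-cdn.example",
     "url": "http://cdn.update-cdn.example/beacon.php", "dst_ip": "203.0.113.45"},
    {"kind": "proxy", "host": "updates.example.org", "url": "http://updates.example.org/",
     "dst_ip": "198.51.100.7"},
]

if __name__ == "__main__":
    for phase, what, detail in triage(EVENTS):
        print(f"{phase:22s} {what:26s} {detail}")
```

Running it on the constructed events yields hits in Delivery, Exploitation, Installation and Command and control, and `earliest_phase` returns Delivery: the phishing email was the first observable point, which is where a deny or disrupt action (mail filtering, attachment blocking) would have cut the chain before any host indicator existed.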