Version: Next

Threat intelligence and forensics

Cyber kill chain

Framework for identification and prevention of cyber intrusions activity.
Developed by Lockheed Martin
Identifies what the adversaries must complete in order to achieve their objective.
🤗 Based on military kill chains, a concept consisting of • target identification • force dispatch to target decision • order to attack the target • the destruction of the target
🤗 Critiques states it only defends "perimeter" and isn't suitable model to insider threats.
E.g. A "Kill Chain" Analysis of the 2013 Target Data Breach

❗ Not same in every organization as different organizations have constructed their own kill chains to try to model different threats

Reconnaissance
- Collecting as much as information about the target.
- E.g. harvesting email addresses, conferece information etc.
- See also footprinting
Weaponization
- Analyzing collected data to identify and vulnerabilities to exploit to gain access
- E.g. creating a phishing campaign based on collected data
Delivery
- Weaponized bundle to the victim via email, web, USB, etc.
- Key to measure the effectiveness of the defense strategies implemented by the target.
- E.g. sending phishing emails
Exploitation
- Execute code on victim's system.
- E.g. arbitrary code execution, authentication and authorization attacks
Installation
- Installing malware on the asset
- E.g. backdoor to gain remote access and maintain access in the network
Command and control
- Allows remote manipulation/exploation of victim
- Done by establishing two-way communication between the victim and the attacker.
- Evidence is usually hidden using encryption techniques
Actions on objectives
- With hands-on access, intruders accomplish their original goals.
- E.g. • distrupting network • gaining access to confidential data

Concept in terrorism and cyber security studies
Identifies patterns of behavior of the threat actors (= bad guys)
Aids in
- counterintelligence for threat prediction and detection
- implementing defenses
- profiling threat actors e.g. APT groups
E.g. In 2020 United States federal government data breach, used TTP were stealing SAML tokens to attack SSO infrastructure according to TTP analysis from NSA.
Read more at NIST Special Publication 800-159

Also called tools in the acronym
Highest-level description of the behavior
Describes ways attacker attacks from start to end
E.g.
- Way of gathering information e.g. open-source intelligence, social engineering.
- Way of initial compromise e.g. tools, zero-day vulnerabilities, obfuscation methods

Technical methods used by an attacker
Gives a more detailed description of behavior in the context of a tactic.
E.g.
- social engineering techniques in early stages
- exploit tools at middle stages
- and software tools to clear logs to cover tracks at later stages.

Lower-level, highly detailed description in the context of a technique.
Sequence of actions done by attackers
E.g. an actor collects business e-mails of target company then launches a spear phishing campaign