CySA+ Lesson 2B: Attack Frameworks & Indicators

Summary

This document details cybersecurity concepts, focusing on attack frameworks and indicators of compromise (IOCs). It discusses threat actor types, indicators of compromise, threat research, and the kill chain. The document presents a conceptual overview of cybersecurity threats and methodologies for threat identification.

Full Transcript

CySA+ 2B: Utilize Attack Frameworks and Indicator Management

Classifying threat actor types will provide you basic insight into adversary motivations and capabilities. However, more sophisticated tools are needed to provide additional intelligence due to the diversity of threat actors. Frameworks can be used as a basis for identifying and analyzing indicators of compromise (IoC) that provide evidence of attack or intrusion events.

Indicators of Compromise (IoC)

An IoC is a residual sign that an asset or network has been successfully attacked. An IoC can be something specific and clearly identifiable, like a malware signature, or it may require the interpretation of an analyst looking at a set of data. For example, a SOC analyst may notice a significantly large file being downloaded from the organization's servers at a time that is unusual or suspicious. These interpretations are based on the subjective viewpoint of the analyst looking at the incoming reports; the analyst must then make a judgement call.

Indicators of Compromise (IoC) (cont.)

It is important to correlate multiple IoCs to produce a more complete and accurate portrayal of events, because IoCs are often identified through anomalous activity rather than plainly seen occurrences. IoCs may include:

- Unauthorized software and files
- Suspicious emails
- Suspicious Registry and file system changes
- Unknown port and protocol usage
- Excessive bandwidth usage
- Rogue hardware
- Service disruption
- Suspicious or unauthorized account usage

Threat Research

Signature-based detection may not work against sophisticated adversary tactics, because the tools used by the attacker are less likely to be identifiable from a database of known file-based malware. As a whole, threat research has moved beyond just using static malware signatures to identify and correlate IoCs. Multiple IoCs can be linked to identify a pattern in an adversary's behavior.
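The following is an added example (not code from the lesson) of what "linking multiple IoCs" looks like in practice: a small correlator that groups low-confidence observations by host, keeps only those that cluster in time, and escalates a host when two or more different IoC categories from the list above appear together. The event records, the category weights, the six-hour window and the escalation threshold are all constructed assumptions for illustration.

```python
"""Correlate per-host indicators of compromise (IoCs) into a single finding.

Added example, not part of the CySA+ lesson. The event records below are
constructed; the field names (ts, host, kind, detail), the weights, the
time window and the threshold are assumptions, not a product's schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry. Each record is one low-confidence observation
# of a kind the lesson lists as a possible IoC. Addresses are RFC 5737 test
# ranges.
EVENTS = [
    {"ts": "2024-03-04T02:10:00", "host": "ws-17", "kind": "unknown_port",
     "detail": "outbound tcp/4444 to 203.0.113.9"},
    {"ts": "2024-03-04T02:12:00", "host": "ws-17", "kind": "unauthorized_software",
     "detail": "svchost32.exe not in approved inventory"},
    {"ts": "2024-03-04T02:15:00", "host": "ws-17", "kind": "excessive_bandwidth",
     "detail": "1.8 GB outbound in 5 min"},
    # A lone bandwidth spike with a benign explanation: should not escalate.
    {"ts": "2024-03-04T09:30:00", "host": "ws-22", "kind": "excessive_bandwidth",
     "detail": "2.1 GB outbound in 5 min (OS update mirror)"},
    {"ts": "2024-03-03T23:55:00", "host": "srv-db1", "kind": "account_usage",
     "detail": "svc_backup interactive logon outside change window"},
    {"ts": "2024-03-04T03:40:00", "host": "srv-db1", "kind": "registry_change",
     "detail": "new value under a Run key"},
]

# Assumed weight per IoC category. A single category on its own is usually
# just an anomaly; the combination is what the analyst acts on.
WEIGHTS = {
    "unknown_port": 2, "unauthorized_software": 2, "excessive_bandwidth": 1,
    "account_usage": 2, "registry_change": 2, "rogue_hardware": 3,
    "service_disruption": 1, "suspicious_email": 1,
}
WINDOW = timedelta(hours=6)   # assumed: indicators must cluster in time
THRESHOLD = 4                 # assumed escalation score


def correlate(events, window=WINDOW, threshold=THRESHOLD):
    """Group events by host, take the densest cluster inside `window`,
    score the distinct IoC categories in it, and decide on escalation."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)

    findings = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])          # ISO-8601 strings sort correctly
        best = []
        for i, start in enumerate(evs):          # sliding window over time
            t0 = datetime.fromisoformat(start["ts"])
            cluster = [e for e in evs[i:]
                       if datetime.fromisoformat(e["ts"]) - t0 <= window]
            if len(cluster) > len(best):
                best = cluster
        kinds = sorted({e["kind"] for e in best})  # distinct categories only
        score = sum(WEIGHTS.get(k, 1) for k in kinds)
        findings[host] = {
            "score": score,
            "kinds": kinds,
            # Two independent categories are required: one anomaly is not a pattern.
            "escalate": score >= threshold and len(kinds) >= 2,
            "evidence": [e["detail"] for e in best],
        }
    return findings


if __name__ == "__main__":
    for host, f in correlate(EVENTS).items():
        flag = "ESCALATE" if f["escalate"] else "monitor"
        print(f"{host:<8} {flag:<9} score={f['score']} kinds={f['kinds']}")
```

In the constructed data, ws-17 combines an unknown port, unapproved software and a bandwidth spike within minutes and is escalated; ws-22 shows a bandwidth spike alone and is only monitored; srv-db1 links an off-hours service-account logon with a later Run-key change that falls inside the window. The weights and window are starting points to tune against your own baseline, not fixed values.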
Analyzing this behavior can be helpful in performing proactive threat hunting in the future.

Behavioral Threat Research

Behavioral threat research correlates IoCs into attack patterns. For example, analysis of previous hacks and intrusions produces definitions of the tactics, techniques, and procedures (TTP) used to perform attacks. Some TTPs and their indicators are as follows:

- DDoS: A sudden spike of network traffic might be an indicator of this type of attack.
- Viruses/worms: An increase in CPU or memory usage that causes a noticeable slowdown in device productivity could be a sign of malware.
- Network reconnaissance: You may notice scans occurring against ports or a range of IP addresses. This could indicate an attacker is looking for any opening that can be exploited.
- Data exfiltration: Spikes in network transfers at a time when there is usually no or low network traffic could be an indication of someone removing valuable data from the network.

Kill Chain

The kill chain refers to the steps that are usually taken in order for an attacker to reach their objectives. The Lockheed Martin Kill Chain is broken into 7 steps:

1. Reconnaissance
2. Weaponization
3. Delivery
4. Exploitation
5. Installation
6. Command and control
7. Actions on objectives

Kill Chain: Reconnaissance

In this phase an attacker will attempt to stealthily discover which method is best to attack your system, and which tools to utilize to accomplish the job. They will attempt to discover whatever they can about the security systems that a target has in place. This phase may involve an attacker using passive information gathering or more active techniques like port scanning and host discovery. Of course, during this phase they want to evade detection. They will likely make use of a botnet or zombie hosts to scan systems if they opt for active scanning. With this method, even if the scan is detected, it will trace back to the zombie host rather than the actual attacker.

Kill Chain: Weaponization

The attacker creates the payload code and the exploit code designed for the target's system. The payload code will be used to drop the exploit onto the system, while the exploit code is what performs the actions/attack against the vulnerability that was discovered in the previous phase.

Kill Chain: Delivery

The attacker identifies the best way to get the weaponized code to the target. Methods include:

- Email attachments or links
- USB
- Text

Kill Chain: Exploitation

If the delivery phase is successful, then the weaponized code is executed on the target's system.

Kill Chain: Installation

The weaponized code runs a remote access tool on the system, allowing the attacker to maintain persistence within the system.

Kill Chain: Command and Control (C2 / C&C)

The code establishes an outbound connection to a C2 server. A C2 server is the server that the attacker is using to control the remote access tool. It can also be used to download additional tools onto the system to help in performing further attacks.

Kill Chain: Actions on Objectives

The attacker uses the access that they have achieved to collect information from the target's system and transfer it to a remote system (data exfiltration). Data exfiltration is not the only type of attack that can be performed in this phase, though. Since the attacker now has remote access, they can perform a number of attacks that would target any aspect of the CIA triad.

MITRE ATT&CK Framework

Due to the kill chain's focus on perimeter security, some organizations feel it is too basic to accurately represent modern threat events. Alternatively, there is the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework. This tags each technique with a unique ID and places it in one or more tactic categories, such as target selection, initial access, persistence, lateral movement, or command and control. The framework can be viewed at https://attack.mitre.org/

Diamond Model of Intrusion Analysis

Created by Sergio Caltagirone, Andrew Pendergast, and Christopher Betz. This model provides a framework to analyze an intrusion event (E) by exploring the relationships between four core features:

- Adversary
- Capability
- Infrastructure
- Victim

The four features are represented by the four vertices of a diamond-shaped graph. Reference: https://teamt5.org/en/posts/what-is-diamond-model-of-intrusion-analysis/
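As an added example that ties the kill chain, the ATT&CK tagging and the Diamond Model sections together (this is not code from the lesson, from Lockheed Martin, from MITRE or from the Diamond Model authors): each intrusion event is recorded with the four Diamond features, its kill-chain phase and its ATT&CK tactic and technique ID; the analyst can then order events along the kill chain, see which phases have no evidence at all, and pivot from one known feature (here a C2 address) to every other event that shares it. The `Event` fields, tactic labels and all event data are constructed assumptions; the technique IDs are the ones published at attack.mitre.org and should be re-checked there.

```python
"""Kill-chain ordering and Diamond Model pivoting over intrusion events.

Added example; not code from the lesson, from Lockheed Martin, from MITRE
or from the Diamond Model authors. The events below are constructed, and
the Event fields and tactic labels are assumptions for illustration.
"""
from dataclasses import dataclass

# The seven Lockheed Martin kill-chain phases, in the order the lesson lists.
KILL_CHAIN = ["reconnaissance", "weaponization", "delivery", "exploitation",
              "installation", "command_and_control", "actions_on_objectives"]
PHASE_INDEX = {phase: i for i, phase in enumerate(KILL_CHAIN)}

# The four core features at the vertices of the Diamond Model.
DIAMOND = ("adversary", "capability", "infrastructure", "victim")


@dataclass(frozen=True)
class Event:
    """One intrusion event (E) carrying the four Diamond Model features,
    plus the kill-chain phase and the ATT&CK tactic/technique it was tagged with."""
    adversary: str        # tracking label; often "unknown" early in analysis
    capability: str       # tool or technique observed
    infrastructure: str   # adversary-controlled IP, domain or host
    victim: str           # targeted asset
    phase: str            # kill-chain phase, one of KILL_CHAIN
    tactic: str           # ATT&CK tactic category (assumed label strings)
    technique: str        # ATT&CK technique ID as published at attack.mitre.org


def by_phase(events):
    """Return events sorted into kill-chain order (stable within a phase)."""
    for e in events:
        if e.phase not in PHASE_INDEX:
            raise ValueError(f"unknown kill-chain phase: {e.phase!r}")
    return sorted(events, key=lambda e: PHASE_INDEX[e.phase])


def coverage_gaps(events):
    """Kill-chain phases with no observed event: where visibility is missing."""
    seen = {e.phase for e in events}
    return [p for p in KILL_CHAIN if p not in seen]


def pivot(events, feature, value):
    """Diamond Model pivot: start from one known feature value (for example
    a C2 address) and return every event sharing it, together with the
    values of the other three features that those events reveal."""
    if feature not in DIAMOND:
        raise ValueError(f"not a Diamond Model feature: {feature!r}")
    matched = [e for e in events if getattr(e, feature) == value]
    revealed = {f: sorted({getattr(e, f) for e in matched})
                for f in DIAMOND if f != feature}
    return matched, revealed


# Constructed events from one hypothetical intrusion (RFC 5737 test addresses).
EVENTS = [
    Event("unknown", "port scan", "198.51.100.7", "web-01",
          "reconnaissance", "discovery", "T1046"),
    Event("unknown", "phishing attachment", "mail.example.test", "ws-17",
          "delivery", "initial_access", "T1566.001"),
    Event("unknown", "remote access tool via Run key", "203.0.113.9", "ws-17",
          "installation", "persistence", "T1547.001"),
    Event("unknown", "https beacon", "203.0.113.9", "ws-17",
          "command_and_control", "command_and_control", "T1071.001"),
    Event("unknown", "https beacon", "203.0.113.9", "srv-db1",
          "command_and_control", "command_and_control", "T1071.001"),
]


if __name__ == "__main__":
    for e in by_phase(EVENTS):
        print(f"{e.phase:<22} {e.victim:<8} {e.capability} ({e.technique})")
    print("phases without evidence:", coverage_gaps(EVENTS))
    hits, more = pivot(EVENTS, "infrastructure", "203.0.113.9")
    print(f"pivot on 203.0.113.9: {len(hits)} events, victims {more['victim']}")
```

Pivoting on the C2 address links the installation on ws-17 to a second victim, srv-db1, that had no other alert of its own; the coverage gaps (no evidence for weaponization, exploitation or actions on objectives) tell the analyst which phases still need collection or hunting rather than implying they did not happen.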
