Chapter 2 - 02 - Describe Hacking Methodologies and Frameworks - 04_ocred.pdf

Full Transcript


Certified Cybersecurity Technician, Information Security Attacks, Exam 212-82

MITRE Attack Framework

- MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations.
- The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, government, and the cybersecurity product and service community.
- The 14 tactic categories within ATT&CK for Enterprise are derived from the later stages (exploit, control, maintain, and execute) of the seven stages of the Cyber Kill Chain.

[Slide figure: the Cyber Kill Chain stages Exploit, Control, Execute and Maintain map to Enterprise ATT&CK; the earlier stages map to PRE-ATT&CK.]

Source: https://attack.mitre.org

MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.

MITRE ATT&CK comprises three collections of tactics and techniques, called the Enterprise, Mobile, and PRE-ATT&CK matrices, as each collection is represented in matrix form. ATT&CK for Enterprise contains 14 categories of tactics, which are derived from the later stages (exploit, control, maintain, and execute) of the seven-stage Cyber Kill Chain. This provides a deeper level of granularity in describing what can occur during an intrusion.

[Figure 2.3: MITRE Attack Framework. The kill chain stages Recon, Weaponize and Deliver fall under PRE-ATT&CK; Exploit, Control, Execute and Maintain fall under Enterprise ATT&CK.]

Module 02 Page 167. Certified Cybersecurity Technician. Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

The following are the tactics in ATT&CK for Enterprise:

- Reconnaissance
- Resource Development
- Initial Access
- Execution
- Persistence
- Privilege Escalation
- Defense Evasion
- Credential Access
- Discovery
- Lateral Movement
- Collection
- Command and Control
- Exfiltration
- Impact

Some MITRE ATT&CK for Enterprise use cases:

- Prioritize development and acquisition efforts for computer network defense (CND) capabilities.
- Conduct analyses of alternatives between CND capabilities.
- Determine "coverage" of a set of CND capabilities.
- Describe an intrusion chain of events based on the techniques used, from start to finish, with a common reference.
- Identify commonalities between adversary tradecraft, as well as distinguishing characteristics.
- Connect mitigations, weaknesses, and adversaries.

Diamond Model of Intrusion Analysis

- The Diamond Model offers a framework for recognizing clusters of events that are correlated on any of the systems in an organization.
- It identifies the vital atomic element occurring in any intrusion activity, which is referred to as the Diamond event.
- Using this model, efficient mitigation approaches can be developed, and analytic efficiency can be increased.

Meta features of the Diamond Model:

- Adversary: an opponent, "who" was behind the attack.
- Victim: the target that has been exploited, or "where" the attack was performed.
- Capability: the attack strategies or capability, "how" the attack was performed.
- Infrastructure: "what" the adversary used to reach the victim; the capability is deployed via the infrastructure.
Diamond Model of Intrusion Analysis (Cont'd)

Meta-features of the Extended Diamond Model:

- Social-Political meta-feature: describes the relationship between the adversary and victim, and is used to determine "why" the attack was performed.
- Technology meta-feature: connects the infrastructure and capability for better communication and operation.

[Slide figure: Extended Diamond Model of Intrusion Analysis, with the Social-Political meta-feature drawn on the Adversary-Victim axis and the Technology meta-feature on the Infrastructure-Capability axis.]

The Diamond Model, developed by expert analysts, introduces state-of-the-art technology for intrusion analysis. This model offers a framework and a set of procedures for recognizing clusters of events that are correlated on any of the systems in an organization. The model determines the vital atomic element that occurs in any intrusion activity, which is referred to as the Diamond event. Analysts can identify the events and connect them as activity threads to obtain information regarding how and what transpired during an attack. Analysts can also easily identify whether any data are still required by examining the missing features. The model also offers a method, or route map, for analyzing incidents related to any malicious activity and for predicting the possibility of an attack and its origin. With the Diamond Model, more advanced and efficient mitigation approaches can be developed, and analytic efficiency can be increased. This also results in cost savings for the defender and rising costs for the adversary.

The Diamond event consists of four basic features: adversary, capability, infrastructure, and victim. The model is so named because, when all the features are arranged according to the relationships between them, they form a diamond-shaped structure. Although it appears to be a simple approach, it is rather complex and requires high expertise and skill to trace the flow of an attack.

[Figure 2.4: Meta features of the Diamond Model (Adversary, Infrastructure, Capability, Victim)]

The following are the essential features of the Diamond event in the Diamond Model of Intrusion Analysis.

- Adversary: An adversary often refers to an opponent or hacker responsible for the attack event. An adversary takes advantage of a capability against the victim to perform a malicious activity for financial benefit or to damage the reputation of the victim. An adversary can be an individual, such as an insider, or a competitor organization. Adversaries can use many techniques to gain information such as email addresses and network assets, and may attack applications used on smartphones to gain sensitive information.
- Victim: The victim is the target that has been exploited, or the environment where the attack was performed. The adversary exploits the vulnerabilities or security loopholes in the victim's infrastructure by using their resources. The victim can be any person, organization, or institution, or even network information such as IP addresses, domain names, email addresses, and the sensitive personal information of an individual.
- Capability: Capability refers to all the strategies, methods, and procedures associated with an attack. It can also be malware or a tool used by an adversary against the target. Capability includes simple and complex attack techniques such as brute forcing and ransomware attacks.
- Infrastructure: Infrastructure refers to the hardware or software used in the network by the target that has a connection with the adversary. It refers to "what" the adversary has used to reach the victim. Consider an organization with an email server on which all the data regarding employee email IDs and other personal details are stored. The adversary can use the server as infrastructure to perform any type of attack by targeting a single employee. Exploiting infrastructure leads to data leakage and data exfiltration.

Additional Event Meta-Features

In the Diamond Model, an event also contains some basic meta-features that provide additional information, such as the time and source of the event. These meta-features help in linking related events, making it easier and faster for analysts to trace an attack. The following are the features that help in connecting related events.

- Timestamp: This feature reveals the time and date of an event. It is important because it can indicate the beginning and end of the event. It also helps in analysis and in determining the periodicity of the event.
- Phase: The phase helps in determining the progress of an attack or any malicious activity. The different phases of an attack include the phases used in the cyber kill chain framework: reconnaissance, weaponization, delivery, exploitation, etc.
- Result: The result is the outcome of any event. For example, the result of an attack can be success, failure, or unknown. It can also be segregated using the security fundamentals of confidentiality (C) compromised, integrity (I) compromised, and availability (A) compromised, i.e., which part of the CIA triad was compromised.
- Direction: This feature refers to the direction of the attack. For instance, the direction can indicate how the adversary was routed to the victim. This feature is immensely helpful when describing network-based and host-based events. The possible values for this feature include victim to infrastructure, adversary to infrastructure, infrastructure to infrastructure, and bidirectional.
- Methodology: The methodology refers to any technique that is used by the adversary to perform an attack. This feature allows the analyst to define the overall class of action performed. Some attack techniques are spear-phishing emails, distributed denial-of-service (DDoS) attacks, content delivery attacks, and drive-by compromise.
- Resource: The resource feature entails the use of external resources, such as tools or technology, to perform the attack. It includes hardware, software, access, knowledge, data, etc.

Extended Diamond Model

The extended Diamond Model also includes additional features: the socio-political meta-feature, which describes the relationship between the adversary and victim, and the technology meta-feature, which relates infrastructure and capability.

[Figure 2.5: Extended Diamond Model of Intrusion Analysis (Adversary, Social-Political, Infrastructure, Capability, Victim, Technology)]

- Socio-political meta-feature: The socio-political meta-feature describes the relationship between the adversary and victim. This feature is used to determine the goal or motivation of the attacker; common motivations include financial benefit, corporate espionage, and hacktivism.
- Technology meta-feature: The technology meta-feature describes the relationship between the infrastructure and capability. This meta-feature describes how technology can enable both infrastructure and capability for communication and operation. It can also be used to analyze the technology used in an organization to identify any malicious activity.
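As an added illustration (not part of the EC-Council module), the following Python models a Diamond event with its four core features and the event meta-features listed above, validates the direction, result and CIA values against the vocabularies the module gives, reports missing core features as data the analyst still needs, and links events into activity threads. It also carries an ATT&CK for Enterprise tactic on each event, so a thread can be read out as an intrusion chain with the 14 tactics as the common reference, which is the ATT&CK use case described earlier. The linking rule (events sharing an adversary, capability or infrastructure node belong to one thread), the event records and the host names are constructed assumptions for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

# The 14 ATT&CK for Enterprise tactics listed in the module, in the order given.
ATTACK_TACTICS = (
    "Reconnaissance", "Resource Development", "Initial Access", "Execution",
    "Persistence", "Privilege Escalation", "Defense Evasion", "Credential Access",
    "Discovery", "Lateral Movement", "Collection", "Command and Control",
    "Exfiltration", "Impact",
)

# Allowed values for the Diamond event meta-features discussed in the module.
DIRECTIONS = {"victim-to-infrastructure", "adversary-to-infrastructure",
              "infrastructure-to-infrastructure", "bidirectional"}
RESULTS = {"success", "failure", "unknown"}
CIA = {"C", "I", "A"}
CORE_FEATURES = ("adversary", "capability", "infrastructure", "victim")


@dataclass
class DiamondEvent:
    """One Diamond event: the four core features plus the event meta-features.
    A core feature left as None is a gap the analyst still has to fill."""
    timestamp: datetime
    phase: str                      # kill-chain phase (reconnaissance, delivery, ...)
    adversary: Optional[str] = None
    capability: Optional[str] = None
    infrastructure: Optional[str] = None
    victim: Optional[str] = None
    result: str = "unknown"
    direction: str = "bidirectional"
    methodology: str = ""           # class of action, e.g. spear-phishing email
    resource: str = ""              # tools, access, knowledge used in the attack
    tactic: Optional[str] = None    # ATT&CK tactic used as the common reference
    cia_compromised: frozenset = field(default_factory=frozenset)

    def __post_init__(self):
        # Reject values outside the vocabularies so threads stay comparable.
        if self.direction not in DIRECTIONS:
            raise ValueError(f"bad direction: {self.direction}")
        if self.result not in RESULTS:
            raise ValueError(f"bad result: {self.result}")
        if not self.cia_compromised <= CIA:
            raise ValueError(f"bad CIA set: {self.cia_compromised}")
        if self.tactic is not None and self.tactic not in ATTACK_TACTICS:
            raise ValueError(f"unknown ATT&CK tactic: {self.tactic}")

    def missing_features(self) -> list:
        """Core features not yet known: the data the analyst still needs."""
        return [f for f in CORE_FEATURES if getattr(self, f) is None]


def activity_threads(events):
    """Group events into activity threads (assumed rule: events sharing an
    adversary, capability or infrastructure node are linked, transitively).
    Union-find over event indices; each thread and the thread list are time-ordered."""
    parent = list(range(len(events)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    seen = {}  # (feature, value) -> first event index carrying that value
    for idx, ev in enumerate(events):
        for feat in ("adversary", "capability", "infrastructure"):
            val = getattr(ev, feat)
            if val is None:
                continue
            if (feat, val) in seen:
                parent[find(idx)] = find(seen[(feat, val)])
            else:
                seen[(feat, val)] = idx

    groups = {}
    for idx, ev in enumerate(events):
        groups.setdefault(find(idx), []).append(ev)
    threads = [sorted(g, key=lambda e: e.timestamp) for g in groups.values()]
    return sorted(threads, key=lambda t: t[0].timestamp)


def describe_thread(thread) -> list:
    """Render a thread as an intrusion chain keyed on the ATT&CK tactic."""
    return [f"{e.phase} / {e.tactic or '?'} -> {e.victim or '?'} ({e.result})"
            for e in thread]


# Constructed sample events (not from the module): a phishing delivery, a beacon
# whose adversary is still unknown, a later action by the same actor over the
# same C2 host, and an unrelated scan. Host names are placeholders.
SAMPLE_EVENTS = [
    DiamondEvent(datetime(2024, 3, 1, 9, 0), "delivery", adversary="ACTOR-X",
                 capability="spear-phishing email", infrastructure="mail.example.test",
                 victim="finance-user-1", result="success",
                 direction="adversary-to-infrastructure",
                 methodology="spear-phishing email", tactic="Initial Access"),
    DiamondEvent(datetime(2024, 3, 1, 9, 30), "control", capability="beacon implant",
                 infrastructure="c2.example.test", victim="finance-user-1",
                 result="success", direction="victim-to-infrastructure",
                 tactic="Command and Control", cia_compromised=frozenset({"C"})),
    DiamondEvent(datetime(2024, 3, 1, 11, 0), "execution", adversary="ACTOR-X",
                 capability="credential dumping tool", infrastructure="c2.example.test",
                 victim="finance-user-1", result="success",
                 direction="victim-to-infrastructure", tactic="Credential Access",
                 cia_compromised=frozenset({"C"})),
    DiamondEvent(datetime(2024, 3, 1, 8, 0), "reconnaissance", capability="port scan",
                 infrastructure="scanner.example.test", victim="web-dmz-1",
                 result="unknown", direction="adversary-to-infrastructure",
                 tactic="Reconnaissance"),
]

if __name__ == "__main__":
    for n, thread in enumerate(activity_threads(SAMPLE_EVENTS)):
        print(f"thread {n}:", describe_thread(thread))
        for ev in thread:
            if ev.missing_features():
                print("  still needed:", ev.missing_features(), "at", ev.timestamp)
```

Running the script produces two threads: the lone scan, and the three ACTOR-X events joined through the shared adversary and the shared C2 host. The beacon event, which has no adversary recorded, is pulled into the actor's thread only because it shares infrastructure with a later attributed event; that is exactly the kind of inference the module's "missing features" check is meant to make visible rather than hide.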
