L2 - Tactics, Techniques and Procedures PDF

Tactics, Techniques and Procedures TEMASEK POLYTECHNIC SCHOOL OF INFORMATICS & IT Topics to cover Anatomy of An Attack Lockheed Martin’s Cyber Kill Chain MITRE ATT&CK Framework TEMASEK POLYTECHNIC SCHOOL OF INFORMATICS & IT | Diploma in CYBERSECURITY & DIGITAL FORENSICS (T62) Anatomy of An Attack Normally an attack is made known when: A security alert is raised by a security control, OR The damage of the attack has been done to the organisation Defender’s Dilemma Fear of The Unknown (FoTU) – 0-days, new attacks, etc Strength of an organisation’s implemented security controls validated by attacks: “Punch my face then I tell you if my face can take it or not” TEMASEK POLYTECHNIC SCHOOL OF INFORMATICS & IT | Diploma in CYBERSECURITY & DIGITAL FORENSICS (T62) Anatomy of An Attack Motivation defines the intent/outcome of an attack, but tactics, techniques and procedures can possibly identify who the individual or group threat actor is. Tactics Techniques Procedures TEMASEK POLYTECHNIC SCHOOL OF INFORMATICS & IT | Diploma in CYBERSECURITY & DIGITAL FORENSICS (T62) Lockheed Martin’s Cyber Kill Chain TEMASEK POLYTECHNIC SCHOOL OF INFORMATICS & IT | Diploma in CYBERSECURITY & DIGITAL FORENSICS (T62) Lockheed Martin’s Cyber Kill Chain Developed for identification and prevention of cyber intrusion activities. All well-known cyberattacks have these 7 phases. Efficient way of TEMASEK POLYTECHNIC SCHOOL OF INFORMATICS & IT | Diploma in CYBERSECURITY & DIGITAL FORENSICS documenting (T62) Lockheed Martin’s Cyber Kill Chain TEMASEK POLYTECHNIC SCHOOL OF INFORMATICS & IT | Diploma in CYBERSECURITY & DIGITAL FORENSICS (T62) Lockheed Martin’s Cyber Kill Chain The Cyber Kill Chain also helps to guide actions to take for both red and blue teams. For example, in Exploitation phase: More examples can be found in the Reference PPT slide (check the notes) TEMASEK POLYTECHNIC SCHOOL OF INFORMATICS & IT | Diploma in CYBERSECURITY & DIGITAL FORENSICS (T62) Lockheed Martin’s Cyber Kill Chain Problems/Issues Difficulty in documenting cybersecurity incidents E.g SQL Injection attack – Do I put it in Weaponization phase or Exploitation phase? Not all cybersecurity incidents would have all 7 phases. Writeup for each phase is dependent on analyst’s technical proficiency. TEMASEK POLYTECHNIC SCHOOL OF INFORMATICS & IT | Diploma in CYBERSECURITY & DIGITAL FORENSICS (T62) MITRE ATT&CK Framework TEMASEK POLYTECHNIC SCHOOL OF INFORMATICS & IT | Diploma in CYBERSECURITY & DIGITAL FORENSICS (T62) MITRE ATT&CK Framework MITRE Adversarial Tactics, Techniques & Common Knowledge Framework For Threat Defense and Attack Attribution 14 tactics, 200+ individual techniques TEMASEK POLYTECHNIC SCHOOL OF INFORMATICS & IT | Diploma in CYBERSECURITY & DIGITAL FORENSICS (T62) MITRE ATT&CK Framework Attack Attribution Act of identifying individual, organisation or nation responsible based on the TTPs. Helps to guide analysts on the following: Identify other tactics and techniques that might have been used; Refer to implemented defense strategies for similar attacks. TEMASEK POLYTECHNIC SCHOOL OF INFORMATICS & IT | Diploma in CYBERSECURITY & DIGITAL FORENSICS (T62) MITRE ATT&CK Framework Attack Attribution (example) During in-depth analysis of a cyber security incident, it was found that the targeted systems were vulnerable to CVE-2012- 0158 and CVE-2010-3333.Check if there’s any known APT using these exploits. Possible APT determined. Look at other techniques used to identify other compromised https://mitre-attack.github.io/attack-navigator//#layerURL=https%3A%2F areas. %2Fattack.mitre.org%2Fgroups%2FG1007%2FG1007-enterprise-layer.json TEMASEK POLYTECHNIC SCHOOL OF INFORMATICS & IT | Diploma in CYBERSECURITY & DIGITAL FORENSICS (T62)

L2 - Tactics, Techniques and Procedures PDF

Document Details

Tags

Related

Summary

Full Transcript

Upgrade to continue