Introduction
This article describes the Cyber Kill Chain and MITRE ATT&CK frameworks and how they model the threat lifecycle.
Threat Lifecycle
Let's examine how threats are managed using the MITRE ATT&CK and Cyber Kill Chain frameworks.
MITRE ATT&CK Framework
The MITRE ATT&CK Framework is a curated knowledge base that tracks tactics and techniques used by cyber threat actors throughout the attack lifecycle.
MITRE ATT&CK is built from research on new techniques, together with public threat intelligence and incident reporting contributed by cybersecurity analysts and threat hunters.
MITRE ATT&CK Matrix: Tactics and Techniques
Specific threat actors tend to use specific techniques. The MITRE ATT&CK Framework catalogs information that associates attacker groups with their campaigns, so security teams can better understand the adversaries they face, assess their defenses, and strengthen security at the points that matter most.
Tactics
Adversary tactics are the technical objectives an attacker aims to achieve, such as lateral movement, defense evasion, or data exfiltration. Techniques are grouped according to these objectives.
Logsign has its own ready-made library of alarms for each tactic category. There are 14 tactics cataloged in the Enterprise matrix:
Reconnaissance
Resource development
Initial access
Execution
Persistence
Privilege escalation
Defense evasion
Credential access
Discovery
Lateral movement
Collection
Command and Control
Exfiltration
Impact
What are Techniques?
A technique is a specific way an attacker can try to achieve a given objective. Many techniques are documented under each tactic category, because attackers choose different techniques depending on factors such as their skill set, the target system's configuration, and the tools available to them.
Each technique entry includes a description of the method, the systems and platforms it applies to, the attacker groups known to use it, mitigations for the activity, and references to real-world use.
MITRE Glossary
MITRE ATT&CK is a knowledge base of attacker tactics and techniques based on observed real-world events.
MITRE TTPs (tactics, techniques, and procedures) provide a comprehensive classification for understanding an attacker's behavior after initial exploitation.
MITRE ATT&CK Navigator provides a matrix view of all techniques, so security analysts can see which techniques an adversary may use to infiltrate their organization.
ATT&CK Framework: The ATT&CK Framework (Adversarial Tactics, Techniques, and Common Knowledge), which models adversary behavior in almost all known cyberattacks, is a knowledge base that MITRE began offering for free use in 2013.
Cyber Kill Chain
The Cyber Kill Chain is a model developed by Lockheed Martin that describes the life cycle of cyber security threats. It orders the stages of a cyber attack and holds that each stage can be blocked by defensive controls. Understanding and blocking every stage is therefore important if defenses are to be effective against cyber attacks.
The Cyber Kill Chain is a popular cybersecurity framework used to help prevent cyber attacks by identifying and blocking them at every stage of the attack. It consists of seven main stages:
1. Reconnaissance: Attackers gather information about their target.
For the techniques at this stage, Logsign (version 6.3.25) has 36 alarms in its ready-made library, shown in the image below.
2. Weaponization: Attackers build their attack tooling using the information they have collected.
For this stage, the Logsign ready-made libraries contain alarms in several categories.
3. Delivery: Attackers deliver their weapon to the target system, typically via email, websites, or social engineering. This includes sending malware files by email, drive-by downloads from websites, and social engineering techniques.
4. Exploitation: Attackers exploit vulnerabilities in the target system to gain access.
For the techniques at this stage, Logsign (version 6.3.25) has 20 alarms in its ready-made library, shown in the image below.
5. Installation: Attackers install a persistent foothold on the system to maintain control.
After exploiting the target, the attacker downloads the actual malware to the target system so that control can be kept beyond the reach of the security controls. The aim of this stage is to maximize the time the malware remains on the system.
6. Command and Control: Attackers use command and control mechanisms to control the target system.
This is the stage where attackers begin to use command and control channels to gain control over the target system.
For the techniques at this stage, Logsign (version 6.3.25) has 6 alarms in its ready-made library, shown in the image below.
7. Action: Having completed all the previous steps, the attacker has gained access to the organization and at this stage can perform actions such as stealing, modifying, deleting, or encrypting data, or damaging the system.
You can examine many alarms for this stage in the Logsign library.
The Cyber Kill Chain is used so that defenses can take preventative steps against cyber attacks and protect the system by blocking an attack at every stage.
Cyber Kill Chain and Mitre
Another popular cybersecurity framework used for threat detection and hunting is the Cyber Kill Chain. Unlike MITRE ATT&CK's technique matrix, the Cyber Kill Chain describes a sequence of events. Developed by Lockheed Martin, the Cyber Kill Chain is based on the military "kill chain" concept, which defines the structure of an attack.
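The two frameworks described above are most useful to a defender when they are tied to concrete detections: each alarm maps to an ATT&CK technique, each technique to one or more tactics, and each tactic to a Cyber Kill Chain stage, which makes coverage gaps visible. The following Python script is an added example, not Logsign's code or MITRE's. The alarm records are constructed; the technique IDs and tactic names are real entries from the ATT&CK Enterprise matrix, but the tactic-to-stage mapping and the Navigator layer version fields are this example's own assumptions.

```python
"""Map alarms to ATT&CK tactics and Cyber Kill Chain stages and report coverage gaps.

Added example (not Logsign or MITRE code). Alarm records are constructed.
"""
from collections import Counter

# Subset of ATT&CK Enterprise techniques (real IDs). The first tactic listed is
# treated as the technique's primary tactic for kill-chain placement.
TECHNIQUES = {
    "T1595": ("Active Scanning", ["reconnaissance"]),
    "T1566": ("Phishing", ["initial-access"]),
    "T1059": ("Command and Scripting Interpreter", ["execution"]),
    "T1547": ("Boot or Logon Autostart Execution", ["persistence", "privilege-escalation"]),
    "T1071": ("Application Layer Protocol", ["command-and-control"]),
    "T1041": ("Exfiltration Over C2 Channel", ["exfiltration"]),
    "T1486": ("Data Encrypted for Impact", ["impact"]),
}

# The seven Cyber Kill Chain stages, in order, using the names from the text above.
KILL_CHAIN = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
              "Installation", "Command and Control", "Action"]

# Assumed mapping from the 14 Enterprise tactics to kill-chain stages. Several
# post-exploitation tactics are folded into the final "Action" stage.
TACTIC_TO_STAGE = {
    "reconnaissance": "Reconnaissance", "resource-development": "Weaponization",
    "initial-access": "Delivery", "execution": "Exploitation",
    "persistence": "Installation", "privilege-escalation": "Installation",
    "defense-evasion": "Installation", "credential-access": "Action",
    "discovery": "Action", "lateral-movement": "Action", "collection": "Action",
    "command-and-control": "Command and Control", "exfiltration": "Action",
    "impact": "Action",
}

# Constructed alarm records: alarm name plus the technique it detects.
ALERTS = [
    {"alarm": "Port scan from external IP", "technique": "T1595"},
    {"alarm": "Phishing attachment opened", "technique": "T1566"},
    {"alarm": "Encoded PowerShell command line", "technique": "T1059"},
    {"alarm": "New Run key created", "technique": "T1547"},
    {"alarm": "Periodic beaconing over HTTPS", "technique": "T1071"},
    {"alarm": "Periodic beaconing over HTTPS", "technique": "T1071"},
    {"alarm": "Large outbound transfer on C2 channel", "technique": "T1041"},
]


def technique_tactics(technique_id):
    """Return the tactic list for a technique; reject IDs not in the catalog."""
    if technique_id not in TECHNIQUES:
        raise ValueError(f"technique {technique_id} is not in the local catalog")
    return TECHNIQUES[technique_id][1]


def tactic_counts(alerts):
    """Count alarms per tactic; a multi-tactic technique counts under each tactic."""
    counts = Counter()
    for alert in alerts:
        counts.update(technique_tactics(alert["technique"]))
    return counts


def stage_counts(alerts):
    """Count alarms per kill-chain stage, placing each alarm once by primary tactic."""
    counts = Counter()
    for alert in alerts:
        primary = technique_tactics(alert["technique"])[0]
        counts[TACTIC_TO_STAGE[primary]] += 1
    return counts


def coverage_gaps(alerts):
    """Return (tactics with no alarms, kill-chain stages with no alarms)."""
    seen_tactics = tactic_counts(alerts)
    seen_stages = stage_counts(alerts)
    missing_tactics = sorted(t for t in TACTIC_TO_STAGE if t not in seen_tactics)
    missing_stages = [s for s in KILL_CHAIN if s not in seen_stages]
    return missing_tactics, missing_stages


def navigator_layer(alerts, name="Alarm coverage (constructed)"):
    """Build an ATT&CK Navigator layer dict; score = number of alarms per technique.

    Version fields are assumptions; adjust them to the Navigator release in use.
    """
    per_technique = Counter(a["technique"] for a in alerts)
    return {
        "name": name,
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": "Which techniques the alarm library covers and how often",
        "techniques": [
            {"techniqueID": tid, "score": n, "comment": f"{n} alarm(s)"}
            for tid, n in sorted(per_technique.items())
        ],
    }


if __name__ == "__main__":
    print("Alarms per kill-chain stage:", dict(stage_counts(ALERTS)))
    print("Alarms per tactic:", dict(tactic_counts(ALERTS)))
    print("Uncovered tactics / stages:", coverage_gaps(ALERTS))
```

Run as a script, the output shows that the constructed alarm set leaves the Weaponization stage and half of the 14 tactics without any detection, which is exactly the kind of gap a tactic-organized alarm library is meant to expose. The returned layer dict can be written out with json.dump and loaded into ATT&CK Navigator to visualize the same coverage on the matrix.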