Threat Lifecycle Management

Introduction

This article provides information about the Cyber Kill Chain and MITRE ATT&CK frameworks for managing the threat lifecycle.

Threat Lifecycle

Let's examine the management of threats through the MITRE ATT&CK and Cyber Kill Chain frameworks.

MITRE ATT&CK Framework

The MITRE ATT&CK Framework is a curated knowledge base that tracks tactics and techniques used by cyber threat actors throughout the attack lifecycle.

MITRE's ATT&CK consists of research on new techniques, along with public threat intelligence and incident reporting, contributed by cybersecurity analysts and threat hunters.

MITRE ATT&CK Matrix: Tactics and Techniques

Specific threat actors often use specific techniques. The MITRE ATT&CK Framework catalogs information that associates attacker groups with campaigns, so security teams can better understand the attackers they face, assess their defenses, and strengthen security at critical points.

[Image 1.png: MITRE ATT&CK matrix of tactics and techniques]

Tactics

Adversary tactics are the specific technical objectives that an attacker aims to achieve, such as lateral movement, defense evasion, or data exfiltration. Tactics are categorized according to these objectives.

Logsign ships its own ready-made library of alarms for each of the tactic categories it contains. There are 14 tactics cataloged in the Enterprise matrix:

- Reconnaissance
- Resource development
- Initial access
- Execution
- Persistence
- Privilege escalation
- Defense evasion
- Credential access
- Discovery
- Lateral movement
- Collection
- Command and Control
- Exfiltration
- Impact

What are Techniques?

A technique is a specific way an attacker may try to achieve a given objective. Many techniques are documented under each "tactic" category, because attackers choose different techniques depending on factors such as their skill set, the target system's configuration, and the availability of suitable tools.

Each technique includes a description of the method, which systems and platforms it relates to, which attacker groups use it (if known), ways to mitigate the activity, and references to real-world use.

MITRE Glossary

MITRE ATT&CK is a knowledge base of attacker tactics and techniques based on observed real-world events.

MITRE TTPs (tactics, techniques, and procedures) provide a comprehensive classification for understanding an attacker's post-exploitation behavior.

MITRE ATT&CK Navigator provides a matrix view of all techniques, so security analysts can see which techniques an adversary may use to infiltrate their own organization.

ATT&CK Framework: The ATT&CK Framework (Adversarial Tactics, Techniques, and Common Knowledge), which models adversary behaviors seen in almost all known cyberattacks, is a knowledge base that MITRE began offering for free use in 2013.

Cyber Kill Chain

The Cyber Kill Chain is a model developed by Lockheed Martin that describes the life cycle of a cyber security threat. The model breaks an attack into sequential stages, with the premise that each stage can be blocked by defense mechanisms. Understanding and preventing all of these stages is therefore important for defenses to be effective against cyber attacks.

The Cyber Kill Chain is a popular cybersecurity framework that is used to help prevent cyber attacks by identifying and blocking them at every stage of the attack. It consists of six main stages:

1. Reconnaissance: Attackers gather information about their target.

For the techniques at this stage, Logsign (version 6.3.25) contains 36 alarms in its ready library, shown in the images below.

[Images 2.png, 3.png, 4.png: Logsign ready-library alarms for the Reconnaissance stage]

2. Weaponization: Attackers develop their attack weapons using the information they have collected.

For this stage, the Logsign ready libraries contain alarms in several different categories.

[Images 5.png, 6.png: Logsign ready-library alarms for the Weaponization stage]

3. Delivery: Attackers deliver their weapons to the target system, for example by sending malware files via email, forcing malware downloads via websites, or using social engineering techniques.

4. Exploitation: Attackers exploit vulnerabilities in the target system to gain access.

For the techniques at this stage, Logsign (version 6.3.25) contains 20 alarms in its ready library, shown in the images below.

[Images 7.png, 8.png: Logsign ready-library alarms for the Exploitation stage]

5. Installation: Attackers install a persistent threat in the system to maintain control.

After exploiting the target, the attacker downloads the actual malware to it so that the system can be controlled beyond the reach of the security controls; the attacker thereby becomes a persistent threat. This stage aims to maximize the time the malware remains on the system.

[Image 9.png: Logsign ready-library alarms for the Installation stage]

6. Command and Control: Attackers use command and control mechanisms to control the target system.

At this stage, attackers begin to use command and control mechanisms to gain control over the target system.

For the techniques at this stage, Logsign (version 6.3.25) contains 6 alarms in its ready library, shown in the image below.

[Image 10.png: Logsign ready-library alarms for the Command and Control stage]

7. Action: Having completed all the previous steps, the attacker has gained access to the organization and at this stage can perform actions such as data theft, data modification, data deletion, data encryption, or damage to the system.

Many alarms for this stage can be examined in the Logsign library.

[Images 11.png, 12.png: Logsign ready-library alarms for the Action stage]

Defense mechanisms use the Cyber Kill Chain to take preventive steps against cyber attacks, protecting the system by blocking the attack at every stage.

Cyber Kill Chain and Mitre

Another popular cybersecurity framework used for threat detection and hunting is the Cyber Kill Chain. Unlike MITRE ATT&CK's technique matrix, the Cyber Kill Chain describes a sequence of events. Developed by Lockheed Martin, the Cyber Kill Chain is based on the military "kill chain" concept, which defines the structure of an attack.
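To show how the 14 ATT&CK tactics listed above line up with the seven Kill Chain stages, here is an added example (not Logsign's code or alarm library) that maps a set of constructed alarm definitions tagged with ATT&CK tactics onto Kill Chain stages and reports which stages have no detection at all. The tactic-to-stage mapping and the alarm names are assumptions made for the example; the technique IDs are real ATT&CK identifiers.

```python
"""Map detection alarms tagged with MITRE ATT&CK tactics onto Cyber Kill Chain
stages and report coverage gaps. Added example: the alarms and the
tactic-to-stage mapping are constructed assumptions, not Logsign's library."""

# Assumed correspondence between ATT&CK tactics and Kill Chain stages.
# ATT&CK has no "Delivery" tactic as such; Initial Access is the closest fit.
TACTIC_TO_STAGE = {
    "Reconnaissance": "Reconnaissance",
    "Resource Development": "Weaponization",
    "Initial Access": "Delivery",
    "Execution": "Exploitation",
    "Persistence": "Installation",
    "Privilege Escalation": "Installation",
    "Defense Evasion": "Installation",
    "Credential Access": "Actions on Objectives",
    "Discovery": "Actions on Objectives",
    "Lateral Movement": "Actions on Objectives",
    "Collection": "Actions on Objectives",
    "Command and Control": "Command and Control",
    "Exfiltration": "Actions on Objectives",
    "Impact": "Actions on Objectives",
}
KILL_CHAIN = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
              "Installation", "Command and Control", "Actions on Objectives"]

# Constructed sample alarm definitions: (alarm name, ATT&CK tactic, technique ID).
# The technique IDs are real ATT&CK identifiers; the alarm names are made up.
SAMPLE_ALARMS = [
    ("Port scan from single source", "Reconnaissance", "T1595"),
    ("Phishing attachment opened", "Initial Access", "T1566"),
    ("Registry run key added", "Persistence", "T1547"),
    ("Beaconing over HTTP", "Command and Control", "T1071"),
    ("Mass file encryption", "Impact", "T1486"),
]

def coverage_by_stage(alarms):
    """Return {stage: sorted technique IDs covered}, with a key for every stage."""
    cov = {stage: set() for stage in KILL_CHAIN}
    for _name, tactic, technique in alarms:
        stage = TACTIC_TO_STAGE.get(tactic)
        if stage is None:
            raise ValueError(f"unknown ATT&CK tactic: {tactic!r}")
        cov[stage].add(technique)
    return {stage: sorted(ids) for stage, ids in cov.items()}

def uncovered_stages(alarms):
    """Kill Chain stages with no alarm at all: the detection gaps to close first."""
    return [s for s, ids in coverage_by_stage(alarms).items() if not ids]

if __name__ == "__main__":
    for stage, ids in coverage_by_stage(SAMPLE_ALARMS).items():
        print(f"{stage:22s} {', '.join(ids) or '-- no alarms --'}")
```

With the constructed alarms, Weaponization and Exploitation come out with no coverage, which is the kind of gap a SOC would fill from the corresponding library categories.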
