Kill Chain phases
1: Reconnaissance and Precursors
2: Weaponization
3: Delivery
4: Exploitation
5: Installation
6: Command and Control (C2)
7: Actions on Objectives
What is the Kill Chain
- Deterministic process
- Describes stages of a single intrusion
- “Compromise” is successful completion
- Seven stages to defend
KC - 1: Recon / Precursors
- Tasking
- Acquisition of tools
- Acquisition of infrastructure
- Identification of targets
- Organizational research
KC - 2: Weaponization
- Configuring (Backdoors, Droppers)
- Packaging (Container, Exploit, First-stage binary)
KC - 3: Delivery
- Mechanism in which payload gets to target
- Protocol-based (smtp, http)
- media-based (usb, cd / dvd)
KC - 4: Exploitation
Disposition / Execution of exploit
KC - 5: Installation
- Associated with persistence and invocation
- Droppers
KC - 6: Command and Control (C2)
Associated with establishing communications
KC - 7: Actions on Objectives
- Commands executed
- Additional tools transferred to the victim to facilitate on-system or on-network objectives
- Files exfiltrated
- Files modified
Four vertices of the Diamond Model
Adversary
Capability / TTP
Victim
Infrastructure
DM - Adversary
Any data related to perpetrators such as:
- Online presence
- Accounts
- Intent
- Human Choices
Individual or group behind an event. Two types:
- Adversary Operator (executing the action)
- Adversary Customer (benefits from the action)
DM - Capability / TTP
Tools employed, techniques demonstrated:
- Exploits
- Backdoors
- Methods for staging data
- Situational awareness
DM - Infrastructure
Any vehicle for delivering capabilities
DM - Victim
The vicitm is the recipient of the capabilities, deployed across infrastructure by the adversary. It can be:
- Networks
- Systems
- People
- Organizations
CoA
Course of Action. It helps answer:
- What is “action” in actionable indicators
- What options are available?
- How resilient am I?
- What capabilities do I lack?
- Where do I focus investment? Research?
The CoA is the complement (of the KC) of actions for network defenders.
The 7 D’s of Action Matrix
Discover Detect Deny Disrupt Degrade Deceive Destroy
CoA: Discover
Log searching
Post-hoc signature use
Heuristic searching
CoA: Detect
Identification of known-bad activity Future complement of discover Triggers race condition to end of the kill chain Robust instrumentation is key enabler Pairs with other CoAs
Detection refers to identifying intrusion activity that may occur in the future and is one of the most basic actions one can take.
CoA: Deny
Prevent occurrence outright
CoA: Disrupt
Interfere so as to cause failure
CoA: Degrade
Interfere to reduce efficacy. Slows down potentially malicious actions.
CoA: Deceive
Provide misinformation to adversary or code.
CoA: Destroy
Offensive action that reduces capacity to operate. Not legal for most entities. Examples:
- Hacking back
- Denial of service
- Arrest
- Physically destructive actions
MITRE ATT&CK
Documentation of tactics and techniques (for intrusions)
Tactics
Techniques
Sub-techniques
Procedures
