Comodo MITRE Kill Chain
The Cyber Intrusion Kill Chain, also known simply as the Kill Chain, was adapted from military concepts. It was first applied to cyber security by Lockheed Martin’s engineers. The structure of an attack forms the core of the framework: the end-to-end process, or the entire sequence of events, required to execute a successful attack.
“First identify the target, locate the target, monitor its movement, select the appropriate weapon, engage the target and evaluate the impact of the attack.”
The Kill Chain can be used to conduct an attack or to detect and defend against one. Defense succeeds when an opponent’s kill chain is broken, making the attack fail. Lockheed Martin’s CKC model is the first and most important tool for analyzing APT and malware attacks. According to Lockheed Martin researchers, a full kill chain requires the attacker to create a payload, breach a trusted boundary, establish a presence within the trusted environment and then take actions towards their goals.
The CKC tactically defines the chain of events or kill chain that an external attacker must follow.
The Cyber Kill Chain is the most popular model for protecting against APTs. It can be used to detect an APT in a single phase and also to allocate defensive and preventive countermeasures. The term APT was first used by United States intelligence to describe Asia-Pacific Threats (mainly China). APT has since been renamed Advanced Persistent Threat (APT), referring to advanced attackers who use a variety of attack techniques against a victim’s systems in order to achieve their ultimate goal. NIST defines APT as:
MITRE created the ATT&CK framework in 2013. It is not a Cyber Kill Chain; instead, it focuses on adversary behavior rather than traditional indicators like domains, IP addresses and hashes. MITRE studies how adversaries interact with and behave on systems. The ATT&CK framework uses tactics and techniques to help understand defenses. Tactics, techniques and procedures (TTPs) form the foundation of a common taxonomy that applies to real environments and is comparable across different platforms.
In MITRE ATT&CK, Tactics are the “why” and Techniques are the “how”. Tactics are useful contextual categories that group individual techniques; they cover the standard, higher-level notions of what adversaries do during operations, such as persisting, discovering information and moving laterally. A tactic is carried out through techniques such as “Exfiltration Over C2 Channel”, which entails stealing data and exfiltrating it through an existing command-and-control channel.
Kill Chains show the course of action and the stages of an attack. This information is crucial for detecting active breaches that are hidden behind the curtains. From the attacker’s perspective, C&C, Privilege Escalation and Lateral Movement are all key to achieving the final objective. We have combined both taxonomies by mapping the appropriate MITRE ATT&CK techniques and tactics onto each Kill Chain stage.
APT 29 is mitigated by Dragon Platform, tested with MITRE Caldera
Preparation Phase:
We have mapped the Kill Chain Reconnaissance phase mainly to the MITRE PRE-ATT&CK phase. In this phase attackers mostly act in passive mode, for example TA0017 Organizational Information Gathering or TA0019 People Weakness Identification.
The Kill Chain Weaponization phase is also mapped directly to the MITRE PRE-ATT&CK phase. This phase covers activities such as exploit development and embedding the exploit into a deliverable payload.
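As an added illustration (not Comodo’s or MITRE’s code), the following Python script applies a Kill Chain to ATT&CK mapping to constructed alert lines to show how far an intrusion progressed and which stages went unseen. Only the TA0017/TA0019 rows follow the article; the Enterprise tactic rows, the alert line format and the sample alerts are assumptions.

```python
import re

# Lockheed Martin's seven Kill Chain stages, in order.
KILL_CHAIN = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
              "Installation", "Command and Control", "Actions on Objectives"]

# ATT&CK tactic ID -> Kill Chain stage. The PRE-ATT&CK entries (TA0017,
# TA0019) follow the article; the Enterprise-tactic rows are an assumption.
TACTIC_TO_STAGE = {
    "TA0017": "Reconnaissance", "TA0019": "Reconnaissance",
    "TA0001": "Delivery",               # Initial Access
    "TA0002": "Exploitation",           # Execution
    "TA0003": "Installation",           # Persistence
    "TA0004": "Installation",           # Privilege Escalation
    "TA0011": "Command and Control",    # Command and Control
    "TA0008": "Actions on Objectives",  # Lateral Movement
    "TA0010": "Actions on Objectives",  # Exfiltration
}
# Stages before the trusted boundary is crossed; internal sensors rarely see
# them, so they are not reported as detection gaps.
PRE_BOUNDARY = {"Reconnaissance", "Weaponization"}

# Assumed (hypothetical) alert format: "... tactic=TA0001 technique=T1566 ..."
ALERT_RE = re.compile(r"\btactic=(TA\d{4})\b")
# Constructed sample alerts for one intrusion, not real telemetry.
SAMPLE_ALERTS = [
    "2024-03-01T09:12:03Z host=ws01 tactic=TA0001 technique=T1566 sev=high",
    "2024-03-01T09:15:41Z host=ws01 tactic=TA0011 technique=T1071 sev=high",
    "2024-03-01T09:40:10Z host=ws01 tactic=TA0010 technique=T1041 sev=critical",
    "2024-03-01T10:02:00Z host=fs02 tactic=TA0008 technique=T1021 sev=high",
]

def analyze(alerts):
    """Return the earliest stage where the chain was seen (where it could have
    been broken), the furthest stage reached, and the stages in between that
    produced no alert (the intrusion passed through them unseen)."""
    seen = set()
    for line in alerts:
        m = ALERT_RE.search(line)
        stage = TACTIC_TO_STAGE.get(m.group(1)) if m else None
        if stage:
            seen.add(stage)
    if not seen:
        return {"first_detected": None, "furthest": None, "gaps": []}
    indices = sorted(KILL_CHAIN.index(s) for s in seen)
    first, last = indices[0], indices[-1]
    gaps = [s for s in KILL_CHAIN[:last]
            if s not in seen and s not in PRE_BOUNDARY]
    return {"first_detected": KILL_CHAIN[first],
            "furthest": KILL_CHAIN[last], "gaps": gaps}
```

A non-empty `gaps` list means the attacker moved through those stages without triggering any mapped alert, which is where detection coverage should be added.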
For defensive countermeasures