AoC 2022 Day 1: Cyber Security Frameworks
To stop data breaches, organizations must modify and enhance their cybersecurity operations. Security frameworks are used to direct the implementation of security initiatives and strengthen the organization’s security posture.
Security frameworks are formally defined processes that specify the rules and practices that businesses should adhere to when establishing and maintaining security measures. They provide as a guide for identifying and addressing potential risks and structural vulnerabilities that could allow for an attack.
By creating procedures and organizational structures in a strategic plan, frameworks assist firms in taking the guessing out of protecting their infrastructure and data. Additionally, doing so will assist them in meeting legal and commercial standards.
Let’s get started by taking a quick look at the most popular frameworks.
NIST Cybersecurity Framework
The National Institute of Standards and Technology (NIST) developed the Cybersecurity Framework (CSF), which offers enterprises specific instructions for managing and lowering cybersecurity risk. The framework focuses on the following five crucial tasks: Identity -> Protect -> Detect -> Respond -> Recover. With the help of these features, the framework enables businesses to prioritize their cybersecurity spending and work continuously toward a desired cybersecurity profile.
ISO 27000 Series
For many businesses and areas, the International Organization of Standardization (ISO) creates a number of frameworks. The ISO 27001 and 27002 standards, which are well-known in the field of cybersecurity, provide the prerequisites and steps for developing, putting into practice, and maintaining an information security management system (ISMS). These requirements can be used to gauge an institution’s capacity to adhere to information security standards via the application of risk management.
MITRE ATT&CK Framework
It can be difficult to begin an investigation of an opponent’s attack strategy blindly. The tactics, techniques, and procedures—commonly referred to as tactics, techniques, and procedures—that have been devised for an attack can be used to understand them (TTP). To help security teams recognize attack patterns, the MITRE ATT&CK framework provides a knowledge source of TTP that has been meticulously collected and detailed. The framework is organized like a periodic table, with references to system platforms that have been exploited and approaches mapped against stages of the attack chain.
This framework emphasizes the thorough method it offers when examining an attack. It combines cybersecurity data relevant to an environment to offer insights into cyber threats that aid teams in creating efficient security measures for their organizations.
Cyber Kill Chain
The term “kill chain,” which represents the structure of an attack and includes target identification, decision and order to attack the target, and finally target destruction, was borrowed as a core idea of this framework from the military. The cyber kill chain, created by Lockheed Martin, outlines the steps that are often taken in a cyberattack. Security defenders can use this framework as part of an intelligence-driven response.
The Cyber Kill Chain has seven stages that increase awareness of and comprehension of an adversary’s tactics, techniques, and procedures.
Unified Kill Chain (UKC)
The Unified Kill Chain can be described as the unification of the MITRE ATT&CK and Cyber Kill Chain frameworks. Published by Paul Pols in 2017 (and reviewed in 2022), the UKC provides a model to defend against cyber attacks from the adversary’s perspective. The UKC offers security teams a blueprint for analyzing and comparing threat intelligence concerning the adversarial mode of working.
The Unified Kill Chain describes 18 phases of attack based on Tactics, Techniques, and Procedures TTPs). The individual phases can be combined to form overarching goals, such as gaining an initial foothold in a targeted network, navigating through the network to expand access, and performing actions on critical assets. Santa’s security team would need to understand how these phases are put together from the attacker’s perspective.
CYCLE 1: In
The main focus of this series of phases is for an attacker to gain access to a system or networked environment. Typically, cyber-attacks are initiated by an external attacker. The critical steps they would follow are:
- Reconnaissance: The attacker performs research on the target using publicly available information.
- Weaponization: Setting up the needed infrastructure to host the command and control center (C2) is crucial in executing attacks.
- Delivery: Payloads are malicious instruments delivered to the target through numerous means, such as email phishing and supply chain attacks.
- Social Engineering: The attacker will trick their target into performing untrusted and unsafe action against the payload they just delivered, often making their message appear to come from a trusted in-house source.
- Exploitation: If the attacker finds an existing vulnerability, a software or hardware weakness, in the network assets, they may use this to trigger their payload.
- Persistence: The attacker will leave behind a fallback presence on the network or asset to make sure they have a point of access to their target.
- Defence Evasion: The attacker must remain anonymous throughout their exploits by disabling and avoiding any security defense mechanisms enabled, including deleting evidence of their presence.
- Command & Control: Remember the infrastructure that the attacker prepared? A communication channel between the compromised system and the attacker’s infrastructure is established across the internet.
This phase may be considered a loop as the attacker may be forced to change tactics or modify techniques if one fails to provide an entrance into the network.
CYCLE 2: Through
Under this phase, attackers will be interested in gaining more access and privileges to assets within the network.
The attacker may repeat this phase until the desired access is obtained.
- Pivoting: Remember the system that the attacker may use for persistence? This system will become the attack launchpad for other systems in the network.
- Discovery: The attacker will gather as much information about the compromised system as possible, such as available users and data. Alternatively, they may remotely discover vulnerabilities and assets within the network. This opens the way for the next phase.
- Privilege Escalation: Restricted access prevents the attacker from executing their mission. Therefore, they will seek higher privileges on the compromised systems by exploiting identified vulnerabilities or misconfigurations.
- Execution: With elevated privileges, malicious code may be downloaded and executed to extract sensitive information or cause further havoc on the system.
- Credential Access: Part of the extracted sensitive information would include login credentials stored in the hard disk or memory. This provides the attacker with more firepower for their attacks.
- Lateral Movement: Using the extracted credentials, the attacker may move around different systems or data storages within the network, for example, within a single department.
NOTE: A key element that one may think is missing is Access. This is not formally covered as a phase of the UKC, as it overlaps with other phases across the different levels, leading to the adversary achieving their goals for an attack.
CYCLE 3: Out
The Confidentiality, Integrity, and Availability (CIA) of assets or services are compromised during this phase. Money, fame, or sabotage will drive attackers to undertake their reasons for executing their attacks, cause as much damage as possible and disappear without being detected.
- Collection: After finding the jackpot of data and information, the attacker will seek to aggregate all they need. By doing so, the assets’ confidentiality would be compromised entirely, especially when dealing with trade secrets and financial or personally identifiable information (PII) that is to be secured.
- Exfiltration: The attacker must get his loot out of the network. Various techniques may be used to ensure they have achieved their objectives without triggering suspicion.
- Impact: When compromising the availability or integrity of an asset or information, the attacker will use all the acquired privileges to manipulate, interrupt and sabotage. Imagine the reputation, financial and social damage an organization would have to recover from.
- Objectives: Attackers may have other goals to achieve that may affect the social or technical landscape that their targets operate within. Defining and understanding these objectives tends to help security teams familiarize themselves with adversarial attack tools and conduct risk assessments to defend their assets.
~ Source: Tryhackme.
Day 1: Challenge Solution