Unified Kill Chain

The Unified Kill Chain (UKC) is a framework that establishes the phases of an attack and provides a means of identifying and mitigating risk to IT assets.

Threat Modelling

Threat modelling is a series of steps to improve the security of a system by identifying risk. It is done in the following steps:

  1. Identifying the systems or applications needing to be secured and their function in the environment

  2. Assessing what vulnerabilities and weaknesses could be exploited

  3. Developing a plan of action to secure the highlighted vulnerabilities

  4. Establishing policies to prevent the vulnerabilities from reoccurring where possible

Threat modelling reduces risk by creating a high-level overview of IT assets (pieces of hardware or software) and procedures to resolve vulnerabilities. Frameworks commonly used in threat modelling include STRIDE and DREAD; CVSS is used alongside them to score the severity of the vulnerabilities identified.

The Unified Kill Chain

Benefits of the Unified Kill Chain over older models include that it is modern, its 18 detailed phases, its coverage of the entire attack rather than only the initial compromise, and its more realistic attack scenarios, such as phases that recur as the attacker moves through the network.

In what year was the Unified Kill Chain framework released?

2017

According to the Unified Kill Chain, how many phases are there to an attack?

18

What is the name of the attack phase where an attacker employs techniques to evade detection?

Defense Evasion

What is the name of the attack phase where an attacker employs techniques to remove data from a network?

Exfiltration

What is the name of the attack phase where an attacker achieves their objectives?

Objectives

Phase: In (Initial Foothold)

During this phase an attacker uses multiple tactics to investigate a target for exploitable vulnerabilities, gain access to a system or networked environment, and sometimes establish a form of persistence.

Reconnaissance (MITRE Tactic TA0043)

  • Passive or active techniques employed to gather information relating to the target, such as:

    • Discovering systems and services running

    • Finding contact lists or employees that can be impersonated for social-engineering and phishing attacks

    • Looking for potential credentials for later stages

    • Understanding the network topology and other networked systems to pivot to

Weaponization (MITRE Tactic TA0042, Resource Development)

The adversary sets up the infrastructure needed to perform the attack, for example a C2 server or a system able to catch reverse shells and deliver payloads. (ATT&CK places this preparatory work under Resource Development, TA0042; Initial Access, TA0001, covers the delivery step that follows.)

Social Engineering (MITRE Tactic TA0001)

Techniques used to manipulate employees into performing actions that aid the attack, such as:

  • Getting a user to open a malicious attachment

  • Impersonating a web page to capture credentials

  • Calling or visiting the target while impersonating a user to obtain privileged access or to induce privileged actions

Exploitation (MITRE Tactic TA0002)

Taking advantage of weaknesses or vulnerabilities present in a system, such as:

  • Uploading a reverse shell to a web application and executing it

  • Interfering with an automated script on a system to execute code

  • Abusing a web application vulnerability to execute code on the system it is running on

Persistence (MITRE Tactic TA0003)

Techniques used to maintain access to a system after the initial foothold, such as:

  • Creating a service on the target system that allows the attacker to regain access

  • Adding the target system to a C2 server to execute commands remotely

  • Leaving backdoors that execute when certain actions occur

Defense Evasion (MITRE Tactic TA0005)

Techniques used to evade the defensive measures in place in a system or network, such as:

  • Web application firewalls

  • Network firewalls

  • Anti-virus systems on the target machine

  • Intrusion detection systems

For defenders, the techniques observed in this phase are valuable: they show which controls were bypassed and how, which informs both improvements to those controls and the incident response.

Command & Control (MITRE Tactic TA0011)

This phase builds on the infrastructure prepared during Weaponization to establish communications to and from the target system. Command and control lets the adversary:

  • Execute commands

  • Steal data and credentials

  • Pivot to other systems in the network
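A C2 channel usually shows up in logs as an implant checking in at a near-fixed interval. The script below, an added example that is not part of the original page, looks for that regularity in a constructed connection log: it groups outbound connections by source, destination and port, measures the gaps between consecutive connections, and flags pairs whose gaps are both frequent and regular (low coefficient of variation). The log lines, the IP addresses (203.0.113.7 plays the C2 server) and the thresholds are all assumptions made for the example.

```python
"""Beaconing detection over a constructed connection log (added example).

A C2 implant usually checks in at a near-fixed interval. Grouping outbound
connections by (src, dst, port) and measuring how regular the gaps between
them are separates a beacon from ordinary browsing.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "<ISO timestamp> <src_ip> <dst_ip> <dst_port>".
# 203.0.113.7 is the assumed C2 server (one check-in per minute);
# 198.51.100.20 stands in for ordinary, irregular web traffic.
SAMPLE_LOG = """\
2024-03-01T10:00:00 10.0.0.5 203.0.113.7 443
2024-03-01T10:00:02 10.0.0.5 198.51.100.20 443
2024-03-01T10:01:00 10.0.0.5 203.0.113.7 443
2024-03-01T10:02:01 10.0.0.5 203.0.113.7 443
2024-03-01T10:02:45 10.0.0.5 198.51.100.20 443
2024-03-01T10:02:59 10.0.0.5 203.0.113.7 443
2024-03-01T10:04:00 10.0.0.5 203.0.113.7 443
2024-03-01T10:05:01 10.0.0.5 203.0.113.7 443
2024-03-01T10:05:13 10.0.0.5 198.51.100.20 443
2024-03-01T10:06:00 10.0.0.5 203.0.113.7 443
2024-03-01T10:07:00 10.0.0.5 203.0.113.7 443
2024-03-01T10:09:30 10.0.0.5 198.51.100.20 443
"""


def parse_log(text):
    """Group connection timestamps by (src, dst, port)."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        events[(src, dst, int(port))].append(datetime.fromisoformat(ts))
    return events


def beacon_score(times):
    """Return (count, mean gap in seconds, coefficient of variation).

    The coefficient of variation (stdev / mean) is scale-free: a beacon every
    60 s and one every 4 h both score near zero as long as they are regular.
    """
    times = sorted(times)
    if len(times) < 3:
        return len(times), None, None
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    avg = mean(gaps)
    cv = pstdev(gaps) / avg if avg > 0 else float("inf")
    return len(times), avg, cv


def find_beacons(events, min_connections=5, max_cv=0.1):
    """Flag (src, dst, port) tuples with frequent, regular connections."""
    hits = []
    for (src, dst, port), times in events.items():
        count, avg, cv = beacon_score(times)
        if count >= min_connections and cv is not None and cv <= max_cv:
            hits.append({"src": src, "dst": dst, "port": port, "count": count,
                         "interval_s": round(avg, 1), "cv": round(cv, 3)})
    return sorted(hits, key=lambda h: h["cv"])


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"possible beacon: {hit['src']} -> {hit['dst']}:{hit['port']} "
              f"every ~{hit['interval_s']}s over {hit['count']} connections (cv={hit['cv']})")
```

Real implants add jitter to the sleep interval, which raises the coefficient of variation, and some sleep for hours between check-ins, so the thresholds have to be tuned per environment and legitimate periodic traffic (update checks, NTP, monitoring agents) has to be excluded before the remaining hits are worth an analyst's time.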

Pivoting (MITRE Tactic TA0008)

Techniques used to reach other systems within a network that are not otherwise accessible. Systems that are not directly reachable often hold valuable data or have weaker security.

What is an example of a tactic to gain a foothold using emails?

Phishing

Impersonating an employee to request a password reset is a form of what?

Social Engineering

An adversary setting up the Command & Control server infrastructure is what phase of the Unified Kill Chain?

Weaponization

Exploiting a vulnerability present on a system is what phase of the Unified Kill Chain?

Exploitation

Moving from one system to another is an example of?

Pivoting

Leaving behind a malicious service that allows the adversary to log back into the target is what?

Persistence

Phase: Through (Network Propagation)

After establishing a successful foothold on a target network, an attacker seeks additional access and privileges by setting up a base on one of the systems as a pivot point.

Pivoting (MITRE Tactic TA0008)

Once an attacker has access to a system, it is used as the staging site and as the tunnel between their command operations and the victim's network. It is also used to distribute malware and backdoors at later stages.

Discovery (MITRE Tactic TA0007)

The attacker builds a knowledge base of the environment: active users, granted permissions, applications and software in use, web browser activity, files, directories and network shares, and system configurations.

Privilege Escalation (MITRE Tactic TA0004)

To gain higher privileges on the pivot system, the adversary leverages the discovered information about existing accounts, together with vulnerabilities and misconfigurations, to elevate access to one of the following levels:

  • SYSTEM / root

  • Local Administrator

  • A user account with Admin-like access

  • A user account with specific access or functions

Execution (MITRE Tactic TA0002)

To maintain a recurring presence on the system and uphold their persistence, the adversary deploys malicious code using the pivot system as the host, such as:

  • Remote access trojans (RATs)

  • C2 scripts

  • Malicious links

  • Scheduled tasks

Credential Access (MITRE Tactic TA0006)

Alongside Privilege Escalation, the adversary attempts to steal account names and passwords; operating with legitimate credentials lessens the chance of detection.

Lateral Movement (MITRE Tactic TA0008)

With the stolen credentials and elevated privileges, the adversary can now move through the network to other targeted systems in pursuit of the primary objective.

As a SOC analyst, you pick up numerous alerts pointing to failed login attempts from an administrator account. What stage of the kill chain would an attacker be seeking to achieve?

Privilege escalation

Mimikatz, a known attack tool, was detected running on the IT Manager's computer. What is the mission of the tool?

Credential dumping
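The two scenarios above (a burst of failed logons against an administrator account, and Mimikatz running on a workstation) are the kind of host telemetry a SOC maps back to these phases. The script below is an added example, not part of the original page or of any vendor's product: it runs three detections over a constructed set of Windows Security events exported as JSON lines and labels each finding with the ATT&CK tactic and UKC phase it corresponds to. The event IDs follow the Windows Security log (4625 failed logon, 4624 logon, 4688 process creation, 4698 scheduled task created), but the hosts, users, paths, field names and thresholds are assumptions for the example. The credential-dumping rule deliberately matches on Mimikatz module names such as sekurlsa:: rather than only the file name, because the sample has the binary renamed to mk.exe.

```python
"""Host-event triage mapped to kill-chain phases (added example, constructed data)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events as JSON lines. IDs follow the Windows Security log
# (4625 failed logon, 4624 logon, 4688 process creation, 4698 task created),
# but hosts, users, paths and field names are assumptions for the example.
SAMPLE_EVENTS = r"""
{"time": "2024-03-01T09:00:01", "id": 4625, "host": "WS01", "user": "Administrator", "src_ip": "10.0.0.5"}
{"time": "2024-03-01T09:00:03", "id": 4625, "host": "WS01", "user": "Administrator", "src_ip": "10.0.0.5"}
{"time": "2024-03-01T09:00:05", "id": 4625, "host": "WS01", "user": "Administrator", "src_ip": "10.0.0.5"}
{"time": "2024-03-01T09:00:08", "id": 4625, "host": "WS01", "user": "Administrator", "src_ip": "10.0.0.5"}
{"time": "2024-03-01T09:00:11", "id": 4625, "host": "WS01", "user": "Administrator", "src_ip": "10.0.0.5"}
{"time": "2024-03-01T09:00:14", "id": 4625, "host": "WS01", "user": "Administrator", "src_ip": "10.0.0.5"}
{"time": "2024-03-01T09:00:20", "id": 4624, "host": "WS01", "user": "Administrator", "src_ip": "10.0.0.5"}
{"time": "2024-03-01T09:02:40", "id": 4625, "host": "FS02", "user": "jsmith", "src_ip": "10.0.0.9"}
{"time": "2024-03-01T09:05:00", "id": 4688, "host": "WS01", "user": "Administrator", "process": "C:\\Tools\\mk.exe", "cmdline": "mk.exe \"privilege::debug\" \"sekurlsa::logonpasswords\""}
{"time": "2024-03-01T09:06:00", "id": 4698, "host": "WS01", "user": "Administrator", "task": "\\Microsoft\\Windows\\Updater", "command": "C:\\Users\\Public\\svc.exe"}
"""

FAIL_THRESHOLD = 5                   # this many failed logons ...
FAIL_WINDOW = timedelta(seconds=60)  # ... within this window
# Mimikatz module names catch the tool even when the binary has been renamed.
CRED_DUMP_MARKERS = ("mimikatz", "sekurlsa::", "lsadump::", "lsass")
USER_WRITABLE_DIRS = ("\\users\\public\\", "\\temp\\", "\\appdata\\")


def parse_events(text):
    """Parse JSON lines and return the events sorted by time."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for event in events:
        event["time"] = datetime.fromisoformat(event["time"])
    return sorted(events, key=lambda e: e["time"])


def detect_logon_failure_burst(events):
    """>= FAIL_THRESHOLD failed logons for one account on one host inside FAIL_WINDOW."""
    fails, successes = defaultdict(list), defaultdict(list)
    for event in events:
        key = (event["host"], event["user"])
        if event["id"] == 4625:
            fails[key].append(event["time"])
        elif event["id"] == 4624:
            successes[key].append(event["time"])
    findings = []
    for (host, user), times in fails.items():
        for i, start in enumerate(times):  # sliding window over time-sorted failures
            j = i
            while j + 1 < len(times) and times[j + 1] - start <= FAIL_WINDOW:
                j += 1
            if j - i + 1 >= FAIL_THRESHOLD:
                last = times[j]  # a success shortly after the burst means a guess worked
                success_after = any(last < t <= last + FAIL_WINDOW for t in successes[(host, user)])
                findings.append({"rule": "logon_failure_burst", "host": host, "user": user,
                                 "failures": j - i + 1, "success_after": success_after,
                                 "tactic": "TA0006",
                                 "ukc_phase": "Through: Credential Access / Privilege Escalation"})
                break
    return findings


def detect_credential_dumping(events):
    """4688 process creation whose image or command line matches credential-dumping markers."""
    findings = []
    for event in events:
        if event["id"] != 4688:
            continue
        haystack = (event.get("process", "") + " " + event.get("cmdline", "")).lower()
        matched = [m for m in CRED_DUMP_MARKERS if m in haystack]
        if matched:
            findings.append({"rule": "credential_dumping_cmdline", "host": event["host"],
                             "user": event["user"], "matched": matched,
                             "tactic": "TA0006", "ukc_phase": "Through: Credential Access"})
    return findings


def detect_scheduled_task(events):
    """4698 scheduled task creation; a task binary in a user-writable directory is suspicious."""
    findings = []
    for event in events:
        if event["id"] != 4698:
            continue
        command = event.get("command", "").lower()
        findings.append({"rule": "scheduled_task_created", "host": event["host"],
                         "user": event["user"], "task": event.get("task", ""),
                         "suspicious_path": any(d in command for d in USER_WRITABLE_DIRS),
                         "tactic": "TA0002", "ukc_phase": "Through: Execution (scheduled task)"})
    return findings


def triage(text):
    """Run every detection over the events and return the combined findings."""
    events = parse_events(text)
    return (detect_logon_failure_burst(events) + detect_credential_dumping(events)
            + detect_scheduled_task(events))


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The burst rule reports whether a successful logon followed the failures, which is what separates a noisy but failed attempt from an account that is now in the attacker's hands; the scheduled-task rule always reports the event but marks the path, because a task created by a legitimate installer and one created for persistence produce the same event ID and only the binary's location and signer tell them apart.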

Phase: Out (Action on Objectives)

Collection (MITRE Tactic TA0009)

By gathering all data of interest, the adversary compromises the confidentiality of the data.

Exfiltration (MITRE Tactic TA0010)

The adversary steals the collected data, typically packaged with compression and encryption to avoid detection, deepening the compromise. The C2 channel and tunnel established in earlier phases are used for this.

Impact (MITRE Tactic TA0040)

To compromise integrity and availability, the adversary may interrupt or destroy data assets by:

  • Removing account access

  • Disk wipes

  • Data encryption (ransomware)

  • Defacement

  • Denial of Service (DoS)

Objectives

With the power and access gained, the adversary can now achieve the primary goal of the attack.

While monitoring the network as a SOC analyst, you realize that there is a spike in the network activity, and all the traffic is outbound to an unknown IP address. What stage could describe this activity?

Exfiltration
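Because the data is compressed and encrypted before it leaves, content inspection rarely helps; what gives exfiltration away in network telemetry is volume and direction, as in the scenario above. The script below is an added example, not part of the original page: it aggregates constructed flow records per source/destination pair and flags an external destination that receives an upload-heavy, unusually large volume from one host compared with that host's uploads to its other external destinations. The records, the addresses, the allowlist mechanism and the thresholds are assumptions for the example.

```python
"""Flagging a possible exfiltration in constructed flow records (added example).

Exfiltration looks different from normal client traffic: it is upload-heavy,
concentrated on one external destination, and much larger than the host's
usual per-destination volume. Records, addresses and thresholds are assumptions.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

# Constructed flow records: "<time> <src> <dst> <dport> <bytes_out> <bytes_in>".
SAMPLE_FLOWS = """\
2024-03-01T14:00:00 10.0.0.5 198.51.100.20 443 12000 880000
2024-03-01T14:01:00 10.0.0.5 192.0.2.44 443 9000 450000
2024-03-01T14:02:00 10.0.0.5 10.0.0.3 445 250000 300000
2024-03-01T14:03:00 10.0.0.9 198.51.100.20 443 15000 900000
2024-03-01T14:10:00 10.0.0.5 203.0.113.7 443 52000000 40000
2024-03-01T14:11:00 10.0.0.5 203.0.113.7 443 61000000 41000
2024-03-01T14:12:00 10.0.0.5 203.0.113.7 443 58000000 39000
"""

# RFC 1918 ranges checked explicitly: ipaddress's is_private would also treat
# the documentation ranges used above (203.0.113.0/24 etc.) as private.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text):
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        time, src, dst, dport, out, inn = line.split()
        flows.append({"time": time, "src": src, "dst": dst, "dport": int(dport),
                      "bytes_out": int(out), "bytes_in": int(inn)})
    return flows


def aggregate(flows):
    """Total bytes and flow count per (src, dst) pair."""
    totals = defaultdict(lambda: {"bytes_out": 0, "bytes_in": 0, "flows": 0})
    for f in flows:
        t = totals[(f["src"], f["dst"])]
        t["bytes_out"] += f["bytes_out"]
        t["bytes_in"] += f["bytes_in"]
        t["flows"] += 1
    return totals


def find_exfiltration(flows, allowlist=frozenset(), min_bytes_out=20_000_000,
                      min_upload_ratio=5.0, spike_factor=10.0):
    """Flag external destinations that receive an unusually large upload from a host."""
    totals = aggregate(flows)
    findings = []
    for (src, dst), t in totals.items():
        if is_internal(dst) or dst in allowlist:
            continue
        # Baseline: this host's median upload to its *other* external destinations.
        others = [o["bytes_out"] for (s, d), o in totals.items()
                  if s == src and d != dst and not is_internal(d)]
        baseline = median(others) if others else 0.0
        ratio = t["bytes_out"] / max(t["bytes_in"], 1)
        if (t["bytes_out"] >= min_bytes_out and ratio >= min_upload_ratio
                and t["bytes_out"] >= spike_factor * baseline):
            findings.append({"src": src, "dst": dst, "bytes_out": t["bytes_out"],
                             "flows": t["flows"], "upload_ratio": round(ratio, 1),
                             "baseline_bytes_out": baseline,
                             "tactic": "TA0010", "ukc_phase": "Out: Exfiltration"})
    return findings


if __name__ == "__main__":
    for hit in find_exfiltration(parse_flows(SAMPLE_FLOWS)):
        print(f"possible exfiltration: {hit['src']} -> {hit['dst']}, "
              f"{hit['bytes_out']} bytes out over {hit['flows']} flows "
              f"(upload ratio {hit['upload_ratio']}, baseline {hit['baseline_bytes_out']} bytes)")
```

A legitimate backup job or cloud sync produces the same upload-heavy signature, so the allowlist of known destinations and the per-host baseline are where the tuning happens; when the destination is unknown, the analyst's next step is the C2 channel question from the earlier phases, since the page notes exfiltration rides the tunnel established there.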

Personally identifiable information (PII) has been released to the public by an adversary, and your organization is facing scrutiny for the breach. What part of the CIA triad would be affected by this action?

Confidentiality
