Understanding the Anatomy of a Cyber Attack by Tobias Faiss

Understanding the Anatomy of a Cyber Attack

Tobias Faiss
3 min readMar 14, 2024

--

Concepts of Cyber Kill Chain and MITRE ATT&CK Framework

In today’s digital world, cyber threats are becoming more sophisticated, making it important for organizations to be aware of how these attacks work. Understanding the anatomy of a cyber attack can help security professionals identify vulnerabilities and prevent them from being exploited. In this article, we will explore two concepts that can help us understand the anatomy of a cyber attack: the Cyber Kill Chain and the MITRE ATT&CK Framework.

The Cyber Kill Chain is a model that describes the stages of a typical cyber attack. It was developed by Lockheed Martin to help security professionals identify and prevent threats. The model consists of seven stages, each representing a different phase of the attack:

1. Reconnaissance — In this stage, the attacker gathers information about the target, such as its network infrastructure and security measures.

2. Weaponization — The attacker creates an exploit or payload that can be used to compromise the target system.

3. Delivery — The attacker delivers the payload to the target system using a method such as email phishing or a web-based exploit kit.

4. Exploitation — The payload is executed on the target system, allowing the attacker to gain access and take control of it.

5. Installation — The attacker installs additional software on the target system to maintain persistence and carry out further activities.

6. Command & Control — The attacker establishes a communication channel with the compromised system to issue commands and receive data.

7. Actualization — The attacker carries out their objectives, such as stealing sensitive information or disrupting operations.

The MITRE ATT&CK Framework is another concept that can help us understand the anatomy of a cyber attack. Developed by the Mitre Corporation, this framework provides a comprehensive list of tactics, techniques, and procedures (TTPs) used by attackers to carry out their objectives. It is designed to help security professionals identify and prevent threats by providing a common language for describing them.

The MITRE ATT&CK Framework consists of several categories that describe the different types of tactics, techniques, and procedures used by attackers:

1. Initial Access — The attacker gains access to the target system.

2. Execution — The attacker executes their payload on the target system.

3. Persistence — The attacker maintains a presence on the target system to carry out further activities.

4. Privilege Escalation — The attacker gains higher-level access to the target system.

5. Defense Evasion — The attacker takes steps to evade detection by security measures.

6. Credential Access — The attacker steals sensitive credentials from the target system.

7. Discovery — The attacker gathers information about the target system’s network and security measures.

8. Lateral Movement — The attacker moves laterally within the target network to compromise additional systems.

9. Collection — The attacker collects data from the compromised system.

10. Exfiltration — The attacker transfers stolen data out of the target system.

By understanding these concepts, security professionals can better identify and prevent cyber threats. The Cyber Kill Chain provides a high-level overview of the stages of a typical cyber attack, while the MITRE ATT&CK Framework provides more detailed information on the tactics, techniques, and procedures used by attackers. It is not a question which framework is the more sophisticated one. Both have their unique strengths and their meaning increases significantly once their are used together.

By using these frameworks, organizations can improve their security posture and prevent costly breaches.

--

--