Lesson 4 of 4
In Progress

Sample Attack Scenario Framework

What is an Attack Scenario Framework

<<add details here>>

How Kill Chain Analysis Helps?

Kill Chain is a model used to identify the different phases a successful intrusion goes through. The phases of the Kill Chain are the following:

  • Reconnaissance: Threat Actor (TA) profiles the target and defines the tactics of the attack
  • Weaponization: TA develops the malware and puts it into a delivery mechanism as well as builds their command and control (C2) infrastructure
  • Delivery: TA delivers the payload to the target
  • Exploitation: TA compromises target host such that it will behave according to his intention
  • Install: TA installs and activate malware on target host
  • C2: TA remotely controls the compromised host
  • Actions on target / Exfiltration: TA steals the intended data or performs other actions on target

Breaking the kill-chain is the end goal of defenders and represents the ability to interrupt and stop the attack before actions on target or exfiltration occur.

Lets do Attack Scenario Modelling

One way to model attack scenarios require the following two elements to be identified and mapped on to the Kill Chain in a matrix:

  • Actions (aka Observables) – Any actions or indicators of a Threat Actor (TA)
  • Countermeasures –  Tools and techniques to allow detection, disruption, degradation, deceiving and destroying the attack.