Cyber Security Detection Frameworks

By Hacktivities. Published in InfoSec Write-ups, Aug 1, 2022.

If you spend enough time in or around the cyber security industry, you will often hear the term “cyber security framework” mentioned. In this article, I will be briefly covering several common cyber security detection frameworks used by organizations to help understand adversary behavior during a cyber-attack.

What is a Cyber Security Framework?

A cyber security framework is a collection of standards, guidelines, procedures and best practices intended to help an organization defend itself from cyber attacks or data breaches. They are used by organizations to achieve security objectives and are often mandatory, or at least strongly encouraged, for companies that want to comply with state, industry, and international cybersecurity regulations.

List of Cybersecurity Frameworks.

Many different types of frameworks exist within the cybersecurity industry today, each aiming to achieve different security objectives. For example, in order to handle credit card transactions, a business must pass an audit attesting to its compliance with the Payment Card Industry Data Security Standards (PCI DSS) framework. Another example would be an organization using the NIST Special Publication 800-53 Revision 5 to implement security and privacy controls. It is also common to see organizations implement more than one framework to achieve their objectives.

Cyber Security Detection Frameworks

There are multiple frameworks available within the cyber security industry that help organizations understand adversary behavior during a cyber-attack. This article highlights several common frameworks used by organizations to guide their approach to and understanding of attack and defense strategies.

NIST Cybersecurity Framework

The NIST Cybersecurity Framework is a popular framework used to improve an organization's cybersecurity standards and manage the risk of cyber threats. The framework provides guidelines on security controls and benchmarks for success for organizations ranging from critical infrastructure (power plants, etc.) through to commercial businesses. There is also a limited section on a standard guideline for the methodology a penetration tester should take.

The NIST Framework is comprised of five functions:

  • Identify: Gain a complete understanding of your people, physical and digital assets, risks and vulnerabilities, and defense systems.
  • Protect: Establish a layered and diverse approach to defending the business, while also being ready to respond to any attack.
  • Detect: Implement technologies and practices for quickly detecting true positive events across all security data.
  • Respond: React appropriately to an incident and keep it from becoming a serious breach.
  • Recover: Return the organization to its original state by planning for resilience, and implement new preventative measures to safeguard against a repeat attack.

NIST CSF Framework Core’s Functions and Categories.

MITRE ATT&CK

The MITRE ATT&CK framework is a living, growing framework of common tactics, techniques, and procedures (TTPs) used by advanced persistent threats (APTs) and other cybercriminals. A tactic is the objective of the actor, and a technique is the method of getting there. The MITRE framework uses evidence from past attacks to get inside the head of the attacker, with a detailed understanding of how these tactics manifest, the techniques used, potential response steps, and useful data sources for in-depth analysis.

MITRE ATT&CK framework

The 14 tactics addressed by the MITRE ATT&CK Framework include:

  • Reconnaissance: the adversary is trying to gather information they can use to plan future operations.
  • Resource Development: the adversary is trying to establish resources they can use to support operations.
  • Initial Access: the act of bypassing the network’s defenses to get a foothold in the environment, using techniques such as phishing.
  • Execution: execution of malicious code enables actors to penetrate deeper into the network and move towards their objective.
  • Persistence: enables an actor to linger in a system or network, buying time to execute their plan despite potential interruptions.
  • Privilege Escalation: provides the attacker with a greater range of motion and control in the network through admin level access. Stealing a user’s credentials is a prime example of privilege escalation.
  • Defense Evasion: tactics, like masquerading, are an attempt to go undetected in the network.
  • Credential Access: allows bad actors to gain the access and control they need to achieve their objectives.
  • Discovery: involves gaining an understanding of the operating system and network to inform the attack plan.
  • Lateral Movement: the method of snaking through a system or network to get to the critical data or target objective.
  • Collection: refers to the identification and collection of prized data, to then exfiltrate it.
  • Command & Control: the actor takes remote control of a network through an already-compromised system.
  • Exfiltration: the ultimate goal of removing sensitive, highly-coveted data from a target network or system for malicious purposes, like re-sale on the black market.
  • Impact: impact on the business is another key objective, disrupting the integrity and availability of data, services, and systems.

Cyber Kill Chain

The Cyber Kill Chain was created by computer scientists at Lockheed Martin. The model describes a phased approach to end-to-end cyber attack detection and prevention based on the choreographed movements of a standard threat actor.

The Cyber Kill Chain.

The Cyber Kill Chain has seven steps:

  1. Reconnaissance: refers to the step where the attacker tries to learn as much as possible about the target (e.g. servers, operating system, IP addresses, names of users, and email addresses).
  2. Weaponization: refers to preparing a file with a malicious component, for example, to provide the attacker with remote access.
  3. Delivery: refers to delivering the “weaponized” file to the target via any feasible method, such as email or USB flash memory.
  4. Exploitation: when the user opens the malicious file, their system executes the malicious component.
  5. Installation: the previous exploitation step should install the malware on the target system.
  6. Command & Control (C2): the successful installation of the malware provides the attacker with a command and control ability over the target system.
  7. Actions on Objectives: after gaining control over one target system, the attacker has achieved their objectives. One example objective is Data Exfiltration (stealing target’s data).

Diamond Model

The Diamond Model emphasizes the relationships and characteristics of an intrusion’s four core features: adversary, infrastructure, capability, and victim. It further defines additional meta-features to support higher-level constructs and applies measurement, testability, and repeatability to provide a more comprehensive scientific method of analysis.

The Diamond Model’s value for organizations is in identifying relationships between events, and in analyzing events to learn about adversary behavior.

Diamond Model.

The Diamond Model is so named because of the shape formed by the relationships between the 4 core features of an intrusion event:

  • Adversary: intruder/attacker
  • Capabilities: adversary’s tools and/or techniques
  • Infrastructure: physical and/or logical resources used by adversary
  • Victim: organization or system hit by adversary

Event meta-features provide more info about the event:

  • Timestamp: date and time intrusion event occurred.
  • Phase: which event, in the chain of events, is represented by this particular model.
  • Result: outcome of intrusion event (e.g., success, failure, or unknown)
  • Direction: how event moved through network or host (e.g., Victim-to-Infrastructure, Adversary-to-Infrastructure)
  • Methodology: category of event (e.g., spear phishing, port scan)
  • Resources: elements required for intrusion (e.g., particular software, hardware, knowledge, funds, facilities, access)
  • Social-political: relationship between adversary and victim, based on victim’s needs and aspirations
  • Technology: tech involved in adversary’s capabilities and use of infrastructure
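
The following is an added example, not code from the original article: it records intrusion events with the Diamond Model's core features and a few of the meta-features listed above, then groups events that share an infrastructure or capability value so an analyst can see which events are related. The names DiamondEvent and link_events, the choice to link on those two features, and all sample values are assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class DiamondEvent:
    adversary: str        # core feature ("unknown" until attributed)
    capability: str       # core feature: tool or technique observed
    infrastructure: str   # core feature: resource the adversary used
    victim: str           # core feature: system or organization hit
    timestamp: datetime   # meta-feature
    phase: str            # meta-feature
    result: str           # meta-feature: success, failure or unknown
    methodology: str      # meta-feature

def link_events(events):
    """Group events connected by a shared infrastructure or capability."""
    parent = list(range(len(events)))

    def find(i):  # union-find root lookup with path halving
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    first_seen = {}  # (feature name, value) -> index of first event with it
    for i, ev in enumerate(events):
        for key in (("infra", ev.infrastructure), ("cap", ev.capability)):
            if key in first_seen:
                parent[find(i)] = find(first_seen[key])
            else:
                first_seen[key] = i

    groups = defaultdict(list)
    for i, ev in enumerate(events):
        groups[find(i)].append(ev)
    threads = [sorted(g, key=lambda e: e.timestamp) for g in groups.values()]
    return sorted(threads, key=lambda t: t[0].timestamp)

# Constructed sample events (documentation-range hosts and addresses).
EVENTS = [
    DiamondEvent("unknown", "macro-dropper", "mail.example.net", "hr-laptop-01",
                 datetime(2022, 7, 1, 9, 0), "Delivery", "success", "spear phishing"),
    DiamondEvent("unknown", "port-scanner", "198.51.100.7", "web-01",
                 datetime(2022, 7, 1, 10, 0), "Reconnaissance", "unknown", "port scan"),
    DiamondEvent("unknown", "macro-dropper", "c2.example.org", "hr-laptop-01",
                 datetime(2022, 7, 1, 9, 5), "Command & Control", "success", "beaconing"),
    DiamondEvent("unknown", "remote-access-tool", "c2.example.org", "fin-laptop-02",
                 datetime(2022, 7, 2, 14, 0), "Command & Control", "success", "beaconing"),
]
```

Calling link_events(EVENTS) returns two groups: the phishing delivery and both beaconing events are tied together through the shared capability and the shared command and control host, while the port scan stands alone.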

Frameworks Summary

Each framework is designed to achieve the objective of detecting attacks and understanding defenses via different means. The table below summarizes each framework based on how it functions.

Frameworks Summary.

Conclusion

Hopefully this short article has provided a basic overview of some common cyber security detection frameworks utilized in the industry today. Cyber security detection frameworks are a powerful tool that can be used by organizations to understand attacker strategies, defend against cyber attacks and manage their cyber risk. Cyber security frameworks are a massive topic and are worth knowing more about. Thank you for reading till the end and keep hacking! 😄
