Module 2 - Information Security Attacks

Information security refers to the protection or safeguarding of information, and of the information systems that use, store, and transmit it, from unauthorized access, disclosure, alteration, and destruction.

Classification of Attacks

According to the IATF (Information Assurance Technical Framework), security attacks are classified into five categories:

• Passive attacks: intercept and monitor network traffic and data flows on the target network without tampering
with the data. Attackers perform reconnaissance on network activity using sniffers. These attacks are difficult
to detect because the attacker does not actively interact with the target system or network. Examples:
o Footprinting
o Sniffing
o Network traffic analysis
o Decryption of weakly encrypted traffic
• Active attacks: tamper with data in transit, or disrupt communication or services between systems, in order to
bypass or break into secured systems. The attacker has to send traffic to the target, so these attacks can in
principle be detected. Examples:
o Denial of service (DoS)
o Malware attacks
o Modification of information
o Man-in-the-middle (MITM) attacks
o DNS and ARP poisoning
o Privilege escalation
o SQL injection
• Close-in attacks: performed when the attacker is in close physical proximity to the target system or network.
The goal is to gather or modify information, or to disrupt access to it. Examples include social engineering
techniques such as shoulder surfing, eavesdropping and dumpster diving.
• Insider attacks: performed by trusted persons who have physical or logical access to the critical assets of the
target. An insider attack uses privileged access to violate rules or to intentionally harm the organization's
information or information systems. Examples:
o Theft of physical devices
o Data theft
o Planting malware
• Distribution attacks: occur when attackers tamper with hardware or software before it is installed, either at
its source or while it is in transit (a supply-chain attack). Examples:
o Modification of software or hardware during production
o Modification of software or hardware during distribution
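ARP poisoning, listed above under active attacks, is the usual way to set up a MITM position on a LAN, and it is detectable precisely because the attacker has to transmit: it must send ARP replies that contradict the real owner of an address. The following is an added example (not from the original module) that applies two checks to a set of observed ARP replies: a sender MAC that contradicts a trusted static baseline, and one MAC claiming several IPs, which is what an attacker does when it poisons both ends of a conversation. The replies and the trusted baseline are constructed sample data; in practice they would come from a packet capture or a switch's dynamic ARP inspection log.

```python
"""Detecting ARP cache poisoning from observed ARP replies.

Added example, not part of the original module. SAMPLE_REPLIES and the
TRUSTED baseline are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    ts: float          # seconds since start of capture
    sender_ip: str     # IP address the sender claims to own
    sender_mac: str    # MAC it asks peers to cache for that IP


# Constructed capture: a genuine gateway reply, a genuine workstation reply,
# then a third host (aa:bb:...) claiming BOTH addresses, so that gateway and
# workstation each send their traffic to it instead of to each other.
SAMPLE_REPLIES = [
    ArpReply(0.0, "192.168.1.1", "00:11:22:33:44:55"),
    ArpReply(0.5, "192.168.1.20", "00:11:22:33:44:66"),
    ArpReply(1.2, "192.168.1.1", "aa:bb:cc:dd:ee:ff"),
    ArpReply(1.3, "192.168.1.20", "aa:bb:cc:dd:ee:ff"),
    ArpReply(2.0, "192.168.1.1", "aa:bb:cc:dd:ee:ff"),
]

# Assumed static baseline for the gateway (hypothetical; an operator would
# maintain this for routers, DNS servers and other high-value addresses).
TRUSTED = {"192.168.1.1": "00:11:22:33:44:55"}


def analyze_arp(replies, trusted=TRUSTED):
    """Return (suspect_macs, contested_ips).

    suspect_macs: MACs that contradict the trusted baseline, or that claim
                  more than one IP address during the capture.
    contested_ips: every IP advertised by more than one MAC, with the MACs
                   seen, so an analyst can review addresses that have no
                   baseline entry.
    """
    ip_to_macs = defaultdict(set)
    mac_to_ips = defaultdict(set)
    for r in replies:
        ip_to_macs[r.sender_ip].add(r.sender_mac)
        mac_to_ips[r.sender_mac].add(r.sender_ip)

    suspects = set()
    contested = {}
    for ip, macs in ip_to_macs.items():
        if ip in trusted:
            # Anyone other than the baseline owner claiming this IP is hostile.
            suspects |= macs - {trusted[ip]}
        if len(macs) > 1:
            contested[ip] = sorted(macs)
    for mac, ips in mac_to_ips.items():
        if len(ips) > 1:
            # A single NIC answering for several IPs is the two-sided poison.
            suspects.add(mac)
    return sorted(suspects), contested


if __name__ == "__main__":
    suspects, contested = analyze_arp(SAMPLE_REPLIES)
    print("suspect MACs:", suspects)
    for ip, macs in contested.items():
        print(f"{ip} advertised by {macs}")
```

Without a baseline the first check cannot run, and the contested list is all an analyst has; for untrusted addresses it deliberately reports both MACs rather than guessing which one is genuine. The second check catches the common case of a single attacker host spoofing both ends, but an attacker using a different source MAC per victim would evade it, which is why a static baseline (or the switch's own inspection) for critical addresses matters.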

What is Hacking?

Hacking, in the field of computer security, refers to exploiting system vulnerabilities and compromising security
controls to gain unauthorized or inappropriate access to system resources. It involves modifying system or
application features to achieve a goal outside the creator's original purpose. According to EC-Council's hacking
methodology, there are five phases of hacking.

Cyber Kill Chain Methodology

The cyber kill chain is an intrusion model developed by Lockheed Martin, based on the military concept of a kill
chain. It describes an attack as a sequence of seven phases, from reconnaissance to the final accomplishment of the
objective, so that intrusion detection and response can be organised around them: the adversary has to complete
every phase to succeed, so disrupting any one phase breaks the chain.

Understanding the cyber kill chain helps security professionals place security controls at different stages of an
attack and stop the attack before it succeeds. It also gives greater insight into the attack phases, which helps in
understanding the adversary's TTPs (tactics, techniques, and procedures) beforehand.

• Reconnaissance: the adversary collects as much information about the target as possible to find weak points
before actually attacking. This includes publicly available information on the Internet, network information,
system information, and organizational information about the target. By conducting reconnaissance across
different network levels, the adversary can learn network blocks, specific IP addresses, and employee details.
The adversary may also use automated tools to discover open ports and services, vulnerabilities in applications,
and leaked login credentials. Such information can later help the adversary gain backdoor access to the target
network.

• Weaponization: the adversary analyzes the data collected in the previous stage to identify vulnerabilities and
the techniques that can be used to exploit them and gain unauthorized access to the target organization. Based
on the vulnerabilities identified, the adversary selects or creates a tailored deliverable malicious payload
(a remote-access malware "weapon", typically an exploit combined with a backdoor) to send to the victim. The
adversary may target specific network devices, operating systems, endpoint devices, or even individuals within
the organization.

• Delivery: the weapon created in the previous stage is transmitted to the intended victim(s) as an email
attachment, via a malicious link on a website, or through a vulnerable web application or a USB drive. Delivery
is the first stage at which the target's defenses are tested: whether or not the intrusion attempt is blocked
here measures the effectiveness of the defense strategies the organization has implemented.

• Exploitation: after the weapon reaches the intended victim, exploitation triggers the adversary's malicious code
to exploit a vulnerability in the operating system, application, or server on the target system. At this stage
the organization may face threats such as authentication and authorization attacks, arbitrary code execution,
physical security threats, and security misconfiguration.

• Installation: the adversary downloads and installs additional malicious software on the target system to keep
access to the target network for an extended period, for example by using the weapon to install a backdoor for
remote access. Once malicious code is running on one target system, the adversary can spread the infection to
other end systems in the network. The adversary also tries to hide the malicious activity from security controls
such as firewalls, using techniques such as encryption.

• Command and control: the adversary creates a command and control (C2) channel, a two-way communication path
between the victim's system and an adversary-controlled server for passing commands and data back and forth.
Adversaries use techniques such as encryption to hide the presence of such channels. Through this channel the
adversary remotely controls the compromised system and launches further attacks on the target network.

• Actions on objectives: the adversary controls the victim's system from a remote location and finally
accomplishes the intended goal: gaining access to confidential data, disrupting services or the network, or
destroying the operational capability of the target by reaching further into its network and compromising more
systems.

MITRE ATT&CK Framework

MITRE ATT&CK for Enterprise is a knowledge base of adversary tactics and techniques based on real-world
observations. A tactic is the adversary's goal at a stage of an attack; a technique is how that goal is achieved.
The following are the tactics in ATT&CK for Enterprise:

• Reconnaissance
• Resource Development
• Initial Access
• Execution
• Persistence
• Privilege Escalation
• Defense Evasion
• Credential Access
• Discovery
• Lateral Movement
• Collection
• Command and Control
• Exfiltration
• Impact

Some MITRE ATT&CK for Enterprise use cases:

▪ Prioritize development and acquisition efforts for computer network defense (CND) capabilities.
▪ Conduct analyses of alternatives between CND capabilities.
▪ Determine the "coverage" of a set of CND capabilities.
▪ Describe an intrusion as a chain of events, from start to finish, using the techniques observed as a common
reference.
▪ Identify commonalities between adversary tradecraft, as well as distinguishing characteristics.
▪ Connect mitigations, weaknesses, and adversaries.
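The first three use cases above (prioritising capabilities, comparing alternatives, and determining coverage) all come down to the same computation: map each detection you have to the ATT&CK techniques it detects, roll those up to tactics, and see which tactics are left empty. The following is an added example (not from the original module, and not MITRE's own tooling) that does this for two constructed rule sets. The technique IDs and their tactic assignments are a small hand-entered subset of the real ATT&CK for Enterprise matrix, one technique per tactic plus one multi-tactic technique; the rule names and the rule-to-technique mapping are constructed.

```python
"""Tactic-level ATT&CK coverage of a detection rule set.

Added example, not part of the original module or of MITRE's tooling.
TECHNIQUES is a hand-entered subset of ATT&CK for Enterprise (real IDs);
RULESET_A and RULESET_B are constructed sample data with hypothetical rule names.
"""
TACTICS = [
    "Reconnaissance", "Resource Development", "Initial Access", "Execution",
    "Persistence", "Privilege Escalation", "Defense Evasion",
    "Credential Access", "Discovery", "Lateral Movement", "Collection",
    "Command and Control", "Exfiltration", "Impact",
]

# technique ID -> (name, tactics it belongs to). T1547 appears under two
# tactics, as many ATT&CK techniques do.
TECHNIQUES = {
    "T1595": ("Active Scanning", {"Reconnaissance"}),
    "T1583": ("Acquire Infrastructure", {"Resource Development"}),
    "T1566": ("Phishing", {"Initial Access"}),
    "T1059": ("Command and Scripting Interpreter", {"Execution"}),
    "T1547": ("Boot or Logon Autostart Execution",
              {"Persistence", "Privilege Escalation"}),
    "T1027": ("Obfuscated Files or Information", {"Defense Evasion"}),
    "T1003": ("OS Credential Dumping", {"Credential Access"}),
    "T1082": ("System Information Discovery", {"Discovery"}),
    "T1021": ("Remote Services", {"Lateral Movement"}),
    "T1005": ("Data from Local System", {"Collection"}),
    "T1071": ("Application Layer Protocol", {"Command and Control"}),
    "T1041": ("Exfiltration Over C2 Channel", {"Exfiltration"}),
    "T1486": ("Data Encrypted for Impact", {"Impact"}),
}

# Constructed rule sets: rule name -> technique IDs the rule is written for.
RULESET_A = {
    "mail_gateway_macro_attachment": ["T1566"],
    "edr_encoded_powershell": ["T1059", "T1027"],
    "autorun_registry_change": ["T1547"],
    "lsass_handle_access": ["T1003"],
    "rdp_from_workstation": ["T1021"],
}
# Candidate B = A plus a network-monitoring package.
RULESET_B = dict(RULESET_A, **{
    "dns_beacon_periodicity": ["T1071"],
    "egress_volume_to_c2": ["T1041"],
    "mass_file_rename_encrypt": ["T1486"],
})


def tactic_coverage(ruleset):
    """Map every tactic (in matrix order) to the technique IDs some rule detects."""
    covered = {t: set() for t in TACTICS}
    for rule, technique_ids in ruleset.items():
        for tid in technique_ids:
            if tid not in TECHNIQUES:
                raise KeyError(f"rule {rule!r} references unknown technique {tid}")
            for tactic in TECHNIQUES[tid][1]:
                covered[tactic].add(tid)
    return covered


def uncovered_tactics(ruleset):
    """Tactics with no detection at all, in matrix order."""
    return [t for t, tids in tactic_coverage(ruleset).items() if not tids]


def tactics_gained(baseline, candidate):
    """Analysis of alternatives: tactics the candidate fills that the baseline leaves empty."""
    before = set(uncovered_tactics(baseline))
    after = set(uncovered_tactics(candidate))
    return [t for t in TACTICS if t in before and t not in after]


if __name__ == "__main__":
    for name, rs in (("A", RULESET_A), ("B", RULESET_B)):
        print(f"ruleset {name} leaves uncovered: {uncovered_tactics(rs)}")
    print("B gains over A:", tactics_gained(RULESET_A, RULESET_B))
```

Two caveats a practitioner would want. First, tactic-level coverage is coarse: one rule for one technique does not cover a tactic that contains dozens, so real assessments score at the technique or sub-technique level and weight by how well each rule actually fires. Second, Reconnaissance and Resource Development largely happen outside the organization's network, so they are expected to stay uncovered by host and network detections; the gap to act on in this example is Discovery and Collection.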
Diamond Model of Intrusion Analysis

The Diamond Model describes every intrusion event in terms of four core features, drawn as the vertices of a
diamond: an adversary deploys a capability over some infrastructure against a victim.

• Adversary: the actor (an individual, group, or organization) responsible for the attack event.
• Victim: the target that was exploited, or the environment in which the attack was performed.
• Capability: the tools and techniques the adversary uses in the event, from manual methods to malware and
exploits.
• Infrastructure: the physical or logical communication structures (IP addresses, domain names, email addresses,
compromised hosts) that the adversary uses to deliver a capability, maintain control of it, and receive results
from the victim.

Additional Event Meta-Features

In the Diamond Model, an event also carries a set of meta-features that provide additional information such as the
time and source of the event. These meta-features help in linking related events, making it easier and faster for
analysts to trace an attack. The following meta-features help in connecting related events:

• Timestamp: the time and date of the event, ideally both its start and end. It is important for ordering events,
for analysis, and for determining the periodicity of the event.
• Phase: where the event sits in the progress of an attack. The phases are those of the cyber kill chain framework
(reconnaissance, weaponization, delivery, exploitation, etc.).
• Result: the outcome of the event: success, failure, or unknown.
• Direction: the direction of the attack, for instance how the adversary's activity was routed to the victim. This
feature is especially helpful when describing network-based and host-based events. The possible values are
victim-to-infrastructure, infrastructure-to-victim, infrastructure-to-infrastructure, adversary-to-
infrastructure, infrastructure-to-adversary, bidirectional, and unknown.
• Methodology: the general class of technique used by the adversary in the event, for example spear phishing,
port scanning, or denial of service.
• Resource: the external resources the event requires, such as tools, technology, knowledge, or access.
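The point of the meta-features is that events become linkable: events sharing an adversary and victim form an activity thread ordered by phase, and an analyst can pivot on any core feature (most often infrastructure) to find other victims the same infrastructure touched. The following is an added example (not from the original module) that represents events with the core features and meta-features above and implements those two operations. The events are constructed sample data, using RFC 5737 documentation addresses and made-up host names; the phase values are the cyber kill chain phases and the direction values are the ones listed above.

```python
"""Linking Diamond Model events into activity threads and pivoting on features.

Added example, not part of the original module. EVENTS is constructed
sample data (documentation IP ranges, made-up host and adversary labels).
"""
from collections import defaultdict
from dataclasses import dataclass

# Phase values reuse the cyber kill chain; list position gives the ordering
# used to sort an activity thread.
PHASE_ORDER = [
    "reconnaissance", "weaponization", "delivery", "exploitation",
    "installation", "command and control", "actions on objectives",
]
DIRECTIONS = {
    "victim-to-infrastructure", "infrastructure-to-victim",
    "infrastructure-to-infrastructure", "adversary-to-infrastructure",
    "infrastructure-to-adversary", "bidirectional", "unknown",
}


@dataclass(frozen=True)
class DiamondEvent:
    # core features
    adversary: str
    capability: str
    infrastructure: str
    victim: str
    # meta-features
    timestamp: int            # epoch seconds
    phase: str
    result: str               # success / failure / unknown
    direction: str

    def __post_init__(self):
        # Reject values outside the model's vocabulary so threads stay sortable.
        if self.phase not in PHASE_ORDER:
            raise ValueError(f"unknown phase: {self.phase}")
        if self.direction not in DIRECTIONS:
            raise ValueError(f"unknown direction: {self.direction}")


# Constructed sample: ADV-1 hits two workstations from the same mail relay
# and only gets a C2 channel on one of them; ADV-2 is unrelated scanning.
EVENTS = [
    DiamondEvent("ADV-1", "macro-laden invoice document", "203.0.113.5", "ws07",
                 1700000100, "delivery", "success", "infrastructure-to-victim"),
    DiamondEvent("ADV-1", "VBA dropper", "203.0.113.5", "ws07",
                 1700000160, "exploitation", "success", "infrastructure-to-victim"),
    DiamondEvent("ADV-1", "HTTPS beacon", "198.51.100.7", "ws07",
                 1700000400, "command and control", "success", "bidirectional"),
    DiamondEvent("ADV-1", "macro-laden invoice document", "203.0.113.5", "ws12",
                 1700000120, "delivery", "failure", "infrastructure-to-victim"),
    DiamondEvent("ADV-2", "port scan", "198.51.100.200", "dmz-web01",
                 1700000050, "reconnaissance", "unknown", "infrastructure-to-victim"),
]


def activity_threads(events):
    """Group events by (adversary, victim) and order each group by phase, then time.

    An activity thread is the model's view of one intrusion: the sequence of
    events a single adversary runs against a single victim.
    """
    threads = defaultdict(list)
    for e in events:
        threads[(e.adversary, e.victim)].append(e)
    return {
        key: sorted(evs, key=lambda e: (PHASE_ORDER.index(e.phase), e.timestamp))
        for key, evs in threads.items()
    }


def pivot(events, feature, value):
    """Analytic pivot: every event that shares one core-feature value."""
    return [e for e in events if getattr(e, feature) == value]


def victims_of_infrastructure(events, infrastructure):
    """Which victims a given piece of adversary infrastructure has touched."""
    return sorted({e.victim for e in pivot(events, "infrastructure", infrastructure)})


if __name__ == "__main__":
    for (adv, vic), evs in activity_threads(EVENTS).items():
        print(f"{adv} -> {vic}: " + " > ".join(e.phase for e in evs))
    print("victims reached from 203.0.113.5:",
          victims_of_infrastructure(EVENTS, "203.0.113.5"))
```

The pivot on 203.0.113.5 is what turns a single incident on ws07 into a campaign picture: the same relay delivered to ws12, where the event's result is "failure", so ws12 needs a check rather than a full response. Sorting by phase rather than by timestamp alone matters when event times come from different sources with clock skew.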

Extended Diamond Model

The extended Diamond Model adds two further meta-features: a socio-political meta-feature describing the
relationship between the adversary and the victim, and a technology meta-feature describing the relationship
between the infrastructure and the capability.

• Socio-political meta-feature: describes the relationship between the adversary and the victim, and is used to
determine the goal or motivation of the attacker; common motivations include financial gain, corporate
espionage, and hacktivism.
• Technology meta-feature: describes the relationship between the infrastructure and the capability, that is, how
a technology enables both to communicate and operate. It can also be used to analyze the technology in use in
an organization in order to identify malicious activity.
