Module 2: Attacker Methodology Introduction

The Network as a Whole

The DMZ

Most ingress attacks pass through the DMZ due to it facing the internet.

Some security professionals suggest implementing front-end and back-end firewalls from different vendors since one vulnerability will rarely affect both firewalls. However, this may increase the initial cost and complicate maintenance.

Deployment Environments

Deployment Environments separate the development and production environments.

The development (dev) server allows for safely writing and testing code before moving it to production. If there is a catastrophic failure, no impact on users or business will occur. If compromised, no real information is leaked.

The staging server is a near-perfect replication of the production server to ensure production will behave as expected. It can be used to emulate potential updates with additional testing prior to being pushed to production.

The production (prod) server is the live system that user's interact with. There is no guarantee of being invulnerable, but this entire process helps mitigate issues.

Core and Edge Network Devices

Edge devices provide connectivity between networks. Core devices pass network traffic through to intended destinations.

Virtual Private Networks and Remote Sites

A VPN provides the means to securely access a private network while being geographically removed from it. As with anything else, it must be properly configured and maintained to ensure safe and secure business operations.

VPN connectivity also enables the geographic distribution of remote sites. This allows enterprises to expand their operations.

Remote sites are just as critical as main offices due to the connection they have via the VPN.

The Lockheed-Martin Cyber Kill-Chain

The Importance of the Kill-Chain

The inclusion of the word "chain" means that each phase depends on the next. If interrupted, the APT cannot complete their objective.

The phases of the Lockheed Martin Kill-Chain:

Reconnaissance
Weaponization
Delivery
Exploitation
Installation
Command & Control (C2)
Actions on Objectives

Case Study 1: Monero Cryptomining

XMRig Miner Now Targeting Oracle WebLogic and Jenkins Servers to Mine Monerowww.f5.com

Jenkins Miner: One of the Biggest Mining Operations Ever Discovered - Check Point ResearchCheck Point Research

Case Study 2: Petya, Mischa, and GoldenEye

Petya - Taking Ransomware To The Low Level | Malwarebytes LabsMalwarebytes

Petya and Mischa - Ransomware Duet (Part 1) | Malwarebytes LabsMalwarebytes

Goldeneye Ransomware - the Petya/Mischa combo rebranded | Malwarebytes LabsMalwarebytes

MITRE ATT&CK Framework

MITRE ATT&CK®attack.mitre.org

Tactics, Techniques, and Sub-Techniques

The fourteen enterprise-specific tactics:

Reconnaissance
Resource Development
Initial Access
Execution
Persistence
Privilege Escalation
Defense Evasion
Credential Access
Discovery
Lateral Movement
Collection
Command and Control
Exfiltration
Impact

Each tactic has techniques and sub-techniques.

Note that security professionals often refer to APT behavior as TTPs: Tactics, Techniques, and Procedures. While tactics and techniques align with the MITRE ATT&CK Framework, sub-techniques are a generalized form of procedures.

Last updated 1 year ago

hashtagThe Network as a Whole

hashtagThe DMZ

hashtagDeployment Environments

hashtagCore and Edge Network Devices

hashtagVirtual Private Networks and Remote Sites

hashtagThe Lockheed-Martin Cyber Kill-Chain

hashtagThe Importance of the Kill-Chain

hashtagCase Study 1: Monero Cryptomining

hashtagCase Study 2: Petya, Mischa, and GoldenEye

hashtagMITRE ATT&CK Framework

hashtagTactics, Techniques, and Sub-Techniques

hashtagCase Study 1: OilRig

hashtagCase Study 2: APT3

hashtagCase Study 3: APT28