Module 2: Attacker Methodology Introduction

The Network as a Whole

The DMZ

Most ingress attacks pass through the DMZ because it is the segment that faces the internet.

Simplified Enterprise DMZ

Some security professionals suggest implementing front-end and back-end firewalls from different vendors since one vulnerability will rarely affect both firewalls. However, this may increase the initial cost and complicate maintenance.

Deployment Environments

Deployment environments separate where code is developed from where it runs in production.

Simplified Enterprise with Deployment

The development (dev) server is where code is written and tested safely before it moves to production. A catastrophic failure there has no impact on users or the business, and a compromise leaks no real information.

The staging server is a near-perfect replica of the production server, used to confirm that production will behave as expected. Potential updates can be emulated there with additional testing before being pushed to production.

The production (prod) server is the live system that users interact with. It is not guaranteed to be invulnerable, but the dev-to-staging-to-production process helps mitigate issues before they reach it.

Core and Edge Network Devices

Edge devices provide connectivity between networks. Core devices pass network traffic through to intended destinations.

Simplified Enterprise with Core/Edge Devices

Virtual Private Networks and Remote Sites

A VPN provides the means to securely access a private network while being geographically removed from it. As with anything else, it must be properly configured and maintained to ensure safe and secure business operations.

VPN connectivity also enables the geographic distribution of remote sites. This allows enterprises to expand their operations.

Simplified Enterprise with Remote Sites via VPN

Remote sites are just as critical as main offices due to the connection they have via the VPN.

The Lockheed Martin Cyber Kill Chain

The Importance of the Kill Chain

The word "chain" means that each phase depends on the phases before it. If the chain is interrupted at any phase, the APT cannot complete its objective.

The phases of the Lockheed Martin Kill Chain:

  • Reconnaissance
  • Weaponization
  • Delivery
  • Exploitation
  • Installation
  • Command & Control (C2)
  • Actions on Objectives

Case Study 1: Monero Cryptomining

Case Study 2: Petya, Mischa, and GoldenEye

MITRE ATT&CK Framework

Tactics, Techniques, and Sub-Techniques

The fourteen enterprise-specific tactics:

  • Reconnaissance
  • Resource Development
  • Initial Access
  • Execution
  • Persistence
  • Privilege Escalation
  • Defense Evasion
  • Credential Access
  • Discovery
  • Lateral Movement
  • Collection
  • Command and Control
  • Exfiltration
  • Impact

Each tactic has techniques and sub-techniques.

Note that security professionals often refer to APT behavior as TTPs: Tactics, Techniques, and Procedures. While tactics and techniques align with the MITRE ATT&CK Framework, sub-techniques are a generalized form of procedures.

Case Study 1: OilRig

Case Study 2: APT3

Case Study 3: APT28
