Threat Analysis Methodologies
Introduction
Understanding the main threat analysis methodologies is essential for effective cyber threat intelligence: each one gives analysts a shared vocabulary for describing an intrusion and a structure for deciding what evidence to collect next. This module covers three frameworks that are widely used in the industry.
What You'll Learn
- The Diamond Model of Intrusion Analysis
- Lockheed Martin's Cyber Kill Chain
- MITRE ATT&CK Framework
- When to use each methodology
Diamond Model
The Diamond Model is a framework for analyzing cyber incidents and intrusions through four core features: adversary, capability, infrastructure, and victim. Each intrusion event is modeled as an adversary deploying a capability over some infrastructure against a victim. An analyst who knows one feature can pivot to discover the others: a C2 domain leads to the malware that contacts it, which leads to the victims it was found on, and the accumulated features eventually support attribution of the adversary.
Adversary
The threat actor (individual or group) conducting the operation; frequently unknown when analysis begins and attributed later through the other three features
Capability
Tools and techniques used by the adversary, from a phishing kit to a custom implant
Infrastructure
Physical and logical communication structures the adversary uses to deliver a capability and control it (domains, IP addresses, email accounts, compromised hosts)
Victim
Target of the adversary's operations: the organization, person, or specific host and network asset
Figure 1: The Diamond Model of Intrusion Analysis
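The pivoting described above, as an added Python example that is not part of the original module: events are stored with their four core features, `pivot` finds everything sharing one feature value, and `link_activity_threads` joins events that transitively share capability or infrastructure into one activity thread. Every event, hash, domain and host name is constructed sample data.

```python
"""Diamond Model events with pivoting and activity-thread linking.

Added example (not from the original module). Every event, hash, domain and
host name below is constructed sample data, not a real intrusion.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DiamondEvent:
    """One intrusion event described by the four core Diamond features."""
    event_id: str
    adversary: str       # often "unknown" early in an investigation
    capability: str      # tool or malware, here identified by a sample hash
    infrastructure: str  # C2 domain or IP the capability talked to
    victim: str          # targeted host or organization


# Constructed sample events: E1/E2 share a C2 domain, E2/E3 share a sample hash.
SAMPLE_EVENTS = [
    DiamondEvent("E1", "unknown", "sha256:aaaa", "c2.example.net", "acme-hr-01"),
    DiamondEvent("E2", "unknown", "sha256:bbbb", "c2.example.net", "acme-fin-07"),
    DiamondEvent("E3", "unknown", "sha256:bbbb", "203.0.113.5", "globex-dc-02"),
    DiamondEvent("E4", "unknown", "sha256:cccc", "198.51.100.9", "initech-web-01"),
]


def pivot(events, feature, value):
    """Return the events whose `feature` vertex equals `value`.

    This is the basic analytic move of the model: start from one known
    feature (say, a C2 domain) and discover the other three around it.
    """
    return [e for e in events if getattr(e, feature) == value]


def link_activity_threads(events, pivot_features=("capability", "infrastructure")):
    """Group events that transitively share a capability or infrastructure value.

    Adversary and victim are deliberately not pivot features by default:
    pivoting on adversary="unknown" would link every unattributed event into
    one bogus cluster, and two victims sharing a name proves nothing about
    the actor. Union-find keeps the linking transitive: if E1~E2 and E2~E3
    then all three land in one thread.
    """
    parent = {e.event_id: e.event_id for e in events}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    # Index events by (feature, value) so events sharing a value can be unioned.
    by_value = defaultdict(list)
    for e in events:
        for f in pivot_features:
            by_value[(f, getattr(e, f))].append(e.event_id)
    for ids in by_value.values():
        for other in ids[1:]:
            union(ids[0], other)

    clusters = defaultdict(list)
    for e in events:
        clusters[find(e.event_id)].append(e.event_id)
    return sorted(sorted(ids) for ids in clusters.values())


def linking_features(events, cluster_ids, pivot_features=("capability", "infrastructure")):
    """Explain a cluster: the (feature, value) pairs shared by at least two of its events."""
    members = [e for e in events if e.event_id in set(cluster_ids)]
    counts = defaultdict(int)
    for e in members:
        for f in pivot_features:
            counts[(f, getattr(e, f))] += 1
    return sorted(k for k, n in counts.items() if n >= 2)


if __name__ == "__main__":
    for thread in link_activity_threads(SAMPLE_EVENTS):
        print(thread, linking_features(SAMPLE_EVENTS, thread))
```

With the sample data E1, E2 and E3 form one thread (E1 and E2 via the domain, E2 and E3 via the hash) while E4 stands alone. Passing `pivot_features=("adversary",)` collapses everything into one cluster, which is exactly the mistake of treating "unknown" as a shared value.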
Kill Chain Analysis
The Cyber Kill Chain is a model for describing the stages of a cyber attack, from initial reconnaissance to achieving objectives. Its defensive premise is that the adversary must complete every stage in order, so a detection or control that breaks any single stage stops the intrusion, and the earlier the break, the less damage is done.
1. Reconnaissance
Research, identification and selection of targets
2. Weaponization
Coupling an exploit with a backdoor into a deliverable payload (done on the adversary's side, so rarely observable by the defender)
3. Delivery
Transmission of the weapon to the target (e.g., email attachments, websites, USB media)
4. Exploitation
Exploiting a vulnerability to execute code on the victim's system
5. Installation
Installing malware on the asset to maintain access
6. Command & Control
Command channel for remote manipulation of the victim
7. Actions on Objectives
The attacker accomplishes their goals, such as data exfiltration or lateral movement to further targets
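The seven stages above, used the way a SOC actually uses them: as an added Python example that is not part of the original module, constructed alert lines are tagged with the phase they evidence, then each host is scored by the deepest phase reached and by the phases in between that produced no alert (the detection gaps). The signature names, hosts and alert format are hypothetical.

```python
"""Mapping sensor alerts onto Cyber Kill Chain phases.

Added example (not from the original module). The alert lines, host names
and signature names are constructed; real sensors emit their own formats.
"""
from collections import defaultdict

KILL_CHAIN = [
    "Reconnaissance", "Weaponization", "Delivery", "Exploitation",
    "Installation", "Command & Control", "Actions on Objectives",
]
PHASE_INDEX = {phase: i for i, phase in enumerate(KILL_CHAIN)}

# Which phase each (hypothetical) detection signature is evidence of.
# Weaponization happens on the adversary's side and is rarely observable
# directly, so no signature maps to it here.
SIGNATURE_PHASE = {
    "directory_bruteforce": "Reconnaissance",
    "attachment_macro_docm": "Delivery",
    "winword_spawned_powershell": "Exploitation",
    "run_key_added": "Installation",
    "beacon_to_rare_domain": "Command & Control",
    "bulk_upload_to_external_share": "Actions on Objectives",
}

# Constructed sample alerts in a simple key=value line format. Note that
# acme-hr-01 produced no Installation alert between Exploitation and C2.
SAMPLE_ALERTS = [
    "ts=2024-05-01T07:30:00Z host=acme-web-03 src=waf sig=directory_bruteforce",
    "ts=2024-05-01T08:02:11Z host=acme-hr-01 src=mail-gw sig=attachment_macro_docm",
    "ts=2024-05-01T08:03:40Z host=acme-hr-01 src=edr sig=winword_spawned_powershell",
    "ts=2024-05-01T08:05:02Z host=acme-hr-01 src=proxy sig=beacon_to_rare_domain",
    "ts=2024-05-01T08:06:00Z host=acme-hr-01 src=edr sig=unmapped_noise",
]


def parse_alert(line):
    """Parse one key=value alert line into a dict and attach its phase (None if unmapped)."""
    fields = dict(token.split("=", 1) for token in line.split())
    fields["phase"] = SIGNATURE_PHASE.get(fields.get("sig"))
    return fields


def phase_timeline(lines, host):
    """Ordered (phase, signature) evidence for one host, skipping unmapped alerts."""
    alerts = [parse_alert(l) for l in lines]
    alerts = [a for a in alerts if a["host"] == host and a["phase"]]
    alerts.sort(key=lambda a: a["ts"])
    return [(a["phase"], a["sig"]) for a in alerts]


def furthest_phase(lines):
    """Deepest kill chain phase evidenced per host.

    The model's point is that the defender needs to break only one link:
    the deeper a host sits here, the more phases had a chance to be caught
    and were not.
    """
    deepest = defaultdict(lambda: -1)
    for line in lines:
        a = parse_alert(line)
        if a["phase"] is not None:
            deepest[a["host"]] = max(deepest[a["host"]], PHASE_INDEX[a["phase"]])
    return {host: KILL_CHAIN[i] for host, i in deepest.items()}


def missed_phases(lines, host):
    """Phases between the first and deepest observed that produced no alert for `host`.

    These are the detection gaps to close. Weaponization is excluded because
    it is not expected to be visible to the defender.
    """
    seen = {PHASE_INDEX[p] for p, _ in phase_timeline(lines, host)}
    if not seen:
        return []
    gaps = [KILL_CHAIN[i] for i in range(min(seen), max(seen) + 1) if i not in seen]
    return [p for p in gaps if p != "Weaponization"]


if __name__ == "__main__":
    for host, phase in furthest_phase(SAMPLE_ALERTS).items():
        print(host, "reached", phase, "gaps:", missed_phases(SAMPLE_ALERTS, host))
```

On the sample data acme-web-03 never gets past Reconnaissance, while acme-hr-01 reaches Command & Control with Installation unobserved: the chain was not broken at Delivery or Exploitation, and persistence on that host was missed entirely. Mapping one signature to one phase is a simplification; many real detections sit on a phase boundary and should be tagged with the earliest phase they reliably indicate.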
MITRE ATT&CK Framework
A knowledge base of adversary tactics and techniques built from real-world observations and presented as matrices, one per technology domain, with the tactics as columns and the techniques that achieve each tactic beneath them.
Framework Components
- Tactics (the why: the adversary's goal at a given step, such as Persistence or Credential Access)
- Techniques (the how: the method used to reach that goal; many are subdivided into sub-techniques)
- Procedures (the specific implementation of a technique as observed from a particular group or tool)
- Mitigations (defensive measures mapped to the techniques they counter)
Enterprise ATT&CK
Covers techniques used against enterprise networks: Windows, macOS and Linux hosts, plus cloud, container and network-device platforms
Mobile ATT&CK
Focuses on attack patterns specific to Android and iOS devices
ICS ATT&CK
Addresses industrial control systems, where techniques target the control process itself rather than data
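The tactic/technique layering above is what makes ATT&CK useful for coverage tracking. The following is an added Python example, not code from the module or from MITRE: detection rules are tagged with the technique IDs they detect, and the catalog is walked to find tactics with no coverage at all and rules that reference IDs that do not exist. The technique IDs and tactic names are real Enterprise ATT&CK entries, but the catalog is a tiny hand-picked subset and the rules are constructed.

```python
"""ATT&CK tactic/technique coverage check for a detection rule set.

Added example (not from the original module). The technique IDs and tactic
names are real ATT&CK Enterprise entries (attack.mitre.org), but only a tiny
subset is included; in practice load the full catalog from MITRE's STIX
bundle. The detection rules are constructed for illustration.
"""
from collections import defaultdict

# Technique ID -> (name, tactics). A technique can serve more than one tactic.
TECHNIQUES = {
    "T1566": ("Phishing", ["Initial Access"]),
    "T1204": ("User Execution", ["Execution"]),
    "T1059": ("Command and Scripting Interpreter", ["Execution"]),
    "T1547": ("Boot or Logon Autostart Execution", ["Persistence", "Privilege Escalation"]),
    "T1003": ("OS Credential Dumping", ["Credential Access"]),
    "T1071": ("Application Layer Protocol", ["Command and Control"]),
    "T1041": ("Exfiltration Over C2 Channel", ["Exfiltration"]),
}

# Constructed detection rules, each tagged with the techniques it detects.
DETECTION_RULES = [
    {"name": "Office application spawns script interpreter", "techniques": ["T1204", "T1059"]},
    {"name": "New Run key pointing at user-writable path", "techniques": ["T1547"]},
    {"name": "Beacon-like HTTP to rarely seen domain", "techniques": ["T1071"]},
    {"name": "Typo in tagging", "techniques": ["T9999"]},  # unknown ID, caught below
]


def all_tactics(techniques=TECHNIQUES):
    """Every tactic referenced by the catalog, sorted."""
    return sorted({t for _, tactics in techniques.values() for t in tactics})


def invalid_technique_refs(rules, techniques=TECHNIQUES):
    """(rule name, technique ID) pairs where the ID is not in the catalog.

    A mistyped ID silently inflates coverage reports, so validate first.
    """
    return sorted((r["name"], tid) for r in rules
                  for tid in r["techniques"] if tid not in techniques)


def coverage_by_tactic(rules, techniques=TECHNIQUES):
    """Tactic -> set of covered technique IDs, ignoring unknown IDs."""
    covered = defaultdict(set)
    for r in rules:
        for tid in r["techniques"]:
            if tid in techniques:
                for tactic in techniques[tid][1]:
                    covered[tactic].add(tid)
    return dict(covered)


def uncovered_tactics(rules, techniques=TECHNIQUES):
    """Tactics in the catalog that no rule detects at all."""
    covered = coverage_by_tactic(rules, techniques)
    return [t for t in all_tactics(techniques) if t not in covered]


def coverage_ratio(rules, techniques=TECHNIQUES):
    """Fraction of catalog techniques referenced by at least one valid rule."""
    hit = {tid for r in rules for tid in r["techniques"] if tid in techniques}
    return len(hit) / len(techniques)


if __name__ == "__main__":
    print("bad refs:", invalid_technique_refs(DETECTION_RULES))
    for tactic, tids in sorted(coverage_by_tactic(DETECTION_RULES).items()):
        print(f"{tactic:22} {sorted(tids)}")
    print("no coverage:", uncovered_tactics(DETECTION_RULES))
```

With the sample rules, Initial Access, Credential Access and Exfiltration have no detection at all, and one rule is flagged for a non-existent ID. Treat tactic-level coverage as a screening metric only: a single rule hitting one of the many techniques under a tactic does not make the tactic "covered", and rule quality (true-positive rate, data-source availability) is not captured by technique tags.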