***
< [Home](https://github.com/SeanOhAileasa) | [README](https://github.com/SeanOhAileasa/syp-operations-and-incident-response/blob/main/README.md) >

## CompTIA Security+ - Course Material 2022
###### Topic: ``Attack Frameworks``
***

Course material for the ``CompTIA Security+`` module of the ``ICT Associate Apprenticeship (Cybersecurity)`` programme.

<a id="top"></a>
***
## Table of Contents
***

### [Attack Frameworks](#a) <br/><br/>

- [Attacks and Responses](#b) <br/><br/>
- [MITRE ATT&CK Framework](#c) <br/><br/>
- [Diamond Model of Intrusion Analysis](#d) <br/><br/>
- [Cyber Kill Chain](#e) 
<hr width="50%">

***
## END

< [Table of Contents](#top) | [References](#references) >
<a id="a"></a>
***
### Attack Frameworks
***

< [Table of Contents](#top) | [References](#references) >
<a id="b"></a>
***
###### Attacks and Responses
***

If you’re an IT security professional responsible for protecting your network, you may find that the attacks are many and varied. 

It’s difficult to keep track of exactly what types of attack are out there and how you can protect yourself against each of them.

If an attack is occurring, it’s important to know what your response should be and what you can do in the future to mitigate these kinds of attacks. 

One of the challenges is that there are so many different methods attackers can use, in so many different ways, to gain access to information. It’s important to know whether your organization is at risk and, if it is, what you can do to help mitigate that risk.

< [Table of Contents](#top) | [References](#references) >
<a id="c"></a>
***
###### MITRE ATT&CK Framework
***

One place to begin gathering this type of information is the MITRE ATT&CK Framework. It comes from the MITRE Corporation, which is based in the Northeast United States and primarily supports US government agencies. The entire framework is available to view online - go to [ [mitre](https://attack.mitre.org) ] and browse the whole framework from that website. 

Using this framework, you can identify broad categories of attacks, you can find exact intrusions that could be occurring, understand how those intrusions are occurring and how attackers move around after the attack, and then identify security techniques that can help you block any future attacks.

Here is the MITRE ATT&CK framework:

![image.png](attachment:image.png)

Going through the ``Reconnaissance`` process - let’s say we’ve discovered that there is some scanning going on against our network, so we click the ``Active Scanning`` option. 

This can be scanning of IP blocks or vulnerability scanning, and you can learn more about what each of those involves. You can also learn how you might mitigate this - it is listed as a pre-compromise mitigation, because the scanning normally takes place before an actual attack.

The framework also includes detection techniques and references you can use to help understand more about this particular attack type.

![image.png](attachment:image.png)

Looking at a ``Brute Force`` attack - there are four different kinds of brute force attack listed: ``Password Guessing``, ``Password Cracking``, ``Password Spraying``, and ``Credential Stuffing``:

![image.png](attachment:image.png)

Let’s pick ``Credential Stuffing``, and we get information about how the attacker carries out the credential stuffing:

![image.png](attachment:image.png)

Ways to mitigate it, which would be account use policies, multifactor authentication, password policies, and user account management:

![image.png](attachment:image.png)

How you would detect these particular brute force attacks, and references to help you understand more:

![image.png](attachment:image.png)

This is an extensive amount of information, and if you’re trying to learn more about all of these different attacks and the ways you can prevent them, this framework can give you a wealth of information.
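Added example, not code from the course notes or from MITRE: a small Python script that tags failed-logon bursts in a constructed auth log with the ATT&CK Brute Force sub-technique they resemble, then looks up the parent technique’s mitigations, mirroring the click-through above from technique to mitigations. The technique and mitigation IDs (T1110.x, M1036, M1032, M1027, M1018) are ATT&CK’s public identifiers; the log lines, the threshold, and the in-memory subset of the framework are constructed here.

```python
from collections import defaultdict

# Constructed subset of ATT&CK Brute Force (T1110); the IDs are ATT&CK's own.
ATTACK = {
    "T1110": {"name": "Brute Force", "tactic": "Credential Access",
              "mitigations": ["M1036 Account Use Policies",
                              "M1032 Multi-factor Authentication",
                              "M1027 Password Policies",
                              "M1018 User Account Management"]},
    "T1110.001": {"name": "Password Guessing", "parent": "T1110"},
    "T1110.003": {"name": "Password Spraying", "parent": "T1110"},
    "T1110.004": {"name": "Credential Stuffing", "parent": "T1110"},
}

# Constructed auth log, one event per line: "<time> <src_ip> <user> <result>".
LOG = """\
10:00:01 203.0.113.5 alice FAIL
10:00:02 203.0.113.5 bob FAIL
10:00:02 203.0.113.5 carol FAIL
10:00:03 203.0.113.5 dave FAIL
10:00:03 203.0.113.5 erin FAIL
10:01:00 198.51.100.9 alice FAIL
10:01:01 198.51.100.9 alice FAIL
10:01:02 198.51.100.9 alice FAIL
10:01:03 198.51.100.9 alice FAIL
10:01:04 198.51.100.9 alice FAIL
10:02:00 192.0.2.7 alice OK
"""

def classify_sources(log, min_failures=5):
    """Map each source with >= min_failures failed logons to the ATT&CK
    sub-technique IDs its pattern resembles: one account hit repeatedly looks
    like guessing; one try each against many accounts looks like spraying or
    stuffing, which the log alone cannot tell apart."""
    failures = defaultdict(list)  # src_ip -> [user, ...]
    for line in log.splitlines():
        _, src, user, result = line.split()
        if result == "FAIL":
            failures[src].append(user)
    verdict = {}
    for src, users in failures.items():
        if len(users) < min_failures:
            continue
        verdict[src] = ["T1110.001"] if len(set(users)) == 1 else ["T1110.003", "T1110.004"]
    return verdict

def mitigations_for(technique_id):
    """Walk from a sub-technique up to its parent and return the mitigations."""
    entry = ATTACK[technique_id]
    return ATTACK[entry.get("parent", technique_id)]["mitigations"]
```

Calling `classify_sources(LOG)` flags both noisy sources, and `mitigations_for` on either verdict returns the same four mitigations the framework lists for Credential Stuffing.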

< [Table of Contents](#top) | [References](#references) >
<a id="d"></a>
***
###### Diamond Model of Intrusion Analysis
***

Another useful framework that’s commonly used when an intrusion occurs is the Diamond Model of Intrusion Analysis, which was designed by the intelligence community of the US federal government. 

More information is available from [ [dtic.mil](https://apps.dtic.mil/docs/citations/ADA586960) ] - the guide is focused on helping you understand the intrusions that have occurred in your environment. 

The Diamond Model applies scientific principles to intrusion analysis: measurement, testability, and repeatability are its focus. Although it appears very simple from the outside, once you start going through the process of filling in all the blanks around the diamond, you begin to see how complex the process can really be.

As a broad example of how you would apply this model, take a scenario where an adversary has deployed a capability over some infrastructure against a victim. You can use the Diamond Model to understand the relationships between all of those pieces and gather the details and documentation needed to fill in the blanks regarding this intrusion.
This is the Diamond Model, and you can see there are four corners to the diamond:

> ``Adversary``

> ``Capability``

> ``Victim``

> ``Infrastructure``

![image.png](attachment:image.png)

- ``Adversary`` is obviously going to be the attacker. 
- ``Capability`` is what the attacker uses - this could be malware, a hacker tool, or some other type of exploit used against your systems. 
- ``Infrastructure`` describes what was used to gain access - IP addresses, domain names, email addresses, or other parts of your infrastructure.
- ``Victim`` could be a person, an asset on the network, or a series of email addresses that were used.

There is a relationship between each pair of points on the diamond: the adversary uses the infrastructure, the adversary develops the capability, the victim is exploited by that capability, and the victim, of course, connects to the infrastructure. 

If you suffer an intrusion, you begin filling in documentation at each of these points to understand who the adversary was, what part of the infrastructure they used, who the specific victim was, and what capabilities they used to gain access. As you fill in those blanks you get a much better idea of how this attack occurred, and you can then go back and find ways to prevent it from occurring in the future.
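Added example, not part of the course notes or of the Diamond Model paper: a Python sketch that records each intrusion event as the four vertices and then pivots across shared capability and infrastructure to fill in an unknown adversary, which is the blank-filling the text describes. Every event value (hostnames, IPs, file names, the group name GROUP-X) is a constructed placeholder.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    """One intrusion event: the four Diamond Model vertices plus a label."""
    label: str
    adversary: str       # who; "unknown" until attribution is possible
    capability: str      # malware, tool or exploit used
    infrastructure: str  # IP, domain or mailbox the capability came over
    victim: str          # person or asset targeted

# Constructed events from a hypothetical incident; every value is a placeholder.
EVENTS = [
    Event("e1", "unknown", "macro-dropper.docm", "mail.bad.test", "alice@corp.test"),
    Event("e2", "unknown", "macro-dropper.docm", "mail.bad.test", "bob@corp.test"),
    Event("e3", "GROUP-X", "rat.exe", "198.51.100.20", "workstation-07"),
    Event("e4", "unknown", "rat.exe", "198.51.100.20", "workstation-12"),
    Event("e5", "unknown", "webshell.php", "203.0.113.44", "www-01"),
]

def pivot(events, vertex, value):
    """Events sharing `value` at `vertex`, e.g. everything seen over one IP."""
    return [e for e in events if getattr(e, vertex) == value]

def attribute(events, seed):
    """Fill in the adversary blank for `seed` by following shared capability
    and infrastructure edges to any event whose adversary is already known.
    Returns the set of adversary names reached (empty if nothing links up)."""
    seen, queue, found = {seed.label}, [seed], set()
    while queue:
        cur = queue.pop()
        if cur.adversary != "unknown":
            found.add(cur.adversary)
        for vertex in ("capability", "infrastructure"):
            for nxt in pivot(events, vertex, getattr(cur, vertex)):
                if nxt.label not in seen:
                    seen.add(nxt.label)
                    queue.append(nxt)
    return found

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev.label, "->", attribute(EVENTS, ev) or "unattributed")
```

Event e4 is linked to GROUP-X through the tool and the IP it shares with e3, while the phishing events e1/e2 and the web shell e5 stay unattributed until some vertex connects them to a known adversary.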

< [Table of Contents](#top) | [References](#references) >
<a id="e"></a>
***
###### Cyber Kill Chain
***

Often referenced in IT security materials is the Cyber Kill Chain - this is a concept that came to us from the military and has been applied to the cybersecurity world. It starts with the first phase, reconnaissance. 

> ``Reconnaissance``

- Going to gather intel, so we can use many different sources to get intelligence about what we’re attacking.

> ``Weaponization``

- In the next phase, the attacker needs some way to build a payload that can take advantage of a vulnerability. 

> ``Delivery``

- The payload is then delivered - for example, the executable may be sent by email to the intended victim.

> ``Exploit``

- The attacker is hoping that the victim is going to run that code in their email to create the exploit and execute the code on the victim’s device. 

> ``Installation``

- When that code is executing, there will be the installation of software such as malware to create back doors and additional channels.

> ``Command and Control``

- This brings us to the command and control phase, where the attacker creates a channel they can use to gain access to that system.

> ``Actions on Objectives``

- The attacker will begin carrying out their objectives in the last phase, which is actions on objectives.

![image.png](attachment:image.png)

Each of these models provides a different perspective on IT security: some are created so that we can gather information and learn more before an attack occurs, and others are designed to help us understand the results of an attack. 

Either way, we can take advantage of these frameworks to help make our network safer, and prepare for the next round of attacks against our systems.

***
## END

< [Table of Contents](#top) >
<a id="references"></a>
***
## References
***

J. "Professor" Messer, "CompTIA Security+ (SY0-601) Course Notes," [professormesser.com](https://web.archive.org/web/20220521181010/https://www.professormesser.com/security-plus/sy0-601/sy0-601-video/sy0-601-comptia-security-plus-course/), September 2021.

***
## END

< [Table of Contents](#top) | [References](#references) >
<a id="appendix"></a>
***
## Appendix
***

***
## END
