
Cyber Operations Analysis Tools and Techniques

This repository provides a comprehensive mapping of the Cyber Kill Chain and MITRE ATT&CK frameworks to various tools and techniques commonly used in malware analysis, reverse engineering, and software exploitation analysis. By understanding how these frameworks align with specific tools and techniques, security professionals can effectively investigate, analyze, and mitigate cyber threats.

Motivating Articles and Related Works

Krasznay, C. (2024). The Role of Civilian Cybersecurity Companies in Military Cyber Operations. Land Forces Academy Review, 29(1), 1-10. https://doi.org/10.2478/raft-2024-0001.

Balani, Z., & Mustafa, N. I. (2023). Enhancing Cybersecurity Against Emerging Threats in the Future of Cyber Warfare. International Journal of Intelligent Systems and Applications in Engineering, 12(2s), 204–209. Retrieved from https://ijisae.org/index.php/IJISAE/article/view/3572.

Bermejo Higuera J, Abad Aramburu C, Bermejo Higuera J-R, Sicilia Urban MA, Sicilia Montalvo JA. Systematic Approach to Malware Analysis (SAMA). Applied Sciences. 2020; 10(4):1360. https://doi.org/10.3390/app10041360

The Cyber Kill Chain https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html

Developed by Lockheed Martin, the Cyber Kill Chain® framework is part of the Intelligence Driven Defense® model for the identification and prevention of cyber intrusion activity. The model identifies the steps an adversary must complete in order to achieve their objective.

MITRE ATT&CK https://attack.mitre.org/

MITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.

Diamond Model https://www.recordedfuture.com/blog/diamond-model-intrusion-analysis

The Diamond Model can work in tandem with other frameworks such as MITRE ATT&CK and the Cyber Kill Chain. Each framework focuses on different components or elements of a cyberattack, helping analysts obtain a holistic picture of the incident.

STIX https://oasis-open.github.io/cti-documentation/stix/intro.html

Structured Threat Information Expression (STIX) is a language and serialization format used to exchange cyber threat intelligence (CTI). STIX is open source and free, allowing those interested to contribute and ask questions freely.

Older Works

Cory Q. Nguyen and James E. Goldman. 2010. Malware analysis reverse engineering (MARE) methodology & malware defense (M.D.) timeline. In 2010 Information Security Curriculum Development Conference (InfoSecCD '10). Association for Computing Machinery, New York, NY, USA, 8–14. https://doi.org/10.1145/1940941.1940944

Other Tools

https://ir0nstone.gitbook.io/notes/types/stack/introduction

https://github.com/alexandreborges/malwoverview

https://github.com/Dump-GUY/Malware-analysis-and-Reverse-engineering

https://malware-traffic-analysis.net/

https://github.com/Crypto-Cat/CTF

https://www.shodan.io/

People

https://www.thecyberyeti.com/

Importance of Cyber Kill Chain and MITRE ATT&CK Frameworks mapped to Tools and Techniques

Mapping the Cyber Kill Chain and MITRE ATT&CK frameworks to tools and techniques offers several benefits:

  1. Targeted Analysis: By identifying the appropriate tools and techniques for each stage of the attack lifecycle, analysts can focus their efforts on the most relevant data points and efficiently investigate malicious activities.

  2. Enhanced Understanding: Mapping frameworks to tools and techniques helps in understanding the attacker's perspective, tactics, and procedures, enabling security professionals to develop effective defense strategies.

  3. Skill Development: Familiarizing oneself with the tools and techniques associated with each stage of the attack lifecycle enhances the skills and knowledge required for malware analysis, reverse engineering, and software exploitation analysis.

  4. Proactive Defense: Understanding the mapping allows security professionals to proactively identify potential attack vectors, implement appropriate security controls, and strengthen their overall security posture.

Repository Contents

This repository contains the following:

Table 1. Cyber Kill Chain and MITRE ATT&CK Frameworks vs. Analysis Techniques

Table 2. Cyber Kill Chain and MITRE ATT&CK Frameworks vs. Artifacts and Network Activity

Table 3. Cyber Kill Chain and MITRE ATT&CK Frameworks vs. Analysis Platforms

Table 4. Cyber Kill Chain and MITRE ATT&CK Frameworks vs. Anti-Analysis Techniques

Table 5. Cyber Kill Chain and MITRE ATT&CK Frameworks vs. Sandbox Analysis

Table 6. Cyber Kill Chain and MITRE ATT&CK Frameworks vs. Offense and Defense Examples

Table 7. Cyber Kill Chain and MITRE ATT&CK Frameworks vs. Representative Malware Families

Contributions

Contributions to this repository are welcome. If you have any suggestions, additional tools or techniques to include, or improvements to the mapping, please open an issue or submit a pull request.

Disclaimer

The information provided in this repository is for educational purposes only. The authors and contributors are not responsible for any misuse or damage caused by the information or tools mentioned here. Always use these tools and techniques responsibly and in compliance with applicable laws and regulations.

License

Copyright 2024 Eric Yocam

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.