Introduction
Various attack frameworks and methodologies attempt to capture how adversaries conduct different types of attacks. What is captured, and at what level of detail, depends on who will use the information. Capturing how a specific malware variant operates, for example, can lead directly to signatures for security devices, whereas capturing the methodology of an attack, whether cyber or physical, can inform anything from tactical countermeasures to policy. Within these frameworks and methodologies there is considerable redundancy: many of the defined stages do not genuinely distinguish one framework from another, because they are either too specific or, more often, sub-steps of stages that have already been identified. Having studied several attacks, the authors therefore propose that attacks, physical or cyber, proceed through five sequentially ordered steps, commonly referred to as 'stages'. Identifying these five main stages leaves both operational personnel and academics better positioned to understand, and thus defend against, potential adversary actions. Finally, regardless of skill or motivation, every adversary goes through some form of 'thought' process before acting; the more advanced the adversary, the more methodically each step is likely to be carried out.
Two of the more common frameworks in use today are the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework and the Lockheed Martin Cyber Kill Chain. MITRE describes its framework as "a curated knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary's attack lifecycle" (Strom et al., 2018, p. 1). First created in 2013, the MITRE ATT&CK model is designed to focus on specific environments, capturing observed adversary behaviour and updating the model regularly (Strom et al., 2018). While it has overarching steps, which ATT&CK calls tactics (e.g. Initial Access, Execution, Persistence), beneath them the model quickly expands into a large matrix of techniques focused specifically on cyber attacks. Although comprehensive, it therefore lacks the simplicity needed to explain, at a strategic level, how an attack progresses. Table 1 shows the first tactic, Reconnaissance, and the ten techniques listed under it in the MITRE ATT&CK model.
Table 1. MITRE ATT&CK Reconnaissance Stage and the Ten Techniques

Reconnaissance Techniques:
1. Active Scanning
2. Gather Victim Host Information
3. Gather Victim Identity Information
4. Gather Victim Network Information
5. Gather Victim Org Information
6. Phishing for Information
7. Search Closed Sources
8. Search Open Technical Databases
9. Search Open Websites/Domains
10. Search Victim-Owned Websites