Taking Security Strategy to the Next Level: Cyber Kill Chain vs. MITRE ATT&CK

Information Security
Author: Timothy Liu
Date Published: 2 September

In an era of rampant ransomware and other malicious cyberattacks, it has never been more important to double down on cybersecurity analysis and strategy. There are 2 models that can help security professionals harden network resources and protect against modern-day threats and attacks: the cyber kill chain (CKC)¹ and the MITRE ATT&CK framework.²

The CKC, developed by Lockheed Martin more than a decade ago, provides a high-level view of the sequence of a cyberattack from initial reconnaissance through weaponization and action. Although it is widely used by security teams, it has limitations. For example, host attack behaviors are not included in the model, and attackers may bypass or combine multiple steps.³

The newer MITRE ATT&CK framework maps closely to the CKC but focuses more on cyberresilience to withstand emergent threats. This open-source project also provides substantial support for tracing host attack behaviors. The differences between the 2 models can have an outsized impact on the efficacy and resilience of the resulting security analysis and strategies.


Cyber Kill Chain

The CKC divides an attack into 7 stages:

  1. Reconnaissance—Vulnerabilities, email addresses and other details are identified
  2. Weaponization—A payload, such as a phishing email or other exploit, is constructed
  3. Delivery—The payload is delivered to targets identified during reconnaissance
  4. Exploitation—A vulnerable device or user unintentionally executes the payload
  5. Installation—Malicious software is installed to continue the execution of the attack
  6. Command and control (C&C)—The malware sends covert communications to a C&C server, allowing the attacker to control the compromised asset
  7. Actions—The malware operates according to the attacker's instructions via the C&C server

These 7 stages abstract and simplify attack behaviors, which allows security teams to categorize them by stage rather than analyzing and defending against individual attack behaviors. A typical process for analyzing and mitigating attacks under the CKC model might include:

  • Mapping attack behaviors into kill chain stages and understanding the behaviors based on descriptions of the stages
  • Initiating a detection and mitigation strategy for the attack behaviors as suggested by the corresponding kill chain stages
  • Prioritizing execution of the detection and mitigation tasks. Prioritizing is crucial because security team resources are often limited.

The Value of Prevention and Cyberresilience

When executing security tasks, it is important to keep in mind that prevention is better than detection. A prevention strategy aims to completely nullify an attack so that no residual damage is done to the systems and no cleanup is required. However, prevention is only possible under certain scenarios at early stages, such as reconnaissance, delivery and exploitation. At the installation and C&C stages, the malware has already done permanent damage to the system, so prevention is impossible.

Cyberprofessionals should also keep in mind the truism “Fix earlier, cost less.” A cyberresilient infrastructure is more agile and flexible in its response protocol. In a cyberresilient environment, waves of threats can be endured and mitigated early so that the overall cost of a breach is minimized.

One might ask, “How can multiple attack behaviors quickly be mapped to the correct kill chain stages?” This is critical, but it is not easy to do. Fortunately, many security products support the CKC model, so detected attack behaviors tend to carry a kill chain stage label. This allows security teams to bypass the cumbersome task of mapping attack behaviors and quickly move to the mitigation and cleanup strategies.

Limitations of the CKC

Today's attacks take advantage of encryption on the network, making it very difficult to detect attack behaviors via the network itself. To overcome this limitation, enterprises typically deploy host security products alongside their network security products. Host security products might include traditional antivirus programs, endpoint detection and response (EDR) solutions or endpoint protection platforms (EPPs). Many organizations also deploy extended detection and response (XDR) solutions, which collect various endpoint/network behaviors and application/service logs from other security products so they can be examined comprehensively.

As mentioned previously, a shortcoming of the CKC model is that it focuses on network attack behaviors but does not include host attack behaviors. The MITRE ATT&CK framework helps overcome this limitation.

MITRE ATT&CK Framework

The MITRE ATT&CK framework has gained a significant amount of attention in recent years. Compared with the CKC model, it offers 3 main areas of improvement:

  1. Substantial coverage of host attack behaviors
  2. Granular descriptions of attack behaviors
  3. Detection and mitigation strategies for attack behaviors

MITRE ATT&CK introduces the concept of tactics and techniques that describe attack behaviors more granularly than the CKC model. The ATT&CK tactics include reconnaissance, resource development, initial access, execution, persistence and C&C.

MITRE ATT&CK expands the Actions stage of the CKC to include 7 new tactics:

  1. Privilege escalation
  2. Defense evasion
  3. Credential access
  4. Discovery
  5. Lateral movement
  6. Exfiltration
  7. Impact

The MITRE ATT&CK framework not only describes attack behaviors, but also suggests detections and mitigations.⁴ Compared with the CKC, MITRE ATT&CK describes the aspects of an attack in a more organized manner. Mitigation strategies are individually tagged and can be cross-referenced with MITRE ATT&CK tactics and techniques.

A typical process for analyzing and mitigating attacks under the MITRE ATT&CK framework is similar to that of the CKC model and includes:

  • Mapping attack behaviors to MITRE ATT&CK tactics and techniques and understanding the behaviors based on their descriptions
  • Adopting a detection and mitigation strategy for attack behaviors suggested by the MITRE ATT&CK framework
  • Prioritizing execution of the detection and mitigation tasks

Most security products support both the MITRE ATT&CK framework and the CKC model. Detected attack behaviors are labeled with MITRE ATT&CK technique labels.
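The triage process described for both models (map labeled detections to stages, decide between prevention and cleanup, then prioritize) can be made concrete. The following is an added example, not code from the article, from Hillstone Networks or from MITRE. It assumes that security products emit detections as JSON lines carrying an ATT&CK tactic label (the technique IDs below are ATT&CK's own; the alert records, host names and the tactic-to-stage mapping are constructed for illustration, with the seven later tactics placed in the expanded Actions stage as the article describes). It orders work earliest stage first, following “Fix earlier, cost less,” and separates detections where prevention is still an option from those that already require cleanup.

```python
"""Triage of ATT&CK-labeled detections by cyber kill chain (CKC) stage.

Added example, not part of the original article. The tactic-to-stage
mapping, alert format and sample alerts are constructed assumptions.
"""
import json
from dataclasses import dataclass

# The 7 CKC stages named in the article.
CKC_STAGES = {
    1: "Reconnaissance",
    2: "Weaponization",
    3: "Delivery",
    4: "Exploitation",
    5: "Installation",
    6: "Command and Control",
    7: "Actions",
}

# Assumed mapping: the first six ATT&CK tactics line up with CKC stages 1-6;
# the seven tactics the article lists as expanding "Actions" map to stage 7.
TACTIC_TO_STAGE = {
    "reconnaissance": 1,
    "resource-development": 2,
    "initial-access": 3,
    "execution": 4,
    "persistence": 5,
    "command-and-control": 6,
    "privilege-escalation": 7,
    "defense-evasion": 7,
    "credential-access": 7,
    "discovery": 7,
    "lateral-movement": 7,
    "exfiltration": 7,
    "impact": 7,
}

# Stages at which the article says prevention (no residual damage, no cleanup)
# is still possible; from Installation onward the host must be cleaned up.
PREVENTABLE_STAGES = {1, 2, 3, 4}


@dataclass(frozen=True)
class TriageItem:
    host: str
    source: str       # which sensor raised it: "host" (EDR/EPP) or "network"
    technique: str    # ATT&CK technique ID as labeled by the product
    tactic: str
    stage: int
    stage_name: str
    preventable: bool


def map_alert(alert):
    """Turn one labeled detection (a dict) into a TriageItem, or fail loudly
    on a tactic label the mapping does not know rather than guessing a stage."""
    tactic = alert["tactic"].strip().lower()
    stage = TACTIC_TO_STAGE.get(tactic)
    if stage is None:
        raise ValueError(f"unknown ATT&CK tactic label: {alert['tactic']!r}")
    return TriageItem(
        host=alert["host"],
        source=alert["source"],
        technique=alert["technique"],
        tactic=tactic,
        stage=stage,
        stage_name=CKC_STAGES[stage],
        preventable=stage in PREVENTABLE_STAGES,
    )


def triage(alert_lines):
    """Parse JSON-lines alerts and order them earliest stage first.
    The sort is stable, so alerts within one stage keep arrival order."""
    items = [map_alert(json.loads(line)) for line in alert_lines if line.strip()]
    items.sort(key=lambda it: it.stage)
    return items


def stage_counts(items):
    """How many detections fired at each kill chain stage."""
    counts = {}
    for it in items:
        counts[it.stage_name] = counts.get(it.stage_name, 0) + 1
    return counts


def hosts_needing_cleanup(items):
    """Hosts with at least one detection past the preventable stages."""
    return sorted({it.host for it in items if not it.preventable})


# Constructed sample alerts (one JSON object per line), as a product supporting
# both models might emit them. Host names are placeholders.
SAMPLE_ALERTS = [
    '{"host": "ws-017", "source": "host", "technique": "T1059", "tactic": "execution"}',
    '{"host": "ws-017", "source": "host", "technique": "T1547", "tactic": "persistence"}',
    '{"host": "ws-017", "source": "network", "technique": "T1071", "tactic": "command-and-control"}',
    '{"host": "fs-02", "source": "network", "technique": "T1021", "tactic": "lateral-movement"}',
    '{"host": "mail-gw", "source": "network", "technique": "T1566", "tactic": "initial-access"}',
    '{"host": "perimeter", "source": "network", "technique": "T1595", "tactic": "reconnaissance"}',
    '{"host": "fs-02", "source": "host", "technique": "T1486", "tactic": "impact"}',
]

if __name__ == "__main__":
    ordered = triage(SAMPLE_ALERTS)
    for it in ordered:
        action = "prevent" if it.preventable else "contain and clean up"
        print(f"stage {it.stage} {it.stage_name:<19} {it.technique} on {it.host:<9} [{it.source}] -> {action}")
    print("per stage:", stage_counts(ordered))
    print("cleanup needed on:", hosts_needing_cleanup(ordered))
```

Rejecting unknown tactic labels instead of defaulting them to a stage is deliberate: a mislabeled detection that silently lands in the wrong stage would be prioritized wrongly, which is exactly the cumbersome manual mapping the stage labels are meant to avoid.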

Considerations When Using MITRE ATT&CK

While the MITRE ATT&CK framework offers improvements over the CKC model, initially it can be challenging to implement due to its comprehensive and growing coverage of adversary tactics and techniques. Several open-source tools are available⁵ to help contend with the complexity of MITRE ATT&CK and make the framework more approachable, especially for less experienced security analysts. In addition, a variety of security technologies offer automation that can offload certain aspects of the more labor-intensive processes and procedures for security personnel.

Conclusion

The MITRE ATT&CK framework extends and expands upon the capabilities of the CKC model. It provides substantial coverage of host attack behaviors and offers more comprehensive descriptions of and suggestions for detection and mitigation. While the venerable CKC paved the way for later methodologies, security practitioners should consider leveraging MITRE ATT&CK to take their security strategy to the next level.

Endnotes

1  Dholakiya, P.; “What Is the Cyber Kill Chain and How It Can Protect Against Attacks,” IEEE Computer Society
2  MITRE; “ATT&CK”
3  Korolov, M.; L. Myers; “What Is the Cyber Kill Chain? A Model for Tracing Cyberattacks,” CSO, 14 April 2022
4  Ibid.
5  Loshin, P.; “Challenges and Benefits of Using the Mitre ATT&CK Framework,” TechTarget SearchSecurity, April 2019

Editor's Note

Hear more about what the author has to say on this topic by listening to the “Taking Security Strategy to the Next Level: Cyber Kill Chain vs. MITRE ATT&CK” episode of the ISACA® Podcast.

Timothy Liu

Is the cofounder and chief technology officer of Hillstone Networks, a leading provider of infrastructure protection solutions. He has more than 25 years of experience in the technology and security industries, working with Fortune 500 enterprises and data centers to proactively defend against cyberattacks on a global level.