From Cyber Kill Chain to TTP Pyramid: A Journey Through Cybersecurity Frameworks

Ionut Vasile
3 min read · Jul 14, 2023

Source: greekcitytimes.com

In the ever-evolving landscape of cybersecurity, understanding the mechanisms of cyber attacks is not just beneficial but essential. This understanding forms the bedrock of effective defense strategies. This article emphasizes the symbiotic relationship between offense and defense, reinforcing the idea that one informs and refines the other.

In 2011, Lockheed Martin pioneered the Cyber Kill Chain concept, a model that delineates the steps an adversary takes during an attack. This model has been instrumental in communicating the intricacies of cyber attacks to high-level managers and CISOs. It has found particular resonance with individuals from a military background, who are already familiar with the concept of a ‘kill chain’. However, it’s important to note that the Cyber Kill Chain primarily encapsulates high-level tactics or phases of an attack. While it doesn’t delve into the granular details, it serves as an excellent framework for explaining the trajectory of a specific attack to non-practitioners.

Source: lockheedmartin.com

Fast forward to 2013, David Bianco proposed the Pyramid of Pain. This model grouped Tactics, Techniques, and Procedures (TTPs) together and placed them at the apex of the pyramid. The significance of this model lies in its focus on adversary behaviors rather than their tools. For instance, it advocates for detecting Pass-the-Hash attacks by inspecting Windows logs rather than concentrating on the tools used to execute these attacks. This level of response compels adversaries to adopt new behaviors, a process that is inherently time-consuming and disruptive to their operations.
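A defender-side illustration of the point above, written as an added example for this article rather than taken from it or from David Bianco's work: it ranks indicator types by their position on the pyramid and then scores constructed Windows Security event 4624 records against two widely published pass-the-hash logon heuristics (an assumption to tune per environment: the logon type 9 / seclogo / Negotiate pattern, and an NTLM network logon with key length 0). The log lines, account names and addresses are constructed sample data in a one-line form, not real event output; the field names are the event's own. Because the rule keys on the logon behaviour, a renamed binary or a recompiled tool with a new hash does not change the verdict.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Pyramid of Pain levels, bottom (trivial for an adversary to change)
# to top (forces a change of behaviour).
PYRAMID_OF_PAIN = ("hash values", "ip addresses", "domain names",
                   "network/host artifacts", "tools", "ttps")


def pain_level(indicator_type: str) -> int:
    """0 = hash values (least pain for the adversary) ... 5 = TTPs (most)."""
    return PYRAMID_OF_PAIN.index(indicator_type.lower())


@dataclass
class Logon4624:
    account: str
    logon_type: int
    logon_process: str
    auth_package: str
    key_length: int
    source_ip: str


def parse_4624(line: str) -> Logon4624:
    """Parse a constructed 'Field=Value|Field=Value' rendering of a 4624 event.
    Real events are multi-line text/XML; only the field names are the event's."""
    fields = {}
    for chunk in line.split("|"):
        key, _, value = chunk.partition("=")
        fields[key.strip()] = value.strip()
    return Logon4624(
        account=fields["Account Name"],
        logon_type=int(fields["Logon Type"]),
        logon_process=fields["Logon Process"],
        auth_package=fields["Authentication Package"],
        key_length=int(fields["Key Length"]),
        source_ip=fields["Source Network Address"],
    )


def pth_reason(ev: Logon4624) -> Optional[str]:
    """Return why a logon matches a pass-the-hash pattern, or None.
    Both rules are published heuristics (assumption: verify false-positive
    rate against your own baseline before alerting on them)."""
    # Heuristic 1: NewCredentials (type 9) logon through the seclogo logon
    # process with the Negotiate package, the footprint of injecting a hash
    # into a new logon session rather than of any particular tool.
    if (ev.logon_type == 9 and ev.logon_process.lower() == "seclogo"
            and ev.auth_package.lower() == "negotiate"):
        return "type 9 logon via seclogo/Negotiate"
    # Heuristic 2: network (type 3) logon authenticated with NTLM and a
    # key length of 0, excluding the noisy ANONYMOUS LOGON account.
    if (ev.logon_type == 3 and ev.auth_package.upper() == "NTLM"
            and ev.key_length == 0 and ev.account.upper() != "ANONYMOUS LOGON"):
        return "NTLM network logon with key length 0"
    return None


def detect(lines):
    """Return (account, source_ip, reason) for every matching event."""
    hits = []
    for ev in map(parse_4624, lines):
        reason = pth_reason(ev)
        if reason:
            hits.append((ev.account, ev.source_ip, reason))
    return hits


# Constructed sample events: two benign logons, two matching the heuristics,
# and one ANONYMOUS LOGON that the second rule deliberately ignores.
SAMPLE_LOG = [
    "Account Name=alice|Logon Type=3|Logon Process=Kerberos|Authentication Package=Kerberos|Key Length=0|Source Network Address=10.0.0.11",
    "Account Name=bob|Logon Type=3|Logon Process=NtLmSsp|Authentication Package=NTLM|Key Length=128|Source Network Address=10.0.0.12",
    "Account Name=svc_backup|Logon Type=9|Logon Process=seclogo|Authentication Package=Negotiate|Key Length=0|Source Network Address=10.0.0.13",
    "Account Name=carol|Logon Type=3|Logon Process=NtLmSsp|Authentication Package=NTLM|Key Length=0|Source Network Address=10.0.0.14",
    "Account Name=ANONYMOUS LOGON|Logon Type=3|Logon Process=NtLmSsp|Authentication Package=NTLM|Key Length=0|Source Network Address=10.0.0.15",
]

if __name__ == "__main__":
    print("Detecting a tool hash sits at pain level", pain_level("hash values"),
          "; detecting the logon behaviour sits at level", pain_level("ttps"))
    for account, src, reason in detect(SAMPLE_LOG):
        print(f"ALERT {account} from {src}: {reason}")
```

The two rules are starting points, not a finished detection: key length 0 also appears on some legitimate NTLM logons, so a production rule would baseline per account and host before paging anyone. The point the example makes is structural: an adversary can swap tools cheaply, but changing how a logon session is created costs them real effort.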

Source: attackiq.com

In 2015, MITRE released the ATT&CK framework, a comprehensive and continuously evolving matrix that categorizes and describes unique adversary behaviors observed across millions of attacks on enterprise networks. The ATT&CK framework has seen significant growth and industry adoption since its inception. Today, it can map techniques to groups, software, and data sources, providing a more detailed and nuanced understanding of adversary tactics.

In 2017, Paul Pols introduced the Unified Cyber Kill Chain, a model that distills the stages of an attack into three high-level steps: Initial Foothold, Network Propagation, and Action on Objectives. This model, with its simplified structure, is even more accessible to non-practitioners, making it easier to communicate the progression of an attack to those outside the cybersecurity field.

Source: unifiedkillchain.com

Most recently, in 2022, Christopher Peacock presented the TTP Pyramid. For Red Team and Purple Team Exercises, the procedures represent the highest level of intelligence we can obtain on adversary behaviors. While we can still use the Cyber Kill Chain to explain high-level goals to non-practitioners and MITRE ATT&CK to map technique IDs to groups, software, and data sources, the detailed procedures in the TTP Pyramid provide the most technical level of information. This allows us to emulate and determine our detection and response capabilities while still leveraging frameworks that enable us to speak a common language.

Source: SCYTHE

Conclusion

Understanding the mechanics of cyber attacks and the various frameworks that describe these mechanisms is crucial for effective cybersecurity. By leveraging these frameworks, cybersecurity professionals can better understand, communicate, and defend against cyber threats.

Written by Ionut Vasile

An eager learner with a wide range area of understanding in different technologies.