Though journalists might not report directly about how an entity monitors threats, understanding the greater context of how analysts identify and prevent a threat actor from reaching its goal gives journalists a better ability to judge the attribution claims they receive.
This is not an exhaustive list, but the frameworks described here — the Cyber Kill Chain, the Diamond model and the MITRE ATT&CK framework — demonstrate different understandings of staged processes that threat actors use to complete their operations.
Not every analyst who monitors a threat or uses a defensive model will end up with an attribution judgment. But an understanding of how analysts work will allow journalists to know what questions to ask and what information might be missing.
Cyber Kill Chain
The phase-based framework of the Kill Chain originated in the military to describe the stages of an attack. The Cyber Kill Chain, developed by Lockheed Martin in 2009, outlines the stages an Advanced Persistent Threat (APT) might undertake in a cyber operation to achieve a network intrusion. The “chain” highlights that an intrusion is not a singular event but a progressing operation: if one phase is interrupted, the adversary’s entire process will fall apart.
- The linear process can sometimes provide a false sense of success: if another malicious activity doesn’t occur, you assume the defensive measures worked.
- The model is perimeter- and malware-focused and therefore doesn’t address all kinds of attacks, including an internal threat.
- Because the model primarily presents technical evidence and doesn’t explain how to communicate that evidence, an attribution based on this model can be difficult to understand and report on if you don’t have a technical background.
Journalists should think about these limitations when reporting on an attribution that may have been based on this threat modeling model.
The Diamond Model
Created in 2013, the Diamond Model of Intrusion Analysis focuses on relationships between features of an attack. In its most basic form, the model maps out the four core features of an event, or one stage of the intrusion: “an adversary deploys a capability over some infrastructure against a victim.”
Each event can link to other events that attack the same target; this builds an activity thread that describes a multi-stage intrusion campaign, similar to the Kill Chain. From this, an analyst can determine a threat actor’s tradecraft or TTPs across several campaigns.
The Diamond Model is a useful tool for testing a hypothesis and ruling out other possible explanations, which is especially important for making tight attribution judgments.
Journalists can use the concept of the Diamond Model to question organizations that are making attribution judgments: how has an actor’s tradecraft informed their attribution, and have they tested their hypothesis?
The MITRE ATT&CK framework was developed by the MITRE Corporation, a non-profit that works across U.S. government agencies. It assesses and aggregates adversaries’ patterns on a granular level, specifically their adversarial tactics, techniques and common knowledge, giving it the name ATT&CK. The tactics, techniques and procedures (TTPs) described in the ATT&CK framework come from observed patterns and real-world campaigns led by Advanced Persistent Threat actors. ATT&CK offers a centralized repository of knowledge on known APTs, combining their TTPs into different categories of behavior and at different stages of the attack.
The MITRE ATT&K’s matrix is a resource for journalists to become familiar with different APTs, compare what’s in an attribution report to known ATPs, and learn who has written about them before.
Usefulness and Limitations:
- The model is useful in creating a common language across organizations to talk about threat actor behaviors.
- The model doesn’t include all aspects of counter-intelligence or all techniques and focuses primarily on tactics.