Attack Attribution Models

There are three attack attribution models: the Cyber Kill Chain, the MITRE ATT&CK Matrix, and the Diamond Model. The Cyber Kill Chain is Lockheed Martin’s seven-step model of a cyber-attack. The MITRE ATT&CK Matrix is a knowledge base that categorizes adversary tactics, techniques, and procedures (TTPs). TTPs are a way to classify the type of attack, the attack patterns, and how malicious actors use them to commit crimes.

Along with the Cyber Kill Chain and the MITRE ATT&CK Matrix, the Diamond Model is a way to analyze events according to the relationships between four features: the adversary, the capability, the infrastructure, and the victim. These are the three main attack attribution models, and the CCST Cybersecurity exam covers them alongside other cybersecurity concepts. In the Diamond Model, the individual events that make up an attack are analyzed through the relationships between them, which is what allows those events to be attributed to particular adversaries.

Cyber Kill Chain

The Cyber Kill Chain has seven steps: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, and Actions on Objectives. Reconnaissance is where the attacker gathers information about the target network and looks for vulnerabilities. In the Weaponization step the attacker builds an exploit for the Delivery step that follows.

In the Exploitation step the delivered exploit is triggered, which leads into the Installation step, where the backdoor is planted. The Command and Control step comes next and gives the attacker a channel to remotely control the device and exfiltrate data. The last step is Actions on Objectives, where the attacker carries out the goals of the attack.

MITRE ATT&CK Matrix and Diamond Model

The CCST Cybersecurity exam tests the MITRE ATT&CK Matrix by application: using it to identify an organization’s defenses and weaknesses, to attribute attacks, and to understand how a red team or a blue team interprets an attack. The Diamond Model covers the adversary, the how, the what, and the target of the attack.
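To make the Diamond Model analysis described above (and in the introduction) concrete, here is an added example that is not part of the original post: each event carries the four Diamond vertices plus its Cyber Kill Chain phase, a known attribution is pivoted across shared capability or infrastructure to the other events, and the attributed events are then ordered along the Kill Chain. The event data, group name, tool names, domains and addresses are all constructed placeholders.

```python
from dataclasses import dataclass
from typing import Optional

# Cyber Kill Chain phases in order; used as the Diamond Model "phase" meta-feature.
KILL_CHAIN = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
              "Installation", "Command and Control", "Actions on Objectives"]

@dataclass(frozen=True)
class DiamondEvent:
    event_id: str
    phase: str                       # Kill Chain phase the event falls in
    capability: str                  # tool or malware the adversary used
    infrastructure: str              # domain, IP or server it was used through
    victim: str                      # host or organization on the receiving end
    adversary: Optional[str] = None  # attribution from intel, or None if unknown

# Constructed sample events: hypothetical names, documentation IP ranges, reserved .test domain.
EVENTS = [
    DiamondEvent("e1", "Delivery", "macro-dropper", "mail.example-bad.test", "ws-7", "GROUP-A"),
    DiamondEvent("e2", "Installation", "macro-dropper", "cdn.example-bad.test", "ws-12"),
    DiamondEvent("e3", "Command and Control", "rat-x", "cdn.example-bad.test", "ws-12"),
    DiamondEvent("e4", "Actions on Objectives", "rat-x", "203.0.113.10", "fileserver-1"),
    DiamondEvent("e5", "Reconnaissance", "port-scanner", "198.51.100.77", "ws-7"),
]

def pivot_attribution(events):
    """Propagate known adversaries to events that share a capability or
    infrastructure vertex with an attributed event; repeat until stable.
    Returns {event_id: adversary or None} without modifying the events."""
    attrib = {ev.event_id: ev.adversary for ev in events}
    changed = True
    while changed:
        changed = False
        by_cap, by_infra = {}, {}
        for ev in events:                      # index this round's attributions
            if attrib[ev.event_id]:
                by_cap.setdefault(ev.capability, set()).add(attrib[ev.event_id])
                by_infra.setdefault(ev.infrastructure, set()).add(attrib[ev.event_id])
        for ev in events:
            if attrib[ev.event_id]:
                continue
            linked = by_cap.get(ev.capability, set()) | by_infra.get(ev.infrastructure, set())
            if len(linked) == 1:               # refuse ambiguous links (e.g. a tool shared by several groups)
                attrib[ev.event_id] = next(iter(linked))
                changed = True
    return attrib

def kill_chain_timeline(events, attrib, adversary):
    """Order one adversary's attributed events by Kill Chain phase."""
    mine = [ev for ev in events if attrib[ev.event_id] == adversary]
    return [ev.event_id for ev in sorted(mine, key=lambda e: KILL_CHAIN.index(e.phase))]

if __name__ == "__main__":
    result = pivot_attribution(EVENTS)
    print(result)                                           # e5 stays None: no shared vertex
    print(kill_chain_timeline(EVENTS, result, "GROUP-A"))   # ['e1', 'e2', 'e3', 'e4']
```

Only e1 starts attributed; e2 is linked through the shared dropper, e3 through the shared domain, e4 through the shared RAT, while the unrelated scan in e5 is left unattributed rather than guessed.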

Conclusion

The CCST Cybersecurity exam covers these attack attribution models in the Incident Handling domain. The three models are described here in some detail, but the exam covers only the basics of them. Further study is needed if you want to go for additional certifications or job skills. I do have the CCST Cybersecurity certification and will be doing the CCNA Cybersecurity exam later this year.