Introduction: Thinking Like an Attacker
"If you know the enemy and know yourself, you need not fear the result of a hundred battles." — Sun Tzu, The Art of War (5th century BC)
Sun Tzu's ancient wisdom remains remarkably relevant in cybersecurity. To defend effectively, we must understand how attackers operate. This lesson introduces the frameworks and methodologies that structure our understanding of cyber attacks.
Modern cyber attacks aren't random chaos—they follow predictable patterns. By understanding these patterns, defenders can anticipate attacker moves, detect intrusions earlier, and break the attack chain before damage occurs.
🎯 Lesson Objectives
- Explain the seven stages of the Lockheed Martin Cyber Kill Chain
- Navigate and apply the MITRE ATT&CK framework for threat analysis
- Differentiate between various attack vectors and entry points
- Analyze real-world APT campaigns using attack frameworks
1. The Lockheed Martin Cyber Kill Chain
Developed by Lockheed Martin in 2011, the Cyber Kill Chain models the stages of a targeted attack. The key insight: breaking any single link stops the entire attack.
1.1 The Seven Stages
Reconnaissance
Attacker Goal: Gather information about the target
Activities: OSINT research, LinkedIn harvesting, DNS enumeration, port scanning, social media analysis
Example: Attacker finds employee emails on company website, discovers technologies from job postings
Defense: Limit public exposure, monitor for reconnaissance activity, employee privacy training
Weaponization
Attacker Goal: Create attack payload
Activities: Coupling exploit with backdoor, creating malicious documents, developing custom malware
Example: Attacker creates Word document with embedded macro that downloads RAT
Defense: Threat intelligence on emerging weapons, sandbox analysis
Delivery
Attacker Goal: Transmit weapon to target
Activities: Phishing emails, watering hole websites, USB drops, compromised supply chain
Example: Spear-phishing email to finance department with "Invoice.pdf.exe" attachment
Defense: Email filtering, web proxies, endpoint protection, security awareness training
Exploitation
Attacker Goal: Trigger the weapon
Activities: Exploiting software vulnerability, leveraging user action (clicking, enabling macros)
Example: User opens document, enables macros, code executes
Defense: Patch management, application whitelisting, disable macros, EDR
Installation
Attacker Goal: Establish persistence
Activities: Installing backdoor, RAT, creating scheduled tasks, modifying registry
Example: Malware adds itself to startup folder, creates scheduled task
Defense: Endpoint detection, file integrity monitoring, application control
Command & Control (C2)
Attacker Goal: Establish remote control channel
Activities: Beaconing to C2 server, encrypted tunnels, domain fronting, social media C2
Example: Malware connects to attacker server over HTTPS every 5 minutes
Defense: Network monitoring, DNS filtering, outbound traffic analysis, threat intelligence
Actions on Objectives
Attacker Goal: Achieve mission
Activities: Data exfiltration, ransomware deployment, lateral movement, destruction
Example: Attacker exfiltrates database, deploys ransomware across network
Defense: DLP, network segmentation, backup verification, incident response
💡 Real Example: The Sony Pictures Hack (2014)
Let's map the infamous Sony Pictures attack to the Kill Chain:
- Reconnaissance: Attackers researched Sony employees, infrastructure
- Weaponization: Created custom wiper malware "Destover"
- Delivery: Spear-phishing emails to employees
- Exploitation: Users clicked malicious links/attachments
- Installation: Backdoors installed across network
- C2: Communication with attacker infrastructure
- Actions: 100TB data exfiltrated, systems wiped, data leaked publicly
Impact: $100M+ in damages, executive resignations, unreleased films leaked
2. MITRE ATT&CK Framework
While the Kill Chain provides a linear view, MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) offers a comprehensive matrix of attacker behaviors observed in the wild.
2.1 Understanding ATT&CK Structure
ATT&CK Hierarchy
Tactics (the "why") → Techniques (the "how") → Sub-techniques (specific implementations) → Procedures (real-world examples)
2.2 The 14 Enterprise Tactics
| Tactic | Goal | Example Techniques |
|---|---|---|
| Reconnaissance | Gather information for planning | Active Scanning, Search Open Websites |
| Resource Development | Establish resources for operations | Acquire Infrastructure, Develop Capabilities |
| Initial Access | Get into the network | Phishing, Valid Accounts, Exploit Public-Facing App |
| Execution | Run malicious code | PowerShell, Command Line, User Execution |
| Persistence | Maintain foothold | Registry Run Keys, Scheduled Tasks, Boot Autostart |
| Privilege Escalation | Gain higher permissions | Exploitation, Access Token Manipulation |
| Defense Evasion | Avoid detection | Obfuscation, Disable Security Tools, Masquerading |
| Credential Access | Steal credentials | Brute Force, Credential Dumping, Keylogging |
| Discovery | Understand the environment | Network Scanning, Account Discovery, File Discovery |
| Lateral Movement | Move through network | Remote Services, Pass the Hash, SMB/Windows Admin |
| Collection | Gather target data | Data from Local System, Screen Capture, Email Collection |
| Command & Control | Communicate with compromised systems | Web Protocols, DNS, Encrypted Channel |
| Exfiltration | Steal data | Exfil Over C2, Exfil Over Web Service |
| Impact | Disrupt, destroy, or manipulate | Data Encrypted for Impact, Defacement, Wiper |
2.3 Using ATT&CK for Defense
🔍 Threat Intelligence
Map threat actors to their known techniques. If APT28 targets your sector, prioritize defenses against their documented TTPs.
📊 Gap Analysis
Map your detection capabilities to ATT&CK. Which techniques can you detect? Where are your blind spots?
🧪 Red Team Planning
Use ATT&CK to plan realistic attack simulations that test specific defensive capabilities.
📋 SOC Playbooks
Create detection rules and response procedures mapped to ATT&CK techniques for consistent handling.
💡 ATT&CK Technique Deep Dive: T1566 - Phishing
Tactic: Initial Access
Sub-techniques:
- T1566.001 - Spearphishing Attachment
- T1566.002 - Spearphishing Link
- T1566.003 - Spearphishing via Service
Detection: Monitor email gateways for suspicious attachments, analyze URLs in emails, user reporting of suspicious emails
Mitigations: User training (M1017), Antivirus (M1049), Network Intrusion Prevention (M1031)
3. Common Attack Vectors
An attack vector is the path or method used to gain access to a target. Understanding vectors helps prioritize defenses.
3.1 Primary Attack Vectors
Email (Phishing)
Prevalence: #1 attack vector (91% of attacks start with email)
Methods: Malicious attachments, credential harvesting links, BEC scams
Defense: Email gateway, sandboxing, DMARC/DKIM/SPF, user training
Web Applications
Prevalence: Growing rapidly with digital transformation
Methods: SQL injection, XSS, CSRF, file upload vulnerabilities
Defense: WAF, secure coding, penetration testing, input validation
Compromised Credentials
Prevalence: 61% of breaches involve credentials (Verizon DBIR)
Methods: Credential stuffing, brute force, password spraying, purchased credentials
Defense: MFA, password policies, credential monitoring, SSO
Remote Access Services
Prevalence: Surged during COVID-19 remote work shift
Methods: RDP brute force, VPN exploitation, exposed management interfaces
Defense: MFA on all remote access, VPN patching, no public RDP
Supply Chain
Prevalence: Most sophisticated attacks (SolarWinds, Kaseya)
Methods: Compromised software updates, third-party vendors, hardware implants
Defense: Vendor assessment, code signing, software composition analysis
Removable Media
Prevalence: Still used in targeted attacks (Stuxnet used USB)
Methods: Infected USB drives, USB drop attacks, autorun malware
Defense: Disable autorun, USB device control, endpoint protection
4. Advanced Persistent Threats (APTs)
APTs are sophisticated, long-term attack campaigns typically backed by nation-states or well-funded criminal organizations.
4.1 APT Characteristics
- Advanced: Use zero-days, custom malware, sophisticated techniques
- Persistent: Maintain access for months or years; return if detected
- Threat: Specific objectives (espionage, sabotage, financial theft)
4.2 Notable APT Groups
| Group | Aliases | Attribution | Targets | Notable Attacks |
|---|---|---|---|---|
| APT28 | Fancy Bear, Sofacy | Russia (GRU) | Government, Military, Media | DNC hack (2016), Bundestag |
| APT29 | Cozy Bear, The Dukes | Russia (SVR) | Government, Think Tanks | SolarWinds (2020) |
| APT41 | Winnti, Barium | China | Healthcare, Telecom, Gaming | Supply chain attacks |
| Lazarus | Hidden Cobra, Zinc | North Korea | Financial, Crypto, Media | Sony (2014), WannaCry, Bangladesh Bank |
| APT33 | Elfin, Refined Kitten | Iran | Aerospace, Energy | Shamoon attacks |
⚠️ APTs Targeting India
India faces significant APT activity, particularly from groups attributed to China and Pakistan:
- SideWinder: Targets military and government in India and South Asia
- Transparent Tribe: Focuses on Indian military and diplomatic entities
- Stone Panda (APT10): Economic espionage targeting Indian companies
In 2020, amid border tensions, India's power grid and critical infrastructure faced increased APT probing.
5. Legal Framework for Cyber Attacks in India
⚖️ Information Technology Act, 2000
Section 66: Computer-related offences - Imprisonment up to 3 years and/or fine up to ₹5 lakhs
Section 66B: Receiving stolen computer resource - Imprisonment up to 3 years and/or fine up to ₹1 lakh
Section 66C: Identity theft - Imprisonment up to 3 years and/or fine up to ₹1 lakh
Section 66D: Cheating by personation using computer resource - Imprisonment up to 3 years and/or fine up to ₹1 lakh
Section 66F: Cyber terrorism - Imprisonment for life
⚖️ Case Law: Shreya Singhal v. Union of India (2015)
The Supreme Court struck down Section 66A of the IT Act (which criminalized "offensive" online content) as unconstitutional for violating freedom of speech under Article 19(1)(a).
Relevance: While not directly about attacks, this case established important boundaries on cyber law and demonstrated that even security laws must respect constitutional rights.
Citation: (2015) 5 SCC 1
📝 Key Takeaways
The Cyber Kill Chain has 7 stages—breaking any link stops the attack
MITRE ATT&CK provides a comprehensive matrix of adversary TTPs for detection and defense planning
Email remains the #1 attack vector—91% of attacks start with phishing
APTs are sophisticated, patient, and persistent—they require advanced detection and response
Understanding attacker methodologies enables proactive, intelligence-driven defense
✅ Lesson Complete!
You now understand how attackers plan and execute cyber attacks. Next: Deep dive into malware analysis.