网络威胁情报：企业安全的必要手段

点击蓝字 关注我们

1. Stages of the Kill Chain: The Cyber Kill Chain comprises seven stages: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control (C2), and Actions on Objectives. Each stage represents a phase in the attack lifecycle, from initial scouting to achieving the attacker's goals.

杀伤链的阶段：网络杀伤链包含七个阶段：侦察（Reconnaissance）、武器化（Weaponization）、交付（Delivery）、利用（Exploitation）、安装（Installation）、命令与控制（Command and Control, C2）以及针对目标的行动（Actions on Objectives）。从最初的侦察到攻击者实现其目标，每个阶段代表了攻击生命周期中的一个环节。

 2. Visibility and Interruption: By breaking down the attack process into stages, the Kill Chain helps security teams identify opportunities to detect and interrupt attacks before they progress.

可见性与阻断：通过将攻击过程分解为不同阶段，杀伤链能够帮助安全团队识别在攻击推进之前检测和阻断攻击的机会。

1. Incident Response: The Cyber Kill Chain is invaluable during incident response, as it provides a framework for analysing and understanding the progression of an attack.

事件响应：网络杀伤链在事件响应中至关重要，因为它为分析和理解攻击的进展提供了框架。

2. Threat Detection and Prevention: Organizations can use the model to develop strategies that detect and prevent attacks at various stages of the Kill Chain.

威胁检测与预防：组织可以利用该模型制定策略，在杀伤链的不同阶段检测并预防攻击。

The Cyber Kill Chain is crucial for its ability to transform complex attack scenarios into manageable phases. By understanding each stage, organizations can implement targeted defences and improve their overall security posture. It emphasizes the importance of early detection and proactive measures, which are key to preventing successful breaches.

网络杀伤链的关键作用在于其能够将复杂的攻击场景分解为可管理的不同阶段。通过理解每个阶段，组织可以实施有针对性的防御措施，并提升整体安全态势。它强调了早期检测和主动措施的重要性，这些是防止成功入侵的关键。

1. Tactics and Techniques: ATT&CK is organized into tactics (the "why" of an attack) and techniques (the "how"), offering a granular view of adversary behavior.

策略与技术：ATT&CK框架分为策略（攻击的“why”）和技术（攻击的“how”），提供了对对手行为的细致分析。

2. Continuous Updates: The framework is regularly updated with new data, ensuring it reflects the latest threat landscapes and adversary strategies.

持续更新：该框架定期根据新数据进行更新，确保其反映最新的威胁态势和对手策略。

1. Threat Hunting: Security teams use ATT&CK to proactively hunt for threats by identifying patterns and behaviours associated with known adversaries.

威胁狩猎：安全团队利用ATT&CK框架主动搜寻威胁，通过识别与已知对手相关的模式和行为来发现潜在风险。

2. Security Assessment: Organizations leverage the framework to assess their current security measures and identify gaps in defenses.

安全评估：组织借助该框架评估当前的安全措施，并识别防御中的漏洞。

3. Training and Awareness: ATT&CK is a valuable resource for training security professionals, enhancing their understanding of adversary tactics and improving their response capabilities.

培训与意识提升：ATT&CK是培训安全专业人员的宝贵资源，能够帮助他们更好地理解对手策略并提升响应能力。

MITRE ATT&CK is vital for its ability to provide a structured approach to understanding and categorizing cyber threats. It enhances an organization's ability to detect, respond to, and mitigate attacks by offering a detailed understanding of adversary tactics and techniques. By aligning security strategies with real-world adversary behaviours, ATT&CK significantly strengthens an organization's cybersecurity posture.

MITRE ATT&CK之所以重要是因为其提供了一种结构化的方法来理解和分类网络威胁。通过详细描述对手的策略和技术，增强了组织检测、响应和缓解攻击的能力。通过将安全策略与现实世界的对手行为相结合，ATT&CK显著提升了组织的网络安全态势。

Image 3 ATT&CK Matrix for Black Basta

图3：勒索软件 Black Basta的ATT&CK矩阵

1. Levels of Indicators: The Pyramid of Pain categorizes indicators into levels, ranging from hash values to Tactics, Techniques, and Procedures (TTPs). Each level represents a different type of indicator, with varying degrees of difficulty for adversaries to change.

指标层级：痛苦金字塔将指标分为多个层级，从哈希值到战术、技术和程序（TTPs）。每个层级代表不同类型的指标，对手更改这些指标的难度各不相同。

2. Adversary Disruption: The model highlights that targeting higher-level indicators, such as TTPs, is more challenging for adversaries to alter, leading to greater disruption of their operations.

对手干扰：该模型强调，针对更高层次的指标（如TTPs）进行干扰，对对手来说更具挑战性，从而能够更有效地破坏其操作。

1. Indicator Prioritization: Organizations use the Pyramid of Pain to prioritize which indicators to focus on based on their potential impact on adversary operations.

指标优先级设定：组织依据“痛苦金字塔”模型，根据指标对对手行动可能产生的影响来确定应重点关注哪些指标的优先级。

2. Defensive Strategy Development: The model informs the development of defensive strategies that target the most impactful indicators, maximizing the effectiveness of security efforts.

防御策略制定：该模型为制定防御策略提供参考，指导将目标设定为最具影响力的指标，从而最大限度地提升安全防范工作的成效。

The Pyramid of Pain is crucial for its emphasis on targeting higher-level indicators to effectively disrupt adversary operations. By focusing on TTPs, organizations can complicate attackers' efforts and enhance the efficacy of their defensive measures. This strategic approach not only improves threat detection but also strengthens an organization's overall resilience against cyber threats.

痛苦金字塔至关重要，因为它强调以更高级别的指标为目标，从而有效地干扰对手的行动。通过聚焦于战术、技术与程序（TTPs），组织能够增加攻击者行动的难度，提升自身防御措施的效力。这种战略方法不仅能改进威胁检测能力，还能增强组织整体应对网络威胁的韧性。

Image 5 Pyramid of Pain for Black Basta

图5：勒索软件Black Basta的“痛苦金字塔”

1. Automation of Simulations: CALDERA enables automated simulations of cyberattacks, replicating tactics, techniques, and procedures (TTPs) used by real adversaries. This helps organizations identify vulnerabilities and evaluate the effectiveness of their defences.

模拟自动化：CALDERA 能够对网络攻击进行自动化模拟，复制真实对手所使用的战术、技术和程序（TTPs）。这有助于组织识别自身的安全漏洞，并评估其防御措施的有效性。

2. Based on MITRE ATT&CK: CALDERA is closely integrated with the MITRE ATT&CK framework, allowing it to utilize a comprehensive database of documented TTPs. This ensures that simulations are realistic and reflect current threats.

基于MITRE ATT&CK：CALDERA与MITRE ATT&CK框架紧密集成，使其能够利用一个记录详尽的战术、技术和程序（TTPs）综合数据库。这确保了模拟过程具有现实性，能够反映当前存在的各类威胁。

3. Customizable Scenarios: Users can create and customize specific attack scenarios to meet their needs, allowing for a more accurate assessment of their security systems.

可定制场景：用户可以创建并定制特定的攻击场景，以满足自身需求，从而更准确地评估其安全系统。

4. User-Friendly Interface: CALDERA offers an intuitive user interface that facilitates the configuration and execution of simulations, as well as the visualization of results and analysis.

用户友好界面：CALDERA提供直观的用户界面，便于用户配置和执行模拟操作，同时也有助于对结果进行可视化展示和分析。

5. Results Analysis: After executing a simulation, CALDERA provides detailed reports on the performance of defences, identifying areas for improvement and recommending corrective actions.

结果分析：完成模拟后，CALDERA 会提供有关防御措施表现的详细报告，指出需要改进的方面，并给出纠正措施建议。

1. Security Assessment: Organizations use CALDERA to evaluate the effectiveness of their current security measures and detect potential gaps before they can be exploited by real adversaries.

安全评估：组织利用 CALDERA 来评估其现有安全措施的有效性，并在真实对手利用潜在漏洞之前将其检测出来。

2. Training Security Teams: CALDERA can be used to train security teams in detecting and responding to attacks, improving their preparedness for real incidents.

安全团队培训：CALDERA 可用于对安全团队进行培训，使其掌握攻击检测与响应技能，提升他们对实际安全事件的应对能力。

3. Defense Strategy Development: By identifying the most effective tactics and techniques used by adversaries, organizations can develop more robust and adaptive defense strategies.

防御策略制定：通过识别对手使用的最有效战术和技术，组织能够制定更严密且更具适应性的防御策略。

CALDERA is a valuable tool for organizations seeking to improve their cybersecurity posture. By providing a platform to safely and controlled simulate real attacks, CALDERA allows organizations to identify and fix weaknesses in their systems before they can be exploited by attackers. Additionally, its integration with the MITRE ATT&CK framework ensures that the simulations are based on up-to-date and relevant data, which increases the relevance and effectiveness of the tests conducted.

对于希望提升自身网络安全态势的组织而言，CALDERA 是一款极具价值的工具。通过提供一个能安全且可控地模拟真实攻击的平台，CALDERA 使组织能够在攻击者利用系统漏洞之前，识别并修复系统中的漏洞。此外，其与MITRE ATT&CK框架的集成确保了模拟过程基于最新且相关的数据，从而提高了所开展测试的针对性和有效性。

Image 7 Caldera Interface

图7：Caldera 界面

● 

● 

● 

● 

● 

● 

● 

● 

● 

●