The Best Practices of Ethical Hacking: Frameworks for Every PenTester
Common Vulnerabilities and Exposures (CVE)
CVE stands for Common Vulnerabilities and Exposures. CVE is a glossary that classifies vulnerabilities. The glossary analyzes vulnerabilities and then uses the Common Vulnerability Scoring System (CVSS) to evaluate the threat level of a vulnerability. A CVE score is often used for prioritizing the security of vulnerabilities.
The CVE glossary is a project dedicated to tracking and cataloging vulnerabilities in consumer software and hardware. It is maintained by the MITRE Corporation with funding from the US Division of Homeland Security. Vulnerabilities are collected and cataloged using the Security Content Automation Protocol (SCAP). SCAP evaluates vulnerability information and assigns each vulnerability a unique identifier.
Once evaluated and identified, vulnerabilities are listed in the publicly available MITRE glossary. After listing, vulnerabilities are analyzed by the National Institute of Standards and Technology (NIST). All vulnerability and analysis information is then listed in NIST’s National Vulnerability Database (NVD).
The CVE glossary was created as a baseline of communication and source of dialogue for the security and tech industries. CVE identifiers serve to standardize vulnerability information and unify communication amongst security professionals. Security advisories, vulnerability databases, and bug trackers all employ this standard.
The Adversarial Tactics, Techniques, and Common Knowledge or MITRE ATT&CK is a guideline for classifying and describing cyberattacks and intrusions. It was created by the Mitre Corporation and released in 2013.
The framework consists of 14 tactics categories consisting of “technical objectives” of an The framework consists of 14 tactics categories consisting of “technical objectives” of an adversary. Examples include privilege escalation and command and control. These categories are then broken down further into specific techniques and sub-techniques.
The cyber kill chain
is a series of steps that trace stages of a cyberattack from the early reconnaissance stages to the exfiltration of data. The kill chain helps us understand and combat ransomware, security breaches, and advanced persistent attacks (APTs).
Lockheed Martin derived the kill chain framework from a military model – originally established to identify, prepare to attack, engage, and destroy the target. Since its inception, the kill chain has evolved to better anticipate and recognize insider threats, social engineering, advanced ransomware and innovative attacks.
How the Cyber Kill Chain Works
There are several core stages in the cyber kill chain. They range from reconnaissance (often the first stage in a malware attack) to lateral movement (moving laterally throughout the network to get access to more data) to data exfiltration (getting the data out). All of your common attack vectors – whether phishing or brute force or the latest strain of malware – trigger activity on the cyber kill chain.
Each stage is related to a certain type of activity in a cyber attack, regardless of whether it’s an internal or external attack:
- Reconnaissance: The observation stage: attackers typically assess the situation from the outside-in, in order to identify both targets and tactics for the attack.
- Intrusion: Based on what the attackers discovered in the reconnaissance phase, they’re able to get into your systems: often leveraging malware or security vulnerabilities.
- Exploitation: The act of exploiting vulnerabilities, and delivering malicious code onto the system, in order to get a better foothold.
- Privilege Escalation: Attackers often need more privileges on a system to get access to more data and permissions: for this, they need to escalate their privileges often to an Admin.
- Lateral Movement: Once they’re in the system, attackers can move laterally to other systems and accounts in order to gain more leverage: whether that’s higher permissions, more data, or greater access to systems.
- Obfuscation / Anti-forensics: In order to successfully pull off a cyberattack, attackers need to cover their tracks, and in this stage they often lay false trails, compromise data, and clear logs to confuse and/or slow down any forensics team.
- Denial of Service: Disruption of normal access for users and systems, in order to stop the attack from being monitored, tracked, or blocked
- Exfiltration: The extraction stage: getting data out of the compromised system.