CEHv12-01 - Basic cybersecurity concepts

Basic cybersecurity concepts

5 pillars of information assurance (IA)

graph LR;

A[Confidenciality];
B[Integrity];
C[Availability];

A --- B;
B --- C;
C --- A;

• CIA triad (iron triangle):
  • Confidenciality: avoid unauthorized users access to information.
  • Integrity: data has not been modified.
  • Availability: servers “are alive”.
• Authenticity + Non-repudiation:
  • Authenticity: verifies the sender’s identity and source of the message (proof of identity).
  • Non-repudiation: confirms the validity and legitimacy of the message (undeniable evidence of both authenticity and integrity).

Red team vs Blue team

• Corporate:

  • Red: attack (pentester, ethical hacker).
  • Blue: defend (threat hunters, SOC analyst).

• “For hire”:

  • Black-hat: “bad guy”.
  • White-hat: “good guy”.

Attacker motives, goals, and objectives

• Personal:
  • Curiosity.
  • Bravado - recognition.
• Political:
  • Hacktivism.
  • Cyberterrorist.
• Financial:
  • Money - Cybercrime:
    • Disrupt business.
    • Political motivations (state sponsored).

Attack classifications

• Passive:
  • “Have a look”, analyze what is it out in the open.
  • Very hard to detect, usually it can not be proved as something illegal.
    • e.g. open wirshark, listen to the network.
    • e.g. have a walk on AWS public buckets.
• Active:
  • Using tools to find weak spot, but not really probing for information.
  • e.g. nmap, vuln scan (metaexploit), DDoS, brute force login.
• Close-in:
  • “personal proximity” (shoulder surfing) or social engineerning.
• Insider:
  • Types:
    • Malicious insider (turn cloack): abuse priviledge, revenge.
    • Cafeless insider (pawn): manipulated.
    • Compromised insider (impostor): use compromised identity (e.g. taken from a pawn) to become insider.
  • Threats: plug device, steal hardware, the insider can perform social engineering.
• Distribution (supply chain):
  • Compromise a 3rd party software.

Information warfare

“Attempting to get competitive advantage through target IT systems”.

• Threat maps
• Types:
  • C2 systems (Command and Control): “set of organizational and technical attributes and processes that employs human, physical, and information resources to solve problems and accomplish missions”*.
  • Intelligence-based warfare (IBW): “design and protections of systems that seek sufficient knowledge to dominate the battlespace, and the denial of that knowledge to the adversary”.
  • Electronic warfare: damage their electronic systems.
  • Psychological warfare: demoralize, control narrative, fake news.
  • Economic warfare: attack finances, block payments and commerce (e.g. SWIFT system).
  • Cyber warfare: information terrorism, semantic attacks, APT (Advanced Persistent Threat), wargame to show strength.
• Strategies:
  • Defense:
    • Protection and prevention.
    • Alerts.
    • Responses, deterrence (AvR, Firewall).
      *Eemergency prepareness.
  • Offense:
    • Web attacks.
    • Systems hacking (Man in the middle, replay attacks, session hijacking).

Cyber kill chain

• Phases:
  1. Reconnaissance: Intruder selects target, researches it, and attempts to identify vulnerabilities in the target network.
  2. Weaponization: Intruder creates remote access malware weapon, such as a virus or worm, tailored to one or more vulnerabilities.
  3. Delivery: Intruder transmits weapon to target (e.g. via e-mail attachments, websites or USB drives).
  4. Exploitation: Malware weapon’s program code triggers, which takes action on target network to exploit vulnerability.
  5. Installation: Malware weapon installs an access point (e.g. “backdoor”) usable by the intruder.
  6. Command and Control: Malware enables intruder to have “hands on the keyboard” persistent access to the target network.
  7. Actions on Objective: Intruder takes action to achieve their goals, such as data exfiltration, data destruction, or encryption for ransom.

Tactics, Techniques and Procedures (TTP)

How do they attack (modus operandi):

• Tactic: highest-level description of this behavior.
  • Intiial goal, e.g. take off website.
• Technique: more detailed description of behavior in the context of a tactic.
  • How to implement that goal, e.g. DDoS attack.
• Procedure: even lower-level, highly detailed description in the context of a technique.
  • Step by step attack, e.g. use a certain tool.

Common adversarial behaviors

• What to look for:
  • Recon actions: scanning, enumerating and getting layout.
  • Strange batch files, scripts…
  • Control programmng languages and shell (logs), in case they are using built-in tools.
  • User Agent Strings
  • Webshells: file that will be parsed and executed as code by a webserver, which sends the results of back to the originator of the web request. Capabilities:
    • Command execution on both Windows and Linux platforms
    • File upload.
    • File download.
    • Archive creation and download.
    • Database query execution.
    • Database table dumping.
    • Executing code to create a network connection back to an attacker-controlled machine (a “reverse shell”).
  • Malicious C2: learn IP or domains from malicious ones.
  • DNS tunnels, data exfiltration, firewall bypass: dnscat2, iodine.
• Remember: keep an eye on logging and monitoring! Backups can save your life!

Threat hunting concepts

• Threat hunting: proactive approach to identifying previously unknown, or ongoing non-remediated threats, within an organization’s network.
  • Average time to detect and contain is 287 days.
  • Steps:
    1. The Trigger: it points threat hunters to a specific system or area of the network for further investigation when advanced detection tools identify unusual actions that may indicate malicious activity. Often, a hypothesis about a new threat can be the trigger for proactive hunting (e.g. a security team may search for advanced threats that use tools like fileless malware to evade existing defenses).
    2. Investigation: use technology such as EDR (Endpoint Detection and Response) to take a deep dive into potential malicious compromise of a system. The investigation continues until either the activity is deemed benign or a complete picture of the malicious behavior has been created.
    3. Resolution: communicating relevant malicious activity intelligence to operations and security teams so they can respond to the incident and mitigate threats.
• After a breach:
  • Indicator of compromise (IoC in computer forensics): artifact observed on a network or in an operating system that, with high confidence, indicates a computer intrusion.
    • Examples: virus signatures and IP addresses, MD5 hashes of malware files, URLs or domain names of botnet command, control servers, anomalies in priviledged user activity, login failed activity, service account running as user, geolocation abnormalities.
    • After IoCs have been identified via a process of incident response and computer forensics, they can be used for early detection of future attack attempts using intrusion detection systems and antivirus software.
    • Bits (elements):
      • Atomic: weird DNS.
      • Computer: C2 agent: verify via hash value system.
      • Behavioural: “weird stuff doing weird stuff” (e.g. macro connecting to weird place).
    • Artifact categories:
      • Network IOCs: signal suspicious activity on a network, like domains, IP addresses, and URLs known to be malicious.
        • Examples: unusual traffic behavior, such as an increase in web traffic to a specific website.
        • Remediation: network monitoring tools like security information and event management (SIEM) solutions and intrusion detection systems (IDS).
      • File-based: malicious downloads or malware has infected system files.
        • Remediation: sandboxing tools or endpoint detection and response (EDR) software scan files for known malicious file hashes, paths, or filenames.
      • Behavioral IOCs draw from deviations in normal activities and patterns.
        • Examples: privilege escalation, numerous requests for the same file, repeated login attempt failures.
        • Remediation: user and entity behavior analytics (UEBA) solutions monitor user and device communication patterns for suspicious behavior that differs from an established baseline.
      • Host-based: potentially malicious activity on individual computers, systems, or other endpoints.
        • Examples: unexpected changes to system settings, changes in system permissions, suspicious processes running on a device.
        • Remediation: monitor endpoints for threats and manage host-based IOCs, EDR or extended detection and response (XDR) tools can be employed.
    • Email analysis example: look for artifacts (headers).

      # look headers (atomic)
      nano email.eml
      # check hashes
      md5sum email.eml
      sha1sum email.eml
      # copy to changed extension to check hashes
      cp email.eml notmalicious.txt
      md5sum notmalicious.txt
      # the hash should be the same as before changing name

      • Network.
      • Host based behaviour.

Risk and risk management

Threat + vulnerabilty + asset_value = risk.

• Risk: probability of a negative impact to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation due to the potential for unauthorized access, use, disclosure, disruption, modification, or destruction of information and/or information systems.
  • A risk matrix: matrix used during risk assessment to define the level of risk by considering the category of probability or likelihood against the category of consequence severity (severity levels, taking into account probablily vs impact: low, medium, high, critical).
  • Risk management: the identification, evaluation, and prioritization of risks (defined in ISO 31000 as the effect of uncertainty on objectives) followed by coordinated and economical application of resources to minimize, monitor, and control the probability or impact of unfortunate events or to maximize the realization of opportunities.
    • Identification: after establishing the context, the next step in the process of managing risk is to identify potential risks. Risks are about events that, when triggered, cause problems or benefits. Hence, risk identification can start with the source of problems and those of competitors (benefit), or with the problem’s consequences.
    • Assessment: once risks have been identified, they must then be assessed as to their potential severity of impact (generally a negative impact, such as damage or loss) and to the probability of occurrence. These quantities can be either simple to measure, in the case of the value of a lost building, or impossible to know for sure in the case of an unlikely event, the probability of occurrence of which is unknown.
    • Treatment: once risks have been identified and assessed, all techniques to manage the risk fall into one or more of these four major categories:
      • Avoidance (eliminate, withdraw from or not become involved).
      • Reduction (optimize – mitigate).
      • Sharing (transfer – outsource or insure).
      • Retention (accept and budget).

Cyber threat intelligence

• Cyber Threat Intelligence (CTI): knowledge, skills and experience-based information concerning the occurrence and assessment of both cyber and physical threats and threat actors that is intended to help mitigate potential attacks and harmful events occurring in cyberspace. Source can be Human Intelligence, Open Source INTelligence (OSINT) or vendors.
  • Tactical: technical intelligence (including Indicators of Compromise such as IP addresses, file names, or hashes) which can be used to assist in the identification of threat actors.
  • Operational: details of the motivation or capabilities of threat actors, including their tools, techniques and procedures.
  • Strategic: intelligence about the overarching risks associated with cyber threats which can be used to drive high-level organizational strategy.

Threat modeling

Threat modeling is a process by which potential threats, such as structural vulnerabilities or the absence of appropriate safeguards, can be identified and enumerated, and countermeasures prioritized.

1. Identify security objectives:
   • What needs to be secured.
   • Which regulation applies.
2. Application overview (mapping: OWASP Threat Dragon) or STRIDE ()):
   • Identify roles.
   • Users scenarios (also missuse).
   • Platform (OS, networks).
   • Security (sanitization, input validation, encryption).

Threat	Desired property	Threat Definition
Spoofing	Authenticity	Pretending to be something or someone other than yourself
Tampering	Integrity	Modifying something on disk, network, memory, or elsewhere
Repudiation	Non-repudiability	Claiming that you didn’t do something or were not responsible; can be honest or false
Information disclosure	Confidentiality	Someone obtaining information they are not authorized to access
Denial of service	Availability	Exhausting resources needed to provide service
Elevation of privilege	Authorization	Allowing someone to do something they are not authorized to do

Incident management handling and response

Basic terminology:

• Incident: event that could lead to loss of, or disruption to, an organization’s operations, services or functions.
• Incident management (IcM): term describing the activities of an organization to identify, analyze, prioritize and correct hazards to prevent a future re-occurrence.
• Incident Response Team (IRT), emergency response team (ERT): is a group of people who prepare for and respond to an emergency, such as a natural disaster or an interruption of business operations. Incident response teams are common in public service organizations as well as in other organizations, either military or specialty. This team is generally composed of specific members designated before an incident occurs, although under certain circumstances the team may be an ad hoc group of willing volunteers.
• Triage: analyze, confirm, categorize and prioritize security incidents.

Tools:

• Playbooks.
• Logs and documentation.
• Digital Forensic software: find compromise indicators.
  • Write blockers: be forensincly sound, “admitted in court”.
• REMnux

Notification: who needs to know in order to contain:

• Management.
• Third party involved.
• Client affected.

Erradication: “Bag and tag”: send to collection team (eh. keep hard drive) and start remediation:

• Patch vulnerabilty.
• Training.

Recovering:

• Reinstall machines if required, send back assets.
• After-action meeting and documentation: what went right, what went wrong.
• Create new prcedures.

ML and AI

• ML: Machine learning (ML) is a field of inquiry devoted to understanding and building methods that ‘learn’, that is, methods that leverage data to improve performance on some set of tasks.
  • Learning techniques:
    • Supervised learning: give them labeled datasets, so agents learn to classify data, and discern relationships (regression: predict outcome).
    • Unsupervised learning: give them unlabeled datasets, look for patterns.
  • Problems:
    • Clustering: grouping unlabelled data based on similarities and diferences (“this is a cup, this is not a cup”).
    • Association: discover relationships between variables on a dataset. Connection and trends (e.g. Amazon: “people who bought this also bought…”).
    • Dimensionality reduction: reducing high number of data inputs into manageable sizes (e.g. clean up image based on statistics, like “based on the colour, this part of the picture is the face of a person”).
• AI: intelligence demonstrated by machines, as opposed to the natural intelligence displayed by animals and humans. AI research has been defined as the field of study of intelligent agents, which refers to any system that perceives its environment and takes actions that maximize its chance of achieving its goals.

Standards and regulations

Guidelines and boundaries.

Legal systems

Categories of legal systems in World (may be mixed):

1. Common law
   • Unwritten laws based on legal precedents established by the courts.
     • Civil law (in common law): focuses on dispute resolution and victim compensation for individuals and organizations.
     • Criminal law: includes the punishment and rehabilitation. Proscribes conduct threatening, harmful, or otherwise endangering to the property, health, safety, and moral welfare of people inclusive of one’s self
2. Civil law: codified statutes and legal codes predominate.

PCI DSS

Payment Card Industry Data Security Standard: applies to organizations that card payments and all entities involved in the process of card payment.

• Global data security standard.

• Common sense steps presenting best security practices.

• Requires tester to notify organization if cardholder data is accessed during a penetration test

• Resources: official guide and simpler version.

• PCI DSS Requirements

  • Build and maintain a secure network:
    • (1) Install and maintain a firewall.
    • (2) Do not use vendor-supplied defaults for any security parameters (e.g. passwords).
  • Protect cardholder data:
    • (3) Protect stored data:
      • Storing cardholder data is discouraged, but if stored it must be encrypted or hashed.
      • Never store sensitive data on the magnetic stripe or chip including PIN and CAV2 / CVC2 / CVV2 / CID.
    • (4) Encrypt transmission of cardholder data across public networks.
  • Maintain a vulnerability management program:
    • (5) Use and regularly update anti-virus software.
    • (6) Develop and maintain secure systems and applications.
  • Implement strong access control measures:
    • (7) Restrict access to cardholder data by business need-to-know.
    • (8) Assign a unique ID to each person with computer access.
    • (9) Restrict physical access to cardholder data.
      • Store media back-ups in a secure location, preferably off site.
      • Review and confirm that back-up media is secure at least annually.
  • Regularly monitor and test networks:
    • (10) Track and monitor all access to network resources and cardholder data.
    • (11) Regularly test security systems and processes.
      • (11.1) Test presence of wireless access points on a quarterly basis.
      • (11.2) Network vulnerability scans at least quarterly and after any significant change.
      • (11.3) Penetration testing at least once a year and after any significant change.

• Maintain an information security policy:

  • (12) Maintain a policy that addresses information security.

ISO/IEC 27000-series

Set of worldwide information security standards, also known as ISMS Family of Standards or ISO27K. ISO (International Standard for Standardization) /IEC (International Electrotechnical Commission). Use the free version to learn (2013).

• ISO/IEC 27001

  • Titled as []”Information technology - Security Techniques - Information security management systems — Requirements”](https://www.iso.org/standard/27001).
  • Defines requirements for the organization’s information security management system..
  • Applies a risk management process.
  • Used:
    • To create security requirements and objectives.
    • To ensure the cost efficiency of managing the security risks.
    • To ensure that laws and regulations are followed.
    • For defining new information security processes.
    • For identifying and clarifying existing information security processes.
    • For determining the status of information security management activities in an organization.
    • For implementing business information security.
    • For providing relevant security information to customers.

• ISO/IEC 27002

  • Titled as “Information technology – Security techniques – Code of practice for information security controls”.
  • Information security controls to enforce best-practices.
  • Includes controls for Access Control, Cryptography, Physical and environmental security…

HIPAA

• Health Insurance Portability and Accountability Act.

• Provides data privacy and protection of medical information.

• Specifies administrative, physical, and technical protection for all entities involved.

• Initially created to protect people from losing their health insurance e.g. when changing jobs.

  • Extended to reduce costs and administrative burdens of healthcare transactions.

• HIPAA transactions

  • Healthcare transaction:
    • A transaction is an electronic exchange of information between two parties to carry out financial or administrative activities related to health care.
    • Usually represented by claims and enrollment data.
    • E.g. a health care provider will send a claim to a health plan to request payment for medical services.
  • Standard transactions:
    • Adopted standard by HSA (U.S. Health & Human Services) under HIPAA.
    • Include payment and remittance advice, claims status, eligibility, premium payment, enrollment and disenrollment, referrals and authorizations.

• HIPAA rules

  • Electronic transaction and code sets standards every provider who performs electronic transactions needs to use the same health care transactions, codes, and identifiers.
  • Security rule which ensures the confidentiality, integrity, and security of health information.
  • Enforcement rule: details provisions in regard to the compliance, investigations, violations, and hearing procedures.
  • Privacy rule: protects a person’s health information and defines who has the access to the information. Controls include:
  • Administrative safeguards: such as performing risk analysis, employee training, security policies and procedures, business associate agreements.
    • Physical safeguards such as access controls, policies for workstations (e.g. laptops), workstation security.
    • Technical safeguards such as access control, audit control, integrity control, transmission security.
  • National identifier requirements:
    • National Provider Identifier (NPI): A 10-digit number used for covered healthcare providers
    • National Health Plan Identifier (NHI): An identifier that is used for identifying health plans.
    • Employer Identifier Standard: A number that identifies employers on standard transactions.

FISMA

• Federal Information Security Management Act
• US legislation that regulates federal data security standards and guidelines.
• Protects government information, operations and assets against various threats.
• Provides standards for:
  • Categorizing information and information systems by mission impact.
  • Minimum security requirements for information and information systems.
• Provides guidance for:
  • Choosing appropriate security controls for information systems.
  • Assessing security controls in information systems.
  • The security authorization of information systems.

NIST SP 800-53

• Shorthand for National Institute of Standards and Technology Special Publication 800-53.
• Security and privacy controls for federal information systems and organization.
• Guidelines to assist in FISMA compliance.

Sarbanes-Oxley act

• Sarbanes Oxley or SOX act.
• US federal law which protect investors by making corporate disclosures more reliable and accurate.
• Regulates what records organizations must keep and for how long (e.g. banks need to save financial reports for a very long time).
• The act contains 11 titles:
  1. Public company accounting oversight board.
  2. Auditor independence.
  3. Corporate responsibility.
  4. Enhanced financial disclosures.
  5. Analyst conflicts of interest.
  6. Commission resources and authority.
  7. Studies and reports.
  8. Corporate and criminal fraud accountability.
  9. White-collar-crime penalty enhancement.
  10. Corporate tax returns.
  11. Corporate fraud accountability.

DMCA

• Digital Millennium Copyright Act: copyright laws in the USA which implements:
  • WIPO (World Intellectual Property Organization) Copyright Treaty
  • WIPO Performances and Phonograms Treaty
• Against theft of intellectual property (e.g. platforms must act as they can not benefit from what is yours, most platforms have copyright notice that you can issue).
• Act contains five titles:
  1. WIPO Treaty Implementation.
  2. Online Copyright Infringement Liability Limitation.
  3. Computer maintenance or repair.
  4. Miscellaneous provisions.
  5. Protection of certain original designs.

COBIT

• Framework created by ISACA for information technology (IT) management and IT governance.
• Helps companies follow law, be more agile and earn more.
• Links business and IT.
• Ties in with COSO, ITIL, BiSL, ISO 27000, CMMI, TOGAF and PMBOK.
• Defines processes for the management of IT
  1. Evaluate, Direct and Monitor (EDM).
  2. Align, Plan and Organize (APO).
  3. Build, Acquire and Implement (BAI).
  4. Deliver, Service and Support (DSS).
  5. Monitor, Evaluate and Assess (MEA).
• Components include:
  • Framework: Link IT objective and best practices to business requirements.
  • Process descriptions: Process model to build common language for planning, building, running and monitoring.
  • Control objectives: High-level requirements to be considered by management.
  • Management guidelines: Helps assign responsibility, agree on objectives, measure performance, and illustrate interrelationship with other processes.
  • Maturity models: Assesses maturity and capability per process and helps to address gaps.

EU Laws

• SCCs

  • Standard Contractual Clauses.
  • Contract between an EU based data exporters and a non-EU-based data importers.
  • Protects personal data sent from the European Union (EU) to countries with lower level of data protection rights.
  • Ensures GDPR requirements in territories which are not considered to offer adequate protection to the rights and freedoms of data subjects.

• EU–US Privacy Shield

  • Framework for regulating exchanges of personal data for commercial purposes between the European Union and the United States.
  • Enables US companies to more easily receive personal data from EU entities.
  • Became invalid in 16 July 2020 as it did not protect EU citizens on government snooping.

• Safe Harbor

  • Also known as International Safe Harbor Privacy Principles, Safe Harbour Privacy Principles, Safe Harbour decision.
  • Signed between US and EU to prevent customer data leakage from private organizations.
  • Seven principles include: notice, choice (can opt out), onward transfer (only share with compliant companies), security, data integrity, access (can be accessed and deleted by individuals), enforcement.
  • Abolished in October 2015 and replaced with EU–US Privacy Shield.

• GDPR

  • Regulates data processing of EU citizens (UK DPA is similar, they had it after Brexit).
  • Applies in EU and outside of EU if personal data is collected from EU.
  • Requires consent to collect data.
  • Privacy by design: Enforces privacy and security measures.
  • Gives rights such as:
    1. Right to be informed.
    2. Right of access.
    3. Right to rectification.
    4. Right to erasure (right to be forgotten).
    5. Right to restrict processing.
    6. Right to data portability.
    7. Right to object.
    8. Right in relation to automated decision making and profiling.

• Common Criteria (ISO/IEC 15408)

  • Standard for computer security certification.
  • Tests to evaluate vendor claims of security about its products.
  • Four aspects to the of evaluation.
    • TOE: the system being tested.
    • ST (security target): documentation describing the TOE and requirements.
    • PP (protection profile).
      • The requirements for the type of product being tested).
      • The evaluation assurance level (EAL, the rating level, ranked from 1 to 7).

Other laws, standards and regulations

• RFC 1918: Private IP Standard.
• RFC 3227: Collecting and storing data.
• CAN-SPAM act: Email marketing.
• GLBA:
  • Gramm-Leach-Bliley Act.
  • Requires financial institutions to take steps to protect customer information.
• FERPA: Education Records.

CEH hacking methodology

Phases:

1. Reconnaissance (footprinting, preliminar research): technique used for gathering information about computer systems and the entities they belong to.
   • Passive Footprinting is the process of gathering information on a target by innocuous, or, passive, means.
   • Active Footprinting is the process of using tools and techniques, such as performing a ping sweep or using the traceroute command, to gather information on a target.
2. Scanning (technical scan, map resources).
3. Gaining access.
   • Password spraying attack: type of brute force attack. In this attack, an attacker will brute force logins based on list of usernames with default passwords on the application.
   • Vulnerability assessment: process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a system. Examples of systems for which vulnerability assessments are performed include, but are not limited to, information technology systems, energy supply systems, water supply systems, transportation systems, and communication systems.
   • Vulnerability exploitation: an exploit is a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug or vulnerability to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic (usually computerized)..
   • Priviledge escalaton: act of exploiting a bug, a design flaw, or a configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user.
   • Session hijack, DoS attacks.
4. Maintaining access.
   • Executing applications.
   • Hiding files.
5. Covering tracks.
   • Clearing logs.

MITRE ATT&CK Framework

MITRE ATT&CK: globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.

Diamond model of intrusion analysis

Model used by information security professionals to authenticate and track cyber threats.

graph LR;

A[Adversary];
B[Infrastructure];
C[Capability];
D[Victim];

A --- B;
A --- C;
B --- C;
B --- D;
C --- D;

Core features:

1. Adversary: The threat actor, attacker or group responsible for a cyber incident (operator and customer).
2. Infrastructure: The technical resources or assets the adversary uses during the attack (e.g., servers, domains, and IP addresses).
   • Type 1: managed by the adversary.
   • Type 2: owned by third party, but used by the adversary to attack (e.g. random IOT unsecure device from unsuspecting party, like a smart dishwasher).
3. Capability: A method, tool, or technique the adversary uses during the attack (e.g., arsenal of malware or exploits).
4. Victim: The individual or organization the adversary targets during the attack.

Relationships:

• Adversary-victim: The interaction between the attacker and target. This relationship concerns questions such as why the attacker selected this target and the attacker’s motivations and objectives.
• Adversary infrastructure: The attacker uses various technical resources and assets. This relationship concerns how the attacker establishes and maintains its cyber operations.
• Victim-infrastructure: The target’s connection to the attacker’s technical resources. This relationship concerns the attacker’s use of various channels, methods, and vectors against the target.
• Victim-capability: The target’s connection to the attacker’s tools and techniques. This relationship concerns specific tactics and attack signatures used against the target.

Important meta-features:

• Timestamp: when did it happen.
• Phases: name and group with different timestamps.
• Results: what did the adversary acomplished (apply CIA triangle).
• Direction: relationship direction (victom to infrastructure, or infrastructure to victim?).
• Resources: what was required for the event to happen? (access, funding, tools…)