This guide is currently under development, and I greatly welcome any suggestions or feedback at reaper.gitbook@gmail.com

Testing Frameworks

Beyond methodologies, security professionals use specialized frameworks to understand and model adversary behavior, providing structured approaches to threat analysis and attack simulation.

MITRE ATT&CK Framework

The MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations.

Structure:

  • Tactics: The "why" of an attack technique (what the adversary is trying to achieve)

  • Techniques: The "how" of an attack (the method used to achieve tactical goals)

  • Sub-techniques: More specific descriptions of adversarial behavior

Key Matrices:

  • Enterprise: Covers Windows, macOS, Linux, and cloud environments

  • Mobile: Focuses on Android and iOS platforms

  • ICS: Industrial Control Systems and operational technology

Use Cases:

  • Red team planning and simulation

  • Threat hunting and detection development

  • Security gap analysis and control validation

  • Adversary emulation and purple team exercises

Active Directory Attack Kill Chain

The AD Kill Chain specifically models attacks against Active Directory environments, which are common in enterprise networks.

Phases:

  1. Reconnaissance: Enumerate AD structure, users, groups, and trusts

  2. Initial Access: Gain foothold through credential theft or service exploitation

  3. Privilege Escalation: Elevate permissions within the domain

  4. Lateral Movement: Move between systems using AD protocols and services

  5. Persistence: Establish lasting access through AD modifications

  6. Domain Dominance: Achieve full control over the AD environment

  7. Data Exfiltration: Extract sensitive information from domain resources

Common Attack Paths:

  • Kerberoasting and ASREPRoasting

  • Pass-the-Hash and Pass-the-Ticket attacks

  • Golden and Silver Ticket generation

  • DCSync and DCShadow techniques
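The ATT&CK hierarchy described above (tactics, techniques, sub-techniques) is what makes the "security gap analysis" use case mechanical: tag each detection rule with the technique IDs it covers, then count coverage per tactic. The script below, an added example and not part of the original guide, does this for the AD attack paths just listed. The technique and sub-technique IDs and tactic names are taken from MITRE ATT&CK Enterprise; the detection-rule inventory is a constructed sample, and treating a parent-technique tag as covering all of its sub-techniques is a modelling choice, not an ATT&CK rule.

```python
# Added example, not from the original guide. Technique/sub-technique IDs and tactic
# names are from MITRE ATT&CK Enterprise; DETECTIONS is a constructed rule inventory.

# ATT&CK hierarchy for the page's AD attack paths: technique -> (name, tactics, subs).
ATTACK = {
    "T1558": ("Steal or Forge Kerberos Tickets", ["Credential Access"],
              {"T1558.001": "Golden Ticket", "T1558.002": "Silver Ticket",
               "T1558.003": "Kerberoasting", "T1558.004": "AS-REP Roasting"}),
    "T1550": ("Use Alternate Authentication Material", ["Defense Evasion", "Lateral Movement"],
              {"T1550.002": "Pass the Hash", "T1550.003": "Pass the Ticket"}),
    "T1003": ("OS Credential Dumping", ["Credential Access"], {"T1003.006": "DCSync"}),
    "T1207": ("Rogue Domain Controller", ["Defense Evasion"], {}),  # DCShadow
}

# Constructed sample: detection rules tagged with the ATT&CK IDs they are meant to cover.
DETECTIONS = [
    {"rule": "RC4 TGS requests for service accounts", "covers": ["T1558.003"]},
    {"rule": "Directory replication request from non-DC host", "covers": ["T1003.006"]},
    {"rule": "Alternate-credential logon anomalies", "covers": ["T1550"]},
]

def covered_ids(detections):
    """Set of covered IDs; a parent-technique tag also covers all its sub-techniques."""
    covered = set()
    for tid in (t for rule in detections for t in rule["covers"]):
        covered.add(tid)
        covered.update(ATTACK[tid][2] if tid in ATTACK else ())
    return covered

def coverage_by_tactic(detections):
    """{tactic: (covered, total)} counting each technique and its sub-techniques."""
    covered, stats = covered_ids(detections), {}
    for tid, (_, tactics, subs) in ATTACK.items():
        ids = [tid, *subs]
        for tactic in tactics:  # a technique under two tactics counts toward both
            done, total = stats.get(tactic, (0, 0))
            stats[tactic] = (done + sum(i in covered for i in ids), total + len(ids))
    return stats

def gaps(detections):
    """Sorted (ID, name) pairs for techniques and sub-techniques with no detection."""
    covered = covered_ids(detections)
    names = {tid: t[0] for tid, t in ATTACK.items()}
    for _, _, subs in ATTACK.values():
        names.update(subs)
    return sorted((i, n) for i, n in names.items() if i not in covered)

if __name__ == "__main__":
    print(coverage_by_tactic(DETECTIONS))
    print(gaps(DETECTIONS))
```

With the sample rules, Credential Access is the weakest tactic (2 of 7 IDs covered) and the Golden/Silver Ticket and DCShadow paths have no detection at all, which is the kind of result a purple-team exercise would use to prioritize new detection engineering.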

Cyber Kill Chain

Originally developed by Lockheed Martin, the Cyber Kill Chain describes the stages of a cyberattack from initial reconnaissance to final objectives.

Seven Phases:

  1. Reconnaissance: Research and identify targets

  2. Weaponization: Create malicious payload or exploit

  3. Delivery: Transmit the weapon to the target

  4. Exploitation: Execute code on the victim's system

  5. Installation: Install malware on the target system

  6. Command and Control: Establish remote control channel

  7. Actions on Objectives: Achieve intended goals (data theft, destruction, etc.)

Benefits:

  • Linear progression model that is easy to understand

  • Helps identify defensive opportunities at each stage

  • Widely recognized in the cybersecurity industry

  • Useful for incident response and threat analysis

Limitations:

  • Linear model may not reflect modern attack complexity

  • Less detailed than MITRE ATT&CK for specific techniques

  • May oversimplify advanced persistent threats

These frameworks complement testing methodologies by providing structured ways to think about adversary behavior, plan attack simulations, and evaluate defensive capabilities. They help penetration testers adopt an adversarial mindset and ensure comprehensive coverage of potential attack vectors.
