# Attack Chains

## Overview

Attack Chains help demonstrate exactly what an attacker is doing at every step of the way, as a simple, easy-to-understand visual story. They help clients understand attack paths and focus remediation where it's needed.

> Building Attack Chains can provide extra information to help customers and developers prioritise focus areas for remediation, without relying on traditional risk ratings or scores.

Attack Chains help to identify ways to block attacks from being chained together, and to prioritise the core issues with the least effort and resources.

<figure><img src="https://372186556-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M8s1QY2Q6YTHB4a6DMu%2Fuploads%2F6E6OTRjqKlbc0LJY9G20%2FScreenshot%202024-06-20%20at%207.54.01%E2%80%AFPM.png?alt=media&#x26;token=8a9de67d-dfb6-4062-86a1-2a3e4518f9a7" alt=""><figcaption></figcaption></figure>

## Creating Attack Chains

To create an attack chain, you must have Edit permissions on your project.

From your project dashboard, select Attack Chains then click on `Add`.

### Step 1: Define Attack Objective

This is where you define the objective an attacker can achieve as part of this attack chain. Keep this as high-level as possible and relatable to the business or customers.

<figure><img src="https://372186556-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M8s1QY2Q6YTHB4a6DMu%2Fuploads%2FncobGQW08KKI8e7W5d8C%2FScreenshot%202024-06-20%20at%208.00.21%E2%80%AFPM.png?alt=media&#x26;token=8185b8f3-0a39-407e-898e-2beee4b6cbb3" alt=""><figcaption></figcaption></figure>

### Step 2: Define Initial Attack Vector

The first link in the attack chain usually starts with the attacker. You can select an External Attacker (e.g. outside the customer network/environment) or an Internal Attacker (e.g. inside the customer network/environment).

You also need to define how the attacker is initiating the attack. This helps organisations better understand the context of where the attacker is coming from, e.g. opportunistic (stumbled across a web application), rogue employee or insider threat, etc.

<figure><img src="https://372186556-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M8s1QY2Q6YTHB4a6DMu%2Fuploads%2FU6saOJkxB3Vjq6LVl8bX%2FScreenshot%202024-06-20%20at%208.01.04%E2%80%AFPM.png?alt=media&#x26;token=9040605a-7d09-42b0-b33d-935136d52baf" alt=""><figcaption></figcaption></figure>

### Step 3: Add Links to the Chain

You can add any combination of links to the chain. This is where you build the chain to reach the objective defined in Step 1.

The links currently supported include:

* **Attacker** - Either an internal or an external attacker. Can be used to demonstrate how an external attacker breaches the perimeter and becomes an internal attacker.
* **Victim** - Can be used if introducing a social engineering component to your attack chain.
* **Defender** - Can be used if introducing a blue-team component to your attack chain.
* **Action** - Used when defining what actions are being performed by an actor in the chain.
* **Vulnerability** - Used to link to a vulnerability discovered on the project.
* **Device** - Can be used to reference a device which is targeted or leveraged as part of the attack chain.
* **Server** - Can be used to reference a server which is targeted or leveraged as part of the attack chain.
* **Database** - Can be used to reference a database which is targeted or leveraged as part of the attack chain.
* **Flag** - Used to identify that an attacker has reached the end objective (defined in Step 1), or an interim objective on the way to reaching the end goal.

<figure><img src="https://372186556-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M8s1QY2Q6YTHB4a6DMu%2Fuploads%2FSfWnPeymOwQ6e2t0Yq8P%2FScreenshot%202024-06-20%20at%208.02.17%E2%80%AFPM.png?alt=media&#x26;token=9f259795-71bb-47bc-8286-51b83cc92e43" alt=""><figcaption></figcaption></figure>

Once your links have been added, you should have a completed attack chain that you can save.

Attack Chains can be viewed by any team member on the project by clicking on Attack Chains from the project menu. They are also included in the reports.
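To show how chains built from the link types above can drive remediation priority, the following added example (not AttackForge code and not its API) models chains as ordered links and ranks the vulnerabilities whose fixes break the most chains. The `Link`, `AttackChain` and `remediation_order` names, the sample chains, and the rule that fixing one Vulnerability link breaks its chain are all assumptions made for illustration.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Link:
    kind: str    # one of the link types listed above, e.g. "Vulnerability"
    label: str

@dataclass
class AttackChain:
    objective: str   # Step 1; assumed unique per chain in this sketch
    links: list      # Steps 2-3, in order

def remediation_order(chains):
    """Greedy set cover: repeatedly pick the vulnerability whose fix breaks the
    most still-intact chains. Assumes fixing any one Vulnerability link in a
    chain is enough to break that chain."""
    intact = {c.objective: {l.label for l in c.links if l.kind == "Vulnerability"}
              for c in chains}
    order = []
    while any(intact.values()):
        counts = Counter(v for vulns in intact.values() for v in vulns)
        best = max(sorted(counts), key=counts.get)   # ties: alphabetical
        broken = sorted(o for o, vulns in intact.items() if best in vulns)
        order.append((best, broken))
        for objective in broken:
            del intact[objective]
    return order

# Constructed sample chains, not taken from any real project.
CHAINS = [
    AttackChain("Access customer PII", [
        Link("Attacker", "External attacker (opportunistic)"),
        Link("Vulnerability", "Weak password policy"),
        Link("Action", "Log in as support user"),
        Link("Vulnerability", "SQL injection in search"),
        Link("Database", "Customer DB"), Link("Flag", "PII read")]),
    AttackChain("Take over admin console", [
        Link("Attacker", "External attacker (opportunistic)"),
        Link("Vulnerability", "Weak password policy"),
        Link("Vulnerability", "Missing MFA on admin portal"),
        Link("Server", "Admin portal"), Link("Flag", "Admin session")]),
    AttackChain("Disrupt file shares", [
        Link("Attacker", "Internal attacker (rogue employee)"),
        Link("Vulnerability", "Unpatched file server"),
        Link("Server", "File server"), Link("Flag", "Shares offline")]),
]

if __name__ == "__main__":
    for vuln, broken in remediation_order(CHAINS):
        print(f"Fix '{vuln}' -> breaks: {', '.join(broken)}")
```

Here two fixes break all three chains, which is the kind of prioritisation a shared link across chains makes visible without a risk score.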

## Updating Attack Chains

Your attack chain can be modified by clicking on `Edit`. You will have the option to make changes to the attack objective as well as any links in the chains. You can add new links or remove any existing links, at any point in the chain.

You can also duplicate attack chains using the `Duplicate` button and delete them using the `Delete` button.

<figure><img src="https://372186556-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M8s1QY2Q6YTHB4a6DMu%2Fuploads%2FPN3tDchHYXeIRDEMqz7S%2FScreenshot%202024-06-20%20at%208.03.55%E2%80%AFPM.png?alt=media&#x26;token=a54e3bfe-70f1-4cf7-94de-8bc414ad6816" alt=""><figcaption></figcaption></figure>

## Map Attack Chains to MITRE ATT\&CK Framework

You can map your attack chains to the `MITRE ATT&CK Framework`.

The MITRE ATT\&CK Framework is a knowledge base of adversary tactics and techniques based on real-world attack patterns. It provides threat models and methodologies to help you better plan, prepare and defend against real-world attacks.

<figure><img src="https://372186556-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M8s1QY2Q6YTHB4a6DMu%2Fuploads%2F2QdwjRhcIg4MeXF7zO7W%2FScreenshot%202024-06-20%20at%208.06.10%E2%80%AFPM.png?alt=media&#x26;token=f8e9e5b8-d925-41c0-b434-00f82f510e5b" alt=""><figcaption></figcaption></figure>

## Re-Ordering Attack Chains

You can re-order and prioritise how your attack chains are displayed in the application and in the reports.

To re-order your attack chains, click on any of the `Move Up` or `Move Down` buttons at the top of your attack chain.

<figure><img src="https://372186556-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M8s1QY2Q6YTHB4a6DMu%2Fuploads%2F21PQm8vQK5W7Oil3g4ci%2FScreenshot%202024-06-20%20at%208.10.56%E2%80%AFPM.png?alt=media&#x26;token=79e6c15b-e022-421d-8fc7-81f42494e96e" alt=""><figcaption></figcaption></figure>


