Attack Chains

Overview

Attack Chains show exactly what an attacker is doing at every step of the way, as a simple and easy-to-understand visual story. They help clients understand attack paths and focus remediation where it is needed.

Building Attack Chains can provide extra information to help customers and developers prioritise focus areas for remediation, without relying on traditional risk ratings or scores.

Attack Chains help to identify where attacks can be stopped from being chained together, so that the core issues can be prioritised and fixed with the least effort & resources.

Creating Attack Chains

To create an attack chain, you must have Edit permissions on your project.

From your project dashboard, select Attack Chains then click on Add.

Step 1: Define Attack Objective

This is where you define the objective an attacker can achieve as part of this attack chain. Keep this as high-level as possible and relatable to the business or its customers.

Step 2: Define Initial Attack Vector

The first link in the attack chain is usually the attacker. You can select either an External Attacker (e.g. outside the customer network/environment) or an Internal Attacker (e.g. inside the customer network/environment).

You also need to define how the attacker initiates the attack. This helps organisations better understand the context of where the attacker is coming from, e.g. opportunistic (stumbled across a web application); rogue employee or insider threat; etc.

You can add any combination of links to the chain. This is where you build the chain to reach the objective defined in Step 1.

The links currently supported include:

  • Attacker - Either an internal or an external attacker. Can be used to demonstrate how an external attacker breaches the perimeter and becomes an internal attacker.

  • Victim - Can be used when introducing a social engineering component to your attack chain.

  • Defender - Can be used when introducing a blue-team component to your attack chain.

  • Action - Used to define what actions are being performed by an actor in the chain.

  • Vulnerability - Used to link to a vulnerability discovered on the project.

  • Device - Can be used to reference a device which is targeted or leveraged as part of the attack chain.

  • Server - Can be used to reference a server which is targeted or leveraged as part of the attack chain.

  • Database - Can be used to reference a database which is targeted or leveraged as part of the attack chain.

  • Flag - Used to identify that an attacker has reached the end objective (defined in Step 1), or an interim objective on the way to reaching the end goal.

Once your links have been added, you should have a completed attack chain that you can save.

Attack Chains can be viewed by any team members on the project by clicking on Attack Chains from the project menu. They are also included in the reports.

Updating Attack Chains

Your attack chain can be modified by clicking on Edit. You will have the option to change the attack objective as well as any links in the chain. You can add new links or remove existing links at any point in the chain.

You can also duplicate attack chains using the Duplicate button, and delete attack chains using the Delete button.

Map Attack Chains to MITRE ATT&CK Framework

You can map your attack chains to the MITRE ATT&CK Framework.

The MITRE ATT&CK Framework is a knowledge base of adversary tactics and techniques based on real-world attack patterns. It provides threat models and methodologies to help you better plan, prepare for & defend against real-world attacks.
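As an added example (not part of this page or of the AttackForge product), the following models a chain as described in Steps 1 and 2 above and in this section: it checks that a chain starts with an Attacker link and ends with a Flag, that every Vulnerability link points at a vulnerability on the project, that mapped ATT&CK ids are well-formed, and it ranks vulnerabilities by how many chains they appear in, which is the "least effort" remediation question the Overview raises. The link types are the ones listed above; the VULN-n id format, the sample chains and their labels are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from collections import Counter
import re
# Link types exactly as listed on this page; ATT&CK technique ids look like T1566 or T1566.001.
LINK_TYPES = {"Attacker", "Victim", "Defender", "Action",
              "Vulnerability", "Device", "Server", "Database", "Flag"}
ATTACK_ID = re.compile(r"^T\d{4}(\.\d{3})?$")

@dataclass
class Link:
    kind: str            # one of LINK_TYPES
    label: str           # free text shown on the chain
    ref: str = ""        # project vulnerability id for Vulnerability links (assumed id format)
    attack: list[str] = field(default_factory=list)  # mapped ATT&CK technique ids

@dataclass
class AttackChain:
    objective: str       # Step 1: the business-level objective
    links: list[Link]    # Step 2 onwards: the links, in order

def validate(chain: AttackChain, known_vulns: set[str]) -> list[str]:
    """Return the problems found; an empty list means the chain is well-formed."""
    if not chain.links:
        return ["chain has no links"]
    problems = []
    if chain.links[0].kind != "Attacker":
        problems.append("first link must be the Attacker (initial attack vector)")
    if chain.links[-1].kind != "Flag":
        problems.append("last link must be a Flag marking the objective")
    for i, link in enumerate(chain.links):
        if link.kind not in LINK_TYPES:
            problems.append(f"link {i}: unknown link type {link.kind!r}")
        if link.kind == "Vulnerability" and link.ref not in known_vulns:
            problems.append(f"link {i}: {link.ref!r} is not a vulnerability on the project")
        problems += [f"link {i}: {t!r} is not an ATT&CK technique id"
                     for t in link.attack if not ATTACK_ID.match(t)]
    return problems

def remediation_priority(chains: list[AttackChain]) -> list[tuple[str, int]]:
    """Rank vulnerabilities by how many chains they sit in; fixing the top one breaks the most chains."""
    return Counter(l.ref for c in chains for l in c.links if l.kind == "Vulnerability").most_common()

# Constructed sample project: two chains that share one vulnerability.
VULNS = {"VULN-1", "VULN-2"}
CHAIN_A = AttackChain("Read customer records", [Link("Attacker", "External, opportunistic"),
    Link("Vulnerability", "Exposed admin login", "VULN-1", ["T1190"]),
    Link("Database", "Customer database"), Link("Flag", "Customer records read")])
CHAIN_B = AttackChain("Stop order processing", [Link("Attacker", "External, targeted"),
    Link("Victim", "Help-desk staff", attack=["T1566"]), Link("Vulnerability", "Exposed admin login", "VULN-1"),
    Link("Vulnerability", "Unpatched order server", "VULN-2"), Link("Flag", "Order service halted")])
```

Running `remediation_priority([CHAIN_A, CHAIN_B])` puts VULN-1 first because fixing it breaks both chains.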

Re-Ordering Attack Chains

You can re-order & prioritise how your attack chains are displayed in the application and in the reports.

To re-order your attack chains, click on any of the Move Up or Move Down buttons at the top of your attack chain.

Check YouTube for more tutorials: https://youtube.com/@attackforge