![\"Flowchart](\"https:\/\/cdn.services-k8s.prod.aws.htb.systems\/content\/modules\/148\/Cyber_kill_chain.png\")
<\/p>\n\n\n\nBefore we start talking about handling incidents, we need to understand the attack lifecycle (a.k.a. the cyber kill chain). This lifecycle describes how attacks manifest themselves. Understanding this lifecycle will provide us with valuable insights into how far in the network an attacker is and what they may have access to during the investigation phase of an incident.<\/p>\n\n\n\n
The cyber kill chain consists of seven different stages, as depicted in the image below: <\/p>\n\n\n\n
The In the In the The In the In the The final stage of the chain is the It is important to understand that adversaries don’t operate linearly (as the Cyber Kill Chain suggests). Some previous Cyber Kill Chain stages will be repeated multiple times. For example, after the Our objective is to Another framework for understanding adversary behavior is the MITRE ATT&CK<\/a> framework. It is a more granular, matrix-based knowledge base of adversary tactics and techniques used to achieve specific goals. Cybersecurity professionals use both frameworks to understand and defend against cyberattacks.<\/p>\n\n\n\n The MITRE ATT&CK Enterprise Matrix is a knowledge base that documents adversary behavior observed in the wild against enterprise IT environments (Windows, Linux, macOS, cloud, network, mobile, etc.). It is presented as a The screenshot below shows an example of the MITRE ATT&CK Enterprise Matrix:<\/p>\n\n\n\n A tactic is a high-level adversary objective during an intrusion (the goal they want to accomplish at that stage). For Example:<\/p>\n\n\n\n A technique is a specific method adversaries use to achieve a tactic. Techniques describe concrete attacker behavior (tools, commands, APIs, protocols, etc.).<\/p>\n\n\n\n Techniques have IDs like T1105 (Ingress Tool Transfer)<\/a> or T1021 (Remote Services)<\/a>. For example:<\/p>\n\n\n\n Sub-techniques are children of techniques that capture a particular implementation or target. Sub-technique IDs extend the parent technique: T1003.001 (Credential Dumping -> LSASS Memory)<\/a>, T1021.002 (Remote Services -> SMB\/Windows Admin Shares)<\/a>. For example:<\/p>\n\n\n\n This enables precise detection, attribution, and reporting (we can say “We detected In the diagram below, the Pyramid of Pain illustrates how much For example, At the top of the pyramid are Tools, Tactics, Techniques, and Procedures (TTPs) \u2014 these align directly with the core of MITRE ATT&CK. Detecting and disrupting these (e.g., identifying PowerShell abuse under T1059<\/a> or process injection under T1055<\/a>) forces the adversary to fundamentally change how they operate \u2014 causing maximum pain.<\/p>\n\n\n\n In summary:<\/p>\n\n\n\n Analysts map observed events and indicators to ATT&CK techniques and tactics to quickly understand adversary intent and likely next steps. Usually, it is also used to prioritize alerts based on techniques that target high-value assets. Additionally, it can be used to refer to the mitigation and containment\/eradication actions that disrupt the attacker’s kill chain.<\/p>\n\n\n\n Upon logging in, the dashboard will be displayed. We can view the alerts page as shown in the screenshot below, allowing us to view and manage alerts effectively.<\/p>\n\n\n\n The table below shows some of the techniques (MITRE ATT&CK) that were observed during the incident.<\/p>\n\n\n\n What Is The Cyber Kill Chain? Before we start talking about handling incidents, we need to understand the attack lifecycle (a.k.a. the cyber kill chain). This lifecycle describes how attacks manifest themselves. Understanding this lifecycle will provide us with valuable insights into how far in the network an attacker is and what they may have…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","template":"","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"doc_category":[44],"doc_tag":[],"class_list":["post-7841","docs","type-docs","status-publish","hentry","doc_category-incident-handling-process"],"year_month":"2026-04","word_count":1852,"total_views":0,"reactions":{"happy":0,"normal":0,"sad":0},"author_info":{"name":"admin","author_nicename":"admin","author_url":"https:\/\/scalemedia.co.za\/cybermedia\/author\/admin\/"},"doc_category_info":[{"term_name":"Incident Handling Process","term_url":"https:\/\/scalemedia.co.za\/cybermedia\/docs-category\/incident-handling-process\/"}],"doc_tag_info":[],"_links":{"self":[{"href":"https:\/\/scalemedia.co.za\/cybermedia\/wp-json\/wp\/v2\/docs\/7841","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/scalemedia.co.za\/cybermedia\/wp-json\/wp\/v2\/docs"}],"about":[{"href":"https:\/\/scalemedia.co.za\/cybermedia\/wp-json\/wp\/v2\/types\/docs"}],"author":[{"embeddable":true,"href":"https:\/\/scalemedia.co.za\/cybermedia\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/scalemedia.co.za\/cybermedia\/wp-json\/wp\/v2\/comments?post=7841"}],"version-history":[{"count":1,"href":"https:\/\/scalemedia.co.za\/cybermedia\/wp-json\/wp\/v2\/docs\/7841\/revisions"}],"predecessor-version":[{"id":7842,"href":"https:\/\/scalemedia.co.za\/cybermedia\/wp-json\/wp\/v2\/docs\/7841\/revisions\/7842"}],"wp:attachment":[{"href":"https:\/\/scalemedia.co.za\/cybermedia\/wp-json\/wp\/v2\/media?parent=7841"}],"wp:term":[{"taxonomy":"doc_category","embeddable":true,"href":"https:\/\/scalemedia.co.za\/cybermedia\/wp-json\/wp\/v2\/doc_category?post=7841"},{"taxonomy":"doc_tag","embeddable":true,"href":"https:\/\/scalemedia.co.za\/cybermedia\/wp-json\/wp\/v2\/doc_tag?post=7841"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}Recon<\/code> (Reconnaissance) stage is the initial stage, and it involves the part where an attacker chooses their target. Additionally, the attacker performs information gathering to become more familiar with the target and gathers as much useful data as possible, which can be used not only in this stage but also in other stages of this chain. Some attackers prefer to perform passive information gathering from web sources such as LinkedIn and Instagram, but also from documentation on the target organization’s web pages. Job ads and company partners often reveal information about the technology utilized in the target organization. They can provide extremely specific information about antivirus tools, operating systems, and networking technologies. Other attackers go a step further; they start ‘poking’ and actively scan external web applications and IP addresses that belong to the target organization.<\/p>\n\n\n\n![\"Reconnaissance](\"https:\/\/cdn.services-k8s.prod.aws.htb.systems\/content\/modules\/148\/ir_recon.png\")
<\/figure>\n\n\n\nWeaponize<\/code> stage, the malware to be used for initial access is developed and embedded into some type of exploit or deliverable payload. This malware is crafted to be extremely lightweight and undetectable by antivirus and detection tools. It is likely that the attacker has gathered information to identify the present antivirus or EDR technology present in the target organization. On a large scale, the sole purpose of this initial stage is to provide remote access to a compromised machine in the target environment, which also has the capability to persist through machine reboots and the ability to deploy additional tools and functionality on demand.<\/p>\n\n\n\nDelivery<\/code> stage, the exploit or payload is delivered to the victim(s). Traditional approaches include phishing emails that either contain a malicious attachment or a link to a web page. The web page can serve two purposes: either containing an exploit or hosting the malicious payload to avoid sending it through email scanning tools. In some cases, the web page can also mimic a legitimate website used by the target organization in an attempt to trick the victim into entering their credentials and collecting them. Some attackers call the victim on the phone with a social engineering pretext in an attempt to convince the victim to run the payload. The payload in these trust-gaining cases is hosted on an attacker-controlled website that mimics a well-known website to the victim (e.g., a copy of the target organization’s website). It is extremely rare to deliver a payload that requires the victim to do more than double-click an executable file or a script (in Windows environments, this can be .bat, .cmd, .vbs, .js, .hta, and other formats). Finally, there are cases where physical interaction is utilized to deliver the payload via USB tokens and similar storage tools that are purposely left around.<\/p>\n\n\n\nExploitation<\/code> stage is the moment when an exploit or a delivered payload is triggered. During the exploitation stage of the Cyber Kill Chain, the attacker typically attempts to execute code on the target system in order to gain access or control.<\/p>\n\n\n\nInstallation<\/code> stage, the initial stager is executed and is running on the compromised machine. As already discussed, the installation stage can be carried out in various ways, depending on the attacker’s goals and the nature of the compromise. Some common techniques used in the installation stage include:<\/p>\n\n\n\n\n
Command and Control<\/code> stage, the attacker establishes a remote access capability to the compromised machine. As discussed, it is not uncommon to use a modular initial stager that loads additional scripts ‘on-the-fly’. However, advanced groups will utilize separate tools to ensure that multiple variants of their malware live in a compromised network, and if one of them gets discovered and contained, they still have the means to return to the environment.<\/p>\n\n\n\nAction<\/code> or objective of the attack. The objective of each attack can vary. Some adversaries may aim to exfiltrate confidential data, while others may want to obtain the highest level of access possible within a network to deploy ransomware. Ransomware is a type of malware that renders all data stored on endpoint devices and servers unusable or inaccessible unless a ransom is paid within a limited timeframe (not recommended).<\/p>\n\n\n\nInstallation<\/code> stage of a successful compromise, the logical next step for an adversary is to initiate the Recon<\/code> (Reconnaissance) stage again to identify additional targets and find vulnerabilities to exploit, allowing them to move deeper into the network and eventually achieve the attack’s objective(s).<\/p>\n\n\n\nstop an attacker from progressing further up the kill chain<\/code>, ideally in one of the earliest stages.<\/p>\n\n\n\n
\n\n\n\nMITRE ATT&CK Framework<\/h2>\n\n\n\n
matrix<\/code> where columns represent adversary goals (tactics<\/code>), and cells are techniques<\/code> attackers use to achieve those goals. The framework helps defenders understand, model, detect, and respond to attacker behavior in a structured way.<\/p>\n\n\n\n![\"The](\"https:\/\/cdn.services-k8s.prod.aws.htb.systems\/content\/modules\/148\/mitreintro.png\")
<\/figure>\n\n\n\nTactic<\/h4>\n\n\n\n
\n
Initial Access<\/code>.<\/li>\n\n\n\nPersistence<\/code>.<\/li>\n\n\n\nPrivilege Escalation<\/code>.<\/li>\n<\/ul>\n\n\n\nTechnique<\/h4>\n\n\n\n
\n
T1105 Ingress Tool Transfer<\/code>: Refers to the tools used by attackers to download a tool, such as\u00a0wget<\/code>,\u00a0curl<\/code>, etc., commonly OS built-in commands\/tools.<\/li>\n\n\n\nT1021 Remote Services<\/code>: Refers to adversaries using protocols such as SSH, RDP, and SMB for lateral movement.<\/li>\n<\/ul>\n\n\n\nSub-technique<\/h4>\n\n\n\n
\n
T1003.001 - OS Credentials: LSASS Memory<\/code>: Refers to adversaries dumping credentials directly from the LSASS process memory when achieving the necessary privileges.<\/li>\n\n\n\nT1021.002 - Remote Services: SMB\/Windows Admin Shares<\/code>: Refers to adversaries interacting with shares using valid credentials.<\/li>\n<\/ul>\n\n\n\nT1003.001<\/code> \u2014 LSASS memory dumping” instead of just T1003<\/code>).<\/p>\n\n\n\nPyramid of Pain<\/h3>\n\n\n\n
effort it takes for an adversary to change their tactics<\/code> when defenders detect and block different types of indicators. At the base of the pyramid are simple indicators like hash values, IP addresses, and domain names \u2014 these are easily changed by attackers (low pain).<\/p>\n\n\n\n![\"Pyramid](\"https:\/\/cdn.services-k8s.prod.aws.htb.systems\/content\/modules\/148\/ir_mitre.png\")
<\/figure>\n\n\n\nblocking a malicious IP<\/code> in a MITRE ATT&CK “Command and Control” (T1071<\/a>) scenario will only slightly slow down<\/code> the adversary since they can quickly switch to a new C2 server. Moving upward, network and host artifacts (like registry keys, mutex names, or filenames) correspond to specific techniques in ATT&CK (e.g., T1547.001<\/a> \u2013 Registry Run Keys\/Startup Folder). These take more effort<\/code> to change and are more resilient indicators for defenders.<\/p>\n\n\n\n\n
easy<\/code>\u00a0to evade.<\/li>\n\n\n\nhard to evade<\/code>, higher attacker cost, and stronger defense maturity.<\/li>\n<\/ul>\n\n\n\nMITRE ATT&CK integration in TheHive<\/h2>\n\n\n\n
TheHive<\/code> is a case management platform designed for cybersecurity teams to efficiently handle incidents by processing alerts. Users can create cases and link multiple relevant alerts within them. This platform serves as a centralized hub to collect and manage all security alerts from various devices on a single, comprehensive page. Additionally, TheHive offers the capability to import all MITRE ATT&CK Framework Tactics, Techniques, and Procedures (TTPs) into its alert management system. This integration enriches incident analysis by associating discovered attack patterns with the alerts.<\/p>\n\n\n\n![\"TheHive](\"https:\/\/cdn.services-k8s.prod.aws.htb.systems\/content\/modules\/148\/ir_hive.png\")
<\/figure>\n\n\n\n![\"TheHive](\"https:\/\/cdn.services-k8s.prod.aws.htb.systems\/content\/modules\/148\/ir_hive1.png\")
<\/figure>\n\n\n\nExample of MITRE ATT&CK Mapping<\/h2>\n\n\n\n
Tactic<\/th> Technique<\/th> ID<\/th> Description<\/th><\/tr><\/thead> Initial Access<\/code><\/td>Exploit Public-Facing Application<\/td> T1190<\/td> Confluence CVE exploited<\/td><\/tr> Execution<\/code><\/td>Command and Scripting Interpreter: PowerShell<\/td> T1059.001<\/td> PowerShell used for payload download<\/td><\/tr> Persistence<\/code><\/td>Windows Service<\/td> T1543.003<\/td> Windows Service for persistence<\/td><\/tr> Credential Access<\/code><\/td>LSASS Memory Dumping<\/td> T1003.001<\/td> Extracted credentials<\/td><\/tr> Lateral Movement<\/code><\/td>Remote Desktop Protocol<\/td> T1021.001<\/td> RDP lateral movement<\/td><\/tr> Impact<\/code><\/td>Data Encrypted for Impact<\/td> T1486<\/td> LockBit ransomware<\/td><\/tr><\/tbody><\/table><\/figure>\n","protected":false},"excerpt":{"rendered":"