Introducing the Common Attack Process Framework for Incident Mapping

Stephen Mancini (Robert Morris University, USA), Laurie Iacono (Robert Morris University, USA), Frank Hartle (Robert Morris University, USA), Megan Garfinkel (Robert Morris University, USA), Dana Horn (Robert Morris University, USA) and Alison Sullivan (Robert Morris University, USA)
Copyright: © 2021 | Pages: 8
DOI: 10.4018/IJCRE.2021070102
The paper presents a new framework that allows both educators and operational personnel to map incidents onto a simplified model. While other attack frameworks exist, they either lack simplicity or are too focused on specific types of attacks. Therefore, the authors have attempted to define a framework that can be used broadly across both physical and cyber incidents. Furthermore, the paper provides several high-profile examples showing how this new framework more accurately represents the adversary's actions. Lastly, the framework allows room for expansion in that, within each stage, a plethora of questions can be addressed, giving greater specificity about how that stage was carried out.
Article Preview


Various attack frameworks and methodologies exist which attempt to capture the process by which adversaries conduct different types of attacks. The purpose of capturing adversarial activity depends on the user of the information captured. For example, capturing how a specific malware variant operates can lead to the development of signatures for security devices. In addition, depending on the attack, whether cyber or physical, the methodology can be captured for a variety of reasons ranging from tactical solutions to policy implementations. Furthermore, within these various frameworks and methodologies, there are often redundancies that do not allow for any distinction between the frameworks themselves and their defined stages, as the stages are either too specific or, more likely, sub-steps of already identified stages. As such, the authors have conducted research into several attacks and propose that attacks undergo sequentially ordered steps, which are often referred to as ‘stages’. In addition, these stages occur regardless of whether the attack is physical or cyber. As a result of identifying these five main stages, both operational personnel and academics are better positioned to understand and thus defend against potential adversary actions. Finally, regardless of the skillset or motivation of the adversary, all adversaries must undergo some sort of ‘thought’ process prior to carrying out their actions. Obviously, the more advanced the adversary, the more methodical they are likely to be in how they conduct each step.

Two of the more common frameworks in place today are the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) and the Lockheed Martin Cyber Kill Chain. MITRE describes its framework as “a curated knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary’s attack lifecycle” (Strom et al., 2018, p. 1). First created in 2013, the MITRE ATT&CK model is designed to focus more on specific environments, capturing adversary actions and dynamically updating the model with regularity (Strom et al., 2018). While there are overarching steps, e.g. initial access, execution, persistence, etc., the model quickly morphs into a large matrix specifically focused on cyber-attacks. Again, while comprehensive, it lacks the simplicity needed to explain at a strategic level how an attack progresses. Table 1 shows the first stage, Reconnaissance, and the ten corresponding techniques as identified in the MITRE ATT&CK model.

Table 1. MITRE ATT&CK Reconnaissance Stage and the Ten Techniques
Reconnaissance Techniques
Active Scanning
Gather Victim Host Information
Gather Victim Identity Information
Gather Victim Network Information
Gather Victim Org Information
Phishing for Information
Search Closed Sources
Search Open Technical Databases
Search Open Websites/Domains
Search Victim-Owned Websites
