
// Operational Frameworks — Field-Tested Doctrine

Our Methodology

Every NixSec engagement is structured around proven, industry-standard frameworks. We don't guess — we follow battle-hardened doctrine used by elite operators worldwide.

// 01 — Red Team & Offensive Security
FRAMEWORK // PTES
Penetration Testing Execution Standard
OFFENSIVE

Community-developed standard, started in 2009, that defines how penetration tests should be scoped, planned, executed, and reported, from initial client contact to final deliverable. Its companion Technical Guidelines map tooling and procedures onto each phase. The reference model for structured pen testing engagements.

// Engagement Phases (7)
01
Pre-Engagement
02
Intel Gathering
03
Threat Modeling
04
Vuln Analysis
05
Exploitation
06
Post-Exploitation
07
Reporting
Pre-Engagement Interactions
Scope definition, legal agreements (SOW/NDA), rules of engagement, communication protocols, and emergency contacts established before any testing begins.
Intelligence Gathering
OSINT collection on infrastructure, personnel, third-party connections, and business processes. Passive recon using public sources, DNS records, WHOIS and Shodan; active footprinting (port and service discovery) only within the agreed rules of engagement.
Threat Modeling
Identify critical business assets, map threat communities, analyze attacker capability and motivation. Prioritize attack vectors by business impact.
Vulnerability Analysis
Active scanning, service enumeration, vulnerability research, and manual testing to identify security weaknesses in scope.
Exploitation
Controlled exploitation of discovered vulnerabilities to demonstrate real-world impact. Document successful attack paths and entry vectors.
Post-Exploitation
Privilege escalation, lateral movement, persistence mechanisms, data exfiltration simulation, and footprint expansion within authorized scope.
Reporting
Executive summary for C-suite, technical findings for engineers, risk-rated vulnerabilities, remediation roadmap with prioritization.
FRAMEWORK // MITRE ATT&CK
MITRE ATT&CK Enterprise
OFFENSIVE

A globally accessible knowledge base of adversary tactics and techniques based on real-world observations. ATT&CK structures the "why" (tactics) and "how" (techniques) of adversary operations — the lingua franca of modern offensive and defensive security.

// Enterprise Tactics (14)
TA0043
Recon
TA0042
Resource Dev
TA0001
Initial Access
TA0002
Execution
TA0003
Persistence
TA0004
Priv Escalation
TA0005
Defense Evasion
TA0006
Credential Access
TA0007
Discovery
TA0008
Lateral Movement
TA0009
Collection
TA0011
Command & Control
TA0010
Exfiltration
TA0040
Impact
Reconnaissance (TA0043)
Gathering information prior to compromise. Passive and active techniques including scanning, phishing for info, and OSINT.
Resource Development (TA0042)
Establishing capabilities — acquiring infrastructure, compromising accounts, developing malware, and staging operations.
Initial Access (TA0001)
Entry into the target environment via spearphishing, exploit public-facing apps, trusted relationships, or supply chain compromise.
Execution (TA0002)
Running adversary-controlled code: command-line, scripting engines, scheduled tasks, user execution triggers.
Persistence (TA0003)
Maintaining foothold across restarts and credential changes via registry run keys, scheduled tasks, web shells, and account creation.
Privilege Escalation (TA0004)
Gaining higher-level permissions through exploitation of system weaknesses, misconfigurations, or valid credentials.
Defense Evasion (TA0005)
Avoiding detection via obfuscation, disabling security tools, masquerading, and living off the land binaries (LOLBins).
Credential Access (TA0006)
Stealing credentials via keylogging, credential dumping (Mimikatz), brute force, and password spraying.
Discovery (TA0007)
Mapping the internal environment — network scanning, account enumeration, process listing, and software discovery.
Lateral Movement (TA0008)
Pivoting through the environment using pass-the-hash, RDP, SMB, and exploitation of remote services.
Collection (TA0009)
Gathering data of interest: files, email, screenshots, audio capture, and clipboard data.
Command & Control (TA0011)
Communicating with compromised systems via encrypted channels, domain fronting, and multi-stage C2 frameworks.
Exfiltration (TA0010)
Moving data out of the environment over C2 channels, cloud storage, or alternative protocols.
Impact (TA0040)
Disruption, destruction, or manipulation of data and systems: ransomware, disk wipe, defacement, DoS.
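Mapping what an engagement actually exercised back to tactics is where ATT&CK earns its keep: it shows at a glance which of the 14 columns were never touched. The Python below is an added example, not NixSec's tooling or anything MITRE ships. It takes the technique IDs a test demonstrated (a hand-picked subset of real Enterprise ATT&CK IDs, with the tactic assignments ATT&CK gives them), reports the tactics with no coverage, and writes an ATT&CK Navigator layer. The technique table and the version strings in the layer header are assumptions for the example; a real run would load the STIX bundle from the mitre-attack/attack-stix-data repository instead of hard-coding anything.

```python
"""Added example (not NixSec's or MITRE's code): summarise which ATT&CK
tactics an engagement or detection inventory touched and emit an ATT&CK
Navigator layer for it.

TECHNIQUE_TACTICS is a hand-picked subset of real Enterprise ATT&CK IDs with
the tactic assignments ATT&CK gives them (assumption: a real run loads the
full STIX bundle from github.com/mitre-attack/attack-stix-data instead)."""
import json

# The 14 Enterprise tactics in ATT&CK's canonical order, with the
# shortname ATT&CK uses in its STIX data and Navigator layers.
TACTICS = [
    ("TA0043", "reconnaissance"), ("TA0042", "resource-development"),
    ("TA0001", "initial-access"), ("TA0002", "execution"),
    ("TA0003", "persistence"), ("TA0004", "privilege-escalation"),
    ("TA0005", "defense-evasion"), ("TA0006", "credential-access"),
    ("TA0007", "discovery"), ("TA0008", "lateral-movement"),
    ("TA0009", "collection"), ("TA0011", "command-and-control"),
    ("TA0010", "exfiltration"), ("TA0040", "impact"),
]
TACTIC_ID = {name: tid for tid, name in TACTICS}

# Subset of real techniques -> tactics. Several techniques serve more than
# one tactic; the coverage report must count them under each.
TECHNIQUE_TACTICS = {
    "T1566.001": ["initial-access"],                                    # Spearphishing Attachment
    "T1059.001": ["execution"],                                         # PowerShell
    "T1053.005": ["execution", "persistence", "privilege-escalation"],  # Scheduled Task
    "T1547.001": ["persistence", "privilege-escalation"],               # Registry Run Keys
    "T1003.001": ["credential-access"],                                 # LSASS Memory
    "T1110.003": ["credential-access"],                                 # Password Spraying
    "T1550.002": ["defense-evasion", "lateral-movement"],               # Pass the Hash
    "T1021.001": ["lateral-movement"],                                  # Remote Desktop Protocol
    "T1071.001": ["command-and-control"],                               # Web Protocols
    "T1041": ["exfiltration"],                                          # Exfiltration Over C2 Channel
    "T1486": ["impact"],                                                # Data Encrypted for Impact
}


def tactic_coverage(observed):
    """Return {tactic_id: [technique ids]} for all 14 tactics; an empty list
    is a tactic the engagement (or the detection set) never exercised."""
    coverage = {tid: [] for tid, _ in TACTICS}
    for tech in sorted(observed):
        if tech not in TECHNIQUE_TACTICS:
            raise ValueError(f"{tech}: not in the local technique table")
        for tactic in TECHNIQUE_TACTICS[tech]:
            coverage[TACTIC_ID[tactic]].append(tech)
    return coverage


def uncovered_tactics(observed):
    """Tactic IDs with no observed technique, in ATT&CK order."""
    coverage = tactic_coverage(observed)
    return [tid for tid, _ in TACTICS if not coverage[tid]]


def navigator_layer(observed, name, score=1):
    """Build an ATT&CK Navigator layer (layer format 4.5) that colours each
    observed technique under every tactic it belongs to. The version strings
    are assumptions; set them to the ATT&CK/Navigator release you use."""
    techniques = [
        {"techniqueID": tech, "tactic": tactic, "score": score,
         "comment": "exercised during engagement"}
        for tech in sorted(observed)
        for tactic in TECHNIQUE_TACTICS[tech]
    ]
    return {
        "name": name,
        "versions": {"attack": "15", "navigator": "5.0", "layer": "4.5"},
        "domain": "enterprise-attack",
        "techniques": techniques,
        "gradient": {"colors": ["#ffffff", "#ff6666"],
                     "minValue": 0, "maxValue": score},
    }


if __name__ == "__main__":
    # Constructed inventory: techniques a short red-team exercise demonstrated.
    exercised = {"T1566.001", "T1059.001", "T1003.001", "T1550.002", "T1486"}
    for tid, techs in tactic_coverage(exercised).items():
        print(f"{tid}: {', '.join(techs) or '-- no coverage --'}")
    print("gaps:", uncovered_tactics(exercised))
    print(json.dumps(navigator_layer(exercised, "Red team exercise"), indent=2))
```

The same function works on a detection inventory instead of an engagement log: feed it the technique IDs your SIEM and EDR rules are tagged with and the empty tactics are your blind spots, which is exactly the input a hunt or the next scope negotiation needs.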
FRAMEWORK // LOCKHEED MARTIN
Cyber Kill Chain
OFFENSIVE

Developed by Lockheed Martin as part of the Intelligence Driven Defense model. Maps the sequential stages of a cyberattack — from initial reconnaissance to achieving objectives. Used to identify interception and disruption points.

// Attack Stages (7)
01
Reconnaissance
02
Weaponization
03
Delivery
04
Exploitation
05
Installation
06
C2
07
Actions on Obj
Reconnaissance
Passive/active information gathering — OSINT, scanning, social media, public records. Identifies targets, personnel, and exposed infrastructure.
Weaponization
Creating or obtaining malicious payloads — exploit bundled with backdoor, crafted spearphishing lures, or trojanized documents.
Delivery
Transmission of the weapon to the target via email attachments, malicious URLs, USB drops, watering-hole attacks.
Exploitation
Triggering the exploit to execute code on the target — software vulnerabilities, zero-days, or user-triggered macros.
Installation
Dropping persistent implants — RATs, backdoors, web shells, scheduled tasks — ensuring access survives reboots.
Command & Control (C2)
Establishing encrypted, covert channels back to operator infrastructure. May use DNS, HTTPS, or social media APIs to blend into normal traffic.
Actions on Objectives
Achieving mission goals — data exfiltration, ransomware deployment, sabotage, espionage, or establishing long-term presence.
FRAMEWORK // ISECOM
OSSTMM v3 — Open Source Security Testing Methodology Manual
OFFENSIVE

A peer-reviewed security testing standard first released in 2000 and maintained by ISECOM. Provides a scientific approach to security testing across five distinct channels. Uniquely quantifies security through its rav (Risk Assessment Values) metric, which scores an attack surface from its porosity (visibility, access, trust), the controls in place, and the limitations of those controls.

// Testing Channels (5)
CH1
Human Security
CH2
Physical Security
CH3
Wireless Comms
CH4
Telecoms
CH5
Networks
Human Security
Testing security in human interactions — social engineering, physical access via social pretexting, badge cloning, and dumpster diving.
Physical Security
Tangible security aspects — access controls, locks, CCTV, perimeter security, physical intrusion testing.
Wireless Communications
RF and electronic signal security — WiFi, Bluetooth, RFID, SDR-based attacks, wireless protocol analysis.
Telecommunications
Digital and analog telecom security — VoIP, PBX systems, SS7 vulnerabilities, PSTN testing.
Networks
Full network security assessment — port scanning, service enumeration, firewall testing, protocol analysis, and exploitation.
// 02 — Blue Team & Threat Hunting
FRAMEWORK // MITRE D3FEND
D3FEND — Detection, Denial, and Disruption Framework Empowering Network Defense
DEFENSIVE

A knowledge graph of defensive cybersecurity techniques. D3FEND relates each countermeasure to the ATT&CK offensive techniques it counters through the digital artifacts both act on (processes, files, network traffic, credentials), rather than by a one-to-one mapping. It groups countermeasures into 7 defensive tactics with detailed technique definitions.

// Defensive Tactics (7)
D3-M
Model
D3-H
Harden
D3-D
Detect
D3-I
Isolate
D3-E
Deceive
D3-V
Evict
D3-R
Restore
Model
Understanding the environment before attacks occur. Asset inventory, network mapping, and establishing baseline visibility for all defensive operations.
Harden
Reducing attack surface through configuration hardening, patch management, removing unnecessary services, and applying security benchmarks (CIS, STIG).
Detect
Identifying threats via log analysis, network traffic inspection, EDR telemetry, behavioral analytics, and SIEM correlation rules.
Isolate
Containing threats through network segmentation, endpoint isolation, DNS sinkholing, and blocking C2 communications.
Deceive
Misleading adversaries using honeypots, honeytokens, deception credentials, and fake network shares to detect and delay attackers.
Evict
Removing adversaries — credential rotation, persistence mechanism removal, malware eradication, and eliminating all footholds.
Restore
Returning to known-good state via clean system restoration, backup recovery, and verified rebuild from trusted images.
FRAMEWORK // FI-ISAC / TAHITI
TaHiTI — Targeted Hunting integrating Threat Intelligence
THREAT HUNTING

Developed by the Dutch financial sector (FI-ISAC), TaHiTI is a structured, hypothesis-driven threat hunting methodology that integrates threat intelligence as the primary input. Focuses on the top layers of the Pyramid of Pain (tools and TTPs rather than hashes, IPs and domains).

// Hunt Phases (3 Phases / 6 Steps)
P1
Initiate
Define + Hypothesize
P2
Hunt
Investigate + Document
P3
Finalize
Analyze + Improve
Define / Refine
Establish hunt scope, identify the threat actor or TTP being hunted, define success criteria, and select relevant data sources.
Hypothesis Development
Create testable, intelligence-backed hypotheses. Map to ATT&CK techniques. Hypotheses guide what to look for and where.
Investigation
Active hunting using SIEM queries, EDR telemetry, network logs, and threat intelligence. Search for evidence of the hypothesized TTPs.
Documentation
Record all findings, dead-ends, and discoveries in a structured hunt log. Preserve evidence chain throughout the process.
Analysis & Reporting
Correlate findings, determine if hypothesis confirmed or refuted, document attacker TTPs discovered, and produce hunt report.
Improvement
Convert successful hunts into automated detections. Feed gaps back into the security roadmap. Iterate the program maturity.
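One hunt carried through the steps above, as an added example that is not part of the TaHiTI paper or of this page: a hypothesis for password spraying (ATT&CK T1110.003), a sliding-window query that tests it against failed-logon records, and the structured hunt record the Document and Analyze steps ask for. The log lines, their field layout (an imitation of a SIEM export of Windows events 4625 and 4624, not any vendor's schema), the hunt ID and the thresholds are all constructed for the example.

```python
"""Added example (not from the TaHiTI paper or this page): one hunt carried
from hypothesis to a structured hunt record. The hypothesis is password
spraying (ATT&CK T1110.003); the log lines are constructed and their layout
imitates a SIEM export of Windows Security events 4625 (failed logon) and
4624 (successful logon), not any vendor's exact schema."""
from collections import defaultdict
from datetime import datetime, timedelta

HYPOTHESIS = {
    "id": "HUNT-0001",            # hypothetical hunt identifier
    "technique": "T1110.003",     # ATT&CK: Brute Force: Password Spraying
    "statement": ("A single source IP produces failed logons for many "
                  "distinct accounts within a short window, possibly "
                  "followed by a success when the sprayed password hits."),
    "data_source": "Windows Security 4625/4624 via SIEM",
}

# Constructed sample. Fields: timestamp|event_id|target_user|source_ip|logon_type
SAMPLE_LOG = """\
2024-05-01T08:00:01Z|4625|alice|203.0.113.7|3
2024-05-01T08:00:04Z|4625|bob|203.0.113.7|3
2024-05-01T08:00:07Z|4625|carol|203.0.113.7|3
2024-05-01T08:00:09Z|4625|dave|203.0.113.7|3
2024-05-01T08:00:12Z|4625|erin|203.0.113.7|3
2024-05-01T08:00:15Z|4625|frank|203.0.113.7|3
2024-05-01T08:01:30Z|4624|alice|203.0.113.7|3
2024-05-01T08:05:00Z|4625|alice|10.0.0.25|2
2024-05-01T08:05:03Z|4625|alice|10.0.0.25|2
2024-05-01T08:05:06Z|4625|alice|10.0.0.25|2
2024-05-01T09:10:00Z|4625|grace|198.51.100.9|3
"""


def parse_events(text):
    """Turn the pipe-delimited export into dicts with parsed timestamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, user, src, logon_type = line.split("|")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "event_id": int(event_id), "user": user,
            "src": src, "logon_type": int(logon_type),
        })
    return events


def hunt_password_spray(events, window=timedelta(minutes=5), min_users=5):
    """Investigate step: per source IP, slide a time window over its failed
    logons and keep the largest set of distinct accounts seen in one window.
    Sources at or above min_users are findings; any account that later
    authenticated successfully from the same source is flagged as a hit."""
    failures = defaultdict(list)
    successes = defaultdict(set)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event_id"] == 4625:
            failures[ev["src"]].append(ev)
        elif ev["event_id"] == 4624:
            successes[ev["src"]].add(ev["user"])

    findings = {}
    for src, fails in failures.items():
        widest, start = set(), 0
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            users = {f["user"] for f in fails[start:end + 1]}
            if len(users) > len(widest):
                widest = users
        if len(widest) >= min_users:
            findings[src] = {
                "distinct_users": sorted(widest),
                "later_success": sorted(successes[src] & widest),
            }
    return findings


def hunt_record(findings):
    """Document/Analyze steps: the hunt log entry, written whether or not
    the hypothesis held, so refuted hunts still improve the program."""
    return {
        "hunt": HYPOTHESIS["id"],
        "technique": HYPOTHESIS["technique"],
        "hypothesis": HYPOTHESIS["statement"],
        "verdict": "confirmed" if findings else "refuted in scope",
        "evidence": findings,
        "follow_up": ("escalate to IR; schedule as recurring detection"
                      if findings else "review data coverage; re-hunt next cycle"),
    }


if __name__ == "__main__":
    import json
    result = hunt_password_spray(parse_events(SAMPLE_LOG))
    print(json.dumps(hunt_record(result), indent=2))
```

Two details matter for the Improvement step. The query keys on distinct accounts per source, so the three failures against alice from 10.0.0.25 (one account, many attempts, classic brute force) do not fire; a spray detection and a brute-force detection are separate rules with separate thresholds. And the later_success field is what turns a hunt finding into an incident: a source that sprayed six accounts and then logged in as alice is no longer a hypothesis to document but a compromise to hand to IR.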
// 03 — Digital Forensics & Incident Response
FRAMEWORK // NIST SP 800-61r3
NIST SP 800-61 Rev. 3: Incident Response Recommendations and Considerations for Cybersecurity Risk Management (successor to the Computer Security Incident Handling Guide)
DFIR

The National Institute of Standards and Technology's guidance for incident response. Revision 3 (April 2025) reframes IR as a continuous risk management function integrated across the organization's security program, organised around the CSF 2.0 functions (Govern, Identify, Protect, Detect, Respond, Recover), not a reactive cleanup. The four-phase lifecycle below is the one defined in Revision 2, the Computer Security Incident Handling Guide, which Revision 3 supersedes but which remains the operational model most CSIRTs run day to day.

// IR Lifecycle (4 Phases, SP 800-61r2 model)
01
Preparation
02
Detection & Analysis
03
Containment, Eradication & Recovery
04
Post-Incident Activity
Preparation
Establish IR policies, build the CSIRT, deploy tools (EDR, SIEM, forensic workstations), define communication trees, conduct tabletop exercises.
Detection & Analysis
Monitor for incidents via alerts, logs, and threat intel. Validate, classify, and scope the incident. Collect initial evidence and determine severity.
Containment
Short-term: isolate affected systems. Long-term: implement temporary fixes while preserving forensic evidence. Prevent further spread.
Eradication
Remove all traces of the threat — malware, persistence mechanisms, unauthorized accounts. Identify and patch the root-cause vulnerability.
Recovery
Restore systems from clean backups, verify integrity, return to production with enhanced monitoring. Validate no re-compromise occurs.
Post-Incident Activity
Lessons learned meeting held promptly after closure (NIST recommends within several days of the incident's end). Document timeline, root cause, impact, and control failures. Update playbooks and security posture.
FRAMEWORK // SANS INSTITUTE
SANS PICERL — Incident Response Cycle
DFIR

SANS's 6-step IR model that expands NIST's phases into more granular operational steps. Separates Containment, Eradication, and Recovery into discrete phases for better operational control and clear team handoffs during active incidents.

// Response Phases (6)
P
Preparation
I
Identification
C
Containment
E
Eradication
R
Recovery
L
Lessons Learned
Preparation
Codify security policy, conduct risk assessments, identify critical assets, deploy tooling, and build/train the CSIRT team.
Identification
Detect deviations from baseline via monitoring. Collect and preserve initial evidence. Classify incident severity and scope. Notify stakeholders.
Containment
Short-term: isolate compromised systems to prevent spread. Long-term: implement temporary workarounds while maintaining forensic integrity.
Eradication
Remove all malicious artifacts, persistence, unauthorized accounts, and attack tools from every affected system in the environment.
Recovery
Rebuild from trusted media, restore from verified backups, validate integrity, return to operational status, and monitor the restored systems closely for signs of re-compromise.
Lessons Learned
Post-incident review within 2 weeks. Document timeline, attack vector, root cause, team performance, and update IR playbooks.
STANDARD // RFC 3227
RFC 3227 — Evidence Collection & Archiving
FORENSICS

Published in 2002, RFC 3227 defines best practices for collecting and archiving digital evidence from security incidents. The foundational reference for maintaining chain of custody and legal admissibility of forensic artifacts.

// Collection Order of Volatility (RFC 3227 §2.1)
V1
CPU Registers / Cache
V2
Routing Table / ARP Cache / Process Table / Kernel Stats / Memory
V3
Temporary File Systems
V4
Disk / Storage
V5
Remote Logs / Monitoring Data
V6
Physical Configuration / Network Topology
V7
Archival Media
Order of Volatility
Always collect the most volatile data first. Registers, cache and RAM are lost at power-off; disk persists but is overwritten by normal system activity; remote logs and archival media change slowest. Prioritise accordingly.
Chain of Custody
Every piece of evidence must be documented from collection to presentation: who collected it, when, how, and every transfer of possession. Gaps in the chain can render evidence inadmissible.
Bit-Level Imaging
Create forensic duplicates using hardware write blockers. Verify integrity with SHA-256 hashes recorded at acquisition (MD5 is collision-prone and should not be the only hash relied on). Never work from original media; always from verified copies.
Minimise Contamination
Minimise actions taken on live systems and document every command executed. Avoid installing tools on the subject system: run known-good tools from external read-only media, and image offline from forensic boot media once the system can be powered down.
Transparency
All procedures must be documented, repeatable, and defensible in court. Methodology must be explainable to non-technical legal and judicial audiences.
Legal Considerations
Understand jurisdiction, obtain proper authorization before collection. Privacy laws, search warrants, and regulations vary by region and sector.
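The Python below is an added example of the collection and custody discipline RFC 3227 describes; it is not code from the RFC or from this page. It keeps an evidence manifest keyed by the RFC's volatility classes, hashes every artifact with SHA-256 at acquisition, and chains the custody entries so that an altered log entry is detected as well as altered content. Volatility labels, field names and the sample bytes are this example's own assumptions; it says nothing about what a given court will accept, which remains a question for counsel.

```python
"""Added example (not from RFC 3227 or this page): an evidence manifest that
records, per artifact, what RFC 3227 asks for (who collected it, when, how,
and a content hash) and keeps a tamper-evident chain-of-custody log.
Volatility labels, field names and sample bytes are this example's own."""
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional

# RFC 3227 section 2.1 order of volatility, most volatile first.
VOLATILITY_ORDER = [
    "registers_cache",
    "routing_arp_processes_kernel_memory",
    "temporary_filesystems",
    "disk",
    "remote_logging_monitoring",
    "physical_config_network_topology",
    "archival_media",
]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def _entry_hash(prev_hash: str, entry: dict) -> str:
    """Hash of a custody entry bound to the previous entry's hash, so editing
    or deleting any earlier entry breaks every hash after it."""
    payload = json.dumps(entry, sort_keys=True).encode() + prev_hash.encode()
    return sha256_hex(payload)


def collection_plan(requests):
    """Order (label, volatility_class) pairs most-volatile-first; ties keep
    the requested order. Unknown classes are rejected rather than guessed."""
    for _, kind in requests:
        if kind not in VOLATILITY_ORDER:
            raise ValueError(f"unknown volatility class: {kind!r}")
    return [label for label, _ in
            sorted(requests, key=lambda r: VOLATILITY_ORDER.index(r[1]))]


def collect(manifest: list, label: str, kind: str, data: bytes,
            collector: str, method: str, at: Optional[str] = None) -> dict:
    """Record a collected artifact: its SHA-256, size, volatility class and
    the first custody entry (collector, time, method or tool used)."""
    if kind not in VOLATILITY_ORDER:
        raise ValueError(f"unknown volatility class: {kind!r}")
    first = {"event": "collected", "by": collector, "at": at or _now(),
             "method": method}
    item = {
        "id": f"E{len(manifest) + 1:03d}",
        "label": label, "kind": kind,
        "size": len(data), "sha256": sha256_hex(data),
        "custody": [dict(first, entry_hash=_entry_hash("", first))],
    }
    manifest.append(item)
    return item


def transfer(item: dict, from_: str, to: str, at: Optional[str] = None) -> None:
    """Append a hand-over to the custody chain."""
    entry = {"event": "transferred", "from": from_, "to": to, "at": at or _now()}
    prev = item["custody"][-1]["entry_hash"]
    item["custody"].append(dict(entry, entry_hash=_entry_hash(prev, entry)))


def verify_content(item: dict, data: bytes) -> bool:
    """Does the working copy still match the hash taken at collection?"""
    return sha256_hex(data) == item["sha256"]


def verify_custody(item: dict) -> bool:
    """Recompute the custody hash chain; False means an entry was altered."""
    prev = ""
    for rec in item["custody"]:
        entry = {k: v for k, v in rec.items() if k != "entry_hash"}
        if _entry_hash(prev, entry) != rec["entry_hash"]:
            return False
        prev = rec["entry_hash"]
    return True


if __name__ == "__main__":
    # Constructed artifacts standing in for a memory capture and a disk image.
    print(collection_plan([("disk image", "disk"),
                           ("memory capture", "routing_arp_processes_kernel_memory"),
                           ("syslog export", "remote_logging_monitoring")]))
    manifest = []
    mem = collect(manifest, "memory capture", "routing_arp_processes_kernel_memory",
                  b"\x00" * 4096, "analyst-1", "memory acquisition tool")
    transfer(mem, "analyst-1", "evidence locker")
    print(json.dumps(manifest, indent=2))
    print("content ok:", verify_content(mem, b"\x00" * 4096),
          "custody ok:", verify_custody(mem))
```

The hash chain only proves that the log you hold is the log that was written; it does not prove who wrote it. In practice the manifest is itself signed or written to append-only storage outside the analyst's control, and the collection plan is printed before the first command is run so that the order of volatility is followed rather than reconstructed afterwards.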

Framework Comparison Matrix

Framework          Type       Primary Use            Phases                 Key Focus
PTES               Offensive  Penetration Testing    7                      Complete test lifecycle
MITRE ATT&CK       Offensive  Adversary TTP Mapping  14 tactics             Real-world adversary behaviors
Cyber Kill Chain   Offensive  Attack Analysis        7                      Attack progression & interception
OSSTMM v3          Offensive  Security Testing       5 channels             Quantifiable, modular testing
MITRE D3FEND       Defensive  Defense Planning       7 tactics              ATT&CK-related countermeasures
TaHiTI             Defensive  Threat Hunting         3 (6 steps)            TI-driven hypothesis hunting
NIST SP 800-61r3   DFIR       Incident Response      4 (r2 lifecycle)       Continuous IR risk management
SANS PICERL        DFIR       Incident Response      6                      Granular operational control
RFC 3227           DFIR       Digital Forensics      3 + volatility order   Legal evidence handling

// Apply the methodology to your environment

Ready to run a Real Engagement?

Every NixSec engagement is delivered against these frameworks. Speak with an operator to define your scope.
