Cyber Kill Chain & Mitre ATT&CK Framework

Cyber Kill Chain

The cyber kill chain (also referred to as the cyber-attack chain ) is a way to understand the sequence of events involved in an external attack on an organization’s IT environment. Understanding the cyber-attack chain model can help IT security teams put strategies and technologies in place to “kill” or contain the attack at various stages, and better protect the IT ecosystem.
The cyber kill chain model was developed by Lockheed Martin to break down the structure of a cyber-attack (either offensive or defensive) into a pattern composed of identifiable stages.

Lockheed Martin’s cyber kill chain breaks down an external attack into 7 distinct steps:

  • Reconnaissance: The attacker determines what methods to use to complete the phases of the attack. Attacker picks a target, researches it, and looks for vulnerabilities.
  • Weaponization: The attacker couples payload code that will enable access with exploit code that will use a vulnerability to execute on the target system. Or Intruder develops malware designed to exploit the vulnerability.
  • Delivery: The attacker identifies a vector by which to transmit the weaponized code to the target environment. The vector may be a phishing email or another medium.
  • Exploitation: The weaponized code is executed on the target system by this mechanism.
  • Installation: This mechanism enables the weaponized code to run a remote access tool and achieve persistence on the target system. Or in short weaponized code installs a backdoor or other ingress accessible to the attacker.
  • Command & Control (C2): The weaponized code establishes an outbound channel to a remote server that can then be used to control the remote access tool and possibly download additional tools to progress the attack.
  • Actions on Objectives: The attacker typically uses the access he has achieved to covertly collect information from target systems and transfer it to a remote system (data exfiltration) or achieve other goals and motives.

Cyber Kill chain analysis can be used to identify a defensive course-of-action matrix to counter the progress of an attack at each stage. Over the years, the attack landscape has shifted, and many have argued that the cyber kill chain, while helpful, needed to be updated to accommodate the reality that the traditional perimeter has shifted—some even say it has, in many cases, vanished.

Mitre ATT&CK Framework

Mitre ATT&CK framework is knowledge base maintained by the MITRE Corporation for listing and explaining specific adversary tactics, techniques, and common knowledge or procedures used by threat hunters, red teamers, and defenders to better classify attacks and assess an organization’s risk.

Mitre ATT&CK framework consists of total 14 tactics.

ReconnaissanceThe adversary is trying to gather information they can use to plan future operations.
Resource DevelopmentThe adversary is trying to establish resources they can use to support operations.
Initial AccessThe adversary is trying to get into your network.
ExecutionThe adversary is trying to run malicious code.
PersistenceThe adversary is trying to maintain their foothold.
Privilege EscalationThe adversary is trying to gain higher-level permissions.
Defense EvasionThe adversary is trying to avoid being detected.
Credential AccessThe adversary is trying to steal account names and passwords.
DiscoveryThe adversary is trying to figure out your environment.
Lateral MovementThe adversary is trying to move through your environment.
CollectionThe adversary is trying to gather data of interest to their goal.
Command and ControlThe adversary is trying to communicate with compromised systems to control them.
ExfiltrationThe adversary is trying to steal data.
ImpactThe adversary is trying to manipulate, interrupt, or destroy your systems and data.
To know more about Mitre ATT&CK Framework visit

Diamond Model of Intrusion Analysis

Diamond model of intrusion analysis is framework for analyzing cybersecurity incidents and intrusions by exploring the relationships between four core features: adversary, capability, infrastructure, and victim.

Diamond model of intrusion

Read More

What is cybersecurity & why it is important ?

CIA Triad & AAA in Information Security

What is malware and its different types ?

5 thoughts on “Cyber Kill Chain & Mitre ATT&CK Framework

Leave a Reply

Your email address will not be published. Required fields are marked *