In cyber security, Cyber Kill Chain and MITRE ATT&CK are two frameworks commonly used to understand and prevent cyber attacks.
Are you wondering which one is better or which you should use for your organization? While both have strengths and weaknesses, you may struggle to decide which one’s best.
This article will explain these two popular frameworks' history, background, and respective steps and phases. We’ll look at their key components—such as objectives and applications—and help you understand the main differences between them. Finally, we’ll look at the advantages and limitations of each.
Without further ado, let’s compare Cyber Kill Chain vs MITRE ATT&CK.
Background of the Lockheed Martin Cyber Kill Chain and MITRE ATT&CK Frameworks
Let’s examine the Cyber Kill Chain and MITRE ATT&CK frameworks in detail.
What Is the Cyber Kill Chain?
Developed by computer scientists at Lockheed Martin in 2011, the Cyber Kill Chain framework is derived from the military term “kill chain.”
In military operations, this involves a sequence of steps to complete an attack, starting with identifying the target, dispatching resources, and so on.
The Cyber Kill Chain applies this idea to cyber threat intelligence to identify and prevent cyber attacks as part of Lockheed’s intelligence-driven defense model.
These attacks often include social engineering techniques, malware, and ransomware to infiltrate a network, steal sensitive information, or disrupt operations.
The Cyber Kill Chain framework identifies what the adversaries must complete to achieve their objective, outlining the steps attackers typically take to infiltrate a network and carry out a successful cyber attack.
By understanding these steps, you can better defend against potential threats and strengthen your security posture.
Cyber Kill Chain Steps
By utilizing the Cyber Kill Chain's seven steps, you can better understand an adversary's tactics, techniques, and procedures, improving visibility into an attack.
While we’ll be covering the seven steps in the kill chain, it's important to note that cyber security experts have begun to add an eighth step to this framework, called “monetization.”
In this step, cyber attackers focus on profiting from the data or access they’ve obtained, whether by selling it on the dark web or using it for ransomware attacks. This step highlights the ultimate goal of many cyber attacks: financial gain.
Let’s take a look at each step in more detail.
1. Reconnaissance
In this first step, attackers gather information on their target to find vulnerabilities. This can include harvesting email addresses, looking for system weaknesses, and identifying key personnel.
Tools/Techniques: Social engineering, public information scraping (websites, social media), network scanning tools (Nmap), and WHOIS lookups.
2. Weaponization
Here, attackers create malware to exploit the identified vulnerabilities. This stage involves pairing remote access malware with an exploit to create a deliverable payload.
Tools/Techniques: Custom malware creation, use of exploit kits on the dark web, and packing tools to obfuscate malware from antivirus software.
3. Delivery
In the delivery step, the malware is transmitted to the target through various means, aiming to trick the user into executing the payload.
Tools/Techniques: Phishing emails, malicious attachments or links, watering hole attacks (compromising sites frequently visited by the target), and USB drops.
4. Exploitation
In step four, the malware exploits a vulnerability to execute malicious code on the target's system. During this stage, the exploit triggers execution of the attacker's code, which activates the malware's payload.
Tools/Techniques: Exploit kits targeting specific vulnerabilities, weak configurations, and buffer overflows.
5. Installation
Here, the malware installs itself on the target system to maintain persistence and possibly provide a backdoor for attackers.
Tools/Techniques: Trojan horses, rootkits to hide malware presence, and scripts for automatic execution at system startup.
6. Command and Control (C2)
Attackers gain control over the compromised system, often remotely, to direct further actions.
Tools/Techniques: HTTP/HTTPS for communication to avoid detection, domain generation algorithms (DGA) for resilient command and control infrastructure, proxychains, and virtual private servers to obscure the attack source.
7. Actions on Objectives
In this final step, the attackers accomplish their intended goals, from data exfiltration to destroying or disrupting critical processes.
Tools/Techniques: Data harvesting tools, ransomware for encryption and extortion, distributed denial of service (DDoS) attack tools, and lateral movement tools like PsExec for spreading through the network and accessing valuable assets.
What Is the MITRE ATT&CK Framework?
MITRE ATT&CK stands for MITRE Adversarial Tactics, Techniques, and Common Knowledge.
The MITRE ATT&CK framework, developed in 2013 by the MITRE Corporation, was initially focused on documenting advanced persistent threats (APTs) targeting Windows systems.
As threats evolved, the framework expanded to include macOS, Linux, mobile operating systems (Android, iOS), cloud environments, containers, and ICS networks.
ATT&CK has become a global resource that private and public companies use to understand and defend against cyber threats.
MITRE made ATT&CK publicly available, encouraging contributions from cyber security professionals worldwide.
MITRE ATT&CK Framework Phases
Certain tactics are shared across the enterprise, mobile, and ICS ATT&CK matrices because cyber adversaries' characteristics are consistent regardless of the environment.
These shared tactics reflect the stages of a cyber attack and the adversary's common goals, whether targeting corporate networks, mobile devices, or industrial control systems.
For example, the following tactics are present in all three matrices.
1. Initial Access
Adversaries must gain access to the system or network they target, whether it’s an enterprise network, a mobile device, or an industrial control system.
Tools/Techniques: Phishing attacks often use tools like Gophish or crafted emails that deliver malware through attachments or links. Access can also be gained by exploiting weaknesses on public-facing servers.
2. Execution
Once access is gained, adversaries will try to execute their code or command.
Tools/Techniques: They might use PowerShell scripts for Windows environments or bash scripts on Linux. Malware payloads, ranging from ransomware to trojans, can vary widely.
3. Persistence
Adversaries aim to maintain their foothold in the environment, ensuring their activities can continue over time.
Tools/Techniques: Techniques include creating new accounts for later access, modifying registry keys, or installing new services.
4. Privilege Escalation
Privilege escalation gives adversaries more control and access within the compromised environment.
Tools/Techniques: Attackers might exploit system vulnerabilities that allow for privilege escalation or use stolen credentials to log in as users with higher privileges.
5. Defense Evasion
A common goal for adversaries is to avoid detection by security systems.
Tools/Techniques: This could involve disabling security software, encrypting payloads, or using stealthy malware, such as rootkits.
6. Credential Access
Stealing credentials allows adversaries to masquerade as legitimate users and access sensitive areas of the network.
Tools/Techniques: Techniques include keylogging and dumping credentials from system memory using tools like Mimikatz.
7. Discovery
Adversaries explore the environment to understand its layout, what is connected, and where valuable data is kept.
Tools/Techniques: This phase might involve network scanning with tools like Nmap or using built-in system commands to list users, services, and connected systems.
8. Lateral Movement
To expand their reach within the environment, adversaries move from one system to another.
Tools/Techniques: Tools like PsExec or techniques like Pass the Hash can be used to move laterally using existing credentials.
9. Collection
In this phase, adversaries gather data relevant to their objectives from various sources.
Tools/Techniques: Techniques include capturing screenshots, keystrokes, audio, and video, and LLMNR/NBT-NS poisoning and SMB relay attacks.
10. Command and Control
Adversaries establish a method to continue directing compromised resources using C2 frameworks.
Tools/Techniques: This could involve using HTTP for communication, custom malware that connects to a C2 server, or tools like Cobalt Strike.
11. Exfiltration
The ultimate goal of many cyber attacks is to steal data, which adversaries try to move to locations they control.
Tools/Techniques: Data can be compressed and encrypted to avoid detection, then exfiltrated using FTP, HTTP, or over a WiFi connection.
12. Impact
Adversaries may wish to disrupt operations, destroy data, or harm the organization’s assets and reputation.
Tools/Techniques: This could involve deleting critical files, deploying ransomware, or conducting DDoS attacks to disrupt services.
In the following section, we’ll see the tactics unique to each matrix.
Enterprise-Specific Tactics
Let’s look at the two tactics specific to the enterprise matrix.
Reconnaissance
Reconnaissance involves adversaries gathering information that can be used to plan initial access.
Tools/Techniques: Tools like Maltego or websites like Shodan and Censys can help adversaries find exposed assets and vulnerabilities.
Resource Development
Resource development involves adversaries creating, purchasing, or compromising resources to support targeting, and it can be used in other phases of the adversary lifecycle.
Tools/Techniques: This could involve renting servers, registering domain names similar to legitimate ones (for phishing or malware distribution), and setting up VPNs or TOR for anonymity.
ICS Specific Tactics
Here are the two tactics specific to the ICS matrix.
Inhibit Response Function
This tactic disrupts the normal operation of safety systems and protective measures relevant to industrial environments where physical safety is critical.
Tools/Techniques: Disabling alarm systems or altering their thresholds so that they fail to alert personnel to abnormal or dangerous conditions.
Impair Process Control
This tactic targets the control processes that manage physical operations in an industrial environment and aims to change or disable them.
Tools/Techniques: Specialized malware, like Stuxnet, which is designed to target control systems. It alters the logic or operation of programmable logic controllers (PLCs).
Key Components of Cyber Kill Chain and MITRE ATT&CK
Let’s look at the key components of the Cyber Kill Chain and MITRE ATT&CK.
Stages vs. Tactics and Techniques of Cyber Kill Chain and MITRE ATT&CK
The Cyber Kill Chain and the MITRE ATT&CK framework are both important for understanding and responding to cyber threats, but they approach cyber attacks from different standpoints. Each provides a unique lens through which you can analyze threats and bolster your defenses.
Cyber Kill Chain Characteristics
The Cyber Kill Chain portrays attacks as a step-by-step process primarily designed to prevent attacks from external actors, helping identify and stop attacks at each stage.
MITRE ATT&CK Characteristics
ATT&CK is organized as a matrix of tactics and techniques applicable to different platforms (enterprise, mobile, and ICS). It covers various adversarial behaviors—including those used after gaining initial access—and offers a detailed look at adversary techniques' execution.
Cyber Kill Chain and MITRE ATT&CK Comparison
The Cyber Kill Chain follows a linear progression model, showing that attacks develop in a specific order. Meanwhile, ATT&CK uses a matrix-based approach that shows the variability of real-world attacks, where adversaries may use multiple tactics and techniques in no specific order.
The Cyber Kill Chain is primarily focused on the stages of an external attack leading up to and including the compromise of a target. ATT&CK covers various adversary behaviors, such as post-compromise tactics, lateral network movement, and evasion techniques.
The Cyber Kill Chain helps understand and stop external attacks before an adversary can achieve their goals. ATT&CK provides a detailed framework for understanding, detecting, and responding to various adversary tactics and techniques throughout an attack.
Objectives and Applications of the Cyber Kill Chain and MITRE ATT&CK
Cyber Kill Chain and MITRE ATT&CK have different strategic objectives and practical applications in cyber security operations.
Cyber Kill Chain Objective
The Cyber Kill Chain model provides a structured framework for understanding an adversary's different steps in planning and executing a successful cyber attack.
Breaking down the attack into steps helps companies identify and mitigate threats at various points in the attack chain.
Cyber Kill Chain Applications
- Organizations can develop defensive measures and controls to interrupt or prevent attacks at each stage of the kill chain.
- The model helps identify the current stage of an ongoing attack, allowing for containment and remediation efforts.
- Blue teams can use the kill chain to model potential attack scenarios and proactively address vulnerabilities.
MITRE ATT&CK Objective
The MITRE ATT&CK framework focuses on cataloging and documenting the various attack tactics, techniques, and procedures used by real-world threat actors throughout the attack lifecycle.
It provides a knowledge base of adversary behaviors and a common way of describing and understanding their methods.
MITRE ATT&CK Applications
- The framework helps companies stay informed about the latest adversary TTPs and develop countermeasures accordingly.
- Blue teams can identify gaps and prioritize improvements by mapping adversary behaviors to the company's defenses.
- The ATT&CK knowledge base helps develop threat-hunting models, create detection rules, and enhance security monitoring capabilities.
- Penetration testers and red teams can use the ATT&CK techniques to mimic real-world adversaries and test an organization's defenses.
While the Cyber Kill Chain focuses on understanding the stages of an attack, the MITRE ATT&CK framework relies on understanding adversaries' specific behaviors and methods within those stages.
Both models aid cyber security operations, but from different perspectives: one provides a structured attack lifecycle view, while the other offers a knowledge base on adversary behavior.
Organizations often use these models together, using the Cyber Kill Chain to develop defensive strategies and MITRE ATT&CK to stay informed about the latest adversary TTPs and enhance threat detection and response.
Cyber Kill Chain vs MITRE ATT&CK: Advantages and Limitations
While the Cyber Kill Chain and MITRE ATT&CK are excellent frameworks, they have some limitations.
Cyber Kill Chain Advantages and Limitations
Let’s briefly look at some of the advantages and limitations of the Cyber Kill Chain.
Advantages
Limitations
MITRE ATT&CK Framework Advantages and Limitations
Let’s look at the advantages and limitations of MITRE ATT&CK.
Advantages
Limitations
Integrating Cyber Kill Chain and MITRE ATT&CK Framework
Implementing Cyber Kill Chain and MITRE ATT&CK together is the best way to establish a layered security approach. We'll show you a couple of ways to achieve this.
Threat Hunting
Create threat-hunting campaigns using the Cyber Kill Chain, focusing on identifying indicators of compromise (IoCs) at each stage.
The MITRE ATT&CK framework then offers a detailed knowledge base of techniques to look for across the threat landscape, aiding threat hunters in searching for evidence of specific adversary tactics.
Doing this increases the chances of detecting sophisticated threats that may have evaded initial defenses.
Incident Response
In the event of a security breach, analyze the attack's progression and use the Cyber Kill Chain to determine the compromised stage.
Then, look into the ATT&CK framework to analyze the techniques used, providing information about the attacker's methods and objectives.
This information will help you with effective containment, eradication, and recovery actions while also helping create future defense strategies to prevent similar attacks.
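As an added example of the combined incident-response and threat-hunting approach described above (this is not the article's code, nor part of either framework), ATT&CK-tagged alerts are mapped onto Cyber Kill Chain stages to find the furthest stage the adversary reached and the earlier stages that produced no detection, which are the places to hunt. The tactic-to-stage alignment, the sample alerts, and the hostnames are assumptions.

```python
# Added example: map ATT&CK-tagged alerts onto Cyber Kill Chain stages for
# incident triage and to find the stages with no detection (hunting targets).
# The tactic-to-stage alignment below is an assumption, not an official
# MITRE or Lockheed Martin mapping.
from collections import defaultdict

KILL_CHAIN = [
    "Reconnaissance", "Weaponization", "Delivery", "Exploitation",
    "Installation", "Command and Control", "Actions on Objectives",
]

TACTIC_TO_STAGE = {
    "Reconnaissance": "Reconnaissance",
    "Resource Development": "Weaponization",
    "Initial Access": "Delivery",
    "Execution": "Exploitation",
    "Persistence": "Installation",
    "Command and Control": "Command and Control",
}
# Assumed: every post-compromise ATT&CK tactic lands in the last stage.
for _t in ("Privilege Escalation", "Defense Evasion", "Credential Access",
           "Discovery", "Lateral Movement", "Collection", "Exfiltration", "Impact"):
    TACTIC_TO_STAGE[_t] = "Actions on Objectives"

# Constructed sample alerts, shaped like a SIEM export with ATT&CK tagging.
SAMPLE_ALERTS = [
    {"host": "ws-042", "tactic": "Initial Access", "technique": "Phishing"},
    {"host": "ws-042", "tactic": "Command and Control",
     "technique": "Application Layer Protocol"},
    {"host": "srv-db1", "tactic": "Lateral Movement", "technique": "Remote Services"},
]


def triage(alerts):
    """Return (techniques seen per stage, furthest stage reached, hunting gaps).

    A gap is a stage the adversary must have passed through to reach the
    furthest observed stage, yet produced no alert. Reconnaissance and
    Weaponization happen outside the defender's network, so never count as gaps.
    """
    seen = defaultdict(list)
    for alert in alerts:
        if alert["tactic"] not in TACTIC_TO_STAGE:
            raise ValueError(f"unknown ATT&CK tactic: {alert['tactic']}")
        seen[TACTIC_TO_STAGE[alert["tactic"]]].append(alert["technique"])
    if not seen:
        return {}, None, []
    furthest = max(KILL_CHAIN.index(stage) for stage in seen)
    gaps = [s for s in KILL_CHAIN[2:furthest] if s not in seen]
    return dict(seen), KILL_CHAIN[furthest], gaps
```

For the sample alerts, the adversary is already at Actions on Objectives, yet Exploitation and Installation produced nothing, so those stages on ws-042 are where the hunt starts.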
Conclusion
The Cyber Kill Chain and MITRE ATT&CK are important frameworks for analyzing and understanding cyber threats and attacks.
While each of these frameworks has advantages and limitations, MITRE ATT&CK provides a broader view of the tactics, techniques, and procedures used by threat actors, while the Cyber Kill Chain provides a more structured approach to understanding a cyber attack.
Combining both in your defensive strategy will give you a solid understanding of the cyber attack life cycle.
Are you looking to improve your cyber security knowledge? Consider joining the StationX Accelerator program and take your skills and knowledge to the next level with our massive library of courses. We also offer you everything you need to succeed, including roadmaps, mentorships, and a supportive community.