What is the Cyber Kill Chain and MITRE ATT&CK?

Published by Marshal on

The cyber kill chain, also known as the Lockheed Martin Cyber Kill Chain, is a framework used in cybersecurity to describe the stages of a targeted cyber attack as a linear sequence. It gives defenders a systematic way to understand, and to counter, each step an intruder must complete. The concept was introduced by Lockheed Martin researchers in 2011 as part of an intelligence-driven approach to network defense: because the attacker has to succeed at every stage, breaking the chain at any one of them stops the intrusion.

The cyber kill chain consists of several stages or steps that an attacker typically goes through during a targeted attack. These stages are as follows:

  1. Reconnaissance: The attacker gathers information about the target, such as exposed services, software versions and configurations, employee names and email addresses, and other potential points of entry.
  2. Weaponization: The attacker creates or acquires a malicious payload, typically by coupling an exploit with a backdoor or remote-access tool inside a deliverable such as a document, archive, or installer.
  3. Delivery: The attacker transmits the weaponized payload to the target, for example as an email attachment, through a compromised or malicious website, on removable media, or via social engineering.
  4. Exploitation: The payload triggers, exploiting a vulnerability in an application or operating system (or the user, in the case of a macro or a phishing lure) to run attacker-controlled code on the victim system.
  5. Installation: The attacker installs a backdoor, implant, or other persistence mechanism on the compromised host so that access survives reboots and the initial exploit.
  6. Command and Control (C2): The compromised host establishes a channel to attacker-controlled infrastructure, giving the attacker remote, often interactive, control over it.
  7. Actions on Objectives: With access established, the attacker pursues the actual goal, which could be data theft and exfiltration, tampering with systems or data, disruption, or using the host as a foothold to move laterally toward other targets.

By understanding these stages, cybersecurity professionals can map their controls to each step of the chain and decide, stage by stage, whether they can detect, deny, disrupt, degrade, or deceive the attacker there. The goal is to break the chain as early as possible: the earlier a stage is blocked, the less damage the intruder can do and the less there is to clean up. One caveat is that the model was built around malware-driven intrusions, so attacks that involve no weaponized payload, such as logging in with stolen or phished credentials or abuse by an insider, fit its middle stages poorly and are usually described better with a behavior catalog such as MITRE ATT&CK.

MITRE ATT&CK 

MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a publicly available knowledge base and model of the tactics, techniques, and procedures (TTPs) that adversaries use during real-world intrusions, built from publicly reported incidents and malware analysis. It was developed by MITRE, a not-for-profit organization, and is published as separate matrices for Enterprise (Windows, macOS, Linux, cloud, and related platforms), Mobile, and ICS environments. It has become widely adopted across the cybersecurity community.

The goal of MITRE ATT&CK is to provide a common language and framework for describing and sharing information about adversarial behaviors and techniques across the cybersecurity community. It helps organizations better understand how attackers operate, enabling them to improve their defenses and detection capabilities.

Key aspects of MITRE ATT&CK include:

  1. Tactic Categories: MITRE ATT&CK groups adversary behaviors into tactics, which represent the high-level objective (the "why") behind an action. The Enterprise matrix currently defines fourteen: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, and Impact. Unlike the kill chain, tactics are not a strict sequence; an intrusion can revisit them in any order.
  2. Technique Matrix: Within each tactic, MITRE ATT&CK identifies the specific techniques (the "how") adversaries use to achieve that objective, each with a stable identifier. For example, under the Execution tactic, T1059 "Command and Scripting Interpreter" covers abusing a built-in interpreter to run attacker code.
  3. Sub-Techniques: Many techniques are broken down into sub-techniques that describe more specific variations. Continuing the example, T1059.001 "PowerShell" is a sub-technique of T1059, alongside others such as Windows Command Shell and Unix Shell. This granularity lets analysts describe, and detect, behavior precisely rather than at the level of "an interpreter was used."
  4. Data Sources, Detection, and Mitigation: For each technique, MITRE ATT&CK lists the data sources that can reveal it (process creation, command-line arguments, network traffic, and so on), detection guidance, applicable mitigations, and procedure examples showing how named threat groups and malware families have used it in practice. This helps organizations decide what telemetry to collect and which controls close which gaps.

The MITRE ATT&CK framework is widely used by security practitioners, including threat hunters, incident responders, detection engineers, and red teams. It gives them a shared vocabulary for attacker behavior, so that a threat report, a detection rule, and an adversary-emulation plan can all reference the same technique IDs.

The two frameworks complement each other: the kill chain describes the lifecycle of a single intrusion in seven ordered stages, while ATT&CK catalogs the individual behaviors an adversary may use, many of which fall within one kill-chain stage. Many security tools and vendors tag alerts and detections with ATT&CK technique IDs, which makes it possible to map security events onto the framework, measure coverage per tactic, and see how far an intrusion has progressed.
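To make both models concrete, the following Python script is an added example (it is not code from the original post, from MITRE, or from Lockheed Martin). It runs a handful of detection rules over constructed Windows process-creation events, tags each hit with an ATT&CK Enterprise technique and tactic, and then rolls the hits up per host into the kill-chain stages reached. The technique IDs, names, and tactics are real ATT&CK Enterprise entries; the event format, the regexes, the sample events, and the assignment of each rule to a kill-chain stage are assumptions made for this example, since ATT&CK itself does not place techniques on the Lockheed Martin chain.

```python
"""Map constructed endpoint events onto ATT&CK techniques and kill-chain stages.

Added example, not code from the original post, MITRE or Lockheed Martin.
Technique IDs, names and tactics are ATT&CK Enterprise entries; the event
format, the regexes and the kill-chain stage assigned to each rule are this
example's own assumptions.
"""
import re
from collections import defaultdict

# Lockheed Martin kill chain in its published order.
KILL_CHAIN = [
    "Reconnaissance", "Weaponization", "Delivery", "Exploitation",
    "Installation", "Command and Control", "Actions on Objectives",
]

# Detection rules: a regex over the event's key=value text plus the ATT&CK
# and kill-chain labels a hit should carry. Stage assignment is an assumption
# of this example; ATT&CK itself does not place techniques on the LM chain.
RULES = [
    {"pattern": re.compile(r"parent=(winword|excel|outlook)\.exe\s+image=(cmd|powershell|wscript)\.exe", re.I),
     "technique": "T1566.001", "name": "Phishing: Spearphishing Attachment",
     "tactic": "Initial Access", "stage": "Delivery"},
    {"pattern": re.compile(r"image=powershell\.exe.*\s-(enc|encodedcommand|e)\s", re.I),
     "technique": "T1059.001", "name": "Command and Scripting Interpreter: PowerShell",
     "tactic": "Execution", "stage": "Exploitation"},
    {"pattern": re.compile(r"image=powershell\.exe\s+dst=\S+:443\b", re.I),
     "technique": "T1071.001", "name": "Application Layer Protocol: Web Protocols",
     "tactic": "Command and Control", "stage": "Command and Control"},
    {"pattern": re.compile(r"image=reg\.exe.*\sadd\s.*\\CurrentVersion\\Run\b", re.I),
     "technique": "T1547.001", "name": "Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder",
     "tactic": "Persistence", "stage": "Installation"},
    {"pattern": re.compile(r"image=rundll32\.exe.*comsvcs\.dll.*MiniDump", re.I),
     "technique": "T1003.001", "name": "OS Credential Dumping: LSASS Memory",
     "tactic": "Credential Access", "stage": "Actions on Objectives"},
]

# Constructed process-creation events: one intrusion on ws01, benign noise on ws07.
EVENTS = r"""
2024-05-02T09:14:03Z host=ws01 user=alice parent=explorer.exe image=winword.exe cmd="WINWORD.EXE /n invoice.docm"
2024-05-02T09:14:11Z host=ws01 user=alice parent=winword.exe image=powershell.exe cmd="powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"
2024-05-02T09:14:12Z host=ws01 user=alice parent=powershell.exe image=powershell.exe dst=198.51.100.7:443 cmd="powershell.exe -nop -w hidden"
2024-05-02T09:15:40Z host=ws01 user=alice parent=powershell.exe image=reg.exe cmd="reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d C:\Users\alice\AppData\Local\u.exe"
2024-05-02T09:31:02Z host=ws01 user=SYSTEM parent=cmd.exe image=rundll32.exe cmd="rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\Windows\Temp\l.dmp full"
2024-05-02T09:32:15Z host=ws07 user=bob parent=explorer.exe image=powershell.exe cmd="powershell.exe -File C:\scripts\backup.ps1"
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Split '<timestamp> key=value ...' into a dict; keep the raw text for the rules."""
    ts, _, rest = line.strip().partition(" ")
    event = {"ts": ts, "raw": rest}
    for key, value in KV.findall(rest):
        event[key] = value.strip('"')
    return event


def match_event(event):
    """Return every rule whose pattern matches the event (one event can hit several)."""
    return [rule for rule in RULES if rule["pattern"].search(event["raw"])]


def map_events(log):
    """Parse a log and emit one hit per (event, matching rule), tagged with ATT&CK and stage."""
    hits = []
    for line in log.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        for rule in match_event(event):
            hits.append({"ts": event["ts"], "host": event.get("host"), "user": event.get("user"),
                         "technique": rule["technique"], "name": rule["name"],
                         "tactic": rule["tactic"], "stage": rule["stage"]})
    return hits


def kill_chain_progress(hits):
    """Per host: the stages observed, sorted in kill-chain order, and the furthest one reached."""
    seen = defaultdict(set)
    for hit in hits:
        seen[hit["host"]].add(hit["stage"])
    return {host: {"stages": [s for s in KILL_CHAIN if s in stages],
                   "furthest": max(stages, key=KILL_CHAIN.index)}
            for host, stages in seen.items()}


def navigator_layer(hits, name="kill-chain-demo"):
    """Count hits per technique using the minimal fields of an ATT&CK Navigator layer."""
    counts = defaultdict(int)
    for hit in hits:
        counts[hit["technique"]] += 1
    return {"name": name, "domain": "enterprise-attack",
            "techniques": [{"techniqueID": t, "score": n} for t, n in sorted(counts.items())]}


if __name__ == "__main__":
    hits = map_events(EVENTS)
    for h in hits:
        print(f'{h["ts"]} {h["host"]} {h["technique"]:<9} {h["tactic"]:<18} -> {h["stage"]}')
    for host, p in kill_chain_progress(hits).items():
        print(f'{host}: furthest stage {p["furthest"]} ({" > ".join(p["stages"])})')
```

Two things in the output are worth noticing. First, the Office-spawns-PowerShell event matches two rules at once (Initial Access via T1566.001 and Execution via T1059.001): a single observable often evidences more than one technique, which is why ATT&CK tagging is many-to-one rather than a simple lookup. Second, on ws01 the C2 beacon (09:14:12) is observed before the Run-key persistence (09:15:40), even though the kill chain lists Installation before Command and Control; a stager calling home before the real implant is installed is common, so treat the chain as a model for placing controls, not as a strict timeline to expect in the logs. The `navigator_layer` output uses only the `name`, `domain`, and `techniques[].techniqueID`/`score` fields of an ATT&CK Navigator layer, which is enough to visualize which techniques fired.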

Categories: Resilience