Understanding the MITRE ATT&CK Framework and the Cyber Kill Chain
- bacavendish
- Apr 1, 2024
- 5 min read
In cybersecurity, a number of frameworks have been developed to help analysts defend against threat actors. The two most widely used are the MITRE ATT&CK framework and the Cyber Kill Chain. Both consolidate a vast body of knowledge that can be used to better understand threat actors and the actions they take.
The MITRE ATT&CK Framework
The MITRE ATT&CK framework is a large knowledge base that catalogs the tactics and techniques threat actors use throughout the entire attack lifecycle. It offers a far more granular view than the Cyber Kill Chain, which is linear. The framework covers a wide range of tactics and techniques representing the various stages of an attack, from initial access to exfiltration. Developed by the MITRE Corporation, it is continually updated and maintained to reflect an up-to-date picture of current attack vectors. The MITRE ATT&CK framework is organized into 14 tactics. Each tactic contains a number of techniques that describe specific ways an adversary may try to achieve that tactic's goal.
The MITRE ATT&CK framework currently identifies 188 techniques and 379 sub-techniques for enterprise networks. Below is a list of each individual tactic:
- Reconnaissance: Methods that actively or passively collect information for planning targeted attacks.
- Resource Development: Processes by which attackers obtain, build, or steal resources for use in an upcoming attack.
- Initial Access: Methods by which adversaries attempt to establish a foothold in your network through various vectors.
- Execution: Techniques used to run malicious code on a local or remote system.
- Persistence: Strategies an adversary employs to maintain their presence in your network, whether locally or remotely.
- Privilege Escalation: The process through which an adversary seeks to obtain higher-level permissions within your organization's network.
- Defense Evasion: Strategies used to avoid detection as adversaries move through your network.
- Credential Access: Techniques aimed at acquiring sensitive credentials, such as passwords.
- Discovery: Attempts to learn how your systems and environment are laid out.
- Lateral Movement: Moving within your network, gaining and exercising control over additional systems.
- Collection: Methods that gather information of interest from sources inside your organization.
- Command and Control: Techniques by which adversaries establish communication with compromised systems in order to control them.
- Exfiltration: Techniques that involve the outright theft of data from your network.
- Impact: Efforts aimed at undermining the availability or integrity of data and disrupting business operations.

MITRE ATT&CK Use Cases
The MITRE ATT&CK Framework has a variety of uses in the cybersecurity landscape. First and foremost, it enhances incident response by giving analysts a clear guidebook of potential attack vectors. It also greatly assists in building threat intelligence: mapping a threat group's tactics and techniques onto the framework helps analysts understand how that group operates, and having this knowledge readily available strengthens overall threat intelligence. Another benefit of the MITRE ATT&CK Framework is its ability to guide red team operations. Using the framework, red teams can model how real adversaries behave and build emulation exercises to test the effectiveness of defenses.
The Cyber Kill Chain
The Cyber Kill Chain framework was developed by Lockheed Martin and describes how attackers move through networks and identify the vulnerabilities they can exploit. The kill chain is divided into seven stages. These stages follow a sequential model that outlines each step an attacker must complete to successfully compromise a target. Below is an outline of what each of these steps entails:
Reconnaissance
During this stage of the Cyber Kill Chain, the attacker searches for targets and for vulnerabilities within the network. The attacker may also collect a wide range of information in this phase: login details, email addresses, user IDs, or anything else that may prove useful for the attack itself.
Weaponization
During this stage, the attacker uses the information gathered during reconnaissance to turn their intent into a usable payload. This is often done by creating new tools or malware, or by modifying existing ones. The payload produced here is built for the entry point that was identified earlier.
Delivery
During this phase, the attacker actually launches the attack. For example, an attacker might distribute email attachments or malicious links to prompt users to interact with the weaponized software created in step two.
Exploitation
The exploitation phase is the point at which the threat actor executes malicious code on the victim's system. The attacker takes advantage of the vulnerabilities discovered in previous stages in order to run that code.
Installation
Immediately after exploitation comes the installation phase. At this point the attacker has successfully placed malicious software on the host machine, and will continue to install additional malicious software and tools on the host in an attempt to take complete control.
Command and Control
In the command and control stage of the Cyber Kill Chain, the attacker leverages the malicious software placed on the device in the exploitation step to take complete remote control of it.
Actions and Objectives
During the final stage of the Cyber Kill Chain, the attacker takes advantage of the malicious software previously placed on the system and carries out their original goals. This could be theft, data destruction, or any of a wide variety of other outcomes.

Cyber Kill Chain Use Cases
The Cyber Kill Chain has been around since 2011. Because of its age, parts of its methodology limit the framework as a whole. Even with these shortcomings, however, the Cyber Kill Chain still has its uses. It can be helpful when responding to attacks in real time, because it provides a clear start-to-finish picture of the attacker's mindset. This linear framework offers a much-needed glimpse into each individual step of a cyberattack.
Integrating MITRE ATT&CK and the Cyber Kill Chain
While both models aim to provide frameworks for understanding and mitigating cyber threats, they do so from very different perspectives. The Cyber Kill Chain is a linear framework focused on each individual step an attacker takes to breach a system, from start to finish. The MITRE ATT&CK Framework offers a much more granular view of the tactics and techniques threat actors use. To build a successful cybersecurity program, it is important to use both frameworks in tandem. The MITRE ATT&CK Framework explains the "how" of an attack, while the Cyber Kill Chain explains the "when" and "where". Together they help analysts defend effectively against cyber threats. Integrating both models into your cybersecurity program will enable your organization not only to react to threats, but to anticipate them and neutralize them before they can cause significant damage.
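The following is an added worked example, not code from the original post or from MITRE or Lockheed Martin. It puts the tactic list above, the seven kill chain stages, and the idea of using the two frameworks together into one small script: a constructed sequence of alerts, each tagged with the ATT&CK technique a detection rule fired on, is mapped to the tactics it touches (the "how") and then to the kill chain stage it represents (the "when" and "where"). The technique IDs are real ATT&CK Enterprise IDs; the tactic-to-stage mapping, the `Alert` record, the function names and the alert data are assumptions made for this example, and the final stage is named "Actions on Objectives" as Lockheed Martin labels it.

```python
"""Map tagged alerts onto ATT&CK tactics and Cyber Kill Chain stages.

Added example, not part of the original post. The TACTIC_TO_STAGE alignment,
the Alert record and SAMPLE_ALERTS are constructed assumptions; the technique
IDs in TECHNIQUES are real ATT&CK Enterprise identifiers.
"""
from dataclasses import dataclass

# The 14 ATT&CK Enterprise tactics, in the order ATT&CK lists them.
TACTICS = [
    "Reconnaissance", "Resource Development", "Initial Access", "Execution",
    "Persistence", "Privilege Escalation", "Defense Evasion",
    "Credential Access", "Discovery", "Lateral Movement", "Collection",
    "Command and Control", "Exfiltration", "Impact",
]

# The seven Cyber Kill Chain stages, in sequence.
KILL_CHAIN = [
    "Reconnaissance", "Weaponization", "Delivery", "Exploitation",
    "Installation", "Command and Control", "Actions on Objectives",
]

# Assumed alignment of tactics to stages. ATT&CK is more granular, so several
# tactics collapse into one stage; this is one plausible mapping, not an
# official one from either framework.
TACTIC_TO_STAGE = {
    "Reconnaissance": "Reconnaissance",
    "Resource Development": "Weaponization",
    "Initial Access": "Delivery",
    "Execution": "Exploitation",
    "Persistence": "Installation",
    "Privilege Escalation": "Installation",
    "Defense Evasion": "Installation",
    "Command and Control": "Command and Control",
    "Credential Access": "Actions on Objectives",
    "Discovery": "Actions on Objectives",
    "Lateral Movement": "Actions on Objectives",
    "Collection": "Actions on Objectives",
    "Exfiltration": "Actions on Objectives",
    "Impact": "Actions on Objectives",
}

# A small slice of the ATT&CK technique catalog: id -> (name, tactics).
# A technique may sit under more than one tactic; T1078 is the classic case.
TECHNIQUES = {
    "T1595": ("Active Scanning", ["Reconnaissance"]),
    "T1566": ("Phishing", ["Initial Access"]),
    "T1059": ("Command and Scripting Interpreter", ["Execution"]),
    "T1547": ("Boot or Logon Autostart Execution",
              ["Persistence", "Privilege Escalation"]),
    "T1078": ("Valid Accounts", ["Defense Evasion", "Persistence",
                                 "Privilege Escalation", "Initial Access"]),
    "T1003": ("OS Credential Dumping", ["Credential Access"]),
    "T1021": ("Remote Services", ["Lateral Movement"]),
    "T1071": ("Application Layer Protocol", ["Command and Control"]),
    "T1041": ("Exfiltration Over C2 Channel", ["Exfiltration"]),
    "T1486": ("Data Encrypted for Impact", ["Impact"]),
}


@dataclass(frozen=True)
class Alert:
    timestamp: str      # ISO 8601 UTC, sorts correctly as a string
    host: str
    technique_id: str   # ATT&CK technique the detection rule is tagged with


# Constructed alerts for one hypothetical intrusion (not real data).
SAMPLE_ALERTS = [
    Alert("2024-03-28T09:02:11Z", "ws-017", "T1566"),
    Alert("2024-03-28T09:02:40Z", "ws-017", "T1059"),
    Alert("2024-03-28T09:05:03Z", "ws-017", "T1547"),
    Alert("2024-03-28T09:06:19Z", "ws-017", "T1071"),
    Alert("2024-03-28T10:41:55Z", "ws-017", "T1003"),
    Alert("2024-03-28T10:50:02Z", "srv-db-02", "T1021"),
]


def tactics_observed(alerts):
    """ATT&CK tactics touched by the alerts, in ATT&CK order.
    Alerts tagged with an unknown technique id are skipped, not fatal."""
    seen = set()
    for a in alerts:
        if a.technique_id in TECHNIQUES:
            seen.update(TECHNIQUES[a.technique_id][1])
    return [t for t in TACTICS if t in seen]


def tactics_missing(alerts):
    """Tactics with no alert at all: either not attempted, or a detection gap."""
    observed = set(tactics_observed(alerts))
    return [t for t in TACTICS if t not in observed]


def stages_reached(alerts):
    """Kill chain stages the intrusion has evidence for, in chain order."""
    stages = {TACTIC_TO_STAGE[t] for t in tactics_observed(alerts)}
    return [s for s in KILL_CHAIN if s in stages]


def kill_chain_progress(alerts):
    """Furthest kill chain stage reached, or None if nothing mapped."""
    reached = stages_reached(alerts)
    return reached[-1] if reached else None


def timeline(alerts):
    """(timestamp, host, technique id, name, stages) per alert, time-ordered."""
    rows = []
    for a in sorted(alerts, key=lambda x: x.timestamp):
        name, tactics = TECHNIQUES.get(a.technique_id, ("unknown", []))
        stages = sorted({TACTIC_TO_STAGE[t] for t in tactics},
                        key=KILL_CHAIN.index)
        rows.append((a.timestamp, a.host, a.technique_id, name, stages))
    return rows


if __name__ == "__main__":
    for row in timeline(SAMPLE_ALERTS):
        print(*row)
    print("tactics observed:", tactics_observed(SAMPLE_ALERTS))
    print("tactics missing: ", tactics_missing(SAMPLE_ALERTS))
    print("stages reached:  ", stages_reached(SAMPLE_ALERTS))
    print("furthest stage:  ", kill_chain_progress(SAMPLE_ALERTS))
```

On the sample data the script reports seven tactics observed and an intrusion that has already reached Actions on Objectives, while the Reconnaissance and Weaponization stages show no alerts at all. That last point is the practical caveat: the first two kill chain stages happen outside the defender's network, so an empty tactic in the ATT&CK view may mean the adversary skipped it, or it may mean there is no telemetry for it, and the two cases need different responses.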
Final Thoughts
The standardization of attack frameworks like these is a first step toward a more cohesive and effective cybersecurity posture worldwide. Keeping these resources readily available and implementing them in your organization should be a priority for any cybersecurity program. Thank you for taking the time to learn with me. Join me next week, where I hope to continue my long journey into malware development and cover process injection!
References:
- CrowdStrike. (2024, February 21). What is the cyber kill chain? Introduction guide. https://www.crowdstrike.com/cybersecurity-101/cyber-kill-chain/
- MITRE. (n.d.). MITRE ATT&CK®. https://attack.mitre.org/
- Lockheed Martin. (n.d.). Cyber Kill Chain®. https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html
- CrowdStrike. (2024, January 22). What is the MITRE ATT&CK framework? https://www.crowdstrike.com/cybersecurity-101/mitre-attack-framework/