In an era of rampant ransomware and other malicious cyberattacks, it has never been more important to double down on cybersecurity analysis and strategy. There are 2 models that can help security professionals harden network resources and protect against modern-day threats and attacks: the cyber kill chain (CKC)[1] and the MITRE ATT&CK framework.[2]
The CKC, developed by Lockheed Martin more than a decade ago, provides a high-level view of the sequence of a cyberattack from initial reconnaissance through weaponization and action. While it is widely used by security teams, it has its limitations. For example, host attack behaviors are not included in the model, and attackers may bypass or combine multiple steps.[3]
The newer MITRE ATT&CK framework maps closely to the CKC but focuses more on cyberresilience to withstand emergent threats. This open-source project also provides substantial support for tracing host attack behaviors. The differences between the 2 models can have an outsized impact on the efficacy and resilience of the resulting security analysis and strategies.
The Cyber Kill Chain
The CKC identifies 7 distinct stages of an attack:
- Reconnaissance—Vulnerabilities, email addresses and other details are identified
- Weaponization—A payload, such as a phishing email or other exploit, is constructed
- Delivery—The payload is delivered to targets identified during reconnaissance
- Exploit—Vulnerable devices or users inadvertently execute the payload
- Installation—Malicious software is installed to continue the execution of the attack
- Command-and-Control (C&C)—The malware sends covert communications to the C&C servers, allowing the attacker to control compromised assets
- Actions—The malicious software carries out further actions via the C&C servers per the attacker’s instruction
These 7 phases abstract and simplify attack behaviors, which allows security teams to categorize them by stages rather than analyzing and defending against individual attack behaviors. A typical process for analyzing and mitigating attacks under the CKC model might include:
- Mapping attack behaviors into kill chain stages and understanding the behaviors based on descriptions of the stages
- Initiating detection and mitigation strategy for the attack behaviors as suggested by the corresponding kill chain stages
- Prioritizing execution via detection and mitigation tasks. Prioritizing is crucial because security team resources are often limited.
The Value of Prevention and Cyberresilience
When performing security tasks, it is important to keep in mind that prevention is better than detection. A prevention strategy aims to completely nullify an attack so that no residual damage is done to the systems and no cleanup is required. However, prevention is only possible under certain scenarios at early stages, such as during reconnaissance, delivery, and exploit. At the installation and C&C stages, malware has already caused permanent modifications to systems, so prevention is no longer possible.
Cyberprofessionals should also keep in mind the truism “Fix earlier, cost less.” A cyberresilient infrastructure is more agile and flexible in its response protocol. In a cyberresilient environment, waves of threats can be endured and mitigated early so that the overall cost of a breach is minimized.
One might ask, “How can multiple attack behaviors quickly be mapped to the correct kill chain stages?” This is crucial, but not easy to do. Fortunately, many security products support the CKC model, so detected attack behaviors tend to carry a kill chain stage label. This allows security teams to bypass the cumbersome task of mapping attack behaviors and quickly move to the mitigation and cleanup strategies.
Limitations of the CKC
Present-day attacks utilize encryption over the network, making it very difficult to detect attack behaviors via the network itself. To overcome this limitation, enterprises typically deploy host security products alongside their network security products. Host security products might include traditional antivirus programs, endpoint detection and response (EDR) solutions or endpoint protection platforms (EPPs). Many organizations also deploy extended detection and response (XDR) solutions, which collect various endpoint/network behaviors and application/services logs from other security products to be examined comprehensively.
As mentioned, a shortcoming of the CKC model is that it focuses on network attack behaviors, but not on host attack behaviors. The MITRE ATT&CK framework helps overcome this limitation.
The MITRE ATT&CK Framework
The MITRE ATT&CK framework has gained a significant amount of attention in recent years. It offers 3 major areas of improvement compared to the CKC model:
- Substantial coverage of host attack behaviors
- Granular description of attack behaviors
- Detection and mitigation strategies for attack behaviors
MITRE ATT&CK introduces the concept of tactics and techniques that describe attack behaviors more granularly than the CKC model. The ATT&CK stages include reconnaissance, resource development, initial access, execution, persistence, and C&C.
MITRE ATT&CK expands the CKC’s action stage to include 7 new tactics:
- Privilege escalation
- Defense evasion
- Credential access
- Discovery
- Lateral movement
- Exfiltration
- Impact
The MITRE ATT&CK framework not only describes attack behaviors, but also suggests detections and mitigations.[4] Compared to the CKC, MITRE ATT&CK describes attack aspects in a much more organized manner. Mitigation strategies are individually tagged and can be cross-referenced with MITRE ATT&CK tactics and techniques.
A typical process for analyzing and mitigating attacks under the MITRE ATT&CK framework is similar to the CKC model and includes:
- Mapping attack behaviors into MITRE ATT&CK tactics and techniques and understanding the behaviors based on descriptions
- Adopting a detection and mitigation strategy for attack behaviors suggested by the MITRE ATT&CK framework
- Prioritizing execution via detection and mitigation tasks
Most security products support the MITRE ATT&CK framework and the CKC model. Detected attack behaviors are labeled with MITRE ATT&CK framework technique tags.
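As an added example (not from the article or from MITRE), the following Python sketches the mapping, cross-referencing and prioritizing steps listed for both models: constructed EDR-style alerts carrying ATT&CK technique tags are mapped to a tactic and a CKC stage, ranked so that stages where prevention is still possible come first, and the mitigations shared across the observed techniques are counted. The four-technique table, its alignment of techniques to CKC stages, and the T9999 placeholder are this example's assumptions; the IDs follow ATT&CK's naming, but the table is an illustrative excerpt, not the published data.

```python
from collections import defaultdict

# Constructed excerpt of an ATT&CK-style knowledge base (assumption: a real
# tool loads the published ATT&CK data; the CKC-stage column is this
# example's own alignment, not MITRE's). technique -> (tactic, stage, mitigations)
TECHNIQUES = {
    "T1566": ("Initial Access", "Delivery", ["M1017", "M1031"]),
    "T1053": ("Persistence", "Installation", ["M1026", "M1047"]),
    "T1071": ("Command and Control", "C&C", ["M1031"]),
    "T1486": ("Impact", "Actions", ["M1053"]),
}

# Kill-chain order; prevention is only realistic in the early stages, so those
# alerts are ranked first when analyst resources are limited.
CKC_ORDER = ["Reconnaissance", "Weaponization", "Delivery", "Exploit",
             "Installation", "C&C", "Actions"]
PREVENTABLE = {"Reconnaissance", "Weaponization", "Delivery", "Exploit"}

def map_alert(alert):
    """Enrich one technique-tagged alert with tactic, CKC stage and mitigations."""
    tech = alert["technique"]
    if tech not in TECHNIQUES:
        return None  # unknown technique: leave for manual mapping
    tactic, stage, mitigations = TECHNIQUES[tech]
    return {"host": alert["host"], "technique": tech, "tactic": tactic,
            "stage": stage, "preventable": stage in PREVENTABLE,
            "mitigations": mitigations}

def prioritize(alerts):
    """Earliest kill-chain stage first; host name as a deterministic tie-break."""
    mapped = [m for m in map(map_alert, alerts) if m]
    return sorted(mapped, key=lambda m: (CKC_ORDER.index(m["stage"]), m["host"]))

def mitigation_coverage(ranked):
    """Mitigations ordered by how many observed techniques each one addresses."""
    covers = defaultdict(set)
    for m in ranked:
        for mit in m["mitigations"]:
            covers[mit].add(m["technique"])
    return sorted(covers.items(), key=lambda kv: (-len(kv[1]), kv[0]))

# Constructed sample alerts, tagged the way an EDR/XDR console would tag them.
SAMPLE_ALERTS = [
    {"host": "ws-17", "technique": "T1486"},
    {"host": "ws-03", "technique": "T1566"},
    {"host": "ws-17", "technique": "T1071"},
    {"host": "srv-db", "technique": "T1053"},
    {"host": "ws-03", "technique": "T9999"},  # placeholder ID, not in the table: skipped
]
```

Running `prioritize(SAMPLE_ALERTS)` puts the Delivery-stage phishing alert ahead of the Installation, C&C and Actions alerts, and `mitigation_coverage` surfaces M1031 as the one mitigation that addresses two of the observed techniques.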
Considerations When Using MITRE ATT&CK
While the MITRE ATT&CK framework offers improvements over the CKC model, initially it can be challenging to implement due to its comprehensive and growing coverage of adversary tactics and techniques. Several open source tools are available[5] to help contend with MITRE ATT&CK’s complexity and make the framework more approachable, especially for less experienced security analysts. In addition, a variety of security technologies offer automation that can offload certain aspects of the more labor-intensive processes and procedures for security personnel.
Conclusion
The MITRE ATT&CK framework extends and expands upon the capabilities of the CKC model. It provides substantial coverage of host attack behaviors and offers more comprehensive descriptions of and suggestions for detection and mitigation. While the venerable CKC paved the way for later methodologies, security practitioners should consider leveraging MITRE ATT&CK to take security strategy to the next level.
Endnotes
[1] Dholakiya, P.; “What Is the Cyber Kill Chain and How It Can Protect Against Attacks,” IEEE Computer Society
[2] MITRE; “Enterprise Mitigations”
[3] Korolov, M.; L. Myers; “What Is the Cyber Kill Chain? A Model for Tracing Cyberattacks,” CSO, 14 April 2022
[4] Ibid.
[5] Loshin, P.; “Challenges and Benefits of Using the Mitre ATT&CK Framework,” TechTarget SearchSecurity, April 2019
Editor’s Note
Hear more about what the author has to say on this topic by listening to the “Taking Security Strategy to the Next Level: The Cyber Kill Chain vs. MITRE ATT&CK” episode of the ISACA® Podcast.
Timothy Liu is the cofounder and chief technology officer of Hillstone Networks, a leading provider of infrastructure protection solutions. He has more than 25 years of experience in the technology and security industries, working with Fortune 500 enterprises and data centers to proactively defend against cyberattacks on a global level.