The Cybersecurity Kill Chain has been an intrinsic part of the cybersecurity industry for years, influencing the design of technology, incident response programs, and more; however, in recent years a “new” framework has come onto the scene and permeated the industry. The question remains for many: which one should they adhere to? Is one approach better than the other? What is the difference?
If you find yourself asking these questions, look no further. Let’s begin this article by first explaining what a Kill Chain is.
In 2011, the US Department of Defense officially incorporated Cyberspace as a component of the fifth domain of warfare, Information Operations. The defense contractor Lockheed Martin extended the military concept of a kill chain and adapted it to cybersecurity.
Lockheed Martin Kill Chain
Now, the Cyber Kill Chain (its current name) breaks an intrusion or attack down into a defined sequence of phases that helps us identify an attack. There are seven phases, running from Reconnaissance to Actions on Objectives.
As specified in Lockheed Martin’s website:
“The Cyber Kill Chain framework is part of the Intelligence Driven Defense model for identification and prevention of cyber intrusions activity. The model identifies what the adversaries must complete in order to achieve their objective”.
Fig. 1 Seven Phases of the Cyber Kill Chain
At a high level the phases of the Kill Chain are as follows:
1. Reconnaissance: This is where it all begins: harvesting email addresses, conference information, PII.
2. Weaponization: Coupling an exploit with a backdoor into a deliverable payload.
3. Delivery: As the name says, delivering the weaponized bundle to the victim via email, website, USB, etc.
4. Exploitation: Exploiting a vulnerability to execute code on the victim’s system.
5. Installation: Installing malware on the victim’s device.
6. Command & Control: Establishing a command channel for remote manipulation of the victim.
7. Actions on Objectives: With access to the victim’s device, the intruder accomplishes the original objectives of the attack in this final phase.
Now let's dig a bit into the MITRE ATT&CK® Framework
MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. MITRE, a non-profit organization, began developing ATT&CK in 2013 while working with several US Government agencies.
ATT&CK, which stands for Adversarial Tactics, Techniques, & Common Knowledge, was officially released in May 2015 and has undergone several updates, usually quarterly, since.
The framework was conceived to document adversary behaviors better; beyond the behaviors themselves, the group wanted a way to classify how attackers interact with systems.
Unlike the Cyber Kill Chain, ATT&CK uses tactics instead of phases. The framework consists of 14 tactics; you can think of a tactic as the adversary’s technical goal, the objective they hope to achieve with an attack technique.
Every tactic is explained in terms of its techniques: the ways the adversary can attack or proceed toward the main goal. Each tactic has several techniques; currently, ATT&CK records 218 techniques assigned across the tactics.
Now that we know that both the Cyber Kill Chain and MITRE ATT&CK use similar phases or tactics, we can dive into the differences between them.
Cyber Kill Chain and MITRE ATT&CK. What is the difference?
From what we have seen of what the Cyber Kill Chain and MITRE ATT&CK cover, both follow a similar narrative of an attack: break in, don’t get caught, steal some data. There is a big difference, however: while the Cyber Kill Chain has a clearly defined linear sequence of phases, the ATT&CK framework is a matrix of intrusion techniques that is not confined to a specific order of operations.
The Cyber Kill Chain applies the military concept of a kill chain model to a cyberattack. It is designed for defenders to improve their defenses by analyzing the attacker’s playbook (the kill chain) and interrupting the attack by breaking the chain at any phase, whereas MITRE ATT&CK gives you a more dynamic way of analyzing what an attacker could do so you can be better at preventing it. As current events show, with the way the cyber world is moving forward, the question of an attack is not if, but when. Does this mean ATT&CK is the better way to handle an incident or to base your defenses on? The quick answer: no.
Both models give you a way to counter and stop an attack as needed. As with almost everything in the technology field, it is hard to stick with one model for years, as everything keeps moving forward and evolving at the speed of light. There is no bulletproof model out there, and you will need all the “weapons” you have at your disposal.
As stated in the MITRE page:
“ATT&CK and the Cyber Kill Chain are complementary. ATT&CK sits at a lower level of definition to describe adversary behavior than the Cyber Kill Chain. ATT&CK Tactics are unordered and may not all occur in a single intrusion because adversary tactical goals change throughout an operation, whereas the Cyber Kill Chain uses ordered phases to describe high-level adversary objectives.”
-MITRE ATT&CK FAQ
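To make the structural difference in that FAQ answer concrete, here is an added Python example (not from the article, Lockheed Martin or MITRE) that views a handful of detections from one intrusion two ways: as a linear kill chain, where the defender looks for the earliest phase at which the chain could be broken, and as coverage across the unordered ATT&CK tactic matrix. The technique IDs are real ATT&CK identifiers; the tactic-to-phase mapping and the detection records are illustrative assumptions.

```python
# Added example (not from the article, Lockheed Martin or MITRE): the Kill Chain is
# an ordered list of phases, ATT&CK an unordered set of tactics. Technique IDs are
# real ATT&CK IDs; the tactic-to-phase mapping and detections are assumptions.

KILL_CHAIN = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
              "Installation", "Command & Control", "Actions on Objectives"]

ATTACK_TACTICS = {"Reconnaissance", "Resource Development", "Initial Access",
                  "Execution", "Persistence", "Privilege Escalation",
                  "Defense Evasion", "Credential Access", "Discovery", "Lateral Movement",
                  "Collection", "Command and Control", "Exfiltration", "Impact"}

# Technique -> tactic lookup for the techniques used below (real ATT&CK IDs).
TECHNIQUE_TACTIC = {
    "T1595": "Reconnaissance",       # Active Scanning
    "T1566": "Initial Access",       # Phishing
    "T1059": "Execution",            # Command and Scripting Interpreter
    "T1547": "Persistence",          # Boot or Logon Autostart Execution
    "T1071": "Command and Control",  # Application Layer Protocol
    "T1041": "Exfiltration"}         # Exfiltration Over C2 Channel

# Assumed tactic -> phase mapping; unmapped tactics fall into Actions on Objectives.
TACTIC_PHASE = {"Reconnaissance": "Reconnaissance",
                "Resource Development": "Weaponization",
                "Initial Access": "Delivery", "Execution": "Exploitation",
                "Persistence": "Installation",
                "Command and Control": "Command & Control"}

def kill_chain_view(detections):
    """Ordered view: phases in observed order, the earliest phase where the
    chain could have been broken, and whether the sequence was linear."""
    tactics = [TECHNIQUE_TACTIC[d["technique"]] for d in detections]
    phases = [TACTIC_PHASE.get(t, "Actions on Objectives") for t in tactics]
    earliest = min(phases, key=KILL_CHAIN.index)
    linear = all(KILL_CHAIN.index(a) <= KILL_CHAIN.index(b)
                 for a, b in zip(phases, phases[1:]))
    return {"phases": phases, "break_at": earliest, "linear": linear}

def attack_view(detections):
    """Unordered view: which of the 14 tactics had an observed technique."""
    seen = {TECHNIQUE_TACTIC[d["technique"]] for d in detections}
    return {"observed": sorted(seen), "not_observed": sorted(ATTACK_TACTICS - seen)}

# Constructed detections from one hypothetical intrusion (not real data).
DETECTIONS = [{"ts": "10:02", "technique": "T1566"},  # phishing mail delivered
              {"ts": "10:05", "technique": "T1059"},  # script interpreter run
              {"ts": "10:07", "technique": "T1071"},  # beacon over HTTPS
              {"ts": "10:09", "technique": "T1547"},  # autostart entry added
              {"ts": "11:30", "technique": "T1041"}]  # data out over the C2 channel
```

Run on the constructed detections, the kill-chain view reports the chain could have been broken at Delivery and that the observed sequence was not linear (C2 fired before Installation), while the ATT&CK view shows five of the 14 tactics observed and nine never seen in this intrusion, which is exactly the "unordered and may not all occur" point in the FAQ.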
By: Francisco Cosio,
Senior Security Analyst,
Brier & Thorn