Playing defense is always more difficult than being on the attack, because defense is always reactive on some level. This concept is especially true in cybersecurity, where adversaries can take as many shots as they want at an organization, while the poor security team has to be perfect every time to prevent a successful attack.
Because of this natural disadvantage, security teams should always be on the lookout for ways to become more proactive by predicting and anticipating their adversaries’ next moves. Using a kill chain framework helps security teams get inside the heads of their adversaries and understand their intent. The variation of this concept that I have found to be the most valuable is the MITRE ATT&CK matrix, because of its rich database of real-world cyber attack data.
The Kill Chain
The kill chain originated as a military concept to describe the stages of an attack and was adapted into the intrusion kill chain (or “cyber kill chain”) by Lockheed Martin in 2011 to describe attacks against computer networks. In its original form, the cyber kill chain has seven phases that outline an attack:
1. Reconnaissance
2. Weaponization
3. Delivery
4. Exploitation
5. Installation
6. Command and Control
7. Actions on Objective
These phases amount to a generic playbook for adversaries, which security teams can use to anticipate and contextualize attacks. Many organizations now use a kill chain framework in some way, and while it is valuable as a high-level concept, it says nothing about how attackers actually achieve the goal of each phase. That gap is what later frameworks set out to fill.
What Makes ATT&CK Different
Starting in 2013, the not-for-profit corporation MITRE developed its own take on the cyber kill chain, released publicly in 2015 and called ATT&CK (Adversarial Tactics, Techniques & Common Knowledge). ATT&CK focuses on post-compromise behavior: its Enterprise matrix, as it stood at the time of writing, starts at Initial Access, whereas the cyber kill chain begins with the adversary conducting reconnaissance on the target.
Instead of phases, ATT&CK breaks intrusions down into “tactics” (what the adversary is trying to achieve; the Enterprise matrix listed 12 at the time of writing) and, under each tactic, numerous “techniques” (how the adversary achieves it). Tactics include Execution, Defense Evasion, and Lateral Movement. Techniques are more specific, such as PowerShell, Modify Registry, and Remote Desktop Protocol. The result is a large matrix of adversary behavior, each technique backed by citations to publicly reported intrusions. Because technique identifiers and groupings change between ATT&CK releases, any mapping you build should record the ATT&CK version it was made against.
The Value of Using the ATT&CK Matrix in Security Operations
Successful cyber attacks need time to unfold, but organizations generally take a long time to detect an attack and recognize what is happening. The good news is that if the organization can detect and disrupt the attack before the adversary completes the final phase, the adversary does not get what they came for, even if the network has already been compromised. Escalating privileges, for example, is rarely the adversary’s goal in itself; the privileges are a means to an end such as exfiltrating data, and an intrusion stopped at that point has still failed.
Using the ATT&CK framework in your analysis of cybersecurity incidents allows you to make connections between different tactics and techniques. This helps security teams identify ongoing attacks before they are completed and gives the security team a good idea of what the adversary has already done and what they are likely to do next.
The ATT&CK framework is particularly valuable for detecting attacks because it is a behavior-based model, not a signature-based model. Because ATT&CK describes the behaviors adversaries rely on after they get in, detection built on it does not depend on knowing the specific exploit, malware hash, or domain in advance. A zero-day changes how the adversary gets a foothold, and modified indicators of compromise defeat a blocklist, but the post-compromise behaviors (executing code, establishing persistence, moving laterally) still have to happen and can still be observed.
ATT&CK’s “techniques” are also set apart from conventional IOCs because a technique might be a legitimate action that is done for malicious purposes. In other words, once an adversary has compromised a system and gained privileges, they might not need to do anything else that would trip the alarms of conventional security tools. ATT&CK techniques describe the actions that the adversary might take next, even though they might look like normal activity.
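To make the last two points concrete, here is an added example (not code from the original article, and not a MITRE tool) that tags constructed Windows-style events with the three techniques named above, then correlates them per user account across tactics. Each event on its own is something an administrator might legitimately do; only the chain across tactics raises an alert, and the matrix order is used to name the tactic the adversary is likely to attempt next. The host names, user names, timestamps and rule thresholds are all hypothetical; the tactic list is the Enterprise matrix as it stood at the time of writing.

```python
"""Tag events with ATT&CK tactic/technique and correlate across tactics.
Added example; hypothetical hosts, users and telemetry, not real logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Enterprise ATT&CK tactics in matrix order (the 12 listed at the time of writing).
TACTICS = [
    "Initial Access", "Execution", "Persistence", "Privilege Escalation",
    "Defense Evasion", "Credential Access", "Discovery", "Lateral Movement",
    "Collection", "Command and Control", "Exfiltration", "Impact",
]

# Constructed sample telemetry (assumed hosts WS01/WS07/SRV02, users jsmith/admin).
# Logon type 10 is a RemoteInteractive (RDP) logon; fDenyTSConnections=0 enables RDP.
EVENTS = [
    {"ts": "2019-03-04T09:00:00", "host": "WS01", "user": "jsmith", "type": "process",
     "image": "powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -EncodedCommand SQBFAFgA"},
    {"ts": "2019-03-04T09:02:30", "host": "WS01", "user": "jsmith", "type": "registry",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections",
     "value": 0},
    {"ts": "2019-03-04T09:10:00", "host": "SRV02", "user": "jsmith", "type": "logon",
     "logon_type": 10, "src_host": "WS01"},
    # A lone RDP logon by a different account: one technique, no chain.
    {"ts": "2019-03-04T14:00:00", "host": "SRV02", "user": "admin", "type": "logon",
     "logon_type": 10, "src_host": "WS07"},
]

# (technique name, tactic, predicate over one event). Technique IDs omitted because
# they change between ATT&CK versions; names match the article's examples.
RULES = [
    ("PowerShell", "Execution",
     lambda e: e["type"] == "process" and e.get("image", "").lower() == "powershell.exe"
     and re.search(r"-(enc|encodedcommand)\b", e.get("cmdline", ""), re.I) is not None),
    ("Modify Registry", "Defense Evasion",
     lambda e: e["type"] == "registry"
     and e.get("key", "").lower().endswith(r"\terminal server\fdenytsconnections")
     and e.get("value") == 0),
    ("Remote Desktop Protocol", "Lateral Movement",
     lambda e: e["type"] == "logon" and e.get("logon_type") == 10),
]


def tag_events(events):
    """Map raw events onto (tactic, technique); events matching no rule are dropped."""
    tagged = []
    for e in events:
        for technique, tactic, pred in RULES:
            if pred(e):
                tagged.append({"ts": datetime.fromisoformat(e["ts"]), "user": e["user"],
                               "host": e["host"], "tactic": tactic, "technique": technique})
    return tagged


def correlate(detections, window=timedelta(hours=24)):
    """Group detections per user; keep runs inside `window` that span >= 2 tactics."""
    by_user = defaultdict(list)
    for d in detections:
        by_user[d["user"]].append(d)
    chains = []
    for ds in by_user.values():
        ds.sort(key=lambda d: d["ts"])
        chain = [ds[0]]
        for d in ds[1:]:
            if d["ts"] - chain[0]["ts"] > window:   # too far apart: start a new chain
                chains.append(chain)
                chain = []
            chain.append(d)
        chains.append(chain)
    return [c for c in chains if len({d["tactic"] for d in c}) >= 2]


def predict_next(chain):
    """Next tactic in matrix order after the furthest one observed (None at Impact)."""
    furthest = max(TACTICS.index(d["tactic"]) for d in chain)
    return TACTICS[furthest + 1] if furthest + 1 < len(TACTICS) else None


def summarize(chain):
    tactics = []
    for d in sorted(chain, key=lambda d: TACTICS.index(d["tactic"])):
        if d["tactic"] not in tactics:
            tactics.append(d["tactic"])
    return {"user": chain[0]["user"], "hosts": sorted({d["host"] for d in chain}),
            "tactics": tactics, "techniques": [d["technique"] for d in chain],
            "predicted_next": predict_next(chain)}


def analyze(events=EVENTS):
    """Full pipeline: tag, correlate, summarize. Returns one dict per flagged chain."""
    return [summarize(c) for c in correlate(tag_events(events))]


if __name__ == "__main__":
    for chain in analyze():
        print(chain)
```

Run as-is, the script flags one chain: jsmith executes encoded PowerShell on WS01, enables RDP through the registry, then logs on to SRV02 over RDP, so the furthest tactic reached is Lateral Movement and the predicted next tactic is Collection. The admin account's single RDP logon is tagged but never alerted, which is the point of the paragraph above: the technique is only meaningful in context. In a real deployment the window, the per-user grouping and the rule predicates would all be tuned to your telemetry.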
MITRE’s extension of the cyber kill chain concept takes the conceptual value of breaking incidents into phases and combines it with behavior-based research that rivals the best threat intelligence sources. Whether it is built-in to your detection and response tools, or just a way to standardize how your security team talks about advanced persistent threats, the MITRE ATT&CK matrix should find a place in your security operations.
More from Stan Engelbrecht
- Sherlock in the SOC: Leveraging Security Knowledge in a Behavior-Based Approach
- Why Incident Response Must Adopt a Kill Chain Perspective
- Level the Security Operations Playing Field With MITRE ATT&CK
- Observations From RSA Conference 2019
- Don’t Search for a Needle in a Haystack: Use Cases for Threat Intelligence
- The Latest Threats to ATM Security
- Business Outcomes for Automated Phishing Response
- Seven Security Activities You Should Automate