How to Use the MITRE ATT&CK® Framework and the Lockheed Martin Cyber Kill Chain Together
What is the Lockheed Martin Cyber Kill Chain?
The Lockheed Martin Cyber Kill Chain is the first attempt to describe the structure and lifecycle of a cyberattack. It breaks a cyberattack into seven discrete stages.
The seven stages of the Cyber Kill Chain are:
- Reconnaissance: The reconnaissance phase of a cyberattack is focused on learning as much as possible about the target. This can include the use of open-source intelligence (websites, social media, etc.) and active investigation of the target environment.
- Weaponization: The goal of the reconnaissance phase is to discover a potential attack vector, and weaponization is intended to develop a method of exploiting a discovered weakness. This may include development of custom malware, crafting a phishing email, etc.
- Delivery: The delivery stage involves setting up the target for exploitation. This could be as simple as clicking send on a phishing email or may involve a complicated process of getting the right person at the right place at the right time.
- Exploitation: The exploitation phase is when the attacker takes advantage of the discovered weakness to gain access to the target environment. This may involve exploiting a vulnerability in a webserver, a user enabling macros on a malicious document, etc.
- Installation: The goal of a cyberattack is to gain a foothold on the target network. Once the identified vulnerability has been exploited, an attacker should be able to install and execute malware on the target system.
- Command and Control: A great deal of malware is designed to be interactive, receiving instructions from its creator and/or sending data to them. Establishing a channel for these communications is the next stage in the process.
- Action on Objectives: So far, the stages of the Cyber Kill Chain have focused on granting an attacker access to a target environment. This final stage includes everything that an attacker will do to move from initial access to achieving their final objectives.
What are the similarities between the Lockheed Martin Cyber Kill Chain and the MITRE ATT&CK Framework?
The MITRE ATT&CK ® framework’s collection of Tactics are based upon the lifecycle of a cyberattack, which was first outlined in the Lockheed Martin Cyber Kill Chain. These Tactics describe different goals that an attacker may need to achieve as they perform their attacks.
Different MITRE ATT&CK matrices are focused on different stages of the Lockheed Martin Cyber Kill Chain:
- PRE-ATT&CK: Reconnaissance and Weaponization
- Enterprise and Mobile: Delivery, Exploitation, Installation, Command and Control, and Actions on Objectives
What are the differences between the Lockheed Martin Cyber Kill Chain and the MITRE ATT&CK Framework?
The MITRE ATT&CK Framework and the Lockheed Martin Cyber Kill Chain are both designed to describe how an adversary could carry out a cyberattack. However, the two tools differ in several ways:
- Depth: The Cyber Kill Chain is designed to outline the stages of the cyberattack lifecycle. MITRE ATT&CK’s Tactics loosely map to these stages, but MITRE ATT&CK goes deeper to describe the methods by which an attacker could meet the goals of a particular stage.
- Coverage: The Cyber Kill Chain maps the complete lifecycle of a cyberattack. MITRE ATT&CK breaks this into multiple matrices (i.e. PRE-ATT&CK and Enterprise).
- Stages: The Cyber Kill Chain outlines seven stages of a cyberattack. MITRE ATT&CK’s Enterprise matrix alone includes fourteen Tactics that fit into the last five stages of the Cyber Kill Chain.
- Ordering: The Cyber Kill Chain has a defined order, where adversaries are expected to move linearly from one phase to another. The MITRE ATT&CK Framework is deliberately unordered to acknowledge that an adversary may move through Tactics out of order, skip some Tactics, and revisit some Tactics multiple times throughout the course of an attack.