MITRE ATT&CK and the Lockheed Martin Kill Chain

MITRE ATT&CK and the Cyber Kill Chain

Understanding how adversaries operate is critical in cybersecurity. The MITRE ATT&CK Framework and the Lockheed Martin Cyber Kill Chain are two of the most widely used models for describing attacker behavior. Both give defenders a structured way to describe, detect, and disrupt intrusions; they differ in focus and granularity. The Kill Chain is a seven-stage linear narrative of a single intrusion, while ATT&CK is a catalogue of hundreds of individual techniques grouped by the goal the adversary is pursuing.


The Lockheed Martin Cyber Kill Chain

The Cyber Kill Chain, developed by Lockheed Martin, is a linear model that breaks down the stages of a cyber attack. It helps security teams understand how intrusions progress and where to apply defenses.

The 7 Stages of the Kill Chain:

  1. Reconnaissance: The attacker gathers information about the target. This could include domain names, IP ranges, email addresses, or employee details from social media.

  2. Weaponization: A malicious payload (e.g., malware) is created and prepared for delivery. Often this includes combining an exploit with a delivery mechanism like a PDF or a phishing email.

  3. Delivery: The weapon is sent to the victim. This could be via email attachments, malicious websites, or infected USB drives.

  4. Exploitation: Once delivery succeeds, the payload runs, either by exploiting a vulnerability in an application or the operating system, or by tricking the user into executing it (enabling macros, running an attachment).

  5. Installation: Malware is installed on the system, establishing persistence (e.g., a backdoor or RAT).

  6. Command and Control (C2): The compromised system beacons out to infrastructure the attacker controls, giving them a channel to issue commands and operate "hands on keyboard". Data theft itself belongs to the final stage; C2 is the channel it typically travels over.

  7. Actions on Objectives: The attacker performs their final goals—stealing data, encrypting systems (ransomware), destroying information, etc.

The Kill Chain helps defenders map detection and response strategies to each attack phase. Because the stages are sequential, a control that reliably breaks any one stage breaks the intrusion; for example, better email filtering might stop the attack at the Delivery phase. Its main limitation is that it says little about what happens after the initial compromise (lateral movement, credential theft, discovery), which is where ATT&CK is far richer.


MITRE ATT&CK Framework

MITRE ATT&CK (Adversarial Tactics, Techniques & Common Knowledge) is a living, community-driven knowledge base of real-world adversary behaviors, built from public reporting on actual intrusions. Unlike the linear Kill Chain, ATT&CK is organized as a matrix: the columns are tactics (the adversary's goals) and the cells under each column are the techniques observed being used to reach that goal. It is more granular than the Kill Chain and does not assume the techniques occur in any fixed order.

Key Concepts:

  • Tactics (the why): an attacker's goal at a certain stage (e.g., Privilege Escalation, Persistence, Defense Evasion). Each tactic has an ID of the form TA00xx.

  • Techniques (the how): specific methods attackers use to achieve that goal (e.g., using valid accounts, DLL injection). Each technique has an ID of the form T1xxx.

  • Sub-techniques: more specific variants of a technique, numbered under their parent (T1566.001 is a sub-technique of T1566). A detection rule should be tagged with the most specific ID that fits, since the parent ID can always be derived from it.

  • Mitigations, Detections, and Data Sources: for each technique, ATT&CK lists the mitigations that reduce it, the data sources (log and telemetry types) where it can be observed, and procedure examples showing how named threat groups and malware families have used it.

Example:

  • Tactic: Initial Access (TA0001)

  • Technique: Phishing (T1566)

  • Sub-technique: Spearphishing Attachment (T1566.001)

ATT&CK is published as three matrices: Enterprise, Mobile, and ICS. The Enterprise matrix is further broken down by platform (Windows, macOS, Linux, Cloud, Network, Containers), so a team can view only the techniques that apply to the systems it actually defends. It's commonly used by SOCs, red teams, and threat hunters to simulate and analyze attacker behavior.

ATT&CK allows defenders to map real-world threats to specific techniques, improve threat detection, and run red/purple team exercises using known adversary playbooks.


Real-World Usage

  • The Kill Chain is useful for explaining how an attack unfolded, stage by stage, and for showing where detection failed (for example, an intrusion first noticed at the C2 stage means Delivery, Exploitation, and Installation all went unobserved).

  • ATT&CK is better suited for tagging detection rules and alerts in a SIEM with technique IDs, measuring detection coverage against the tactics that matter to you, conducting threat hunts, or emulating a specific adversary's known techniques in red/purple team exercises.
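The following is an added example, not code from the original page or from MITRE. It shows the two models working together the way the section describes: detection rules are tagged with ATT&CK technique IDs, the alerts they produce are rolled up by tactic (with sub-technique IDs folded back to their parent), and the same alerts are then projected onto Kill Chain phases to show where detection failed. The log lines, the rule logic, and the C2 indicator (an address in the TEST-NET-3 documentation range) are constructed for illustration; the technique IDs, names, and tactics are real ATT&CK Enterprise entries; the tactic-to-phase table is the customary rough correspondence and is an assumption of this example, not an official mapping.

```python
"""Tag detections with MITRE ATT&CK technique IDs, roll them up by tactic,
and project the result onto the Lockheed Martin Kill Chain.

Added example (not the page's or MITRE's code). Log lines, rule logic and
the C2 indicator are constructed; technique IDs/names/tactics are real
ATT&CK Enterprise entries; the tactic-to-phase table is an approximation.
"""
import re
from collections import defaultdict

# Slice of the ATT&CK Enterprise knowledge base: technique ID -> (name, tactic).
# Only the tactic used for the rollup is kept (T1547.001 also appears under
# Privilege Escalation in ATT&CK).
ATTACK = {
    "T1566.001": ("Phishing: Spearphishing Attachment", "Initial Access"),
    "T1204.002": ("User Execution: Malicious File", "Execution"),
    "T1059.001": ("Command and Scripting Interpreter: PowerShell", "Execution"),
    "T1547.001": ("Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder", "Persistence"),
    "T1071.001": ("Application Layer Protocol: Web Protocols", "Command and Control"),
    "T1041": ("Exfiltration Over C2 Channel", "Exfiltration"),
}

# Approximate tactic -> Kill Chain phase table (assumption of this example).
# ATT&CK's Reconnaissance and Resource Development tactics are rarely visible
# in a victim's own logs, so they are left unmapped here.
KILL_CHAIN_PHASES = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
                     "Installation", "Command and Control", "Actions on Objectives"]
TACTIC_TO_PHASE = {
    "Initial Access": "Delivery",
    "Execution": "Exploitation",
    "Persistence": "Installation",
    "Command and Control": "Command and Control",
    "Exfiltration": "Actions on Objectives",
}

C2_IOCS = {"203.0.113.45"}  # constructed indicator (TEST-NET-3 range)

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """'<ISO ts> k=v k="v with spaces"' -> dict; timestamp stored under 'ts'."""
    ts, _, rest = line.partition(" ")
    event = {k: v.strip('"') for k, v in KV.findall(rest)}
    event["ts"] = ts
    return event

# Detection rules: (name, predicate over a parsed event, ATT&CK technique ID).
RULES = [
    ("office_spawns_powershell",
     lambda e: e.get("event") == "process_create"
     and e.get("parent", "").upper() == "WINWORD.EXE"
     and e.get("image", "").lower() == "powershell.exe",
     "T1059.001"),
    ("run_key_persistence",
     lambda e: e.get("event") == "registry_set"
     and e.get("reg_key", "").upper().endswith(r"\CURRENTVERSION\RUN"),
     "T1547.001"),
    ("connect_to_known_c2",
     lambda e: e.get("event") == "network_connect"
     and e.get("dest", "").rsplit(":", 1)[0] in C2_IOCS,
     "T1071.001"),
    ("large_upload_to_known_c2",
     lambda e: e.get("event") == "network_connect"
     and e.get("dest", "").rsplit(":", 1)[0] in C2_IOCS
     and int(e.get("bytes_out", 0)) >= 10 * 1024 * 1024,
     "T1041"),
]

def parent_technique(tech_id):
    """Sub-technique -> parent technique ID ('T1547.001' -> 'T1547')."""
    return tech_id.split(".", 1)[0]

def run_rules(log_lines, rules=RULES):
    """Apply every rule to every line; return ATT&CK-tagged alerts."""
    alerts = []
    for line in log_lines:
        e = parse_line(line)
        for name, predicate, tech in rules:
            if predicate(e):
                alerts.append({"ts": e["ts"], "rule": name, "technique": tech,
                               "parent": parent_technique(tech),
                               "tactic": ATTACK[tech][1]})
    return alerts

def coverage_by_tactic(alerts):
    """Tactic -> sorted list of techniques that actually fired."""
    cov = defaultdict(set)
    for a in alerts:
        cov[a["tactic"]].add(a["technique"])
    return {t: sorted(s) for t, s in cov.items()}

def kill_chain_view(alerts):
    """Return (phases in order of first alert, phases that produced no alert)."""
    seen = []
    for a in sorted(alerts, key=lambda a: a["ts"]):
        phase = TACTIC_TO_PHASE[a["tactic"]]
        if phase not in seen:
            seen.append(phase)
    missed = [p for p in KILL_CHAIN_PHASES if p not in seen]
    return seen, missed

# Constructed endpoint telemetry for one workstation (not real data).
SAMPLE_LOGS = [
    '2024-05-01T09:12:03Z host=WS-17 event=process_create parent=OUTLOOK.EXE image=WINWORD.EXE cmdline="WINWORD.EXE invoice.docm"',
    '2024-05-01T09:12:09Z host=WS-17 event=process_create parent=WINWORD.EXE image=powershell.exe cmdline="powershell -nop -w hidden -enc SQBFAFgA"',
    '2024-05-01T09:12:15Z host=WS-17 event=registry_set reg_key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run value=Updater data=C:\\Users\\Public\\upd.exe',
    '2024-05-01T09:13:02Z host=WS-17 event=network_connect image=upd.exe dest=203.0.113.45:443 proto=https',
    '2024-05-01T09:40:11Z host=WS-17 event=network_connect image=upd.exe dest=203.0.113.45:443 proto=https bytes_out=52428800',
]

if __name__ == "__main__":
    alerts = run_rules(SAMPLE_LOGS)
    for a in alerts:
        print(f'{a["ts"]} {a["rule"]:26} {a["technique"]:10} {ATTACK[a["technique"]][0]}')
    print("Coverage by tactic:", coverage_by_tactic(alerts))
    seen, missed = kill_chain_view(alerts)
    print("Kill Chain phases with alerts:", seen)
    print("Kill Chain phases without alerts:", missed)
```

Running it, the ATT&CK view reports coverage in Execution, Persistence, Command and Control, and Exfiltration, while the Kill Chain view reports that Delivery produced no alert at all: the first log line (Outlook spawning Word on a macro-enabled document) matched no rule, because nothing in the rule set is tagged with T1566.001 or T1204.002. That gap, visible only once alerts are laid out by phase, is exactly the "where detection failed" question the Kill Chain is good at, and the missing technique IDs tell you which ATT&CK entries to write rules for next.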
