Understanding MITRE ATT&CK and the Cyber Kill Chain

Models and conceptualization are very useful for understanding complex matters. Cyber attacks are definitely a complex matter. The moment the malware payload executes is just one part of a possible more sophisticated cyber attack chain.

Whether you work in the SOC or digital forensics, you need to understand each and every step of the cyber attack process. Ideally, cyber exploitation attempts should be detected as early as possible, to minimize harm. However, the ability to do so requires not only great security monitoring tools, but also human cyber threat researchers who can spot an IOC (Indicators of Compromise) outside of security tools as well as spotting anomalies in network logs.

Understanding the cyber attack process is also valuable information for pentesters and advanced red team operations. Especially for the latter. The whole point of red team engagements is to simulate the kinds of cyber attacks with which threat actors could target your organization. That way, additional vulnerabilities can be found in networks with high security maturity.

Reality is messy. But models like the MITRE ATT&CK framework and Lockheed Martin’s Cyber Kill Chain can help to make sense out of the chaos. Both the Mitre Corporation and obviously Lockheed Martin have deep roots in the US military, and subsequently military tactics. Our modern computer and networking technologies are mainly built on research by or associated with DARPA. And we live in an era of cyberwarfare. So these models are at home with their subject matter.

Let’s look at the Cyber Kill Chain and MITRE ATT&CK. We’ll see how these models can be combined to make sense out of any cyber threat, big or small.

Cyber Kill Chain

The Cyber Kill Chain conceptualizes an entire cyber attack process into seven stages:

1. Reconnaissance

2. Weaponization

3. Delivery

4. Exploitation

5. Installation

6. Command and Control

7. Actions on Objectives

Reconnaissance is when a threat actor researches their attack target and plans their strategy. They could be harvesting email addresses, looking up employees and contractors on LinkedIn and corporate websites, figuring out what kind of networks and applications their target operates, and so on.

Weaponization is literally when the threat actor plans and prepares the weapons that they need to use. They could acquire malware or develop their own malicious scripts. They could develop backdoors to put into their target’s networks at a later phase. They could file-bind malware onto documents to use as Trojan email attachments. They could develop phishing websites and phishing email templates. These days, they could even develop deep fake videos for really advanced phishing.

Delivery is when they deliver their weapons to their target. Phishing emails are sent. USB sticks with malware are given to malicious insiders. Trusted supply chain entities are compromised in order to infect their target. And so on.

Exploitation is perhaps the stage laypeople think about the most. That’s when the malware payload actually executes. Network and application vulnerabilities are actively exploited. If a victim has to trigger an exploit, such as getting them to click on a malicious link, this is when that happens.

Installation is when the threat establishes itself into the targeted system. Backdoors are installed. Executables become an automatically booted program in the operating system. Malicious shells on installed on targeted servers. The attacker gains a foot hold.

Command and Control (C&C) is when a communication channel is established between the attacker’s C&C client and the targeted computer system. Now they can send malicious commands. They can engage in espionage with spyware. They can even send new malware modules to their target. The most devastating Advanced Persistent Threats may be able to keep a stealthy C&C channel going for months or even longer.

Actions on Objectives is when the threat actor is finally able to achieve their goal. They may privilege escalate. They could conduct internal reconnaissance. They can acquire more privileged credentials. These are the sorts of measures they can take where they can start a new chain from the Reconnaissance phase, but this time conduct even more dangerous attacks with more privileges and more access. They can also exfiltrate sensitive data and destroy computer systems. Sometimes the attacker stops at this stage, and sometimes they can start all over again but more destructively.

MITRE ATT&CK

The MITRE ATT&CK framework describes hundreds of cyber attack techniques. Most cyber attacks use multiple techniques. The techniques are organized into categories that can correspond with the phases of the Cyber Kill Chain, even though the two models were developed separately from each other by separate organizations.

Going through every technique would require a whole book. And MITRE sometimes adds techniques to MITRE ATT&CK. But it’s fairly simple to correspond MITRE ATT&CK categories with the phases of the Cyber Kill Chain.

1. Reconnaissance corresponds with the Reconnaissance and Discovery categories of MITRE ATT&CK.

2. Weaponization corresponds with the Resource Development category.

3. Delivery corresponds with the Initial Access category.

4. Exploitation corresponds with multiple MITRE ATT&CK categories-- Execution, Defense Evasion, and sometimes Credential Access.

5. Installation also corresponds with more than one category-- Persistence, and sometimes Defensive Evasion.

6. Command and Control corresponds with the Command and Control category. Duh.

7. Actions on Objectives corresponds with multiple categories-- Collection, Exhilaration, Impact, and sometimes Lateral Movement and Privilege Escalation if the attacker is establishing a more privileged foot hold to start the Chain again.

Your organization needs to keep the entire chain and each phases’ possible techniques in mind as you plan and improve your cyber defenses and threat models.