Cyber Kill Chain
The basic premise of the the kill chain is to separate the attack into different stages, and that all stages must be complete for the attacker to complete their objective, If the chain of attack is broken, then in theory the whole attack is. This is not always true and we will discuss why a little later in this post. There are a number of attack methodology that we can use.
Below is a picture of the most well known Cyber Kill Chain developed by lockheedmartin.
Please read all about it here. https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html
Cyber Kill Chain
Unified Kill Chain alternative Attack Methodology
There are other Kill Chains too. The unified kill chain by Paul Pols https://www.unifiedkillchain.com/assets/The-Unified-Kill-Chain.pdf aims to expand on the Lockheedmartin kill chain and recognise their are more phases to each attack phase, specifically initial access, pivoting and such. It most definitely serves to be aware of the two and the differences.
Mitre ATT&CK Framework
Hopefully you are aware of ATT&CK found here https://attack.mitre.org/ it is something you will be using very frequently, certainly with understanding behaviour and tool application in terms of attack. In essence the ATT&CK matrix can be considered a Kill Chain too.
With your tactics running across the top (14 at the time of writing) and the techniques sitting underneath as shown below. The below images is just a snippet and you should refer to the link about to view everything. It is useful to note that although ATT&CK is a great resource it should not be relied upon entirely. Being able to understand its strengths and weaknesses will help you utilise it in the most effective way.
The common terminology is Tactics, Techniques and Procedures.
- Tactics – A tactic is the highest-level description of this behavior.
- Technique – Gives a more detailed description of behavior in the context of a tactic.
- Procedure – An even lower-level, highly detailed description in the context of a technique