11:00 AM
Rik Turner
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain

The Cyber Kill Chain and MITRE ATT&CK are popular reference frameworks to analyze breaches, but amid the rise of XDR, we may need a new one.

If you work in information security, you will be aware of Lockheed Martin's Cyber Kill Chain and/or the MITRE ATT&CK Framework. Both are attempts to create a common language in which to describe the various stages of an attack, and the tactics utilized by the attackers.

These frameworks were created at a time when it was becoming clear that preventive cybersecurity was no longer viable: Defenders were being forced — by the sheer volume, variety, and speed of new threats — to adopt a "detect and respond" approach, a stance sometimes referred to as "assume the breach."

Lingua Franca for Discussing Threats and Sharing Intel
The benefits of a framework in this context are clear. Detecting and responding in a timely fashion can be enhanced by sharing threat intelligence, describing an attacker's modus operandi, as well as techniques and tactics that could be used against them.

It's no coincidence that the earlier of the two codification efforts, the Cyber Kill Chain, was created by a defense industry heavyweight and adopts the military parlance used against real-world adversaries in combat.

Lockheed introduced its model for defending customers' IT infrastructure in 2011, describing seven phases of an intrusion, as shown in the diagram below:

Figure 1: The Cyber Kill Chain. Source: Lockheed Martin

The MITRE Corporation is a nonprofit that supports US government agencies in their cybersecurity activities. It is the curator of the widely used Common Vulnerabilities and Exposures (CVE) database.

It began developing ATT&CK (which stands for Adversarial Tactics, Techniques, and Common Knowledge) in 2013, officially releasing the framework in May 2015, with several updates since then.

In the following diagram, on the right are the 11 tactic categories (plus Impact, which is clearly not a tactic but rather a result). MITRE says these categories are derived "from the later stages (exploit, control, maintain, and execute)" of the Cyber Kill Chain, and are designed to provide "a deeper level of granularity in describing what can occur during an intrusion."

Figure 2: ATT&CK for Enterprise. Source: The MITRE Corporation

These frameworks help practitioners in security operations centers (SOCs) investigate threats, exploits, and breaches, and share information with their peers to do so. Framework adoption among enterprises is driven by the usefulness of having a common language to describe what attackers are doing, and in turn to figure out more quickly how to stop and prevent those attacks.

Tech vendors also map their products to the stages of a framework, showing how they can help customers address the challenges of detecting and responding to threats.

Perceived Shortcomings of the Frameworks
Omdia has observed vendor mapping to the Cyber Kill Chain taking place through the mid-2010s. More recently, there has been a shift away from the Cyber Kill Chain model, with more companies instead adopting the ATT&CK Framework.

This may be on account of MITRE ATT&CK's nonlinearity, making it more appropriate for red- and blue-teaming: Attackers and defenders can utilize and describe any number of tactics, techniques, and procedures (TTPs) in any order, since genuine threat actors often change their approaches.

Another criticism of the Cyber Kill Chain has been that it does not help to model insider threats, as its initial stages happen outside the corporate infrastructure.

A further issue is that it is more malware-centric: Assume the attacker will find a target, get in, and run malware to achieve an objective. Because introducing malware is difficult to do without triggering an alert, modern attackers instead try to remain as stealthy as possible, launching fileless exploits or leveraging everyday admin tools like PowerShell (the so-called "living-off-the-land" approach). It gets harder to express such attacks with the Cyber Kill Chain.

MITRE ATT&CK, by contrast, is a more modern approach focused on TTPs. It seeks to classify attackers' goals, tasks, and steps; as such, it is a much more comprehensive approach to modeling an attack.

That said, MITRE ATT&CK also has its shortcomings, notably when a security team is using an XDR platform. In an automated detection scenario, defenders might see symptoms, such as suspicious user behavior, without knowing the exact root cause, and such scenarios are harder to fit into MITRE ATT&CK.
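The three shortcomings above (the Cyber Kill Chain's strict sequence, living-off-the-land activity that repeats tactics out of order, and XDR alerts with no root cause) can be made concrete in a small model. The following is an added example, not code from the article or from any vendor it names; the table mapping ATT&CK tactics onto kill chain phases is this example's own assumption, loosely following MITRE's note that ATT&CK elaborates the later kill chain stages.

```python
# Added illustration; not code from the article or any vendor named in it.
# The tactic-to-phase table is an assumption made for this example only.
from typing import Optional

KILL_CHAIN = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
              "Installation", "Command and Control", "Actions on Objectives"]

AOO = "Actions on Objectives"
# Assumed, illustrative mapping of ATT&CK Enterprise tactics onto phases.
TACTIC_TO_PHASE = {
    "Initial Access": "Delivery", "Execution": "Exploitation",
    "Persistence": "Installation", "Privilege Escalation": "Exploitation",
    "Defense Evasion": "Installation", "Credential Access": AOO,
    "Discovery": AOO, "Lateral Movement": AOO, "Collection": AOO,
    "Command and Control": "Command and Control", "Exfiltration": AOO,
    "Impact": AOO,
}

def phase_index(tactic: Optional[str]) -> Optional[int]:
    """Kill chain position of an ATT&CK tactic, or None if it has no mapping."""
    phase = TACTIC_TO_PHASE.get(tactic) if tactic else None
    return KILL_CHAIN.index(phase) if phase else None

def assess(alerts: list[tuple[str, Optional[str]]]) -> dict:
    """Summarise (description, tactic-or-None) alerts in kill chain terms.
    fits_linear_chain is True only if every alert maps to a phase and the
    phase index never decreases, i.e. the intrusion reads as one pass down
    the chain. Symptom-only alerts (tactic None) are listed as unmapped."""
    indices = [phase_index(t) for _, t in alerts]
    mapped = [i for i in indices if i is not None]
    unmapped = [d for (d, _), i in zip(alerts, indices) if i is None]
    monotone = all(a <= b for a, b in zip(mapped, mapped[1:]))
    return {"phases": [KILL_CHAIN[i] for i in mapped],
            "fits_linear_chain": monotone and not unmapped,
            "unmapped": unmapped}

# Constructed living-off-the-land intrusion of the kind the article describes:
# no malware dropped, admin tooling reused, plus one purely behavioural alert.
SAMPLE_ALERTS = [
    ("Phishing link opened", "Initial Access"),
    ("Suspicious PowerShell execution", "Execution"),
    ("Domain enumeration from workstation", "Discovery"),
    ("RDP logon to second host", "Lateral Movement"),
    ("Suspicious PowerShell execution on second host", "Execution"),
    ("Logon from unusual location", None),
    ("Large upload to cloud storage", "Exfiltration"),
]
```

Running `assess(SAMPLE_ALERTS)` reports that the phases go backwards (Actions on Objectives, then Exploitation again) and that one alert has no tactic, so the intrusion cannot be told as a single pass through the linear chain.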

A Framework for XDR?
Stellar Cyber, a developer of XDR technology (a detection and response platform designed to discover and correlate threats across endpoint, network, and cloud), argues for the creation of a new framework. It envisions an XDR framework/kill chain leveraging MITRE ATT&CK on the known root causes and attackers' goals but going further regarding other data sources, such as anomalous user behavior.

There is precedent for an individual vendor feeling a need to extend or amend frameworks. FireEye came up with its own version of the kill chain, which put more emphasis on attackers' ability to persist threats, while endpoint detection and response (EDR) heavyweight CrowdStrike uses MITRE ATT&CK extensively but provides a set of nonstandard categories to cover a broader range of scenarios.

Equally, recent years have seen the emergence of something called the Unified Kill Chain (UKC). First proposed by Paul Pols from the Netherlands' Cyber Security Academy in 2017, the UKC combines elements of both leading frameworks and presents no fewer than 18 distinct attack phases, which researchers came up with in an attempt to address the perceived shortcomings of both the Lockheed Martin and MITRE models.

Figure 3: The Unified Kill Chain. Source: CSAcademy.nl

As the threat landscape evolves, so too must cybersecurity. Attackers' erstwhile reliance on malware (i.e., malicious code) to perpetrate their misdeeds has given way to new techniques. One in particular, so-called fileless malware, leverages legitimate software such as PowerShell to leave no trace of its actions and is hence more difficult to detect. A framework formulated when malware reigned supreme clearly requires adjustment for the new world of fileless attacks, and Omdia anticipates that many other future attack types will necessitate further framework refinements.

Omdia understands Stellar Cyber's desire for a framework that is more appropriate for XDR and looks forward to seeing it when the vendor unveils its proposal for one. However, a proliferation of attack-description frameworks may ultimately defeat the objective that brought them into existence in the first place — i.e. the creation of a common language in which to discuss threats, exploits, and breaches.

In this context, the Tower of Babel remains a cautionary tale.

Rik is a principal analyst in Omdia's IT security and technology team, specializing in cybersecurity technology trends, IT security, compliance, and call recording. He provides analysis and insight on market evolution and helps end users determine what type of ...
