Cyber kill chain and Mitre ATT&CK

Win Stark
3 min read · Jun 9, 2019

I’m writing this as a personal note as well as a quick intro for others who may find it useful. Further reading can be found in the reference links.

APT (Advanced Persistent Threats)

A: Targeted, Coordinated, Purposeful
P: Month after Month, Year after Year
T: Person(s) with Intent, Opportunity, and Capability

IOCs (Indicators of Compromise)

IOCs are forensic artifacts of an intrusion that can be identified on a host or network.

Types of IOCs

  • Atomic
  • Computed
  • Behavioral

Some key IOCs to monitor:

  • Unusual outbound Network Traffic
  • Anomalies in Privileged user account activity
  • Geographical Irregularities
  • Other Log-in red flags
  • Swells in Database read volume
  • HTML response size
  • Large numbers of requests for the same file
  • Mismatched Port-application traffic
  • Suspicious registry or system file changes
  • DNS request anomalies
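As an added example (not part of the original post), the following script checks a few of the indicators listed above against constructed sample data: outbound volume per host, application protocol not matching the destination port, one file requested an unusual number of times, and DNS query names with a long or high-entropy leftmost label. The thresholds, the port-to-protocol table and all log records are assumptions for the example and would need tuning against real baselines.

```python
"""Toy IOC checks over constructed flow, web and DNS records (added example)."""
import math
from collections import Counter, defaultdict

# Constructed flow records: (src, dst, dst_port, observed_app_protocol, bytes_out)
FLOWS = [
    ("10.0.0.5", "93.184.216.34", 443, "tls", 12_000),
    ("10.0.0.5", "93.184.216.34", 443, "tls", 15_000),
    ("10.0.0.7", "203.0.113.9", 443, "ssh", 900),               # SSH on the HTTPS port
    ("10.0.0.9", "198.51.100.22", 80, "http", 4_000),
    ("10.0.0.9", "198.51.100.77", 8443, "tls", 950_000_000),    # ~950 MB leaving one host
]

# Constructed web access log: (client, requested path)
WEB_REQUESTS = [("203.0.113.5", "/backup.zip")] * 120 + [("198.51.100.3", "/index.html")] * 5

# Constructed DNS query names
DNS_QUERIES = [
    "www.example.com",
    "mail.example.com",
    "a9f3k2l0x8q1z7m4v6b2n5c8w3e1r7t9y0u2i4o6p.evil-example.net",
]

# Assumed port -> expected application protocol(s); anything else is "mismatched"
EXPECTED_PORT = {443: {"tls"}, 80: {"http"}, 22: {"ssh"}, 53: {"dns"}}


def unusual_outbound(flows, threshold_bytes=100_000_000):
    """Hosts whose total outbound bytes exceed the threshold (assumed 100 MB)."""
    totals = defaultdict(int)
    for src, _dst, _port, _app, out in flows:
        totals[src] += out
    return sorted(src for src, total in totals.items() if total > threshold_bytes)


def mismatched_port_app(flows):
    """Flows whose observed application protocol is not the one expected on that port."""
    return [(src, dst, port, app) for src, dst, port, app, _out in flows
            if port in EXPECTED_PORT and app not in EXPECTED_PORT[port]]


def hammered_files(requests, min_requests=100):
    """Paths requested at least min_requests times (e.g. a staged archive being pulled)."""
    counts = Counter(path for _client, path in requests)
    return sorted(path for path, n in counts.items() if n >= min_requests)


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    freq = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in freq.values())


def anomalous_dns(queries, max_label_len=40, min_entropy=3.5):
    """Query names whose leftmost label is very long or high-entropy, a common shape
    for DNS tunnelling and algorithmically generated domains."""
    flagged = []
    for q in queries:
        label = q.split(".")[0]
        if len(label) > max_label_len or shannon_entropy(label) > min_entropy:
            flagged.append(q)
    return flagged


if __name__ == "__main__":
    print("unusual outbound volume:", unusual_outbound(FLOWS))
    print("port/application mismatch:", mismatched_port_app(FLOWS))
    print("hammered files:", hammered_files(WEB_REQUESTS))
    print("anomalous DNS:", anomalous_dns(DNS_QUERIES))
```

Each check is deliberately simple; in practice the thresholds come from a per-host or per-network baseline rather than fixed constants, and a hit on any one of them is a lead to investigate, not a confirmed compromise.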

Cyber kill chain (CKC) by Lockheed Martin

The 7 phases of the cyber kill chain are as follows:

  1. Reconnaissance:
    Researching, identifying and selecting targets. This may consist of passive reconnaissance, where internet-facing systems are probed for potential weaknesses.
  2. Weaponization:
    Coupling a remote access trojan with an exploit into a deliverable payload. Typically PDF or Microsoft Office documents serve as the weaponized deliverable for a malicious payload.
  3. Delivery:
    Transmitting the payload to the targeted environment. Prevalent delivery vectors include e-mail attachments, malicious websites and removable media such as USB.
  4. Exploitation:
    Exploitation triggers the intruder’s payload. Exploitation may target vulnerability or feature in an application or the operating system. Exploitation can also involve social engineering to target a user directly.
  5. Installation:
    Installing a remote access trojan or backdoor on the system allows an attacker to maintain their presence in the target environment even if the compromised system is rebooted.
  6. Command and Control (C2):
    Beaconing outbound to an Internet controller server to establish a Command & Control (C2) channel. The channel provides attackers with direct remote access to the compromised system in the target environment.
  7. Actions on Objectives:
    Taking actions on the original objectives, such as exfiltration of confidential data, the violation of data integrity or availability, or compromising additional systems and moving laterally inside the network.

An example of indicators matched in CKC

(Figure: intrusion attempt indicators)

Courses of action matrix

(Figure: courses of action matrix)

Mitre ATT&CK

ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge. It is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.

ATT&CK tactics

(Figure: ATT&CK tactics)

ATT&CK matrix

The ATT&CK matrix includes techniques spanning Windows, Mac, and Linux platforms and can be used to navigate through the knowledge base.

(Figure: a part of the ATT&CK matrix)

The Unified Kill Chain

A unified version of the kill chain was developed to overcome common critiques against the traditional cyber kill chain, by uniting and extending Lockheed Martin’s Kill Chain and MITRE’s ATT&CK framework.

The Unified Kill Chain is an ordered arrangement of 18 unique attack phases that may occur in end-to-end cyber attacks, covering activities that occur both outside and within the defended network.

(Figure: the Unified Kill Chain)
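The kill chain phases and the ATT&CK tactics above are most useful together: each indicator a defender collects can be tagged with the CKC phase it belongs to and the ATT&CK tactic and technique it evidences, which turns a pile of alerts into a chain view. The script below, added here as an example and not taken from the original post or from Lockheed Martin or MITRE, does that for a constructed intrusion attempt and then asks the defender's questions: which phases were seen, how early could the chain have been broken, and which phases the attacker must have passed through without any control recording it. The ATT&CK technique IDs used are real Enterprise IDs; the events, sensor names and the CKC-to-tactic correspondence are assumptions for the example (ATT&CK tactics are not strictly ordered and do not map one-to-one onto CKC phases).

```python
"""Tag constructed intrusion indicators with CKC phase and ATT&CK tactic/technique
and derive detection coverage from them (added example)."""
from dataclasses import dataclass

CKC_PHASES = [
    "Reconnaissance", "Weaponization", "Delivery", "Exploitation",
    "Installation", "Command and Control", "Actions on Objectives",
]

# Assumed rough correspondence between CKC phases and ATT&CK Enterprise tactics.
CKC_TO_TACTICS = {
    "Reconnaissance": {"Reconnaissance"},
    "Weaponization": {"Resource Development"},
    "Delivery": {"Initial Access"},
    "Exploitation": {"Execution"},
    "Installation": {"Persistence", "Privilege Escalation", "Defense Evasion"},
    "Command and Control": {"Command and Control"},
    "Actions on Objectives": {"Credential Access", "Discovery", "Lateral Movement",
                              "Collection", "Exfiltration", "Impact"},
}


@dataclass(frozen=True)
class Event:
    time: str          # constructed timestamp
    sensor: str        # the defensive control that produced the indicator
    description: str
    phase: str         # CKC phase
    tactic: str        # ATT&CK tactic
    technique: str     # ATT&CK technique ID


# Constructed indicators; no Installation-phase indicator was collected on purpose.
EVENTS = [
    Event("09:02", "mail gateway", "phishing mail with .docx attachment",
          "Delivery", "Initial Access", "T1566"),
    Event("09:15", "EDR", "winword.exe spawned powershell.exe",
          "Exploitation", "Execution", "T1059"),
    Event("09:17", "proxy", "periodic HTTPS beacons to a rarely seen domain",
          "Command and Control", "Command and Control", "T1071"),
    Event("11:40", "netflow", "large outbound transfer over the C2 channel",
          "Actions on Objectives", "Exfiltration", "T1041"),
]


def validate(events):
    """Descriptions of events whose phase/tactic pair is not in the assumed mapping."""
    return [e.description for e in events
            if e.phase not in CKC_TO_TACTICS or e.tactic not in CKC_TO_TACTICS[e.phase]]


def phases_observed(events):
    """CKC phases with at least one indicator, in chain order."""
    seen = {e.phase for e in events}
    return [p for p in CKC_PHASES if p in seen]


def techniques_by_phase(events):
    """Chain view of the intrusion: phase -> ATT&CK technique IDs seen, in time order."""
    out = {}
    for e in sorted(events, key=lambda e: e.time):
        out.setdefault(e.phase, []).append(e.technique)
    return out


def earliest_detection_phase(events, alerting_sensors):
    """Earliest CKC phase in which a sensor that actually alerted saw the intrusion.
    The further left this is, the more of the chain can still be broken."""
    for p in CKC_PHASES:
        if any(e.phase == p and e.sensor in alerting_sensors for e in events):
            return p
    return None


def visibility_gaps(events):
    """Phases between the first and last observed phase that have no indicator:
    the intruder passed through them, but no control recorded it."""
    observed = phases_observed(events)
    if not observed:
        return []
    first, last = CKC_PHASES.index(observed[0]), CKC_PHASES.index(observed[-1])
    return [p for p in CKC_PHASES[first:last + 1] if p not in observed]


if __name__ == "__main__":
    assert not validate(EVENTS)
    print("phases observed:", phases_observed(EVENTS))
    print("techniques by phase:", techniques_by_phase(EVENTS))
    print("earliest detection with EDR and proxy only:",
          earliest_detection_phase(EVENTS, {"EDR", "proxy"}))
    print("visibility gaps:", visibility_gaps(EVENTS))
```

Run as-is, the constructed intrusion is first visible at Delivery if the mail gateway alerted and at Exploitation if only EDR and the proxy did, and the Installation phase shows up as a gap: persistence was established somewhere between the macro execution and the first beacon, but nothing recorded it, which is exactly the kind of blind spot a courses-of-action review should surface.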

References

Intelligence-driven defence

The “internal” cyber kill chain model

The Unified Kill Chain

https://sgros-students.blogspot.com/2019/01/mitre-att-and-unified-kill-chain.html
