The Cyber Kill Chain, developed by Lockheed Martin, and Mitre ATT&CK (pronounced “attack”), are frequently compared, for obvious reasons. Both of them describe how adversaries attack computer networks. So when it comes to Cyber Kill Chain vs Mitre ATT&CK, which is better? It depends who’s asking.
Cyber Kill Chain vs Mitre ATT&CK at a high level
The main thing you need to know is the Cyber Kill Chain is very broad and high level. It describes in broad, conceptual terms what attackers do. I compare it to a list of ingredients. Mitre ATT&CK is very detailed. It’s more like a recipe, with much more granular specifics.
For some people, those specifics are everything. For others, the specifics make their eyes glaze over. When deciding which model to use, I consider the audience.
Advantages of the Cyber Kill Chain model
Sometime around 2014, I gained the trust of the system administrators where I was working. They would confide in me. Tell me things they wouldn’t tell anyone else who worked in security. And they would ask me questions they were terrified to ask anyone else in security. One of the managers asked me if I supported a particular initiative that was making their life inconvenient.
I didn’t answer his question directly. I went to the whiteboard and I drew the seven boxes representing the stages of the Cyber Kill Chain on the board. Then I wrote in the words: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, Actions on Objectives.
“If I’m Bob the Bad Guy,” I said, “this is what I want to do to your network. I need to find a way in, then manufacture a payload, get it into the network, run it, make it stay there, and then I can send commands and get the data I want.”
“Everything we ask you to do is designed to disrupt one or more of these seven steps. The earlier we can interrupt this, the more effective we’ll be.”
Then I circled Delivery. “This initiative is going to make delivering that payload much more difficult.”
Then I circled Exploitation. “Remember when we asked you to deploy Microsoft EMET? That disrupts all the way over here. It’s effective, but we want to get earlier in the chain.” (Note: EMET is obsolete now, but it was a useful tool in 2014, especially on aging Windows operating systems.)
This helped the manager to see there was a method to our madness. We weren’t just asking for stuff that we thought seemed cool even though it made their work more difficult.
When it comes to showing the big picture and where security initiatives fit into it, the Cyber Kill Chain is hard to beat. It shows enough detail to show how malicious activity correlates with defensive strategies, but without getting too lost in minutiae.
So why do we need Mitre’s ATT&CK? Well, for a long time I thought I didn’t. Here’s what changed my mind.
Advantages of Mitre ATT&CK
The knock on the Cyber Kill Chain is that the stages don’t necessarily always happen in the same sequence, and that they are very generic. Sometimes you need a greater level of detail.
The ATT&CK model expands the number of categories to 14: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, and Impact.
Some of those are the same as the Cyber Kill Chain. But each category has techniques. There are 188 techniques and 379 sub-techniques in all. Reconnaissance has sub-techniques for a few types of social engineering, as well as scanning and dozens of other information-gathering techniques.
When you need to describe an attack in great detail, this is a model you can use. It provides a standard framework and language to describe an incident or a scenario.
Security teams don’t necessarily have time to break down every incident they investigate into the ATT&CK model. But when something big happens, it’s helpful to analyze it against this model, and then line it up against whatever security measures are in place. Then you can see what worked and what didn’t.
When to use the Cyber Kill Chain vs Mitre ATT&CK
When describing high-level initiatives and generic incidents or scenarios, the Cyber Kill Chain is probably adequate. And the model is simple enough that a large population of security professionals can explain it. It’s a fairly frequent job interview question, or at least it used to be. Most importantly, a competent security professional can explain this model in a way that someone outside of security can understand.
When a 400-foot view isn’t enough, that’s when you might need to use Mitre ATT&CK. With three levels of detail across 14 categories, it has a much steeper learning curve. I can talk the Cyber Kill Chain cold, but have to prepare any time I need to do anything with ATT&CK. The same is probably true for anyone who doesn’t specialize in it.
But sometimes it’s warranted. If the same thing happens to you a lot, this kind of analysis is helpful for figuring out why. What do I mean by the same thing happening to you? The same malware getting into your network. Repeated ransomware attacks. Failing your penetration test the same way multiple years in a row.
If any of that sounds familiar, breaking down the incident into its individual components using Mitre ATT&CK is helpful. It can help you pinpoint where things went sideways and what you might be able to do to head off future incidents.
But then again, maybe it’s worth 30 minutes to run through the Cyber Kill Chain first. Writing out the seven stages and where the organization’s defenses map to them could be productive. Then that could lead to some high-level brainstorming about whether any of those defenses could be shored up or might be due for replacement. If the problem is clear at that level, diving deeper may not be the most productive use of everyone’s time.
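One way to do the lining-up described under "Advantages of Mitre ATT&CK" and the seven-stage roll-up suggested in the paragraph above, as an added Python example that is not from the post: an incident is recorded as ATT&CK techniques, each control is mapped to the technique ids it prevents or detects, and the report shows, per Kill Chain stage, what was covered and where the earliest gap sits. The technique ids are real ATT&CK Enterprise ids; the incident, the control map and the tactic-to-stage mapping are constructed for this example (the mapping is one reasonable reading, not an official one).

```python
# Added example, not from the post: incident techniques vs. deployed controls,
# rolled up from ATT&CK tactics to Cyber Kill Chain stages.

# ATT&CK tactic -> Kill Chain stage (constructed, approximate mapping).
TACTIC_TO_STAGE = {
    "Reconnaissance": "Reconnaissance", "Resource Development": "Weaponization",
    "Initial Access": "Delivery", "Execution": "Exploitation",
    "Persistence": "Installation", "Privilege Escalation": "Installation",
    "Defense Evasion": "Installation", "Command and Control": "Command and Control",
    "Credential Access": "Actions on Objectives", "Discovery": "Actions on Objectives",
    "Lateral Movement": "Actions on Objectives", "Collection": "Actions on Objectives",
    "Exfiltration": "Actions on Objectives", "Impact": "Actions on Objectives",
}
STAGES = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
          "Installation", "Command and Control", "Actions on Objectives"]

def coverage_report(incident, controls):
    """incident: list of (tactic, technique_id, name); controls: dict of
    control_name -> set of technique ids. Returns {stage: {"covered": [...],
    "uncovered": [...]}} with (tid, name, [matching controls]) entries."""
    report = {s: {"covered": [], "uncovered": []} for s in STAGES}
    for tactic, tid, name in incident:
        parent = tid.split(".")[0]  # T1566.001 counts as covered by a T1566 control
        hits = sorted(c for c, ids in controls.items() if tid in ids or parent in ids)
        bucket = "covered" if hits else "uncovered"
        report[TACTIC_TO_STAGE[tactic]][bucket].append((tid, name, hits))
    return report

def earliest_gap(report):
    """First Kill Chain stage holding an uncovered technique, or None."""
    return next((s for s in STAGES if report[s]["uncovered"]), None)

# Constructed incident: phishing attachment -> user runs it -> Run key
# persistence -> HTTP C2 -> data pulled out over the same C2 channel.
INCIDENT = [
    ("Initial Access", "T1566.001", "Spearphishing Attachment"),
    ("Execution", "T1204.002", "User Execution: Malicious File"),
    ("Persistence", "T1547.001", "Registry Run Keys / Startup Folder"),
    ("Command and Control", "T1071.001", "Web Protocols"),
    ("Exfiltration", "T1041", "Exfiltration Over C2 Channel"),
]
# Constructed control map; nothing here watches for data leaving over C2.
CONTROLS = {
    "Mail attachment sandbox": {"T1566.001"},
    "EDR": {"T1204", "T1547"},
    "Web proxy": {"T1071.001"},
}
```

On the constructed incident every stage up to Command and Control has a matching control, and T1041 is the first technique with none, so the earliest gap lands on Actions on Objectives.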