Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain

The Cyber Kill Chain and MITRE ATT&CK are popular reference frameworks to analyze breaches, but amid the rise of XDR, we may need a new one.

If you work in information security, you will be aware of Lockheed Martin's Cyber Kill Chain and/or the MITRE ATT&CK Framework. Both are attempts to create a common language in which to describe the various stages of an attack, and the tactics utilized by the attackers.


These frameworks were created at a time when it was becoming clear that preventive cybersecurity was no longer viable: Defenders were being forced — by the sheer volume, variety, and speed of new threats — to adopt a "detect and respond" approach, a stance sometimes referred to as "assume the breach."


A Lingua Franca for Discussing Threats and Sharing Intel

The benefits of a framework in this context are clear. Detecting and responding in a timely fashion can be enhanced by sharing threat intelligence, describing an attacker's modus operandi, as well as techniques and tactics that could be used against them.


It's no coincidence that the earlier of the two codification efforts, the Cyber Kill Chain, was created by a defense industry heavyweight and adopts the military parlance used against real-world adversaries in combat.


Lockheed introduced its model for defending customers' IT infrastructure in 2011, describing seven phases of an intrusion, as shown in the diagram below:



Figure 1: The Cyber Kill Chain (Source: Lockheed Martin)



The MITRE Corporation is a nonprofit that supports US government agencies in their cybersecurity activities. It is the curator of the widely used Common Vulnerabilities and Exposures (CVE) database.


It began developing ATT&CK (wh ..