# The Cyber Kill Chain & MITRE ATT&CK
To defend systematically, you need a map of how attacks unfold. Two frameworks dominate.
## The Lockheed Martin Cyber Kill Chain
A linear model of an intrusion's phases:
1. Reconnaissance — research the target.
2. Weaponization — craft the payload.
3. Delivery — send it (email, web, USB).
4. Exploitation — trigger the vulnerability.
5. Installation — establish a foothold.
6. Command & Control (C2) — remote control.
7. Actions on Objectives — exfiltrate, encrypt, destroy.
Defensive value: break any link and the attack fails. Map your controls to each phase to find gaps.
## MITRE ATT&CK
A far more detailed, continuously updated knowledge base of real-world adversary tactics (the "why") and techniques (the "how"), based on observed campaigns.
### Tactics (the columns / goals)
Reconnaissance → Resource Development → Initial Access →
Execution → Persistence → Privilege Escalation →
Defense Evasion → Credential Access → Discovery →
Lateral Movement → Collection → Command & Control →
Exfiltration → Impact
### Techniques (the "how")
Each tactic has many techniques with IDs, e.g.:
- T1566 Phishing (Initial Access)
- T1059 Command and Scripting Interpreter (Execution)
- T1003 OS Credential Dumping (Credential Access)
- T1021 Remote Services (Lateral Movement)
## How Defenders Use ATT&CK
1. Detection engineering — write detections mapped to specific techniques.
2. Coverage mapping — visualize which techniques you can detect vs. blind spots (ATT&CK Navigator).
3. Threat intel — describe adversary behavior in a shared language ("this group uses T1566 then T1059").
4. Purple teaming — emulate techniques (Atomic Red Team, Caldera) and verify detections fire.
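A minimal coverage mapper for items 1 and 2, added here as an example (not code from the original page or from any MITRE tool): it takes detection rules tagged with technique IDs, reports covered techniques vs. blind spots per tactic, and builds a Navigator-style layer. The catalogue slice, the rule names and the layer field names are assumptions.

```python
import json
from collections import defaultdict

# Constructed slice of the ATT&CK catalogue: the four techniques named on this page,
# keyed to the tactic each is listed under. A real tool would load the full STIX bundle.
TECHNIQUES = {
    "T1566": ("Phishing", "Initial Access"),
    "T1059": ("Command and Scripting Interpreter", "Execution"),
    "T1003": ("OS Credential Dumping", "Credential Access"),
    "T1021": ("Remote Services", "Lateral Movement"),
}

# Constructed detection rules, each tagged with the technique it was written for.
# A disabled rule counts as a gap: the technique is not actually being watched.
RULES = [
    {"name": "mail: attachment with macro", "technique": "T1566", "enabled": True},
    {"name": "powershell encoded command", "technique": "T1059", "enabled": True},
    {"name": "lsass handle from non-system proc", "technique": "T1003", "enabled": False},
]

def coverage(rules, techniques=TECHNIQUES):
    """Map enabled rules onto techniques; return per-tactic covered vs. blind-spot IDs."""
    covered = {r["technique"] for r in rules if r["enabled"] and r["technique"] in techniques}
    report = defaultdict(lambda: {"covered": [], "gaps": []})
    for tid, (_, tactic) in sorted(techniques.items()):
        report[tactic]["covered" if tid in covered else "gaps"].append(tid)
    return dict(report)

def navigator_layer(rules, techniques=TECHNIQUES, name="detection coverage"):
    """Build a Navigator-style layer: score = number of enabled rules per technique."""
    counts = defaultdict(int)
    for r in rules:
        if r["enabled"] and r["technique"] in techniques:
            counts[r["technique"]] += 1
    # Field names assumed from the Navigator layer format; add the "versions" block
    # required by the Navigator release you import into.
    return {
        "name": name,
        "domain": "enterprise-attack",
        "techniques": [
            {"techniqueID": tid, "score": counts.get(tid, 0),
             "comment": f"{counts.get(tid, 0)} enabled rule(s)"}
            for tid in sorted(techniques)
        ],
    }

if __name__ == "__main__":
    for tactic, cov in coverage(RULES).items():
        print(f"{tactic:18} covered={cov['covered']} gaps={cov['gaps']}")
    print(json.dumps(navigator_layer(RULES), indent=2))
```

Techniques with a score of 0 in the layer are the blind spots to prioritise; the disabled T1003 rule shows up there even though a rule exists for it.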
## Kill Chain vs ATT&CK
| | Kill Chain | ATT&CK |
|---|---|---|
| Shape | Linear, 7 phases | Matrix, many techniques |
| Detail | High-level | Granular, real-world |
| Best for | Communicating strategy | Detection & gap analysis |
Use the kill chain to explain an attack's arc; use ATT&CK to operationalize detection and measure coverage.