The Cyber Kill Chain and MITRE ATT&CK

Introduction

Understanding how attacks unfold is as important as understanding how to prevent them. Two frameworks have become industry standards for modeling cyber attacks: the Lockheed Martin Cyber Kill Chain and the MITRE ATT&CK framework. Together, they provide complementary views of adversary behavior that inform detection strategies, incident response, and AI-based threat modeling.

This section explains both frameworks, demonstrates how to map real-world attacks using them, and shows how threat modeling with ATT&CK directly informs the design of ML-based detection systems.

The Lockheed Martin Cyber Kill Chain

Published in 2011, the Cyber Kill Chain model describes the stages of a targeted cyber attack as a linear progression. Originally adapted from military doctrine, it provides a high-level framework for understanding how adversaries plan and execute intrusions. The model's key insight is that defenders can disrupt an attack by breaking any single link in the chain.

1. Reconnaissance: The attacker researches the target, gathering information about employees, technology stack, network architecture, and potential vulnerabilities through OSINT and scanning.
2. Weaponization: The attacker creates a deliverable payload—a malicious document, exploit kit, or backdoored software—tailored to the target's environment.
3. Delivery: The weaponized payload is transmitted to the target via email, compromised websites, USB drives, or supply chain compromise.
4. Exploitation: The payload executes, exploiting a vulnerability in the target's systems to gain an initial foothold.
5. Installation: The attacker installs persistent access mechanisms (backdoors, web shells, scheduled tasks) to maintain access.
6. Command and Control (C2): The compromised system establishes communication with attacker-controlled infrastructure for ongoing instruction.
7. Actions on Objectives: The attacker accomplishes their goal—data exfiltration, ransomware deployment, sabotage, or espionage.

Limitation: The Kill Chain model is linear and assumes attacks follow a fixed progression. Modern attacks are often iterative, non-linear, and may skip stages entirely (for example, insider threats bypass delivery entirely). This is where MITRE ATT&CK provides a more nuanced view.

The MITRE ATT&CK Framework

MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a comprehensive knowledge base of adversary behavior based on real-world observations. Unlike the Kill Chain's linear model, ATT&CK organizes adversary behavior into a matrix of tactics (the "why"—what the adversary is trying to achieve) and techniques (the "how"—specific methods used).

The framework covers 14 tactics spanning the full lifecycle of an attack, from initial reconnaissance through impact. Each tactic contains multiple techniques and sub-techniques, documented with real-world examples, detection guidance, and mitigation recommendations. As of 2025, the Enterprise ATT&CK matrix contains over 200 techniques and 400 sub-techniques.

• Reconnaissance: Gathering information about the target (active scanning, phishing for information)
• Initial Access: Techniques to gain a foothold (phishing, exploiting public-facing applications)
• Execution: Running adversary-controlled code (command-line interfaces, scripting, user execution)
• Persistence: Maintaining access across system restarts (registry run keys, scheduled tasks, implants)
• Privilege Escalation: Gaining higher-level permissions (exploiting vulnerabilities, access token manipulation)
• Defense Evasion: Avoiding detection (obfuscation, disabling security tools, rootkits)
• Lateral Movement: Moving through the network (pass-the-hash, remote services, internal spearphishing)

Mapping Real Attacks

The true power of ATT&CK emerges when you map real-world attacks to the framework. This exercise reveals patterns in adversary behavior, identifies gaps in your detection capabilities, and prioritizes security investments based on the techniques most likely to be used against your organization.

Consider the SolarWinds supply chain attack (2020): the adversary compromised the build system (T1195.002: Supply Chain Compromise), deployed a trojanized update (T1072: Software Deployment Tools), established C2 channels disguised as legitimate Orion traffic (T1071: Application Layer Protocol), and exfiltrated data from high-value targets (T1041: Exfiltration Over C2 Channel). Mapping this attack reveals that detection efforts should focus on build system integrity monitoring, anomalous network communication patterns, and unusual data access patterns.

AI Application: ATT&CK mappings directly inform feature engineering for ML-based detection models. Each technique has observable indicators (file system artifacts, network patterns, process behaviors) that can be extracted as features. Training models to detect clusters of related techniques rather than individual indicators significantly improves detection rates while reducing false positives.

Threat Modeling with ATT&CK

Threat modeling is the process of identifying potential threats, prioritizing them, and designing countermeasures. ATT&CK provides a structured vocabulary for this process, enabling security teams to systematically evaluate their defenses against documented adversary techniques.

The process begins by identifying which threat groups are most likely to target your organization (based on industry, geography, and asset value), then mapping their known techniques from ATT&CK, and finally assessing your detection and prevention capabilities against each technique. Gaps in coverage represent your highest-priority security investments.

1. Identify Threat Actors: Use ATT&CK Groups to identify adversaries known to target your industry
2. Map Their Techniques: Document the tactics and techniques each threat group commonly employs
3. Assess Current Coverage: For each technique, determine whether you have detection, prevention, or neither
4. Prioritize Gaps: Focus on high-likelihood, high-impact techniques where you have no coverage
5. Build Detection Rules: Create detection logic (Sigma rules, ML models) for prioritized techniques

This systematic approach to threat modeling ensures that your security investments are aligned with the actual threats you face, rather than being driven by vendor marketing or media hype. It also provides a common language for communicating risk to leadership and justifying security budgets.