Topic 06

The Kill Chain and MITRE ATT&CK

ATT&CK

Attacks are not single events; they are campaigns that unfold in stages, and naming the stages gives defenders a shared map. The Cyber Kill Chain is the classic linear model — reconnaissance, weaponization, delivery, exploitation, installation, command-and-control, and actions on objectives. MITRE ATT&CK is the modern, detailed knowledge base of the specific tactics and techniques attackers actually use, observed in the wild.

Together they turn "we got hacked" into a precise, stage-by-stage account of what happened and where it could have been stopped. This topic is the map for the middle of the book: the intruder walks this chain against Meridian in Chapters 5 through 9, and Priya's detections in Chapters 10 and 11 are organized around it.

The Kill Chain, Stage by Stage

Each stage is a chance to break the chain, and the earlier you break it, the cheaper. An attacker who finishes reconnaissance but is stopped at delivery never reaches your data; one caught at command-and-control has already been inside. A defender's job is to have a control or a detection at as many stages as possible, so that a single miss is not fatal.

Why Stages Matter for Defense

Mapping your controls to stages shows exactly where coverage has gaps. Meridian might block delivery well with mail filtering but have nothing watching for command-and-control egress — a gap invisible until you lay the controls against the chain. The model is a lens for finding the stage where you are blind, not a script attackers are obliged to follow.

MITRE ATT&CK — Tactics and Techniques

ATT&CK splits the attacker's world into tactics — the goals, such as Initial Access, Persistence, Privilege Escalation, and Exfiltration — and techniques, the concrete ways each goal is achieved, such as phishing under Initial Access. It is the field's shared vocabulary: when detection, response, and threat-intel teams all describe an incident in ATT&CK terms, they mean the same thing.

Using ATT&CK as a Defender

Its highest value is proactive. Map your detections to techniques and the blind spots appear — "we cover Initial Access" hides that you catch phishing but miss valid-account abuse. Prioritize coverage toward the techniques your actual adversaries use, using threat intel, rather than trying to cover the entire matrix at once. This is the gap analysis Chapter 10 turns into concrete detections.

Kill Chain vs MITRE ATT&CK

Cyber Kill Chain — a short, linear narrative of an attack's shape; good for explaining an intrusion and mapping controls at a high level.

MITRE ATT&CK — a large, non-linear catalog of real techniques; good for detection coverage and precise incident description. The chain tells the story; ATT&CK names the moves. Use both.

Common Mistakes
  • Treating the kill chain as strictly linear and complete, when real attackers loop, skip stages, and live off the land — the model is a lens, not a law.
  • Mapping detections to tactics but never to specific techniques, so "we cover Initial Access" hides that you catch phishing but miss valid-account abuse.
  • Trying to cover every ATT&CK technique equally instead of weighting toward the ones your threat model says apply to you.
  • Using ATT&CK only after an incident, when its highest value is proactive gap analysis of what you cannot currently detect.
  • Assuming a control at one stage is enough, rather than aiming for overlapping detection across several stages.
Best Practices
  • Map your controls and detections to kill-chain stages and ATT&CK techniques so coverage gaps become visible.
  • Aim to break the chain as early as possible, and to have overlapping detection at multiple stages so one miss is not fatal.
  • Describe incidents in ATT&CK terms so detection, response, and threat-intel teams share one vocabulary.
  • Prioritize technique coverage by your real adversaries, using threat intel, rather than the whole matrix at once.
  • Use ATT&CK proactively as a gap analysis, not only as after-incident labeling.
Comparable toolsModel Lockheed Martin Cyber Kill Chain · Unified Kill ChainKnowledge base MITRE ATT&CK · ATT&CK NavigatorAnalysis Diamond Model · Pyramid of Pain

Knowledge Check

Why is breaking the kill chain at an earlier stage more valuable to a defender?

  • The earlier it stops, the less is lost and the cheaper the response
  • Earlier stages are the only ones a defender can detect at all
  • The kill chain must always be broken at one fixed, predetermined stage
  • Later stages are handled automatically by the attacker's own tools

In MITRE ATT&CK, what is the difference between a tactic and a technique?

  • A tactic is the goal; a technique is one way to achieve it
  • A tactic is a specific tool; a technique is the company using it
  • A tactic is a defensive control; a technique is an attack
  • They are two names for the same thing

What is the highest-value way to use MITRE ATT&CK?

  • Proactively, mapping detections to techniques to find gaps
  • Only after an incident, to label the techniques that already happened
  • To attempt equal coverage of every technique in the matrix at once
  • As a strictly linear checklist attackers must follow in order

You got correct