ATT&CK & the Cyber Kill Chain
Threat frameworks that drive every modern detection program
Learning Objectives
- Use the Lockheed Cyber Kill Chain to describe a breach
- Navigate the MITRE ATT&CK matrix (tactics, techniques, sub-techniques)
- Map a real breach to ATT&CK
- Understand the Diamond Model and Pyramid of Pain
Module 1 — Cyber Kill Chain (Lockheed)
7 stages: Recon → Weaponization → Delivery → Exploitation → Installation → C2 → Actions on Objectives.
Strength: simple, intuitive. Weakness: linear, perimeter-focused, doesn't model insiders.
Module 2 — MITRE ATT&CK
14 tactics, ~200 techniques, ~600 sub-techniques. Tactics = WHY (the goal); Techniques = HOW.
Tactics: Recon, Resource Dev, Initial Access, Execution, Persistence, Priv Esc, Defense Evasion, Cred Access, Discovery, Lateral Movement, Collection, C2, Exfiltration, Impact.
Splunk ES tags every Notable Event with mitre_technique → drives coverage heatmaps.
Module 3 — Diamond Model
4 vertices: Adversary, Capability, Infrastructure, Victim. Pivots between them are how analysts develop intel.
Module 4 — Pyramid of Pain
From bottom (trivial for adversary to change) to top (painful): Hash → IP → Domain → Network/Host artifact → Tool → TTP.
Detect on TTPs, not just hashes — that's where ATT&CK lives.
Lab 7 — Map a Real Breach
- Pick a public breach (Target 2013, SolarWinds, Colonial Pipeline).
- Walk it through the Kill Chain — list one event per stage.
- Map each event to an ATT&CK technique ID.
- Identify which stages your imaginary SOC would have detected.
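As an added worked example (not part of the course material), steps 2 to 4 of the lab in Python: a constructed, hypothetical intrusion timeline is walked through the Kill Chain, each event carries an ATT&CK technique ID, and the script reports per-tactic coverage and the stages the SOC would have missed. The technique IDs are real ATT&CK IDs; the timeline, detection flags and function names are assumptions.

```python
import re
from collections import defaultdict

KILL_CHAIN = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
              "Installation", "Command and Control", "Actions on Objectives"]
TECHNIQUE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")  # e.g. T1566 or T1566.001

# Constructed sample timeline (hypothetical intrusion, not a real breach).
# (Kill Chain stage, ATT&CK tactic, technique ID, SOC had a detection?)
EVENTS = [
    ("Reconnaissance", "Reconnaissance", "T1589.002", False),        # harvested email addresses
    ("Weaponization", "Resource Development", "T1587.001", False),   # built a malicious document
    ("Delivery", "Initial Access", "T1566.001", True),               # spearphishing attachment
    ("Exploitation", "Execution", "T1204.002", False),               # user opened the file
    ("Installation", "Persistence", "T1547.001", True),              # Run key persistence
    ("Command and Control", "Command and Control", "T1071.001", False),  # HTTPS beacon
    ("Actions on Objectives", "Exfiltration", "T1041", False),       # exfil over the C2 channel
    ("Actions on Objectives", "Impact", "T1486", True),              # files encrypted
]

def walk_kill_chain(events):
    """Lab step 2/3: technique IDs listed per Kill Chain stage, in stage order.
    Rejects unknown stages and malformed technique IDs."""
    by_stage = {stage: [] for stage in KILL_CHAIN}
    for stage, _tactic, tid, _hit in events:
        if stage not in by_stage:
            raise ValueError(f"unknown Kill Chain stage: {stage}")
        if not TECHNIQUE_ID.match(tid):
            raise ValueError(f"malformed ATT&CK technique ID: {tid}")
        by_stage[stage].append(tid)
    return by_stage

def coverage_by_tactic(events):
    """Heatmap input in the style of an ES coverage view: tactic -> (detected, total)."""
    hits, totals = defaultdict(int), defaultdict(int)
    for _stage, tactic, _tid, detected in events:
        totals[tactic] += 1
        hits[tactic] += int(detected)
    return {t: (hits[t], totals[t]) for t in totals}

def first_detected_stage(events):
    """Lab step 4: earliest stage the SOC would have seen, or None.
    Anything later than Delivery means the adversary already had code running."""
    detected = [s for s, _t, _i, hit in events if hit]
    return min(detected, key=KILL_CHAIN.index) if detected else None

def undetected_stages(events):
    """Lab step 4: stages where every event went unseen, i.e. the detection gaps."""
    seen = {s for s, _t, _i, hit in events if hit}
    return [s for s in KILL_CHAIN if s not in seen]
```

Swap in the events of the breach you picked; the gap list is the part of the write-up that turns into detection backlog.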
Key Takeaways
- ✓ Kill Chain explains the story; ATT&CK explains the moves
- ✓ Splunk ES uses ATT&CK as its taxonomy — learn it cold
- ✓ Detect on TTPs, not just IOCs