MITRE ATT&CK vs Cyber Kill Chain: What's the Difference?

MITRE ATT&CK and the Cyber Kill Chain are frameworks to address cyberattacks against an organization. But while the Cyber Kill Chain addresses the cyberattack process from a high level with its seven phases, MITRE ATT&CK contains a deeper scope of knowledge that includes granular details about cyberattacks, such as attack techniques and procedures, and links to industry advisories.

MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a free and open knowledge base of cybersecurity information first released by the MITRE Corporation in 2018. ATT&CK is designed to help cybersecurity analysts and other stakeholders gain Cyber Threat Intelligence (CTI) insights for planning and designing cybersecurity programs and facilitate communication by providing a common cybersecurity reference vocabulary.

MITRE ATT&CK uses the Tactics, Techniques, and Procedures (TTP) perspective to organize cybersecurity knowledge into a hierarchical framework. Each Tactic is an adversary goal and contains multiple Techniques, each defining a method of accomplishing that tactical goal. The lowest hierarchical level in the ATT&CK framework holds detailed Procedures for each Technique, such as the tools, protocols, and malware strains observed using it in real-world cyberattacks. Alongside this, ATT&CK records related knowledge for each Technique, such as which adversarial groups are known to use it.

MITRE ATT&CK Tactics

  • Reconnaissance (Enterprise, ICS)
  • Resource Development (Enterprise, ICS)
  • Initial Access
  • Execution
  • Persistence
  • Privilege Escalation
  • Defense Evasion
  • Credential Access (Enterprise, Mobile)
  • Discovery
  • Lateral Movement
  • Collection
  • Command and Control
  • Exfiltration (Enterprise, Mobile)
  • Impact
  • Network Effects (Mobile-only)
  • Network Service Effects (Mobile-only)
  • Inhibit Response Function (ICS-only)
  • Impair Process Control (ICS-only)

What Is the Cyber Kill Chain?

The Cyber Kill Chain is a cyberattack framework developed by Lockheed Martin and released in 2011. The term “Kill Chain” was adopted from the traditional military concept, which defines it as the process of planning and launching an attack.

Like MITRE ATT&CK, the Cyber Kill Chain categorizes all cyberattack behaviors into sequential tactics, from reconnaissance to achieving objectives. The Cyber Kill Chain also promotes the notion that each phase of the attack is an opportunity to stop it by “breaking the kill chain.” Cyber Kill Chain advocates that planning and testing security controls for each identified stage of an attack will result in a comprehensive defensive strategy.

7 Stages of Cyber Kill Chain

  1. Reconnaissance
  2. Weaponization
  3. Delivery
  4. Exploitation
  5. Installation
  6. Command and Control
  7. Actions on Objectives

How MITRE ATT&CK Differs from Cyber Kill Chain

The Cyber Kill Chain is fundamentally different from the MITRE ATT&CK framework in that it claims all cyberattacks must follow a specific sequence of attack tactics to achieve success—MITRE ATT&CK makes no such claim. The Cyber Kill Chain is an elementary sequence of stages comprising a cyberattack, combined with a general defensive security axiom that “breaking” any phase of the “kill chain” will stop an attacker from successfully achieving their goal.

MITRE ATT&CK is more than a sequence of attack tactics. It is a deep knowledge base that correlates environment-specific cybersecurity information along a hierarchy of Tactics, Techniques, Procedures, and other Common Knowledge, such as attribution to specific adversarial groups.

What’s Better: MITRE ATT&CK or Cyber Kill Chain?

As a basic introduction to cyberattack behavior, the Cyber Kill Chain’s simplicity provides a foundational understanding of the cyberattack process and should not overwhelm new learners. But its strength in this sense is its weakness in another, as it doesn’t provide deep insights into attacker procedures, limiting its usefulness.

Also, the Cyber Kill Chain is often criticized for focusing on perimeter security, and it’s debatable whether its central axiom—that preventing one stage of an attacker’s process will disable the attack—is a realistic approach to cybersecurity. A practical risk-driven approach to cybersecurity calls for applying resources according to contextual risk; an approach that tries to prevent security breaches by prioritizing the early stages of an attack is inadequate.

The MITRE ATT&CK framework represents a fuller library of malicious behavior (TTP and Common Knowledge) and provides a deeper library of actionable Cyber Threat Intelligence (CTI). Because it is a comprehensive knowledge base of cyberattack information, ATT&CK serves as a checklist of attacker methodologies and goals, justifying the inclusion of security controls and ensuring these controls are comprehensive and offer some degree of protection against all aspects of real-world cyberattacks.
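The "checklist" use of ATT&CK described above is usually done as a coverage review: list the tactics, record which deployed controls claim to address each one, and look for tactics with no control (or only one). The following is an added example of that review, not BlackBerry's, MITRE's, or any vendor's own tooling. The tactic names are the Enterprise tactics listed earlier in this article; the control names and their tactic mappings are constructed sample data, and a real inventory would map controls to Technique IDs rather than whole tactics.

```python
"""Added example: an ATT&CK-style control-coverage checklist.

All control names and mappings below are constructed for illustration;
they are not a real inventory and not MITRE's or BlackBerry's tooling.
"""

# Tactic names as listed in the article (Enterprise matrix subset).
ENTERPRISE_TACTICS = [
    "Reconnaissance", "Resource Development", "Initial Access", "Execution",
    "Persistence", "Privilege Escalation", "Defense Evasion",
    "Credential Access", "Discovery", "Lateral Movement", "Collection",
    "Command and Control", "Exfiltration", "Impact",
]

# Constructed sample: which tactics each deployed control is believed to
# address. Control names are hypothetical.
SAMPLE_CONTROLS = {
    "email-gateway-sandbox": ["Initial Access", "Execution"],
    "edr-behavioral": ["Execution", "Persistence", "Privilege Escalation",
                       "Defense Evasion", "Credential Access"],
    "egress-proxy-dns-filter": ["Command and Control", "Exfiltration"],
    "immutable-backups": ["Impact"],
}


def coverage_report(tactics, controls):
    """Return (uncovered, counts, unknown).

    uncovered: tactics no control claims, in matrix order.
    counts:    tactic -> number of controls claiming it.
    unknown:   tactic names in the inventory that are not in `tactics`
               (typos, or tactics from another matrix such as ICS/Mobile).
    """
    counts = {t: 0 for t in tactics}
    unknown = set()
    for _control, covered in controls.items():
        for tactic in covered:
            if tactic not in counts:
                unknown.add(tactic)
                continue
            counts[tactic] += 1
    uncovered = [t for t in tactics if counts[t] == 0]
    return uncovered, counts, sorted(unknown)


def single_points_of_failure(counts):
    """Tactics covered by exactly one control: if that control is bypassed
    or misconfigured, the tactic has no remaining coverage."""
    return [t for t, n in counts.items() if n == 1]


if __name__ == "__main__":
    uncovered, counts, unknown = coverage_report(ENTERPRISE_TACTICS,
                                                 SAMPLE_CONTROLS)
    print("Uncovered tactics:", uncovered)
    print("Single-control tactics:", single_points_of_failure(counts))
    print("Unrecognized tactic names:", unknown)
```

Two things the output makes visible that the prose alone does not: the pre-compromise tactics (Reconnaissance, Resource Development) are uncovered by every control in the sample, which is expected because they happen outside the defender's environment, and most in-network tactics rest on a single control. That second list is the practical argument against the Kill Chain's "break one link" axiom: each link is itself only as strong as the one control behind it.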

ATT&CK is more helpful to threat hunters, red teamers, and those designing and implementing security policies and controls, such as security and network architects and administrators. It can also normalize communication about cybersecurity between stakeholders by providing a more comprehensive set of terminology and definitions.

BlackBerry’s suite of Cylance cybersecurity solutions was 100 percent successful in preventing both the Wizard Spider and Sandworm attack emulations very early in MITRE ATT&CK's 2022 evaluation—before any damage occurred.

BlackBerry’s CylancePROTECT® and CylanceOPTICS® solutions provided comprehensive detections on individual attack techniques with high confidence, helping to reduce wasted resources spent chasing false positives.