What are the Cyber Kill Chain and MITRE ATT&CK, and how do they differ as ways of describing an attack?
The Cyber Kill Chain is a short, linear 7-stage model of an intrusion; MITRE ATT&CK is a large, detailed catalogue of attacker tactics organized into stages but not strictly sequential.
* The Cyber Kill Chain — seven sequential intrusion stages, Reconnaissance through Actions on Objectives. *
* Kill Chain (linear story) vs MITRE ATT&CK (granular tactic vocabulary). *
Lockheed Martin's Cyber Kill Chain runs: Reconnaissance → Weaponization → Delivery → Exploitation → Installation → Command & Control → Actions on Objectives. It is simple and good for explaining an attack's overall flow. MITRE ATT&CK is far more granular — tactics such as Initial Access, Execution, Persistence, Privilege Escalation, Defence Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Command and Control, and Impact — each backed by hundreds of real-world techniques. WHY two models: the Kill Chain tells the story; ATT&CK gives the vocabulary and evidence to map exactly what an adversary did. See attack.mitre.org.
Go deeper:
Cyber Kill Chain (Lockheed Martin) — Primärquelle des 7-stufigen Intrusion-Modells direkt vom Urheber.
MITRE ATT&CK — Die kanonische, frei zugängliche Wissensdatenbank realer Angreifer-Taktiken und -Techniken.
Cyber Kill Chain (Wikipedia) — Die sieben Phasen samt Kritikpunkten (z. B. schwach bei Insider-Threats).