Hour 5 of 8

Cyber Kill Chain & MITRE ATT&CK

Two lenses on the adversary lifecycle
~70 min · 3 interactive labs
CEH Objectives ▸ Describe the 7 stages of the Lockheed Martin Cyber Kill Chain · Differentiate Kill Chain (linear) vs MITRE ATT&CK (matrix of TTPs) · Map a real intrusion to both frameworks and identify break points · Use Tactic / Technique / Sub-technique / Procedure correctly
OP. NIGHTJAR

Mission Brief

Glasshouse Bank's SOC just pulled a week of alerts that 'don't seem connected'. Your job: stitch them into a kill chain narrative AND map each step to an ATT&CK technique. Deliver a one-page intrusion timeline the CISO can hand to the board.

Order seven scrambled SOC events into the correct kill-chain stage
Tag each event with its ATT&CK Tactic
Identify the earliest stage where a control could have broken the chain

Story · Seven alerts, one adversary

Monday: a marketing manager's LinkedIn profile is scraped at 03:00 UTC. Tuesday: she receives a 'Q3 board pack' DOCX with a macro. Wednesday: an outbound HTTPS beacon to a residential ASN every 47 minutes. Thursday: a service account suddenly enumerates Active Directory. Friday: ntds.dit is staged to C:\Windows\Temp. Saturday: 14GB of compressed data exits via a legitimate cloud-storage SaaS. Sunday: ransomware notes appear on twelve file servers.

On a whiteboard the SOC lead writes seven dates. Junior analysts see seven incidents. You see ONE adversary moving through seven stages — and you can name each stage, name the ATT&CK tactic, and point at the cheapest place to break the chain next time.

That's the difference between alert-chasing and threat-informed defence. The Kill Chain gives you the story. ATT&CK gives you the vocabulary the entire industry already speaks.

Trainer · Core Concepts

Lockheed Martin Cyber Kill Chain — the 7 stages

Reconnaissance → Weaponisation → Delivery → Exploitation → Installation → Command & Control (C2) → Actions on Objectives. Linear, intruder-centric, born in 2011. Strength: tells a story executives understand. Weakness: ransomware/insider/cloud attacks don't always go left-to-right.

Break-the-chain principle

You don't need to stop the attacker everywhere — just ONCE. The earlier you break, the cheaper the response. A blocked phish (Delivery) costs minutes; ransomware encryption (Actions) costs millions. Every control gets mapped to the stages it addresses; gaps become the next investment.

MITRE ATT&CK — the matrix

ATT&CK is a globally-curated knowledge base of adversary Tactics (the WHY — 14 columns for Enterprise: Recon, Resource Dev, Initial Access, Execution, Persistence, Privilege Escalation, Defence Evasion, Credential Access, Discovery, Lateral Movement, Collection, C2, Exfiltration, Impact) and Techniques (the HOW). Updated continuously from real incidents — not theoretical.

Tactic vs Technique vs Sub-technique vs Procedure

Tactic = adversary's goal (Credential Access). Technique = method (T1003 OS Credential Dumping). Sub-technique = specific variant (T1003.003 NTDS). Procedure = exactly how a named actor did it (APT29 used Mimikatz on a DC at 02:14 UTC). CEH expects you to read T-numbers fluently.

Kill Chain vs ATT&CK — when to use which

Use Kill Chain for executive storytelling, gap analysis, and tabletop exercises. Use ATT&CK for detection engineering, purple-team planning, threat intel, and SOC content (Sigma/Splunk rules). Mature programs use BOTH: Kill Chain as the spine, ATT&CK as the muscle.


Micro Labs

CLASSIFY

Lab 13 · Order the Intrusion (Kill Chain stage)

Seven SOC events from the Glasshouse incident. Place each under its correct Kill Chain stage.

Marketing manager's LinkedIn scraped at 03:00 UTC
Phishing email with malicious 'Q3 board pack' DOCX received
Office macro spawns powershell.exe with encoded command
Scheduled task 'WindowsUpdateHelper' created in C:\Windows\System32\Tasks
Outbound HTTPS beacon to residential ASN every 47 minutes
ntds.dit copied to C:\Windows\Temp and 7-zipped
14GB compressed archive uploaded to mega.nz
MATCH

Lab 14 · Match Event → ATT&CK Tactic

Same incidents, different lens. Match each event to the MITRE ATT&CK Tactic that best describes the adversary's goal at that moment.

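To make the two lenses concrete, here is an added Python example (mine, not part of the lesson or its labs) that takes the seven Glasshouse alerts, constructed from the story above and deliberately scrambled, orders them along the Kill Chain, tags each with an ATT&CK tactic and T-number, reports which stages were never observed, checks that the stage order agrees with the day order, and finds the earliest stage with a deployed control. The T-numbers are real ATT&CK Enterprise IDs; the pairing of each event with a stage and technique, and the per-stage controls, are my assumptions rather than the lab's answer key.

```python
"""Stitch scrambled SOC events into a Kill Chain narrative and tag each
with its ATT&CK tactic. Events, stage labels and controls are constructed
for this example; the T-numbers are real ATT&CK IDs but the pairing is mine."""
import re
from dataclasses import dataclass

KILL_CHAIN = ["Reconnaissance", "Weaponisation", "Delivery", "Exploitation",
              "Installation", "Command & Control", "Actions on Objectives"]
DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]

# Technique ID -> (tactic, technique name). Real ATT&CK Enterprise IDs; subset only.
ATTACK = {
    "T1593.001": ("Reconnaissance", "Search Open Websites/Domains: Social Media"),
    "T1566.001": ("Initial Access", "Phishing: Spearphishing Attachment"),
    "T1059.001": ("Execution", "Command and Scripting Interpreter: PowerShell"),
    "T1053.005": ("Persistence", "Scheduled Task/Job: Scheduled Task"),
    "T1071.001": ("Command and Control", "Application Layer Protocol: Web Protocols"),
    "T1003.003": ("Credential Access", "OS Credential Dumping: NTDS"),
    "T1567.002": ("Exfiltration", "Exfiltration Over Web Service: Exfiltration to Cloud Storage"),
}
_T_ID = re.compile(r"^T(\d{4})(?:\.(\d{3}))?$")


def parse_tid(tid):
    """'T1003.003' -> ('T1003', '003'); 'T1003' -> ('T1003', None).
    Rejects tactic IDs such as TA0006 and malformed strings."""
    m = _T_ID.match(tid)
    if not m:
        raise ValueError(f"not an ATT&CK technique ID: {tid!r}")
    return "T" + m.group(1), m.group(2)


@dataclass
class Event:
    day: str        # day of week the alert fired
    summary: str    # what the SOC saw
    stage: str      # Kill Chain stage the analyst assigned
    technique: str  # ATT&CK technique or sub-technique ID


# Constructed from the page's story, deliberately out of order.
EVENTS = [
    Event("Fri", "ntds.dit copied to C:\\Windows\\Temp and 7-zipped", "Actions on Objectives", "T1003.003"),
    Event("Tue", "'Q3 board pack' DOCX with macro received", "Delivery", "T1566.001"),
    Event("Wed", "HTTPS beacon to residential ASN every 47 min", "Command & Control", "T1071.001"),
    Event("Mon", "Marketing manager's LinkedIn scraped at 03:00 UTC", "Reconnaissance", "T1593.001"),
    Event("Sat", "14GB archive uploaded to mega.nz", "Actions on Objectives", "T1567.002"),
    Event("Tue", "Office macro spawns powershell.exe with encoded command", "Exploitation", "T1059.001"),
    Event("Tue", "Scheduled task 'WindowsUpdateHelper' created", "Installation", "T1053.005"),
]

# Constructed: preventive controls the bank could deploy, per stage. Reconnaissance
# is left empty on purpose: scraping a public profile is outside the bank's control.
CONTROLS = {
    "Delivery": ["mail gateway strips or detonates macro-bearing attachments"],
    "Exploitation": ["ASR rule: block Office from creating child processes"],
    "Command & Control": ["egress proxy denies direct HTTPS to residential ASNs"],
}


def order_by_stage(events):
    """Sort along the Kill Chain; stable, so same-stage events keep input order."""
    return sorted(events, key=lambda e: KILL_CHAIN.index(e.stage))


def tactic_for(event):
    """ATT&CK tactic (the WHY) behind the event's technique (the HOW)."""
    parse_tid(event.technique)  # fail loudly on a malformed ID
    return ATTACK[event.technique][0]


def missing_stages(events):
    """Stages with no observed event; Weaponisation usually lands here."""
    seen = {e.stage for e in events}
    return [s for s in KILL_CHAIN if s not in seen]


def chronology_violations(events):
    """Adjacent stage-ordered events whose days run backwards: a hit means a
    misclassified stage or more than one adversary in the data."""
    ordered = order_by_stage(events)
    return [(a.summary, b.summary) for a, b in zip(ordered, ordered[1:])
            if DAYS.index(b.day) < DAYS.index(a.day)]


def earliest_break(events, controls):
    """First stage in chain order with a deployed control: the cheapest break point."""
    for e in order_by_stage(events):
        if controls.get(e.stage):
            return e.stage, controls[e.stage][0]
    return None


def timeline(events):
    """One line per event: day | stage | tactic | T-number | summary."""
    return [f"{e.day} | {e.stage:<22} | {tactic_for(e):<19} | {e.technique:<9} | {e.summary}"
            for e in order_by_stage(events)]


if __name__ == "__main__":
    print("\n".join(timeline(EVENTS)))
    print("unobserved stages:", missing_stages(EVENTS))
    print("chronology violations:", chronology_violations(EVENTS))
    print("cheapest break:", earliest_break(EVENTS, CONTROLS))
```

Two things the run shows that the labs only imply: Weaponisation is the one stage with no alert, because building the DOCX happens on the attacker's side and is invisible to the SOC; and the two Actions on Objectives events share a Kill Chain stage but carry different ATT&CK tactics (Credential Access, then Exfiltration), which is exactly the resolution the matrix adds over the linear chain.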
DECISION

Lab 15 · Break the Chain (cheapest break point)

For each scenario, pick the stage where a single control would have broken this intrusion at lowest blast radius.

SCENARIO 1

Macro-laden phishing email lands in 1,400 inboxes. Three users open it; one enables macros. What's the cheapest break point?

SCENARIO 2

An attacker has valid credentials from a third-party breach. Reuse is the only TTP. Where do you break it?

SCENARIO 3

Insider with legitimate access slowly exfiltrates customer data over 6 weeks to personal Dropbox. Kill Chain is awkward here. Best break point?


Knowledge Check

1. Which Kill Chain stage covers crafting a malicious DOCX with an embedded macro?
2. In MITRE ATT&CK, T1003.003 is a…
3. Best one-line distinction between Kill Chain and ATT&CK?
4. An adversary uses Mimikatz to dump LSASS. Which ATT&CK Tactic?
5. Which Kill Chain stage offers the CHEAPEST defensive ROI for a phishing attack?

Challenge · The Two-Lens Brief

Write a 5-sentence executive summary of the Glasshouse intrusion using Kill Chain as the spine and ATT&CK T-numbers in parentheses. Identify the ONE control that, if it had existed, would have cut the highest-cost branch.

CEH v13 Exam Focus

★★★★★
Frequently tested
  • Cyber Kill Chain 7 stages, in order
  • Reading T-numbers (Technique vs Sub-technique)
  • Mapping incidents to ATT&CK Tactics
  • Break-the-chain reasoning
  • Where Kill Chain breaks down (insider, cloud, ransomware-as-a-service)
Memory tricks
  • RWDEICA — Recon · Weaponise · Deliver · Exploit · Install · C2 · Actions
  • 'Really Wicked Dogs Eat Inside Crunchy Apples' — 7 KC stages
  • ATT&CK = Adversarial Tactics, Techniques & Common Knowledge
Common traps
  • Confusing Weaponisation (build) with Delivery (transmit)
  • Calling C2 'Command and Conquer' — it's Command and Control
  • Treating ATT&CK as linear — it's a MATRIX
  • Mixing Tactic (WHY/goal) with Technique (HOW/method)
Rapid revision
  • 7 KC stages: Recon → Weaponise → Deliver → Exploit → Install → C2 → Actions
  • 14 ATT&CK Enterprise tactics
  • Mimikatz → T1003 Credential Dumping
  • Scheduled Task → T1053 Persistence
  • Phishing → T1566 Initial Access

Interview Prep