Cybersecurity analysts rely on structured frameworks to decompose intrusions, attribute behavior, and design defenses. This document covers three complementary models: the Cyber Kill Chain, the Diamond Model of Intrusion Analysis, and MITRE ATT&CK. Each operates at a different level of abstraction and serves a distinct analytical purpose. Used together, they form a coherent methodology for understanding, tracking, and countering adversary operations. For foundational context on how these frameworks fit into broader intelligence practice, see Cyber Threat Intelligence: Foundations, Categories, and Defense Postures.
The Cyber Kill Chain
Developed by Lockheed Martin, the Cyber Kill Chain breaks a cyberattack into seven sequential stages. Each stage represents a point at which defenders can interrupt an intrusion. Understanding the full sequence allows security teams to identify gaps in detection coverage and apply targeted controls at the most effective intervention points.
Stage 1: Reconnaissance
Before any technical action is taken, attackers conduct intelligence gathering to map the target environment, identify individuals of interest, and locate exploitable weaknesses.
Common methods include:
- Open Source Intelligence (OSINT): Harvesting public data from corporate websites, job postings, press releases, and professional networking platforms such as LinkedIn to reconstruct organizational structure and technology stack. See OSINT and related collection disciplines for a detailed treatment of these methods.
- Social Engineering: Fabricating identities on social media or conducting deceptive phone calls to extract information directly from employees.
- Network Scanning: Using discovery tools to enumerate IP address ranges, identify open ports, and locate externally facing servers with known vulnerabilities.
- Email Analysis: Studying email traffic and header patterns to map internal hierarchies and identify high-value targets for later spear-phishing.
MITRE ATT&CK Mapping: Reconnaissance (TA0043)
Stage 2: Weaponization
Using the intelligence gathered, the attacker constructs or acquires a malicious payload specifically tailored to the target environment’s weaknesses.
- Vulnerability Mapping: Correlating identified weaknesses — such as missing patches or outdated software versions — to known exploit code.
- Tool Development: Building or purchasing malware, ransomware, or automated exploit kits suited to the target’s operating environment.
- Obfuscation: Altering malware signatures and behavioral patterns to evade the target’s specific detection controls.
At this stage, activity occurs entirely within the attacker’s own infrastructure and is not directly visible to defenders. The output is typically a weaponized document, executable, or script ready for delivery.
MITRE ATT&CK Mapping: Resource Development (TA0042)
Stage 3: Delivery
The attacker transmits the weaponized payload to the target. This is the first stage at which the attacker interacts directly with the victim’s environment.
Common delivery vectors include:
- Phishing Emails: Fraudulent messages mimicking legitimate requests — such as a password reset or invoice — designed to induce the recipient to open a malicious attachment or follow a link.
- Malicious Websites: Fake login portals or credential harvesting pages constructed to resemble trusted services.
- Social and Messaging Platforms: Impersonating recruiters or colleagues on platforms such as LinkedIn to distribute links that redirect to malware staging servers.
- Compromised Advertising Networks: Injecting malicious redirects into legitimate ad inventory to silently route site visitors to exploit infrastructure.
MITRE ATT&CK Mapping: Initial Access (TA0001)
Stage 4: Exploitation
Once the payload reaches the target, the attacker triggers it to exploit a vulnerability and gain unauthorized code execution or system access.
Techniques include:
- Code Injection: SQL injection or Cross-Site Scripting (XSS) to manipulate web application logic or underlying databases.
- System Exploits: Targeting misconfigured devices, weak or default credentials, or unpatched external-facing servers.
- User-Assisted Execution: Relying on the user to trigger the exploit — for example, by executing a fake software update that deploys ransomware.
A representative example is the identification of an unsecured administrative panel that an attacker exploits to write a backdoor directly into the application layer.
MITRE ATT&CK Mapping: Execution (TA0002), Exploitation for Client Execution (T1203)
Stage 5: Installation
Having gained access, the attacker works to establish persistent footholds so that access survives reboots, credential rotations, and partial remediation efforts.
- Backdoor Creation: Planting hidden access points — web shells, implants, or scheduled tasks — that allow re-entry without triggering standard authentication alerts.
- Persistence Mechanisms: Configuring malware or scripts to execute automatically on system startup, ensuring the attacker retains access even if the initial entry vector is closed.
MITRE ATT&CK Mapping: Persistence (TA0003)
Stage 6: Command and Control (C2)
The attacker establishes a communication channel between the compromised system and external infrastructure to issue commands and receive exfiltrated data.
- Infrastructure Setup: Deploying command-and-control servers that relay instructions to implants on victim machines.
- Covert Communications: Using dynamic IP addresses, encrypted channels, and protocol mimicry to blend C2 traffic into normal network activity and evade detection by network monitoring tools.
MITRE ATT&CK Mapping: Command and Control (TA0011)
Stage 7: Actions on Objective
The final stage represents the attacker achieving their primary goal. By this point, the attacker has traversed the entire kill chain and is operating with relative freedom inside the target environment.
Objectives vary by adversary type:
- Data Theft: Exfiltrating intellectual property, financial records, or customer data for corporate espionage or sale on criminal markets.
- System Disruption: Deleting critical files or launching Distributed Denial-of-Service (DDoS) attacks to degrade or destroy services.
- Extortion: Deploying ransomware to encrypt organizational data and demanding cryptocurrency payment in exchange for the decryption key.
MITRE ATT&CK Mapping: Exfiltration (TA0010), Impact (TA0040)
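The kill chain is mainly useful to a defender as a coverage map: each stage is a place where a control or a detection should exist. The following added example (not part of the original document) shows how to turn the stage-to-tactic mapping above into an automated gap check. The detection inventory and its data sources are constructed sample data; the ATT&CK tactic IDs are the ones the text assigns to each stage. Note that Reconnaissance and Weaponization will always appear as gaps in host- and network-based telemetry, because, as the text says, that activity happens inside the attacker's own infrastructure.

```python
"""Kill-chain coverage gap check (added example with constructed data)."""

# Kill chain stage -> ATT&CK tactic IDs, exactly as mapped in the stages above.
KILL_CHAIN = [
    ("Reconnaissance", {"TA0043"}),
    ("Weaponization", {"TA0042"}),
    ("Delivery", {"TA0001"}),
    ("Exploitation", {"TA0002"}),
    ("Installation", {"TA0003"}),
    ("Command and Control", {"TA0011"}),
    ("Actions on Objective", {"TA0010", "TA0040"}),
]

# Constructed detection inventory: what each rule covers and the telemetry it needs.
DETECTIONS = [
    {"name": "Phishing attachment sandbox verdict", "tactics": {"TA0001"}, "source": "email gateway"},
    {"name": "Office application spawning PowerShell", "tactics": {"TA0002"}, "source": "process creation (4688)"},
    {"name": "New scheduled task created by non-admin", "tactics": {"TA0003"}, "source": "process creation (4688)"},
    {"name": "Beacon-like periodic HTTPS to rare domain", "tactics": {"TA0011"}, "source": "proxy logs"},
    {"name": "Large outbound transfer to new destination", "tactics": {"TA0010"}, "source": "proxy logs"},
]


def coverage_report(kill_chain=KILL_CHAIN, detections=DETECTIONS):
    """Map every stage to the detections that claim one of its tactics and the sources they need."""
    report = {}
    for stage, tactics in kill_chain:
        hits = [d for d in detections if d["tactics"] & tactics]
        report[stage] = {
            "detections": [d["name"] for d in hits],
            "sources": {d["source"] for d in hits},
        }
    return report


def uncovered_stages(report):
    """Stages with no detection at all (Recon/Weaponization are expected here)."""
    return [stage for stage, r in report.items() if not r["detections"]]


def uncovered_tactics(kill_chain=KILL_CHAIN, detections=DETECTIONS):
    """Tactic IDs within a stage that no detection claims; catches partial coverage
    such as Exfiltration being covered while Impact is not."""
    covered = set().union(*(d["tactics"] for d in detections))
    return {stage: sorted(tactics - covered)
            for stage, tactics in kill_chain if tactics - covered}


def stages_depending_on(source, report):
    """Stages whose entire coverage would vanish if this telemetry source stopped flowing."""
    return [stage for stage, r in report.items()
            if r["detections"] and r["sources"] == {source}]


if __name__ == "__main__":
    rep = coverage_report()
    print("no coverage:", uncovered_stages(rep))
    print("partial coverage:", uncovered_tactics())
    print("single point of failure on 4688:", stages_depending_on("process creation (4688)", rep))
```

The last check is the one that matters most in practice: it shows that if process-creation auditing is switched off or stops being forwarded, two kill chain stages go dark at once, which is the kind of dependency the Data Components tier discussed later in this document is meant to make explicit.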
Case Study: WannaCry (May 2017)
The WannaCry attack is one of the most illustrative examples of the kill chain executing at global scale.
| Attribute | Detail |
|---|---|
| Date | May 12, 2017 |
| Attack Vector | EternalBlue, an exploit for a vulnerability in Microsoft’s SMBv1 implementation (CVE-2017-0144). The exploit was originally developed by the NSA and subsequently leaked by the Shadow Brokers. |
| Primary Objective | Ransomware: encrypted victim files and demanded Bitcoin payment. |
| Major Impact | Global disruption across approximately 150 countries. The UK National Health Service (NHS) was severely affected, resulting in thousands of canceled appointments and diverted emergency services. |
| Key Takeaways | The attack demonstrated the cascading consequences of delayed patch deployment. A Microsoft patch (MS17-010) had been available for two months prior to the attack. Organizations lacking timely patching cycles, offline backups, and network segmentation suffered disproportionate damage. |
The Diamond Model of Intrusion Analysis
The Diamond Model provides a complementary analytical lens focused not on the sequence of an attack, but on the relationships between its core components. It is particularly suited to cyber threat intelligence work, where the goal is attribution, pattern recognition, and adversary profiling.
The Four Vertices
Every intrusion can be mapped to four interconnected elements:
**Adversary:** The individual, group, or state actor behind the operation. Analysis focuses on motive — whether political, financial, ideological, or retaliatory — and on historical activity that can inform attribution and predict future targeting.
Example: The North Korean-linked Lazarus Group consistently targets financial institutions with the explicit objective of generating hard currency for the state.
**Victim:** The specific person, organization, system, or sector targeted. Understanding victim selection logic reveals the adversary’s broader strategic objectives and helps defenders assess their own exposure.
Example: A specific international bank targeted by Lazarus Group because of its cross-border transaction infrastructure and relatively limited threat intelligence capability.
**Infrastructure:** The physical and logical assets the adversary employs to execute and obfuscate the operation. This includes domains, IP addresses, bulletproof hosting providers, proxy servers, and VPN exit nodes.
Example: Lazarus Group routing operations through multiple overseas proxy servers to create attribution confusion and delay incident response.
**Capabilities:** The adversary’s technical toolkit and operational methods. This encompasses malware families, exploitation techniques, social engineering tradecraft, and post-exploitation frameworks.
Example: Lazarus deploying custom remote access trojans (RATs) or keyloggers specifically compiled to evade the security tooling common in the target sector.
Analytical Objectives
Organizations apply the Diamond Model to achieve three primary goals:
- Identifying Attack Elements: Constructing a complete picture of exactly how an intrusion was executed, ensuring no component of the operation is analyzed in isolation.
- Enhancing Threat Intelligence: Using structured incident data to anticipate adversary behavior, accelerate triage of future incidents, and enrich indicators of compromise (IOCs).
- Understanding Adversarial Intent: Deriving insight from the adversary and victim vertices to inform proactive defensive posture — moving beyond reactive blocking toward anticipatory defense.
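The four vertices and the three analytical objectives above become concrete once events are stored as Diamond tuples and pivoted on shared values. The following added example (not part of the original document, and not any CTI platform's API) models each observed event as one diamond, pivots on a single vertex value, links events into an activity thread through shared infrastructure or capability, and lists which adversaries a thread is already tied to. All event data is constructed; the IP addresses come from the documentation ranges and the actor name is a placeholder.

```python
"""Diamond Model events, pivoting and activity threads (added example, constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class DiamondEvent:
    event_id: str
    adversary: str             # "unknown" until attribution is supported
    victim: str
    infrastructure: frozenset  # domains, IPs, hosts the adversary used
    capability: frozenset      # malware families, techniques, tradecraft
    phase: str                 # kill chain stage in which it was observed


# Constructed sample events; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_EVENTS = [
    DiamondEvent("E1", "unknown", "bank-a.example",
                 frozenset({"203.0.113.10", "update-check.example.net"}),
                 frozenset({"T1566 spear-phishing", "Loader-X"}), "Delivery"),
    DiamondEvent("E2", "unknown", "bank-a.example",
                 frozenset({"203.0.113.10"}), frozenset({"RAT-Y"}), "Command and Control"),
    DiamondEvent("E3", "ACTOR-A", "bank-b.example",
                 frozenset({"update-check.example.net"}), frozenset({"RAT-Y"}), "Command and Control"),
    DiamondEvent("E4", "unknown", "retailer-c.example",
                 frozenset({"198.51.100.7"}), frozenset({"Ransomware-Z"}), "Actions on Objective"),
]


def pivot(events, vertex, value):
    """Event IDs whose vertex contains (set vertex) or equals (scalar vertex) the value."""
    matches = []
    for ev in events:
        current = getattr(ev, vertex)
        hit = value in current if isinstance(current, frozenset) else current == value
        if hit:
            matches.append(ev.event_id)
    return matches


def activity_thread(events, seed_id):
    """Transitively link events that share any infrastructure or capability value."""
    by_id = {ev.event_id: ev for ev in events}
    seen, todo = set(), [seed_id]
    while todo:
        current = by_id[todo.pop()]
        if current.event_id in seen:
            continue
        seen.add(current.event_id)
        for other in events:
            if other.event_id in seen:
                continue
            shared = (current.infrastructure & other.infrastructure
                      or current.capability & other.capability)
            if shared:
                todo.append(other.event_id)
    return sorted(seen)


def candidate_adversaries(events, thread_ids):
    """Adversaries already attributed anywhere in the thread: an attribution hypothesis to test,
    not a conclusion, because shared proxies or hosting can link unrelated actors."""
    by_id = {ev.event_id: ev for ev in events}
    return sorted({by_id[i].adversary for i in thread_ids if by_id[i].adversary != "unknown"})


if __name__ == "__main__":
    thread = activity_thread(SAMPLE_EVENTS, "E1")
    print("pivot on C2 address:", pivot(SAMPLE_EVENTS, "infrastructure", "203.0.113.10"))
    print("activity thread from E1:", thread)
    print("candidate adversaries:", candidate_adversaries(SAMPLE_EVENTS, thread))
```

Run from E1, the thread pulls in E2 (same C2 address) and E3 (same staging domain and the same RAT family), while E4 stays isolated. The one attributed event in the thread, E3, suggests ACTOR-A for the bank-a intrusion, which is exactly the kind of infrastructure-based link the text warns adversaries deliberately muddy with proxies, so it should be corroborated against capability and victimology before it is treated as attribution.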
Case Study: The Sony Pictures Breach (2014)
The Sony Pictures breach is a canonical application of the Diamond Model to a destructive, state-directed operation.
**Adversary:** The attack was attributed to the Lazarus Group, operating on behalf of the North Korean government. The motivation was explicitly political: the group sought to deter the theatrical release of The Interview, a film depicting a fictional assassination of the North Korean leader. The operation was retaliatory and reputationally defensive in nature, distinguishing it from Lazarus’s more typical financially motivated campaigns.
**Victim:** Sony Pictures Entertainment was selected not for financial value but for strategic reasons. The attack resulted in the leak of unreleased film masters, internal financial data, executive communications, and personal information belonging to thousands of employees — producing both operational and reputational damage designed to serve as a public deterrent.
**Infrastructure:** Attackers used proxy servers and spoofed IP addresses, routing data exfiltration through servers distributed across multiple jurisdictions. This multi-hop architecture substantially delayed attribution and complicated Sony’s immediate incident response. Defenders could not readily distinguish legitimate traffic from exfiltration during the active phase.
**Capabilities:** The operation combined two distinct capability layers:
- Initial Access: Spear-phishing emails targeting Sony employees were used to breach the network perimeter.
- Payload: The Destover wiper malware was deployed to destroy data at scale. Destover is engineered to overwrite the Master Boot Record and system files, rendering machines unbootable and making data recovery from affected systems effectively impossible. This destructive function served both an operational goal (eliminating forensic evidence) and a psychological one (demonstrating capacity and willingness to cause irreversible harm).
**Analytical Output:** Applying the Diamond Model to this incident produced an actionable adversary profile: Lazarus Group’s combination of low-sophistication initial access (phishing) with high-impact destructive payloads (wipers) became a recognized signature. This intelligence allowed other organizations — particularly those in sectors exposed to politically motivated actors — to prioritize defenses against social engineering entry points and to treat wiper malware as a distinct threat category requiring dedicated backup and recovery controls.
MITRE ATT&CK
MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a continuously maintained knowledge base that catalogs the specific behaviors adversaries exhibit during real-world intrusions. Where the Kill Chain describes what stage an attacker is in, and the Diamond Model describes who and what is involved, ATT&CK describes the precise methods used at each point.
Attack Lifecycle: Tactics and Techniques in Sequence
The following illustrates how ATT&CK tactics chain together during a representative breach:
**Initial Access and Discovery:** The attacker enters via Phishing (T1566). Once inside, they execute Discovery techniques to map the environment — enumerating Active Directory structures, identifying domain controllers, and locating high-value servers.
**Execution and Privilege Escalation:** The attacker invokes a Command and Scripting Interpreter (T1059) — most commonly PowerShell — to execute malicious code. Because initial access typically yields only standard user privileges, the attacker must escalate. Tools such as Mimikatz are used to scrape administrator credentials from memory, enabling Privilege Escalation (TA0004).
**Lateral Movement:** Armed with Valid Accounts (T1078) obtained through credential theft, the attacker moves from the initially compromised endpoint to more sensitive assets — database servers, domain controllers, or backup infrastructure. Because these movements use legitimate credentials, they frequently evade signature-based detection.
**Collection, C2, and Exfiltration:** The attacker bundles target data (Collection, TA0009), communicates with external infrastructure using encrypted or protocol-blended channels (Command and Control, TA0011), and transfers the data out of the network (Exfiltration, TA0010).
Cyber Threat Intelligence: Groups and Software
ATT&CK maintains detailed profiles on both threat groups and the software they deploy, enabling defenders to cross-reference observed techniques against known adversary behavior.
Software
**Cobalt Strike:** Originally a commercial red team simulation platform, Cobalt Strike was leaked and has been widely adopted by criminal and state-sponsored threat actors. It operates by deploying “Beacons” on victim machines — lightweight implants that execute commands, capture keystrokes, and stage additional payloads. Cobalt Strike is favored because its network traffic can be configured to mimic legitimate HTTPS traffic, complicating network-layer detection. See the ATT&CK software entry for the full technique mapping.
**Mimikatz:** An open-source credential extraction tool that targets the Windows Local Security Authority Subsystem Service (LSASS) to retrieve plaintext passwords, NTLM hashes, and Kerberos tickets from memory. It is the primary enabler of Pass-the-Hash attacks (T1550.002), in which an attacker authenticates using a captured hash rather than the cleartext password. Its original purpose was to demonstrate a fundamental design weakness in Windows credential caching.
**Emotet:** A modular botnet that initially propagated via malicious email attachments. Emotet functioned as a “loader” — establishing access and then selling or renting that foothold to secondary operators, most notably ransomware groups such as Ryuk. Though disrupted by law enforcement in 2021, Emotet has resurged in modified form and remains tracked as an active threat.
Threat Groups
**APT29 (Cozy Bear):** Attributed to Russia’s Foreign Intelligence Service (SVR). APT29 is characterized by patient, long-term espionage operations prioritizing stealth over destruction. Their most significant known operation is the 2020 SolarWinds supply chain attack, in which malicious code was inserted into legitimate updates of the Orion IT monitoring platform, granting access to approximately 18,000 organizations including multiple U.S. federal agencies. The technique — compromising a trusted software vendor to reach downstream targets — represents one of the most consequential supply chain compromises on record.
**APT28 (Fancy Bear):** Attributed to Russia’s Main Intelligence Directorate (GRU). APT28 employs more aggressive and politically disruptive tactics than APT29, including zero-day exploitation, spear-phishing campaigns targeting government and military personnel, and operations designed to interfere in democratic processes. They are associated with the 2016 Democratic National Committee breach and multiple attacks on NATO member infrastructure.
Framework Evolution: Version 18 (Late 2025)
As of Version 18, MITRE ATT&CK restructured how defensive guidance is presented to make it more directly actionable for Security Operations Centers (SOCs). The previous model listed generalized detection notes alongside techniques. The updated model introduces a three-tier structure:
| Component | Description |
|---|---|
| Detection Strategies | Behavior-focused guidance describing what activity to monitor for, independent of specific tooling. Example: monitor for PowerShell invocations spawned by Office applications. |
| Analytics | Platform-specific queries ready for direct ingestion into SIEM platforms, enabling rapid deployment of detections without requiring custom development. |
| Data Components | Precise telemetry requirements that must be in place for analytics to function. Example: Windows Event Log ID 4688 (Process Creation) must be enabled and forwarded for process-based analytics to operate. |
This structural shift reflects a broader maturation in defensive philosophy: rather than attempting to block specific malicious files — which adversaries can trivially recompile or modify — defenders are directed to detect the fundamental behaviors that adversaries are constrained to exhibit regardless of tooling. A threat actor may change their malware, but they cannot change the fact that they need to execute code, escalate privileges, and move laterally.
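The three tiers above map directly onto a working detection: the Detection Strategy is the behavior ("PowerShell spawned by an Office application"), the Analytic is the matching logic, and the Data Component is process-creation telemetry with parent and child process names. The following added example (not MITRE's own analytic and not code from the original document) implements that detection over constructed records shaped like Windows Security event 4688. The field names follow the 4688 schema; every value is made up. Besides raising alerts it also reports records that lack the parent-process field, because an analytic that silently skips incomplete telemetry gives a false sense of coverage.

```python
"""Behavior analytic: PowerShell spawned by an Office application (added example).

Records are constructed to resemble event 4688 fields; the logic is the analytic,
the set of required fields is the data component it depends on.
"""
import ntpath

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL_BINARIES = {"powershell.exe", "pwsh.exe"}
REQUIRED_FIELDS = ("NewProcessName", "ParentProcessName")

# Constructed sample telemetry (paths and command lines are invented).
SAMPLE_EVENTS = [
    {"EventID": 4688,
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentProcessName": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r"powershell.exe -NoProfile -WindowStyle Hidden -File C:\Users\alice\AppData\Local\Temp\update.ps1"},
    {"EventID": 4688,
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe"},                       # user opened a console: benign
    {"EventID": 4688,
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "ParentProcessName": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "CommandLine": "cmd.exe /c dir"},                        # Office -> cmd: out of scope for this rule
    {"EventID": 4688,
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},                       # parent field missing: telemetry gap
    {"EventID": 4688,
     "NewProcessName": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "ParentProcessName": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "CommandLine": "pwsh.exe -NoLogo"},
    {"EventID": 4624, "TargetUserName": "alice"},           # different event type: ignored
]


def _image_name(path):
    """Normalise a full image path to a lower-case file name, Windows separators included."""
    return ntpath.basename(path).lower()


def evaluate(events):
    """Return alerts for Office -> PowerShell launches plus the indices of records
    that could not be evaluated because a required data component is missing."""
    alerts, telemetry_gaps = [], []
    for index, event in enumerate(events):
        if event.get("EventID") != 4688:
            continue
        if any(not event.get(field) for field in REQUIRED_FIELDS):
            telemetry_gaps.append(index)
            continue
        parent = _image_name(event["ParentProcessName"])
        child = _image_name(event["NewProcessName"])
        if parent in OFFICE_PARENTS and child in POWERSHELL_BINARIES:
            alerts.append({"index": index, "parent": parent, "child": child,
                           "command_line": event.get("CommandLine", "")})
    return {"alerts": alerts, "telemetry_gaps": telemetry_gaps}


if __name__ == "__main__":
    result = evaluate(SAMPLE_EVENTS)
    for alert in result["alerts"]:
        print(f"ALERT record {alert['index']}: {alert['parent']} -> {alert['child']} :: {alert['command_line']}")
    print("records missing required fields:", result["telemetry_gaps"])
```

Two design points carry over to real SIEM content: matching on the normalised image name rather than the full path keeps the rule stable across Office install locations and casing, and counting telemetry gaps separately from alerts turns the Data Components requirement into something a SOC can measure (a rising gap count means collection, not the adversary, has changed).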
Summary: Framework Comparison
| Framework | Primary Use | Unit of Analysis | Best Suited For |
|---|---|---|---|
| Cyber Kill Chain | Attack lifecycle modeling | Stages of an intrusion | Security control gap analysis, detection coverage mapping |
| Diamond Model | Intrusion decomposition and attribution | Relationships between adversary, victim, infrastructure, and capabilities | Threat intelligence production, adversary profiling |
| MITRE ATT&CK | Behavior-level technique cataloging | Individual adversary actions | Detection engineering, red team planning, CTI enrichment |
