
Cyber Kill Chain vs MITRE ATT&CK

4 min read
Aspiring SOC Analyst with hands-on experience in VAPT, firewall configuration, IDS/IPS setup, Windows log monitoring, and network analysis.

1. Cyber Kill Chain framework

The Cyber Kill Chain is a foundational cybersecurity framework developed by Lockheed Martin that models the stages of a cyber attack. It is a linear model that follows the attacker's journey from first contact to final objective.

Cyber Kill Chain = the attacker's lifecycle.

Breaking the chain at any one stage = stopping the entire attack.

2. MITRE ATT&CK framework

The MITRE ATT&CK framework (Adversarial Tactics, Techniques, and Common Knowledge) is a globally accessible, continuously updated knowledge base that catalogs real-world adversary behaviours, created by the MITRE Corporation in 2013.

# Standard Hacking Methodology

Practical execution workflow.

  1. Reconnaissance

  2. Scanning

  3. Gaining Access

  4. Maintaining Access

  5. Clearing Tracks

1. Reconnaissance (information gathering)

Before attacking, the attacker must know the who, what, where and how of the target.

Defence view for SOC:

  • Monitor excessive DNS queries

  • Track scanning behaviour

  • Watch for unusual OSINT-based phishing patterns

2. Weaponization

The attacker prepares a payload + exploit.

Payload = what runs after the exploit succeeds.

Exploit = how the vulnerability is abused.

e.g. Malware embedded in a PDF.

Defence view for SOC:

  • File hash analysis

  • Malware sandboxing

  • Detect known exploit signatures

3. Delivery

The weapon is delivered to the victim.

e.g. HR receives a "Resume.pdf.exe" file by email (a double-extension file: the last extension decides what the OS does with it, the earlier one only misleads the reader).

Defence view for SOC:

  • Email gateway filtering

  • URL reputation

  • Attachment sandboxing
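An added example (not from the original notes) of the gateway-side check behind the "Resume.pdf.exe" case: it classifies attachment names whose real (last) extension is executable while an earlier extension pretends the file is a document. The extension lists and sample names are assumptions.

```python
# Added example: flag attachment names that hide an executable behind a document
# extension (the Delivery-stage "Resume.pdf.exe" trick). Name-based only: it
# complements, not replaces, magic-byte checks and sandboxing.

# Extensions Windows runs as code when the file is opened (assumed, not exhaustive).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "ps1", "msi"}
# Extensions a recipient expects to open as a harmless document or image.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx",
                 "txt", "rtf", "jpg", "jpeg", "png"}


def extensions(filename: str) -> list[str]:
    """Every suffix after the base name, lower-cased and stripped of padding.

    'Resume.pdf.exe' -> ['pdf', 'exe'];  'Invoice.PDF      .scr' -> ['pdf', 'scr']
    (whitespace padding pushes the real extension out of view in mail clients).
    """
    parts = filename.strip().split(".")
    return [p.strip().lower() for p in parts[1:]]


def classify_attachment(filename: str) -> str:
    """Return 'disguised_executable', 'executable' or 'clean'."""
    exts = extensions(filename)
    if not exts or exts[-1] not in EXECUTABLE_EXTS:
        return "clean"            # includes honest multi-suffix names like backup.tar.gz
    if any(e in DOCUMENT_EXTS for e in exts[:-1]):
        return "disguised_executable"
    return "executable"           # a plain .exe: worth a look, but not a disguise


def triage_attachments(filenames: list[str]) -> list[tuple[str, str]]:
    """Return (filename, verdict) for every attachment that is not clean."""
    return [(name, classify_attachment(name))
            for name in filenames if classify_attachment(name) != "clean"]


# Constructed sample attachment names for a mail-gateway check.
SAMPLE_ATTACHMENTS = [
    "Resume.pdf.exe",             # the HR example from the notes
    "Invoice_Q2.PDF      .scr",   # padded so the client truncates the real suffix
    "quarterly-report.docx",      # clean
    "backup.tar.gz",              # two suffixes but no executable: clean
    "setup.exe",                  # executable, but not pretending to be a document
]

if __name__ == "__main__":
    for name, verdict in triage_attachments(SAMPLE_ATTACHMENTS):
        print(f"{verdict:22} {name}")
```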

4. Exploitation

Vulnerability is actually triggered.

e.g. a user clicks a phishing link; a software buffer overflow is triggered.

No exploit = no compromise.

💡
SOC: try to break the chain here.

5. Installation

The malware installs persistence or a backdoor so that it survives a reboot.

Techniques:

  • Registry Run keys

  • Scheduled task

  • Startup folder

  • Backdoor users

Defence view for SOC:

  • EDR

  • Registry Monitoring

  • Autorun analysis
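An added example (not from the original notes) of the registry-monitoring and autorun-analysis view: it matches Sysmon-style endpoint events against three of the installation techniques listed above (Run keys, Startup folder, scheduled tasks). The events are constructed and flattened to field="value" pairs, a simplification of real Sysmon XML; the field names follow Sysmon, the host name is the one used later in these notes.

```python
# Added example: match endpoint telemetry against Installation-stage persistence.
# Sysmon event IDs used: 1 = process create, 11 = file create, 13 = registry value set.
import re

RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
SCHTASKS_CREATE = re.compile(r"\bschtasks(\.exe)?\b.*\s/create\b", re.I)
# Paths an ordinary user can write to: a persistence target here is more suspicious
# than one under Program Files set by an installer (assumed list).
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Downloads|Public)\\", re.I)


def parse_event(line: str) -> dict[str, str]:
    """Turn 'EventID="13" Image="C:\\x.exe" ...' into a dict."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))


def check_persistence(ev: dict[str, str]):
    """(technique, severity) when the event writes a persistence location, else None."""
    eid = ev.get("EventID")
    if eid == "13" and RUN_KEY.search(ev.get("TargetObject", "")):
        sev = "high" if USER_WRITABLE.search(ev.get("Details", "")) else "medium"
        return "registry_run_key", sev          # Details = the value data written
    if eid == "11" and STARTUP_DIR.search(ev.get("TargetFilename", "")):
        return "startup_folder", "medium"
    if eid == "1" and SCHTASKS_CREATE.search(ev.get("CommandLine", "")):
        sev = "high" if USER_WRITABLE.search(ev.get("CommandLine", "")) else "medium"
        return "scheduled_task", sev
    return None


def scan(lines: list[str]) -> list[tuple[str, str, str]]:
    """(host, technique, severity) for every line that matches a persistence rule."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        verdict = check_persistence(ev)
        if verdict:
            hits.append((ev.get("Computer", "?"), *verdict))
    return hits


# Constructed sample telemetry: two Run-key writes, one Startup-folder drop, two
# schtasks runs and one unrelated registry write that must not fire.
SAMPLE_EVENTS = [
    r'EventID="13" Computer="FIN-LAP-07" Image="C:\Users\hr\AppData\Local\Temp\Resume.pdf.exe" TargetObject="HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater" Details="C:\Users\hr\AppData\Roaming\svc.exe"',
    r'EventID="13" Computer="FIN-LAP-07" Image="C:\Windows\System32\msiexec.exe" TargetObject="HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray" Details="C:\Program Files\Vendor\tray.exe"',
    r'EventID="13" Computer="FIN-LAP-07" Image="C:\Windows\explorer.exe" TargetObject="HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden" Details="DWORD (0x00000001)"',
    r'EventID="11" Computer="FIN-LAP-07" Image="C:\Users\hr\AppData\Local\Temp\Resume.pdf.exe" TargetFilename="C:\Users\hr\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sync.lnk"',
    r'EventID="1" Computer="FIN-LAP-07" Image="C:\Windows\System32\schtasks.exe" CommandLine="schtasks /create /sc minute /mo 5 /tn Sync /tr C:\Users\hr\AppData\Roaming\svc.exe"',
    r'EventID="1" Computer="FIN-LAP-07" Image="C:\Windows\System32\schtasks.exe" CommandLine="schtasks /query /fo list"',
]
```

Running `scan(SAMPLE_EVENTS)` yields four hits; the installer's Run key scores medium, the writes into AppData score high, and the Explorer setting and the `schtasks /query` are ignored.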

6. Command and Control (C2)

The compromised system talks to the attacker's server.

e.g. beaconing every 60 seconds, DNS tunnelling, HTTP-based C2.

Steps:

  1. Initial compromise (Phishing email)

  2. Malware installed/deployed on the host

  3. C2 channel established

  4. Commands issued (remote control by the attacker)

  5. Data exfiltrated / lateral movement

Defence view for SOC:

  • Abnormal outbound traffic

  • Beaconing patterns

  • Known bad IPs/domains
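An added example (not from the original notes) of the beaconing-pattern check: a beacon that checks in every 60 seconds leaves near-constant gaps between outbound connections, while human-driven traffic is bursty, so the coefficient of variation of the gaps per (source, destination) pair separates the two. The connection records, IP addresses and thresholds are constructed assumptions.

```python
# Added example: find the "beaconing every 60 seconds" C2 pattern in connection logs.
import statistics
from collections import defaultdict
from datetime import datetime, timedelta


def beacon_score(timestamps: list[datetime], min_conns: int = 5):
    """(mean gap in seconds, coefficient of variation) or None if too few connections.

    A low coefficient of variation (std dev / mean) means the gaps are regular.
    """
    ts = sorted(timestamps)
    if len(ts) < min_conns:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    if mean <= 0:
        return None
    return round(mean, 1), round(statistics.pstdev(gaps) / mean, 3)


def find_beacons(records, max_cv: float = 0.15) -> dict:
    """Map (src, dst) -> beacon period for pairs whose gaps vary less than max_cv.

    Real implants add jitter; raising max_cv (and min_conns) catches them at the
    cost of more false positives from legitimate pollers such as update checkers.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in records:
        by_pair[(src, dst)].append(ts)
    beacons = {}
    for pair, stamps in by_pair.items():
        score = beacon_score(stamps)
        if score and score[1] <= max_cv:
            beacons[pair] = score[0]
    return beacons


# Constructed sample: one host, three destinations. The first is an implant checking
# in every ~60 s with a second or two of jitter; the other two are ordinary browsing.
SAMPLE_T0 = datetime(2024, 5, 1, 9, 0, 0)
SAMPLE_CONNECTIONS = (
    [(SAMPLE_T0 + timedelta(seconds=60 * i + j), "10.0.0.15", "203.0.113.5")
     for i, j in enumerate([0, 1, -1, 2, 0, 1, -2, 0])]
    + [(SAMPLE_T0 + timedelta(seconds=s), "10.0.0.15", "198.51.100.10")
       for s in [5, 130, 131, 400, 1500, 1510, 3000]]
    + [(SAMPLE_T0 + timedelta(seconds=s), "10.0.0.15", "192.0.2.44") for s in [20, 25, 900]]
)

if __name__ == "__main__":
    for (src, dst), period in find_beacons(SAMPLE_CONNECTIONS).items():
        print(f"{src} -> {dst}: beacon every ~{period}s")
```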

7. Actions on Objectives

The attacker does what they came for.

Typical objectives:

  • Data theft

  • Ransomware Deployment

  • Credential dump

  • Lateral movement

  • Financial fraud

This is where the real damage happens.

Alert Reporting

💡
Alert --> Triage --> Reporting --> Escalation --> Communication

Alert reporting is the process of formally documenting:

  • What was detected

  • What was analyzed

  • What conclusion was reached

  • What action was taken or recommended

SOC golden rule:

If it's not documented, it did not happen.

💡
5W rule: What, When, Where, Who, Which.

Bad report = bad analyst, even if the triage was correct.

Document everything.

Escalation

"This alert is beyond tier-1 authority and requires higher expertise or action."

Tier-1: doesn't fix the incident; identifies it and hands it over correctly.

When should tier-1 escalate?

| Condition | Example |
| --- | --- |
| 1. Confirmed malicious activity | Malware detected |
| 2. Privileged account involved | Admin user |
| 3. Critical asset affected | Server / Domain Controller (DC) |
| 4. Multiple alerts correlated | Phishing + execution |
| 5. Data risk exists | Possible exfiltration |
| 6. Policy requires escalation | Severity high/critical |

Escalation is not failure, it's professionalism.

Alert escalation documentation:

e.g. Tier-1 escalation note:

  • Escalation reason: confirmed suspicious PowerShell execution with external communication.

  • Evidence attached : Process tree, command line, destination domain.

  • Severity: high

  • Recommended action : Endpoint isolation and memory analysis.

This makes the L2 analyst trust you instantly.

SOC Communication

SOC communication paths:

  1. Analyst --> Analyst

  2. Analyst --> IR Team

  3. Analyst --> IT/Admin

  4. SOC --> Management

You are translating technical risk into actionable information.

Communication principles:

  • Clear

  • Factual

  • No assumptions

  • No panic language

  • No blame

Instead of "System hacked badly", say "Suspicious activity detected, under investigation."

Communication types:

1. Internal SOC communication:

Used during:

  • Shift handover

  • Escalation

  • Collaboration

e.g. Handover Note:

Alert escalated to L2, endpoint pending isolation. Monitoring outgoing.

2. IT/Admin communication:

Used when action is needed.

e.g. Please isolate FIN-Lap-07 from the network, as suspicious activity was detected.

3. Management communication (high level):

Management doesn't want logs; they want impact + status.

e.g. Suspicious activity detected on one finance user's system. No evidence of data exfiltration so far; incident under investigation.