Using the Cyber Kill Chain and the MITRE Matrix for Red Team Operations

When designing and proposing Red Team operations, it is important to present the information in a way that stakeholders can understand and approve. The Cyber Kill Chain (CKC) and MITRE Matrix enable you to explain clearly and concisely the key phases in a Red Team operation.

The CKC lays out the steps in a cyber attack, from reconnaissance to post-attack phase. This can help stakeholders see the big picture and how each step impacts the overall operation.

The MITRE Matrix is another great tool for explaining red team operations. It organizes different aspects of an attack, such as tools, tactics, and procedures, into a easy-to-read table. This can help you quickly identify any potential gaps in your plan and make adjustments.

The Cyber Kill Chain

The Cyber Kill Chain is a model for understanding the stages of an attack. The model was developed by Lockheed Martin and is used by the Department of Defense. The model has seven stages:

  1. Reconnaissance: The attacker gathers information about the target.

  2. Weaponization: The attacker creates a tool or exploit that will be used to attack the target.

  3. Delivery: The attacker delivers the tool or exploit to the target.

  4. Exploitation: The attacker uses the tool or exploit to gain access to the target.

  5. Installation: The attacker installs malware on the target system.

  6. Command and Control: The attacker takes control of the target system.

The Cyber Kill Chain is a valuable communication tool that can help stakeholders visualize the key phases of a proposed red team operation. If you want to work as a Red Teamer, familiarize yourself with the model and its terminology.

The MITRE Matrix

The MITRE Matrix is a tool that can be used during red team operations in order to help plan and track the progress of an attack.

The matrix is divided into fourteen sections:

  1. Reconnaissance: gathering information to plan an attack

  2. Resource Development: establishing resources to support the operation

  3. Initial Access: trying to get into the target’s network

  4. Execution: trying the run malicious code

  5. Persistence: trying to maintain their foothold

  6. Privilege Escalation: trying to gain higher-level permissions

  7. Defense Evasion: trying to avoid being detected

  8. Credential Access: stealing accounts names and passwords

  9. Discovery: trying to understand the target’s environment

  10. Lateral Movement: moving through the target’s environment

  11. Collection: gathering data of interest to the operation’s goals

  12. Command and Control: communicating with compromised systems to control them

  13. Exfiltration: stealing data

  14. Impact: manipulate, interrupt, or destroy systems and data

The MITRE Matrix is a versatile tool that can be used in a variety of ways. The information in each section can be used to help identify and prioritize vulnerabilities, understand the risk associated with an attack, and develop a plan of action.

Important Information!

While the Cyber Kill Chain and MITRE Matrix are valuable tools for understanding how adversaries operate, they are not compliance frameworks. They are not intended for cyber professionals to use them to build a cyber defense strategy.

There is a tendency within large organizations to ask defenders and ethical hackers to “align themselves to MITRE or CKC”. In practice, this doesn’t make any sense!

How to use CKC and the MITRE Matrix for Red Teaming

The Red Team should use the CKC and MITRE Matrix to formulate and communicate their attack plans and strategies. These tools help the Red Team to deliver their message to the right people in a way that is meaningful and credible.

Looking to expand your knowledge of red teaming? Check out our online course, MRT - Certified Red Teamer. In this course, you’ll learn about the different aspects of red teaming and how to put them into practice.